Encrypt The Planet

BitLocker Drive Encryption Overview

Windows BitLocker Drive Encryption is a full disk encryption feature included with Microsoft's Windows 7 Ultimate, Windows Vista Ultimate, Windows Vista Enterprise, Windows Server 2008 and Windows 7 Ultimate Beta operating systems.

Drive encryption protects data by preventing unauthorized users from breaking Windows file and system protection on lost, stolen or inappropriately decommissioned computers. This protection is achieved by encrypting the entire Windows volume: with BitLocker, all user and system files are encrypted, including the swap and hibernation files. Windows BitLocker Drive Encryption supports 128-bit and 256-bit encryption keys. In addition, BitLocker supports a Diffuser algorithm to help protect the system against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. You can read the white paper on the Elephant Diffuser algorithm here.

A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft.

BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script (See below). When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.

How does BitLocker Drive Encryption work?

Your data is protected by encrypting the entire Windows operating system volume.

If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.
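A simplified model of that check, added here as an illustration and not Microsoft's code: each boot component is measured into a TPM 1.2-style PCR with SHA-1, and the volume key is released only when the PCR matches the snapshot recorded when BitLocker was turned on. The component names and the key are constructed placeholders.

```powershell
# Simplified model of the TPM check BitLocker relies on (added example, not Microsoft code).
# A real TPM seals the key to a composite of several PCRs; here one PCR stands in for all of them.
$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Get-Digest([byte[]]$Bytes) { $sha1.ComputeHash($Bytes) }

function Extend-Pcr([byte[]]$Pcr, [byte[]]$Measurement) {
    # TPM_Extend as TPM 1.2 does it: PCR_new = SHA1(PCR_old || SHA1(component))
    Get-Digest ($Pcr + (Get-Digest $Measurement))
}

function Measure-BootChain([string[]]$Components) {
    $pcr = New-Object byte[] 20          # PCRs start at all zeros on power-on
    foreach ($c in $Components) {
        $pcr = Extend-Pcr $pcr ([Text.Encoding]::UTF8.GetBytes($c))
    }
    [BitConverter]::ToString([byte[]]$pcr) -replace '-', ''
}

function Unseal-VolumeKey([string]$SealedToPcr, [string]$CurrentPcr, [string]$VolumeKey) {
    # The TPM hands the key out only if the boot chain hashes to the value it was sealed to.
    if ($CurrentPcr -eq $SealedToPcr) { return $VolumeKey }
    return $null   # mismatch: key stays locked, BitLocker asks for recovery
}

# Constructed "measurements" standing in for firmware, MBR, boot sector and boot manager.
$goodChain = 'BIOS-v1.02', 'MBR', 'NTFS boot sector', 'bootmgr 6.0.6000'
$snapshot  = Measure-BootChain $goodChain      # taken when BitLocker was turned on
$key       = 'FVEK-placeholder'

# Normal boot: identical chain, identical PCR, key released.
Unseal-VolumeKey $snapshot (Measure-BootChain $goodChain) $key

# Modified boot manager: one different measurement changes every later PCR value, key withheld.
$tampered = 'BIOS-v1.02', 'MBR', 'NTFS boot sector', 'bootmgr (modified)'
Unseal-VolumeKey $snapshot (Measure-BootChain $tampered) $key
```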

By default, the BitLocker setup wizard is configured to work seamlessly with the TPM. An administrator can use Group Policy or a script to enable additional features and options.

For enhanced security, you can combine the use of a TPM with either a PIN entered by the user or a startup key stored on a USB flash drive.

On computers without a compatible TPM, BitLocker can provide encryption, but not the added security of locking keys with the TPM. In this case, the user is required to create a startup key that is stored on a USB flash drive.

NSA - On securely configuring BitLocker

CONFIGURE VISTA BITLOCKER FOR USE WITHOUT A TPM MOTHERBOARD

This method is for using BitLocker on a motherboard without TPM support. Follow the steps below to enable BitLocker with a USB dongle, which will act as your key for decrypting the chosen encrypted hard drives.

1. Click on the Start button, key in gpedit.msc in the search box and hit Enter.
2. Navigate through: Computer Policy, Administrative Templates, Windows Components and BitLocker Drive Encryption.
3. Right-click on Control Panel Setup: Enable advanced startup options and select Properties.
4. Check the box: ALLOW BITLOCKER WITHOUT A COMPATIBLE TPM
5. Drop-down box: REQUIRE STARTUP KEY WITH TPM
6. Drop-down box: REQUIRE STARTUP PIN WITH TPM (for extra security)
7. Click: NEXT SETTING
8. Configure encryption method: ENABLED
9. Drop-down: AES 256-bit with Diffuser (highest security)
10. NEXT SETTING
11. Prevent memory overwrite on restart: DISABLED
12. NEXT SETTING
13. Configure TPM platform validation profile: NOT USED IF YOU HAVE NO TPM
14. APPLY
15. Click the Start button, Control Panel, Security, BitLocker Drive Encryption (will take time to load)
16. Turn on BitLocker for the hard drives you wish to encrypt.
17. You will be asked to use a USB flash drive to store your encryption key. This will require you to have the USB key inserted in a USB port every time you start up your computer. DO NOT LOSE IT, KEEP IT SECURE! DO NOT LET IT GET INTO THE WRONG HANDS.
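The script route mentioned in the overview, as an added example that is not code from this page or from Microsoft: PowerShell that writes the registry values behind steps 3 to 13 under the BitLocker policy key and then turns BitLocker on with a USB startup key using manage-bde. It assumes an elevated prompt on Windows 7, that the operating system volume is C: and that the USB flash drive is E:; on Vista the command-line tool ships as the manage-bde.wsf script instead.

```powershell
# Added example, not taken from this page or from Microsoft. It writes the registry values that
# the BitLocker Group Policy settings in steps 3 to 13 store under the FVE policy key, then turns
# BitLocker on with a USB startup key. Assumptions: elevated PowerShell on Windows 7, OS volume C:,
# USB flash drive E:. (Vista ships the command-line tool as a script: cscript manage-bde.wsf.)
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

$policy = @{
    UseAdvancedStartup = 1   # step 3: "Enable advanced startup options" = Enabled
    EnableBDEWithNoTPM = 1   # step 4: Allow BitLocker without a compatible TPM
    UseTPMKey          = 1   # step 5: Require startup key with TPM (0 = do not allow, 1 = require, 2 = allow)
    UseTPMPIN          = 2   # step 6 would be 1; left at "allow" here so the key-only path stays valid
    EncryptionMethod   = 2   # step 9: 1 = AES-128+Diffuser, 2 = AES-256+Diffuser, 3 = AES-128, 4 = AES-256
    MorBehavior        = 0   # step 11: "Prevent memory overwrite on restart" = Disabled, so secrets are wiped
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}

# Verify the policy before touching the volume.
Get-ItemProperty -Path $fve | Format-List UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMKey, EncryptionMethod, MorBehavior

# Steps 16 and 17: encrypt C: with a startup key written to E:, and also create a recovery
# password so a lost or broken USB dongle does not mean a lost volume. Record the recovery
# password it prints and keep it somewhere other than the dongle.
manage-bde -on C: -StartupKey E:\ -RecoveryPassword
manage-bde -status C:
```

The recovery password is the only way back in if the dongle is lost, so it needs the same physical protection the next section demands for the USB key.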

The weakest link?

So now you have BitLocker set up and are using a USB drive as your dongle key. You are aware now that the weakest link in protecting your data is the USB key holding your BitLocker encryption keys. Physical protection of the USB dongle is now your highest priority. If the USB dongle were to fall into the wrong hands, your hard drive is open to anyone who also has physical access to your computer. So how to mitigate this vulnerability? How about a USB drive with fingerprint authentication? Check out Axiom's BioDrive. The Axiom BioDrive is a biometric USB flash drive that provides secure data protection by requiring an authenticated fingerprint to access files. Each drive also comes loaded with 128-bit encryption for added protection to make sure you are fully protected. When the drive is plugged in, the security features are instantly recognized on all current Windows operating systems without the need to download any drivers. Simply plug in the drive, swipe your fingerprint and in 3 seconds you have instant access to all of your protected files. Simply copy all your BitLocker keys onto this drive, plug it in and boot up Windows with your finger on the fingerprint scanner: the USB drive unlocks, Windows authenticates its keys, and your computer is now unlocked.

This is only theory at the moment. We have looked at this USB drive, and theoretically this USB drive should work in this fashion. Others would fail because they require their own software to run during a Windows user session, i.e. when Windows is booted up and you are logged into your user account. We would love to hear your ideas on this one! Post results in our forum in the BitLocker section.
