BitLocker, the full volume encryption feature included with Microsoft Windows (Pro and Enterprise only)
BitLocker was designed to protect data by providing encryption for entire volumes. By de default, it uses an AES encryption algorithm in cypher block chaining (CBC or XTS mode with a 128-bit or 256-bit key). CBC is applied to each individual sector of the disk.
Encrypting every bit of data is a crucial security precaution. If one of your devices were lost or stolen, you’d probably cringe at the cost of replacing it. But that’s nothing compared to what you’d stand to lose if someone had unfettered access to the data on that device. Even if they can’t sign in using your Windows user account, a thief could boot from a removable device and browse the contents of the system drive with impunity. By encrypting the entire device, its contents will be available to you or someone with the recovery key.
BitLocker in Windows 10
Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attachments, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives or portable drives.
Every edition of Windows 10 includes strong encryption options, with business editions having the best set of management tools. On all devices that are designed for Windows 10, device encryption is automatically enabled. Windows Setup automatically creates the necessary partitions and initialises encryption on the operating system drive with a clear key.
Data-protection concern and how they are addressed in Windows 10:
- The Windows devices are increasingly protected BitLocker Device Encryption out of box and support SSO to seamlessly protect the BitLocker encryption key from cold boot attacks. Network Unlock allows devices to start automatically when connected to your internet network.
- BitLocker requires the user to enter a Recovery Key only when disk corruption occurs or when one loses the PIN or password.
- Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drivers in seconds.
- BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allows administrators to enable BitLocker quickly on new computers.
- BitLocker supports offloading encryption to encrypted hard drives.
- BitLocker supports encrypted hard drives with onboard encryption hardware build in, which allows administrators to use the familiar BitLocker administrative tools to manage them.
For the most part, BitLocker is a set-it-and-forget-it feature. After you enable encryption for a drive, tools built into the operating system can be used to perform a variety of management tasks.
The simplest tools are available in the Windows graphical interface, but only if you are running Windows 10 Pro or Enterprise. Windows 10 Business editions come with more features like enabling BitLocker for the system drive, suspending encryption temporarily and backing up your recovery key. You can also manage encryption on removable drives and on secondary internal drives. Windows PowerShell includes a full set of BitLocker cmdlets. You can use Get-BitLocker Volume, for example, to see the status of all fixed and removable drives on the current system.
Prepare your organisation for BitLocker: Planning and policies
Your internal IT professional or your outsourced IT team will have to design your BitLocker development strategy, define the appropriate policies and confirmation requirements based on your business needs.
Audit your environment
After understanding your current environment, an informal audit will be performed to define your current policies, procedures, and hardware environment. Review your existing corporate security policies if they exist (if your organisation is not currently using disk encryption software, these won’t exist). These might need to modify your organisation’s policies to address the capabilities of BitLocker.
Encryption keys and authentication
The trusted platform module (TPM) is a hardware component installed in many newer computers by computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
If your computers do not have a TPM version 1,2 or higher additional support processes similar to multifactor authentication are required. BitLocker offers the option to lock the normal start-up process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a start-up key.
These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or start-up key is presented. This implementation will require the user to insert a USB start-up key to start the computer or resume from hibernation and does not provide the pre-start-up system integrity verification offered by BitLocker working with a TPM. Windows offers different authentication methods.
Non-TPM hardware configurations
Devices that do not include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a start-up password and PCs can use a start-up key. Your IT professional will have to test your individual hardware platforms with the BitLocker system check option while enabling BitLocker.
Disk configuration considerations
Two partitions will be required: one for the operations system and its support files, that it must be formatted with the NTFS file system and the system partition (or boot partition) that contains the files that are needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker is enabled just on the operations system and support files partition.
With newer operating systems, the feature can be easily provisioned before the operation system is installed. Your IT administrator will be able to enable BitLocker prior to operating system deployment. But this requires that the device has a TPM.
Used Disk Space only encryption
The BitLocker Setup wizard provides administrators with the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Your IT professional can use the new BitLocker Group Policy setting to enforce either Used Disk Space Only or Full disk encryption.
Active Directory Domain Services considerations
BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Your IT professional can configure the Group Policy setting for each drive type to enable backup of BitLocker recovery information.
BitLocker To Go
Removable storage devices need encryption too. This includes USB flash drives as well as MicroSD cards that can be used in some PCs. That’s where BitLocker To Go works. To turn on BitLocker encryption for a removable drive, you must be running a business edition of Windows 10. You can unlock that device with any Windows edition. As part of the encryption process, you need to set a password that will be used to unlock the drive. Your IT professional will also need to save the recovery key for the drive (it’s not automatically saved to a cloud account).
Federal Information Processing Standard (FIPS) support for recovery password protector
Functionality introduced in Windows Server 2012 R2 and Windows 8.1, allows BitLocker to be fully functional in FIPS mode.
This is how we are doing things at Xenex Systems. If you want to find out how we can help your organisation take the right steps in planning and implementing, using all the advantages offered by the Windows 10 features, get in touch with us at (08) 6245 2800 or leave your details here. If you haven’t moved to Windows 10 yet, as Microsoft Silver Partner we can assist in the transition.