Feb 23 2007

Put Your Drives on Lockdown

By using BitLocker Drive Encryption, you can protect your data on systems running Windows Vista.

No doubt you’ve seen the headlines about lost and stolen notebook computers compromising the personal and confidential information of millions of people. Some of these breaches resulted from poor network security and business policies, but unencrypted data often was also to blame.

If a disk drive is encrypted, the extent of the damage done when a portable computer is lost or stolen is the cost of replacing the system. Instead, businesses often spend millions recovering from these incidents and suffer damage to their reputations from the exposure of sensitive data.

A feature of the new Microsoft Windows Vista allows full-disk encryption. BitLocker works with the Trusted Platform Module, a chip used to provide additional security functionality that’s permanently attached to a system’s motherboard. Tying the encryption key to the hardware and the validation process of TPM means hackers cannot modify or bypass the encryption — a problem with other encryption tools Microsoft has offered.

Less Exposed

Previous Windows versions have included data encryption features, such as Encrypted File System (EFS), but the tools protected only files and folders. An attacker could boot another OS, such as the Knoppix Linux distribution, to access and crack a system’s password store. Once the system authenticates a hacker, EFS cannot provide protection.

Other Windows encryption tools have relied on the user to decide what should or should not be encrypted. Even if a systems administrator creates a special encrypted folder on a drive specifically to hold confidential or sensitive data, there’s no way to be sure that users put all appropriate data in the folder. In the event of a notebook theft, the company would still be unable to guarantee that private or personally identifiable information was not exposed. But encrypting the entire drive removes the guesswork.

65% The rise last year in average financial losses from notebook computer thefts.

— 2006 CSI/FBI Computer Crime & Security Survey

BitLocker has four main components: Microsoft TPM driver, Windows Management Instrumentation (WMI) provider, TPM Base Services Application Programming Interface (TBS API) and BitLocker Drive Encryption. The TPM driver lets Windows interact with the TPM chip on a system, and the WMI provider supports BitLocker management and scripting. The TBS API provides a means for applications to use the TPM, while BitLocker encrypts and decrypts the data.

BitLocker doesn’t rely on proprietary encryption; instead it uses the 128-bit Advanced Encryption Standard algorithm. Microsoft chose AES because the speed of encryption and decryption makes the process fairly transparent to users, its ability to scale will allow use with future hard-drive sizes, and the methods for creating and maintaining keys are user-friendly. Plus, hackers cannot boot another OS to get at data because the drive is encrypted. According to Microsoft, TPM protects a drive from running on anything but the original OS.

Before you can encrypt your drive using BitLocker, you need to have two separate volumes. One will be a small partition for the Active Volume. This drive will remain unencrypted and contain the files necessary to start the computer. Ideally, the drive should be configured so that no data can be written to it. The larger volume will contain Windows OS files and data. Except for the boot sector and volume metadata, this drive will be completely encrypted by BitLocker.

CEO Takeaway
There are third-party products for full-disk encryption, such as Pointsec and the open-source TrueCrypt. But if you are deploying Microsoft Windows Vista, you can use BitLocker, its built-in disk encryption feature, to:

• prevent hackers from getting into data stored on hard drives;
• manage encryption settings via Active Directory and Group Policy Objects;
• use command-line scripting, which makes it an ideal choice for protecting data on Windows networks.
Tony Bradley, a Microsoft MVP (Most Valuable Professional) in Windows Security, is a computer security consultant with
BT INS in Houston, Texas, and author of Essential Computer Security.