Zeb Bowden
01/16/2007

(Presentation in Word format can be found here)

Bitlocker

I.Goals

  1. Primary goal is to protect data on stolen laptops
  2. Can also reduce the cost of surplusing hardware: to protect the data on a retired disk, all you have to do is delete the keys
  3. System integrity checking

II. Processes

  1. In general, BitLocker does most of its work at System Startup
  2. Requires an unencrypted 1.5GB partition set to Active (to boot)
  3. With a TPM (v 1.2): It will do integrity checking of system files and hardware integrity
  4. Without a TPM: It will still protect data with a key stored on a jump drive
  5. Seamlessly encrypts/decrypts sectors with a filter driver in the file system stack.

III. Focus

  1. Single User focused, you can't share a machine without sharing the key
  2. Windows System Volume is the intended target, though you can do other disks with the command line utility. You will have to "unlock" non-system partitions manually (or by script).

IV. Encryption

  1. Full Drive encryption
  2. Uses AES 128 or 256
  3. Recovery keys can be stored on USB devices or escrowed in AD (not available yet)
  4. System based - meaning there's one key per Volume and the System controls it.

V. Miscellaneous

  1. Microsoft says: BitLocker provides protection for the Windows partition and is not a replacement for EFS. BitLocker does not encrypt data stored outside the Windows partition, but it does provide an added security layer for EFS by encrypting the EFS keys within the Windows partition.
  2. Sharing files on a BitLocker'd partition is seamless (maybe too easy and data sent in the clear).
  3. Only supported on Ultimate and Enterprise versions

EFS

I. Goals

  1. The main goal of EFS is to prevent unauthorized access to data (including access to files on shared resources).

II. Processes

  1. Encrypts/decrypts files and folders when EFS is enabled (file attribute).
  2. For the most part EFS is transparent to users (once setup), like BitLocker it is integrated into NTFS.
  3. The non-transparency comes in when you want to share encrypted files.
  4. When you move an EFS encrypted file across the network, it is sent in the clear.

III. Focus

  1. User based, but not necessarily Single User focused. Doesn't really scale that well for sharing with lots of people but it is multi-user friendly.
  2. Generally folder focused though you can encrypt entire volumes (including paging file and offline folders)
    • The danger here is that users don't know to put sensitive files in EFS folders
    • Offline files can be a problem

IV. Encryption

  1. Key management is essential (AD integration is there, though we've not tested)
  2. Keys can be stored on smart cards
  3. EFS uses user based encryption/decryption - meaning that the EFS driver needs to get access to a key associated with a particular user (not a System)
  4. Uses AES 256 by default but others are available (3DES, DESX)

V. Miscellaneous

  1. Supported on Business, Enterprise, and Ultimate
  2. Still can come back to password strength (if not using smartcards for key storage): if your password is guessed, then access to your key is possible
  3. Sharing EFS encrypted files is more difficult (maybe good?): you have to get the user(s) certificate to encrypt the file for them to view.
  4. Could be difficult to implement with an enterprise PKI. Example: certificate expiration; the MS solution is a 100-year expiration (stand-alone install).

Documentation

Additional Information (added by Zeb on 01/17/2007)

To follow up on one of Phil's questions from the meeting about which key actually encrypts the data in BitLocker: I knew it was symmetric but wasn't sure if the encryption key itself was stored on the jump drive. It looks like it's not; rather, it uses that key to decrypt the actual encryption key. Here's a snippet from http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx: "Figure 1 shows how volume contents are encrypted with a Full Volume Encryption Key (FVEK), which in turn is encrypted with a Volume Master Key (VMK). Securing the VMK is an indirect way of protecting data on the disk volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This saves the expense of decrypting and re-encrypting the entire disk volume."

EFS actually uses symmetric encryption as well to do the actual encryption of the files. It will use asymmetric encryption to encrypt/decrypt the symmetric data encryption key. The encrypted data encryption key is then stored in the header of the EFS encrypted file.
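The key hierarchy described in the two paragraphs above, as an added illustration (not Microsoft's code or format): data is encrypted under an FVEK, the FVEK under a VMK, and the VMK once per protector, so adding a protector (cf. "-protectors -add" below) or replacing a lost VMK never rewrites the volume. EFS's per-user wrapped data encryption key in the file header follows the same pattern. Since the standard library has no AES, an HMAC-SHA256 counter-mode stream cipher stands in for it; the `Volume` class and its method names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Stand-in for AES, which the standard library lacks: HMAC-SHA256 run in
# counter mode as a stream cipher (XOR, so it both encrypts and decrypts).
def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(kek: bytes, key: bytes) -> bytes:
    """Encrypt a key under a key-encryption key; the MAC detects a wrong kek."""
    nonce = os.urandom(16)
    ct = stream_xor(kek, nonce, key)
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("protector key does not unwrap this blob")
    return stream_xor(kek, nonce, ct)

class Volume:
    """Sectors under the FVEK, FVEK under the VMK, VMK under each protector."""
    def __init__(self, data: bytes, protector: str, protector_key: bytes):
        fvek, vmk = os.urandom(32), os.urandom(32)
        self.nonce = os.urandom(16)
        self.ciphertext = stream_xor(fvek, self.nonce, data)  # never rewritten below
        self.wrapped_fvek = wrap(vmk, fvek)
        self.protectors = {protector: wrap(protector_key, vmk)}

    def unlock(self, protector: str, protector_key: bytes) -> bytes:
        vmk = unwrap(protector_key, self.protectors[protector])
        return stream_xor(unwrap(vmk, self.wrapped_fvek), self.nonce, self.ciphertext)

    def add_protector(self, via: str, via_key: bytes, name: str, key: bytes) -> None:
        """Like -protectors -add: one more wrapped copy of the VMK; no data re-encrypted."""
        self.protectors[name] = wrap(key, unwrap(via_key, self.protectors[via]))

    def rekey(self, via: str, via_key: bytes, new_protectors: dict) -> None:
        """Upstream key lost or compromised: fresh VMK; FVEK and data stay untouched."""
        fvek = unwrap(unwrap(via_key, self.protectors[via]), self.wrapped_fvek)
        vmk = os.urandom(32)
        self.wrapped_fvek = wrap(vmk, fvek)
        self.protectors = {n: wrap(k, vmk) for n, k in new_protectors.items()}
```

Sharing an EFS file maps onto `add_protector` (another user's wrapped copy of the same data key), and revoking a compromised protector onto `rekey`; in both cases the encrypted data itself is left alone.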

A few tricks from the cmd line: (don't forget to put the colons after the drive letters)

1. To encrypt a drive: cscript manage-bde.wsf -on <drive to encrypt>: -rp -sk <jump drive>:

2. To auto-unlock other drives on startup: cscript manage-bde.wsf -autounlock -enable <drive letter>:

3. To add an additional key: cscript manage-bde.wsf -protectors -add <drive to encrypt>: -sk <jumpdrive letter>:
