BitLocker: Is It Really Secure?
Expert Reference Series of White Papers (www.globalknowledge.com)
Introduction: What Is It?
BitLocker, whose full name is Windows BitLocker Full Drive Encryption, is a new technology available in Windows Vista Enterprise and Windows Vista Ultimate, and also in Windows Server 2008. It is one of the new security features for both business and personal users, designed to address the threat of unauthorized access to data as well as illegitimate booting of the operating system. BitLocker addresses a long history of vulnerabilities: data theft by booting a computer with stolen credentials, attacks using external tools such as bootable operating systems on CD-ROM or USB boot devices, or transferring a computer's hard drive and reading it in a foreign system. Other concerns are unauthorized access to a stolen laptop or mainstream computer, and access to data on a recycled or decommissioned computer. BitLocker encrypts the volume that runs the operating system; Windows Server 2008 can additionally encrypt other volumes.
By design, BitLocker encrypts the entire Windows operating system volume on the hard drive, including the operating system files, user data, hibernation files, page file, and temporary files. Any application installed on the system volume benefits from this protection. BitLocker also verifies the integrity of the early boot components and the boot configuration data, so that any alteration of the boot process prevents the operating system from starting. It is as valuable for servers as it is for laptops and desktops, especially machines at remote or branch offices, where they are less physically protected. BitLocker-protected machines may be physically compromised or stolen, but the data on the system disk remains protected. These features are extremely important to owners and users of laptops, who benefit from the safety and comfort of knowing that the information cannot be accessed. This is extremely reassuring.
What Is Needed
(GPO).
Either method provides multi-factor authentication and ensures that the computer will not start, or even resume from hibernation, until the correct PIN or startup key is supplied.
For BitLocker to function, the hard disk requires at least two NTFS-formatted volumes: one that holds the files that boot the operating system, known as the system volume, with a minimum size of 1.5 GB, and another that holds the operating system itself, known as the boot partition. If two volumes are not available, the Windows Vista diskpart command-line tool can shrink an existing NTFS volume so that the system volume BitLocker needs can be created.
How It Works
BitLocker provides three modes of operation: Transparent Operation Mode, User Authentication Mode, and USB Key Mode. The first two modes require a TPM (version 1.2 or later) and a TCG-compliant BIOS. The third mode does not require a TPM chip.
Transparent operation mode: This mode uses the capabilities of TPM 1.2 hardware to make BitLocker transparent to the user, who logs on to Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and is released to the OS loader code only if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement, a methodology specified by the Trusted Computing Group.
User authentication mode: This mode requires the user to authenticate to the pre-boot environment before the OS can boot. Two authentication methods are supported: a pre-boot PIN entered by the user, or an inserted Universal Serial Bus (USB) device that contains the required startup key. The USB device does not require a TPM chip.
USB Key mode: The user must insert a USB device containing a startup key before the protected OS can boot. This mode requires that the BIOS of the protected machine support reading USB devices in the pre-OS environment.
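The sealing step of transparent operation mode is easiest to understand as code. The following is an added illustration written for this paper, not Microsoft's implementation: a toy TPM keeps one PCR, measures a constructed chain of early boot components with the TPM 1.2 extend operation (the new PCR value is the SHA-1 of the old value concatenated with the component's hash), and seals the volume master key to the PCR value present at BitLocker initialization. At boot the chain is measured again; if any component differs, the derived wrapping key differs, the tag check fails, and the key is not released. The component names, the single-PCR layout and the HMAC-based seal format are all assumptions made for the example; a real TPM wraps the key under its storage root key and enforces the PCR binding in hardware.

```python
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR <- SHA1(PCR || SHA1(component)).
    Order matters, so the final value summarises the whole chain."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure a list of components into a fresh PCR and return its value."""
    pcr = bytes(PCR_SIZE)
    for c in components:
        pcr = extend_pcr(pcr, c)
    return pcr


class ToyTpm:
    """Stand-in for the seal/unseal behaviour of a TPM (example only)."""

    def __init__(self):
        self._srk = os.urandom(32)      # storage root key: never leaves the chip
        self.pcr = bytes(PCR_SIZE)      # single PCR, zeroed at power-on

    def power_on(self):
        self.pcr = bytes(PCR_SIZE)

    def measure(self, component: bytes):
        self.pcr = extend_pcr(self.pcr, component)

    def _wrap_key(self, pcr: bytes) -> bytes:
        # Wrapping key depends on the chip secret AND the PCR value, so a
        # different boot chain yields a different (useless) key.
        return hmac.new(self._srk, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes) -> bytes:
        """Bind `secret` to the PCR value present right now."""
        if len(secret) > 32:
            raise ValueError("toy seal handles at most 32 bytes")
        k = self._wrap_key(self.pcr)
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, stream))
        tag = hmac.new(k, ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob: bytes):
        """Return the secret only if the current PCR matches seal time."""
        ct, tag = blob[:-32], blob[-32:]
        k = self._wrap_key(self.pcr)
        if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
            return None  # PCR mismatch: the chip refuses to release the key
        stream = hmac.new(k, b"stream", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed stand-ins for the early boot components BitLocker measures.
GOOD_BOOT_CHAIN = [b"BIOS firmware v1", b"MBR", b"boot sector", b"bootmgr", b"BCD store"]


def initialize_bitlocker(tpm: ToyTpm, vmk: bytes, boot_chain) -> bytes:
    """BitLocker initialization: measure the trusted chain, seal the VMK to it."""
    tpm.power_on()
    for c in boot_chain:
        tpm.measure(c)
    return tpm.seal(vmk)


def boot_and_unseal(tpm: ToyTpm, sealed_vmk: bytes, boot_chain):
    """A later boot: re-measure whatever is actually loaded, then ask for the VMK."""
    tpm.power_on()
    for c in boot_chain:
        tpm.measure(c)
    return tpm.unseal(sealed_vmk)


def demo():
    """Returns (key released on clean boot, key withheld on tampered boot)."""
    tpm = ToyTpm()
    vmk = os.urandom(32)
    sealed = initialize_bitlocker(tpm, vmk, GOOD_BOOT_CHAIN)
    clean = boot_and_unseal(tpm, sealed, GOOD_BOOT_CHAIN)
    tampered_chain = list(GOOD_BOOT_CHAIN)
    tampered_chain[3] = b"bootmgr (modified)"   # one altered boot file
    tampered = boot_and_unseal(tpm, sealed, tampered_chain)
    return clean == vmk, tampered is None


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the TPM never compares files; it compares a running digest of what was loaded, so a change anywhere in the measured chain, including a legitimate BIOS or boot-manager update, changes the PCR and drops the machine into recovery until the key is resealed.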
BitLocker encrypts data using the Advanced Encryption Standard (AES) with key lengths of 128 or 256 bits.
These steps can include system integrity checks and other authentication steps (PIN or USB startup key) that must be verified before the protected volume is unlocked.
For recovery purposes, BitLocker uses a recovery key (stored on a USB device) or a recovery password (a numerical password), as shown in the BitLocker Architecture section below. You create the recovery key or recovery password during BitLocker initialization. Inserting the recovery key or typing the recovery password enables an authorized user to regain access to the encrypted volume after an attempted security breach or a system failure.
BitLocker searches for keys in the following sequence:
1. Clear key: System integrity verification has been disabled and the BitLocker volume master key is freely accessible. No authentication is necessary.
2. Recovery key or startup key (if present): If a recovery key or startup key is present, BitLocker will use that key immediately and will not attempt other means of unlocking the volume.
3. Authentication
   1. TPM: The TPM successfully validates early boot components to unseal the volume master key.
   2. TPM + startup key: The TPM successfully validates early boot components and a USB flash drive
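The search order above has a consequence worth making explicit: the clear key and an inserted recovery or startup key are used before any boot-integrity check, so those paths unlock the volume with the early boot components unverified. The following added example, written for this paper and not taken from BitLocker's own code, models the sequence as a decision function and reports, for each outcome, whether integrity was verified. One interpretation is assumed and marked in the code: the step 2 startup-key shortcut is taken to apply to USB Key mode (no TPM), while in a TPM + startup key configuration the key alone is not sufficient, matching step 3.2.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class UnlockContext:
    """What is available to the pre-OS BitLocker code at a given boot (constructed)."""
    clear_key_present: bool = False        # integrity verification disabled; VMK in the clear
    recovery_key_inserted: bool = False    # recovery key on a USB device
    startup_key_inserted: bool = False     # startup key on a USB device
    tpm_validates_boot: Optional[bool] = None   # None: no TPM in use; True/False: TPM verdict
    tpm_plus_startup_key: bool = False     # volume configured for TPM + startup key (assumption)


def find_unlock_path(ctx: UnlockContext) -> Optional[Tuple[str, bool]]:
    """Return (protector used, boot integrity verified) or None if the volume stays locked."""
    # 1. Clear key: no authentication, no integrity check.
    if ctx.clear_key_present:
        return ("clear key", False)
    # 2. Recovery key or startup key present: used immediately, nothing else is tried.
    if ctx.recovery_key_inserted:
        return ("recovery key", False)
    if ctx.startup_key_inserted and not ctx.tpm_plus_startup_key:
        # Assumed to cover USB Key mode, where no TPM measurement takes place.
        return ("startup key", False)
    # 3. Authentication: the TPM must have validated the early boot components.
    if ctx.tpm_validates_boot is True:
        if ctx.tpm_plus_startup_key:
            if ctx.startup_key_inserted:
                return ("TPM + startup key", True)
            return None        # second factor missing
        return ("TPM", True)
    return None                # TPM refused, or no protector matched


def audit(ctx: UnlockContext) -> str:
    """Short defender-facing summary of how a boot would unlock the volume."""
    path = find_unlock_path(ctx)
    if path is None:
        return "volume remains locked; recovery key or password required"
    protector, verified = path
    note = "boot integrity verified" if verified else "boot integrity NOT verified"
    return f"unlocked via {protector}; {note}"


if __name__ == "__main__":
    # Constructed scenarios, one per branch of the search order.
    print(audit(UnlockContext(clear_key_present=True, tpm_validates_boot=False)))
    print(audit(UnlockContext(recovery_key_inserted=True, tpm_validates_boot=False)))
    print(audit(UnlockContext(tpm_validates_boot=True)))
    print(audit(UnlockContext(tpm_validates_boot=False)))
    print(audit(UnlockContext(tpm_validates_boot=True, tpm_plus_startup_key=True,
                              startup_key_inserted=True)))
```

The recovery-key scenario is the one an administrator should notice: a recovery key left in a USB port unlocks the volume even when the TPM would have rejected the boot chain, which is why recovery material should be stored apart from the machine it protects.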
Figure 2. Accessing a BitLocker-enabled volume with enhanced protection