<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:series="http://unfoldingneurons.com/"
	>

<channel>
	<title>4sysops &#187; encryption</title>
	<atom:link href="http://4sysops.com/archives/tag/encryption/feed/" rel="self" type="application/rss+xml" />
	<link>http://4sysops.com</link>
	<description>For Windows Administrators</description>
	<lastBuildDate>Wed, 08 Feb 2012 20:25:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<image>
    <title>4sysops</title>
    <url>http://4sysops.com/4sysops-rss.png</url>
    <link>http://4sysops.com</link>
    <width>143</width>
    <height>49</height>
    <description>4sysops.com</description>
    </image>		<item>
		<title>Active Directory and BitLocker &#8211; Part 1: Introduction</title>
		<link>http://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-1-introduction/</link>
		<comments>http://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-1-introduction/#comments</comments>
		<pubDate>Mon, 31 Oct 2011 23:30:13 +0000</pubDate>
		<dc:creator>Kyle Beckman</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=7274</guid>
		<description><![CDATA[This tutorial in seven parts describes in detail how to configure Active Directory for BitLocker and gives valuable best practice tips.]]></description>
			<content:encoded><![CDATA[<p><strong><i>This tutorial in seven parts describes in detail how to configure Active Directory for BitLocker and gives valuable best practice tips.</i></strong></p>
<p>You don’t have to go very far to hear a story about a laptop computer being stolen that contained the names and personal information of hundreds, thousands, or even tens of thousands of people. Whether they realize it or not, many organizations have employees that are carrying around company trade secrets or the personal information of employees, contractors, customers, patients, and/or students. In most cases, loss of these devices could have regulatory, legal, monetary, or reputation implications for not only the organization who lost the data, but for those whose personal information was lost.</p>
<p>What about your company’s sensitive data? What would happen if your closest competitor had the laptop of someone from your marketing or sales department and all of the data that resided on it? What if a missing laptop from a doctor at your hospital landed on the desk of a local news reporter? What if a faculty member at your university left a laptop in a coffee shop never to be seen again? These are all very real situations that could happen to your organization if you’re not taking precautions to ensure that data stored on these devices is protected from unauthorized access.</p>
<p>Luckily, Microsoft has a solution for this very issue: BitLocker Drive Encryption. BitLocker is full-volume encryption built into the Ultimate and Enterprise editions of Windows Vista and Windows 7; it is not included in Windows Vista Business or Windows 7 Professional. By itself, BitLocker encrypts the contents of a drive to prevent unauthorized access. Coupled with Active Directory, BitLocker can be managed with Group Policy and have its recovery information backed up to AD transparently every time a drive is encrypted.</p>
<h2>Configure Active Directory to backup BitLocker Recovery information</h2>
<p>First, you need to configure Active Directory to store the recovery information for your BitLocker-encrypted devices. Don’t worry if you have already encrypted devices: you can still add their recovery information to AD after you have performed the schema update. Just be aware that it will not be added automatically once you update the schema; Group Policy only backs up a recovery password when it is created (normally at encryption time), so for drives encrypted earlier you have to push the recovery information to AD yourself.</p>
<p>To update the AD schema, you need to ensure that <strong><span style="text-decoration: underline;">all</span></strong> of your Domain Controllers are running Windows Server 2003 SP1 or later, and the account updating the schema must be a Schema Admin or an Enterprise Admin. BitLocker does not require a minimum domain or forest functional level, but Microsoft strongly recommends that all of your DCs run at least Server 2003 SP1: the recovery password attribute is marked confidential in the schema, and only DCs at that level enforce the confidential-attribute flag. An older DC ignores it and would hand out recovery passwords to anyone with ordinary read access to the computer object.</p>
<p>If you meet those requirements, <a href="http://go.microsoft.com/fwlink/?LinkId=78953">download</a> the self-extracting archive, “Configuring AD to Back up BitLocker and TPM Recovery Information.exe,” that contains: Add-TPMSelfWriteACE.vbs, BitLockerTPMSchemaExtension.ldf, List-ACEs.vbs, Get-TPMOwnerInfo.vbs, and Get-BitLockerRecoveryInfo.vbs. Extract the files to a folder on your Domain Controller.</p>
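<p>The following PowerShell script is an added example for this series and is not part of the post or of Microsoft’s script package. It checks the two prerequisites above (DC operating systems, schema extension present) and shows how to push the recovery passwords of drives that were encrypted <em>before</em> the schema update into AD, which is the step Group Policy will not do for you. It assumes PowerShell 2.0 on domain-joined Windows 7 or Server 2008 R2 machines, run elevated; the first two functions run on any admin box, the third on each client whose drives need backfilling. The function names are this example’s own.</p>

```powershell
# Added example, not from the 4sysops post or Microsoft's script package.
# Assumes: PowerShell 2.0, domain-joined Windows 7 / Server 2008 R2, elevated.
# No ActiveDirectory module is needed; plain [ADSI] and WMI are used.

# 1. List every DC in the domain with its OS and service pack. A DC is a
#    computer object whose userAccountControl has SERVER_TRUST_ACCOUNT
#    (0x2000 = 8192); the OID is the LDAP bitwise-AND matching rule.
function Get-DomainControllerOS {
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.Properties["defaultNamingContext"].Value)
    $searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("name", "operatingSystem", "operatingSystemServicePack"))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Name = @($r.Properties["name"])[0]
            OS   = @($r.Properties["operatingsystem"])[0]
            SP   = @($r.Properties["operatingsystemservicepack"])[0]
        }
    }
}

# 2. Has BitLockerTPMSchemaExtension.ldf been imported? The extension adds
#    the ms-FVE-RecoveryInformation class to the schema naming context.
function Test-BitLockerSchema {
    $root = [ADSI]"LDAP://RootDSE"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]("LDAP://" + $root.Properties["schemaNamingContext"].Value)
    $searcher.Filter = "(&(objectClass=classSchema)(cn=ms-FVE-RecoveryInformation))"
    return ($searcher.FindOne() -ne $null)
}

# 3. Backfill: for every volume on this machine that is encrypted and has a
#    numerical password (recovery password) protector, push that protector
#    to AD. This is the WMI call behind
#    "manage-bde -protectors -adbackup <drive> -id {protector GUID}".
#    Key protector type 3 = Numerical Password; ProtectionStatus 1 = on.
function Backup-ExistingRecoveryPasswords {
    $ns = "root\cimv2\Security\MicrosoftVolumeEncryption"
    foreach ($vol in (Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume)) {
        if ($vol.ProtectionStatus -ne 1) { continue }
        $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
        foreach ($id in @($ids)) {
            if (-not $id) { continue }
            $rc = $vol.BackupRecoveryInformationToActiveDirectory($id).ReturnValue
            New-Object PSObject -Property @{
                Volume      = $vol.DriveLetter
                ProtectorID = $id
                Result      = $(if ($rc -eq 0) { "backed up" } else { "error 0x{0:X8}" -f $rc })
            }
        }
    }
}

Get-DomainControllerOS | Format-Table Name, OS, SP -AutoSize
"Schema extended for BitLocker: " + (Test-BitLockerSchema)
Backup-ExistingRecoveryPasswords | Format-Table Volume, ProtectorID, Result -AutoSize
```

<p>Run the third function only after the schema extension, the permissions from the Add-TPMSelfWriteACE.vbs script and the Group Policy backup setting are in place; otherwise the WMI call returns an error code instead of writing the recovery password to the computer object.</p>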
<p>In the next post I will describe how to update the Active Directory schema for BitLocker, and then cover the ACE settings and the BitLocker Recovery Password Viewer.</p>
Author: Kyle Beckman
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-7-tips-and-troubleshooting/" title="Active Directory and BitLocker &#8211; Part 7: Tips and troubleshooting (November 16, 2011)">Active Directory and BitLocker &#8211; Part 7: Tips and troubleshooting</a> (0)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-6-view-recovery-information/" title="Active Directory and BitLocker &#8211; Part 6: View recovery information (November 14, 2011)">Active Directory and BitLocker &#8211; Part 6: View recovery information</a> (3)</li>
	<li><a href="http://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-5-bitlocker-to-go/" title="Active Directory and BitLocker &#8211; Part 5: BitLocker to Go (November 10, 2011)">Active Directory and BitLocker &#8211; Part 5: BitLocker to Go</a> (4)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-4-encrypting-hard-disks/" title="Active Directory and BitLocker &#8211; Part 4: Encrypting hard disks (November 8, 2011)">Active Directory and BitLocker &#8211; Part 4: Encrypting hard disks</a> (2)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-3-group-policy-settings/" title="Active Directory and BitLocker &#8211; Part 3: Group Policy settings (November 4, 2011)">Active Directory and BitLocker &#8211; Part 3: Group Policy settings</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-1-introduction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<series:name><![CDATA[Active Directory and BitLocker]]></series:name>
	</item>
		<item>
		<title>Unlock BitLocker under Windows PE</title>
		<link>http://4sysops.com/archives/unlock-bitlocker-under-windows-pe/</link>
		<comments>http://4sysops.com/archives/unlock-bitlocker-under-windows-pe/#comments</comments>
		<pubDate>Thu, 27 Jan 2011 02:24:10 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">https://4sysops.com/?p=5642</guid>
		<description><![CDATA[In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.]]></description>
			<content:encoded><![CDATA[<p><strong><i>In this article, you will learn how to create a Windows PE 3.0 installation that you can use to unlock BitLocker encrypted drives with the manage-bde command.</i></strong></p>
<p>A while back, I claimed that <a href="http://4sysops.com/archives/seven-reasons-why-you-need-bitlocker-hard-drive-encryption-for-your-whole-organization/">hard drives in business PCs should always be encrypted</a> for various reasons. Even though many third-party encryption solutions are available, BitLocker would always be my first choice because it is perfectly integrated into Windows. Unfortunately, a default Windows PE image does not come with that integration: the component BitLocker&#8217;s command-line tool depends on is missing.</p>
<p>A disadvantage of hard drive encryption is that you can&#8217;t easily access the system drive for troubleshooting if Windows is unable to boot up properly. Imagine a high-ranking manager coming to your office one morning, telling you that her laptop doesn&#8217;t boot up and that she has important data on the encrypted system disk that she desperately needs later today. Ah, and by the way, her flight leaves in an hour. What will you do?</p>
<p>One option is to boot from your Windows PE rescue USB stick, unlock the BitLocker encrypted drive, retrieve the important data, and be a hero. Another option would be to look for another job, but we won&#8217;t pursue that solution here.</p>
<p>To unlock a BitLocker encrypted drive from the command prompt, you need the Windows command manage-bde. However, if you only have a <a href="http://4sysops.com/archives/build-a-bootable-windows-pe-3-0-usb-drive-with-rescue-tools-part-1/">common bootable Windows PE USB stick</a>, your heroic deed will miserably fail with this error message:</p>
<p><em>ERROR: An error occurred (code 0x80040154):
Class not registered</em></p>
<p>Not nice if your impatient manager is looking over your shoulder, claiming that she has booked a business class flight that will not wait for her. The cause is that manage-bde talks to BitLocker through WMI (the Win32_EncryptableVolume class), and the WMI package is not part of a plain Windows PE image. To avoid this embarrassing situation, you&#8217;d better have a Windows PE rescue stick at hand on which the WinPE-WMI package has been installed.</p>
<p>To create a Windows PE installation that you can use to unlock BitLocker encrypted drives, you have to <a href="http://www.microsoft.com/downloads/en/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&amp;displaylang=en">download the Windows AIK (WAIK) for Windows 7</a>, install the WAIK, launch the Deployment Tools Command Prompt with admin privileges, and then follow this procedure:</p>
<h2>Create a Windows PE WIM image to unlock BitLocker</h2>
<pre><code>copype.cmd x86 c:\winpe_x86
dism /mount-wim /wimfile:c:\winpe_x86\winpe.wim /index:1 /mountdir:c:\winpe_x86\mount
dism /image:c:\winpe_x86\mount /add-package /packagepath:"c:\Program Files\Windows AIK\Tools\PETools\x86\WinPE_FPs\WinPE-WMI.cab"
dism /unmount-wim /mountdir:c:\winpe_x86\mount /commit
copy c:\winpe_x86\winpe.wim c:\winpe_x86\ISO\sources\boot.wim</code></pre>
<p>If you prefer to boot Windows PE from a DVD or CD, you can create a bootable ISO file with this command:</p>
<p><code>oscdimg -n -bc:\winpe_x86\etfsboot.com c:\winpe_x86\ISO c:\winpe_x86\winpe_x86.iso</code></p>
<p>Under Windows 7, you can create the bootable Windows PE DVD through the context menu of the ISO file. I have already explained in detail how to <a href="http://4sysops.com/archives/build-a-bootable-windows-pe-3-0-usb-drive-with-rescue-tools-part-1/">create a bootable Windows PE USB stick</a> before, so I won&#8217;t repeat this procedure here.</p>
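<p>The script below is an added example, not part of the original post: it wraps the same copype, dism and oscdimg steps, stops at the first failing command, verifies that WinPE-WMI is actually in the image before committing, and discards a half-finished DISM mount on failure (a dirty mount point is the usual reason a second build attempt fails). It assumes the WAIK for Windows 7 in its default location and that you start powershell.exe from the elevated Deployment Tools Command Prompt, which puts copype.cmd, dism and oscdimg on the PATH.</p>

```powershell
# Added example, not from the 4sysops post. Assumes the WAIK for Windows 7
# in its default location and powershell.exe started from the elevated
# Deployment Tools Command Prompt (copype.cmd, dism, oscdimg on the PATH).
$waik   = "C:\Program Files\Windows AIK\Tools"
$arch   = "x86"
$work   = "C:\winpe_$arch"
$mount  = Join-Path $work "mount"
$wim    = Join-Path $work "winpe.wim"
$wmiCab = Join-Path $waik "PETools\$arch\WinPE_FPs\WinPE-WMI.cab"

# Run one native command and stop on a non-zero exit code; by default dism
# and oscdimg just print an error and the script would carry on.
function Invoke-Step([string]$what, [scriptblock]$cmd) {
    Write-Host "==> $what"
    & $cmd
    if ($LASTEXITCODE -ne 0) { throw "$what failed (exit code $LASTEXITCODE)" }
}

if (-not (Test-Path $wmiCab)) { throw "WinPE-WMI.cab not found at $wmiCab" }
if (Test-Path $work) { throw "$work already exists; copype.cmd will not overwrite it" }

try {
    Invoke-Step "copype $arch"       { copype.cmd $arch $work }
    Invoke-Step "mount winpe.wim"    { dism /mount-wim "/wimfile:$wim" /index:1 "/mountdir:$mount" }
    Invoke-Step "add WinPE-WMI"      { dism "/image:$mount" /add-package "/packagepath:$wmiCab" }

    # Verify the package really landed before committing; this is the package
    # whose absence produces "Class not registered" from manage-bde.
    $packages = dism "/image:$mount" /get-packages
    if (-not ($packages -match "WinPE-WMI")) { throw "WinPE-WMI is not listed in the mounted image" }

    Invoke-Step "commit and unmount" { dism /unmount-wim "/mountdir:$mount" /commit }
    Copy-Item $wim (Join-Path $work "ISO\sources\boot.wim") -Force
    Invoke-Step "build ISO"          { oscdimg -n "-b$work\etfsboot.com" "$work\ISO" "$work\winpe_$arch.iso" }
    Write-Host "Done: $work\winpe_$arch.iso"
}
catch {
    Write-Warning $_
    # Discard the mount so the next attempt does not trip over a dirty mount
    # point; if even that fails, "dism /cleanup-wim" removes the stale record.
    if (Test-Path (Join-Path $mount "Windows")) {
        dism /unmount-wim "/mountdir:$mount" /discard | Out-Null
    }
}
```

<p>Change <code>$arch</code> to <code>amd64</code> for a 64-bit image; the WAIK ships the WinPE-WMI package for both architectures under the matching <code>WinPE_FPs</code> folder.</p>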
<h2>Unlock BitLocker with manage-bde</h2>
<p>Once you have booted Windows PE, you can unlock the BitLocker encrypted system drive with the 48-digit recovery password:</p>
<p><code>manage-bde -unlock c: -recoverypassword &lt;48-digit recovery password&gt;</code></p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_.png','',event,300,75)"><img style="margin: 0px; display: inline; border: 0px;" title="Unlock BitLocker Windows.PE" src="http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_thumb.png" alt="Unlock BitLocker Windows.PE" width="604" height="300" border="0" /></a></p>
<p>I assume here that you have stored all BitLocker recovery passwords either in Active Directory or in another safe place. Of course, without a recovery password (or another key protector), you can&#8217;t access a BitLocker encrypted drive from a second Windows installation. After all, that is the point of encrypting hard drives.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_.Recovery.Key_.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_.Recovery.Key_.png','',event,300,75)"><img style="margin: 0px; display: inline; border: 0px;" title="Unlock BitLocker Windows PE - Recovery Key" src="http://4sysops.com/wp-content/uploads/2011/01/Unlock.BitLocker.Windows.PE_.Recovery.Key_thumb.png" alt="Unlock BitLocker Windows PE - Recovery Key" width="604" height="244" border="0" /></a></p>
<p>Tip: Copy the recovery key file to your USB stick before you boot up. Then you can open the recovery key file with Notepad and paste the key on the command line.</p>
<p>Manage-bde also has the -recoverykey parameter, which reads an external key file (a .BEK file, the kind BitLocker writes when you save a recovery key to a USB drive) from a drive:</p>
<p><code>manage-bde -unlock c: -recoverykey &lt;path to .BEK key file&gt;</code></p>
<p>However, when I tried this option I only got this error message:</p>
<p><em>ERROR: An error occurred while attempting to read the key from disk.</em></p>
<p>I got the same error message under Windows 7, so I somehow think there is a bug involved because the recovery key worked fine. Please let me know if this option worked for you.</p>
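<p>As an added example (not part of the original post), the script below does the part of the job you would otherwise do by eye in Notepad: it pulls the 48-digit recovery password out of the saved recovery text file, checks it before you type it into manage-bde, and builds the unlock command line. The check works because each 6-digit group of a BitLocker recovery password is a 16-bit word multiplied by 11, so every group must be divisible by 11 and no larger than 65535 &#215; 11 = 720885; a single mistyped digit breaks that divisibility. Windows PE 3.0 has no PowerShell package, so run this on your workstation before you walk over with the stick. The sample file content and the password in it are constructed for the example.</p>

```powershell
# Added example, not from the 4sysops post. Run on a normal Windows 7 box
# (WinPE 3.0 has no PowerShell). Sample data below is constructed.

# Each group is word * 11 for a 16-bit word, so group % 11 == 0 and
# group <= 65535 * 11 = 720885. Any single wrong digit fails the test.
function Test-BitLockerRecoveryPassword([string]$password) {
    $groups = $password.Trim() -split "-"
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -gt 720885) { return $false }
    }
    return $true
}

# Pull the password out of the saved recovery text file (or anything you
# pasted from AD). Matches the digit pattern, so it does not depend on the
# file's labels or their language.
function Get-RecoveryPasswordFromText([string]$text) {
    $m = [regex]::Match($text, '\d{6}(-\d{6}){7}')
    if ($m.Success) { return $m.Value } else { return $null }
}

# Refuse to build a command line for a password that cannot be valid; in
# WinPE you would only get a generic failure from manage-bde.
function New-UnlockCommand([string]$driveLetter, [string]$password) {
    if (-not (Test-BitLockerRecoveryPassword $password)) {
        throw "Recovery password fails the check-digit test; re-check it before rebooting into WinPE"
    }
    return "manage-bde -unlock $driveLetter -recoverypassword $password"
}

# Constructed stand-in for the file BitLocker writes when you save the key;
# the identifier and password are made up (every group is a multiple of 11).
$sampleFile = @"
BitLocker Drive Encryption Recovery Key

Recovery key identification: 1A2B3C4D-5E6F-7A
BitLocker Recovery Key:
135795-000011-720885-000000-597531-045056-008547-330000
"@

$pw = Get-RecoveryPasswordFromText $sampleFile
New-UnlockCommand "C:" $pw
# A typo in the last group (330001 instead of 330000) is caught here:
Test-BitLockerRecoveryPassword "135795-000011-720885-000000-597531-045056-008547-330001"
```

<p>The first call prints the ready-to-type manage-bde line; the second returns False. Copy the text file to the stick as the post suggests, and you can at least be sure the key you are about to type is a well-formed one.</p>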
Author: Michael Pietroforte

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/unlock-bitlocker-under-windows-pe/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Seven reasons why you need BitLocker hard drive encryption for your whole organization</title>
		<link>http://4sysops.com/archives/seven-reasons-why-you-need-bitlocker-hard-drive-encryption-for-your-whole-organization/</link>
		<comments>http://4sysops.com/archives/seven-reasons-why-you-need-bitlocker-hard-drive-encryption-for-your-whole-organization/#comments</comments>
		<pubDate>Thu, 01 Apr 2010 17:22:03 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=4306</guid>
			<content:encoded><![CDATA[<p><a href="http://4sysops.com/wp-content/uploads/2010/04/TurnonBitLocker.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2010/04/TurnonBitLocker.png','',event,300,75)"><img style="margin: 0px 0px 0px 4px; display: inline; border: 0px;" title="Turn-on-BitLocker" src="http://4sysops.com/wp-content/uploads/2010/04/TurnonBitLocker_thumb.png" border="0" alt="Turn-on-BitLocker" width="287" height="336" align="right" /></a> Perhaps you believe your office is your well-protected castle. You think nobody can access your disks and, because you don&#8217;t have laptop users, you don&#8217;t need <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker disk encryption</a> in your organization. This post provides seven reasons why you are wrong. In my view, hard disk encryption is a must for all PCs in your organization. BitLocker alone justifies the deployment of Windows 7 Enterprise or Ultimate instead of Windows 7 Professional.</p>
<h2>1. Confidential data</h2>
<p>It is true that the most common use of BitLocker is to protect the data on stolen laptops. Since you are probably an IT pro, you know that anybody can access the data on an unencrypted disk without any password simply by booting from a second drive. Thus, disk encryption is the only practical way to protect the data on a stolen laptop. However, who says that the disks in your PCs or servers can&#8217;t be stolen? Did you ever wonder what a disgruntled employee could do with the easy-to-remove hot-plug hard disks in your servers? If you use RAID, you might not even notice the theft for a while. I suppose your organization keeps all your valuable printed documents in a safe. Do you have the same security precautions for your valuable digital data?</p>
<h2>2. System data</h2>
<p>Okay, you say you don&#8217;t have any confidential data in your organization. Let&#8217;s forget for a moment that this is probably only an excuse. But what about the security-relevant data that is stored on every system disk? Password hashes, for example. Once an attacker has physical access to one of your company&#8217;s system disks, a variety of ways to attack your whole network open up. Brute-force attacks on cached credentials are only one option. If the stolen computer is a domain member, an attacker can use the computer account&#8217;s trust relationship, whose secret sits on that same disk, to access other machines in your organization. However, if the disk is encrypted, the bad guy has little chance to compromise your network.</p>
<h2>3. Disk crashes</h2>
<p>You think all your disks are physically well protected? Read on. What do you do with a disk that crashed a year after you bought it? Right, you send it to the manufacturer so they can verify that the disk is really broken and that the warranty terms are met. Who knows, perhaps it&#8217;s only a malfunction of the electronics and they can even repair the drive. Now, do you really want to send an unencrypted disk with security-relevant data to people you don&#8217;t really know? The same applies if you have a support contract with your PC vendor under which damaged PCs are repaired or replaced with new ones. And you don&#8217;t really trust the nice guy from UPS who picks up the broken PCs, do you?</p>
<h2>4. Disk disposal</h2>
<p>For every hard drive comes the time when the last journey to the scrap yard becomes inevitable. I know, you are a conscientious admin and erase every disk thoroughly with a special <a href="http://4sysops.com/archives/free-active-kill-disk-hard-driver-eraser/">hard drive eraser tool</a>. Don&#8217;t blush now. You didn&#8217;t do that in the past? I know, disposing of a couple hundred PCs is work enough, and erasing just one big hard disk can take days. However, if all the disks in your organization are BitLocker encrypted, you can be a conscientious admin without erasing hard disks for weeks before you dispose of them. Just make sure the key does not leave together with the disk: a drive protected only by the TPM still unlocks when it boots in its own PC, so clear the TPM before a complete machine goes out the door.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2010/04/BitLockerGroupPolicy.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2010/04/BitLockerGroupPolicy.png','',event,300,75)"><img style="margin: 0px; display: inline; border: 0px;" title="BitLocker-Group-Policy" src="http://4sysops.com/wp-content/uploads/2010/04/BitLockerGroupPolicy_thumb.png" border="0" alt="BitLocker-Group-Policy" width="604" height="262" /></a></p>
<h2>5. Why not a third party drive encryption software?</h2>
<p>I hope I have convinced you by now that hard disk encryption is a must. BitLocker is certainly not the only encryption solution out there. A popular contender is TrueCrypt. I already outlined a few days ago why I am <a href="http://4sysops.com/archives/dont-use-truecrypt-drive-encryption-bitlocker-is-better/">not really a friend of TrueCrypt drive encryption</a>. Other encryption solutions exist, such as the one from <a href="http://www.pgp.com/products/wholediskencryption/">PGP</a>. However, I wouldn&#8217;t use third-party software for this purpose, because system drive encryption always requires tight integration with Windows. I could also tell you some stories about former versions of PGP drive encryption. With every Windows update you run the risk that your encryption software breaks and your PCs become unusable. The problems I had with TrueCrypt demonstrate how difficult it is to integrate drive encryption into Windows. Moreover, if you have more than 50 machines in your network, BitLocker is the best choice because of its good integration with Active Directory.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2010/04/BitLockerRecoveryAgent.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2010/04/BitLockerRecoveryAgent.png','',event,300,75)"><img style="margin: 0px; display: inline; border: 0px;" title="BitLocker-Recovery-Agent" src="http://4sysops.com/wp-content/uploads/2010/04/BitLockerRecoveryAgent_thumb.png" border="0" alt="BitLocker-Recovery-Agent" width="604" height="387" /></a></p>
<h2>6. Why not Encrypting File System (EFS)?</h2>
<p>Okay, no third-party encryption software. But what about the Encrypting File System (EFS)? It is perfectly integrated into Windows and, like BitLocker, it can be managed centrally. The advantage of EFS is that you don&#8217;t need Windows 7 Enterprise or Ultimate; you can deploy Windows 7 Professional instead. However, the problem with EFS is that it can&#8217;t encrypt the whole system drive. Therefore, EFS doesn&#8217;t address the concerns I outlined above. EFS is useful if you want to encrypt a couple of private files, but it is no option for encrypting a whole disk drive.</p>
<h2>7. Sleep well</h2>
<p>Okay, I admit it. I made this one up because I needed a seventh reason. All such blog posts about Windows 7 need seven reasons these days. But then, a good night&#8217;s sleep is so important. No more nightmares of your CEO&#8217;s computer with all the confidential data falling into the hands of a competitor. Isn&#8217;t that reason enough to deploy BitLocker? ;-)</p>
Author: Michael Pietroforte

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/seven-reasons-why-you-need-bitlocker-hard-drive-encryption-for-your-whole-organization/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Don&#8217;t use TrueCrypt drive encryption &#8211; BitLocker is better</title>
		<link>http://4sysops.com/archives/dont-use-truecrypt-drive-encryption-bitlocker-is-better/</link>
		<comments>http://4sysops.com/archives/dont-use-truecrypt-drive-encryption-bitlocker-is-better/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 19:30:36 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=4297</guid>
			<content:encoded><![CDATA[<p><a href="http://4sysops.com/wp-content/uploads/2010/03/BitLocker.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2010/03/BitLocker.png','',event,300,75)"><img style="margin: 0px 0px 0px 4px; display: inline; border-width: 0px;" title="BitLocker" src="http://4sysops.com/wp-content/uploads/2010/03/BitLocker_thumb.png" border="0" alt="BitLocker" width="354" height="264" align="right" /></a>I&#8217;ve been using TrueCrypt drive encryption for some time for my external hard drives. Some days ago, I moved to <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker</a> and I am quite happy with it. In this post I explain why. Please note that this comparison is about device-hosted encryption and not about <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">system drive encryption</a>.</p>
<h2>No system image backups</h2>
<p>The one thing I disliked most about TrueCrypt is that I couldn’t use my external drive for system image backups because the Windows 7 Backup and Restore applet no longer recognized this drive. You might say that this is not TrueCrypt&#8217;s fault. However, for me, it didn&#8217;t matter whose fault it was as I was just robbed from an important function of my external hard drive.</p>
<h2>No TPM support</h2>
<p>One of the advantages of BitLocker is that it supports the <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">Trusted Platform Module (TPM)</a> chip. This not only improves security significantly, but it also makes the use of encryption more convenient. Of course, you then need a computer with a TPM, but BitLocker also works without one. You might have read the news that a <a href="http://www.h-online.com/security/news/item/Hacker-extracts-crypto-key-from-TPM-chip-927077.html">TPM was cracked</a> recently. However, the procedure is extremely time consuming and can only be carried out by experts with physical access to the chip. When it comes to security, the mere existence of a vulnerability says little. What counts is who possesses the capabilities to crack a system and how much effort is necessary. The TPM significantly raises the bar for cracking an encrypted system, and TrueCrypt doesn&#8217;t reach this level of security.</p>
<h2>Password hassle</h2>
<p><a href="http://4sysops.com/wp-content/uploads/2010/03/TrueCryptAutomountDevices.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2010/03/TrueCryptAutomountDevices.png','',event,300,75)"><img style="margin: 0px 4px 0px 0px; display: inline; border-width: 0px;" title="TrueCrypt-Automount-Devices" src="http://4sysops.com/wp-content/uploads/2010/03/TrueCryptAutomountDevices_thumb.png" border="0" alt="TrueCrypt-Automount-Devices" width="300" height="260" align="left" /></a>Thanks to the TPM, you don&#8217;t have to type a password every time you connect the drive. Passwords are the weak point of any security mechanism. I don&#8217;t just have key loggers in mind; there are a myriad of ways to steal a password. This is what they teach hackers in elementary school. Password plus hardware token is the most secure way to protect your encrypted data. BitLocker also allows you to work without a password. This is still secure as long as you are the only one who can log on to your computer: auto-unlock stores the external drive&#8217;s key on the computer&#8217;s own encrypted system drive, so the external drive is exactly as well protected as that computer, and anyone who can boot it and log on can read the drive.</p>
<h2>Manual auto-mount</h2>
<p>I like this &#8220;Auto-mount device&#8221; button in TrueCrypt. I always thought &#8220;auto&#8221; meant that I don&#8217;t have to do it manually. Well, yes, only two clicks are required to &#8220;auto-mount&#8221; a TrueCrypt device. If these were the only clicks, I might just ignore this little hassle. BitLocker, of course, can &#8220;automatically auto-mount&#8221; encrypted volumes.</p>
<h2>&#8220;You need to format the disk&#8221;</h2>
<p>This is just a minor glitch; however, after a while it got on my nerves. Every time I plugged in the drive, Windows would welcome the new device with &#8220;You need to format the disk in drive F: before you can use it.&#8221; Perhaps there is a switch somewhere deep down in the Windows engine room that would allow me to turn off this unnerving popup message. But why didn&#8217;t the TrueCrypt developers do that for me?</p>
<p><a href="http://4sysops.com/wp-content/uploads/2010/03/Youneedtoformatthediskbeforeyoucanuseit.png"><img style="margin: 0px; display: inline; border-width: 0px;" title="You-need-to-format-the-disk-before-you-can-use-it" src="http://4sysops.com/wp-content/uploads/2010/03/Youneedtoformatthediskbeforeyoucanuseit_thumb.png" border="0" alt="You-need-to-format-the-disk-before-you-can-use-it" width="365" height="173" /></a></p>
<h2>Additional drive letter</h2>
<p>Another minor glitch: Windows Explorer always uses two drive letters for one disk, one for the TrueCrypt volume and one for the underlying disk that Windows is so eager to format. Since I often have quite a few drives connected (external, network, etc.), this is annoying because it is one more thing that can mess up your drive letter order. This is particularly true if you work with multiple TrueCrypt-encrypted drives, because it doubles the number of drive letters in use.</p>
<h2>Decrypting TrueCrypt</h2>
<p>This is not a minor glitch. At first, I didn&#8217;t believe it when I wasn&#8217;t able to find a decryption function in the TrueCrypt user interface. So I went to the TrueCrypt site to confirm that I was just too blind to see how to get rid of the encryption. I was happy when I finally found the <a href="http://www.truecrypt.org/docs/?s=removing-encryption">How to Remove Encryption</a> page. Happiness turned into anger when my blind eyes were shocked to read the instructions:</p>
<blockquote><p>Right-click the area representing the storage space of the encrypted device and select &#8216;New Partition&#8217; or &#8216;New Simple Volume&#8217;.</p></blockquote>
<p>So I decrypt a TrueCrypt volume by formatting it? Thank you very much for this brilliant tip. The suggestion to copy the data somewhere else before I format the disk is also exceptional. Unfortunately, the instructions offered no tip on where I could just park my 1.5 TB of data. I wonder why TrueCrypt offers decryption for system drives but not for simple data volumes.</p>
<p>I am still using TrueCrypt for file-hosted encryption. It is the best tool around for this purpose. I also prefer it for thumb drive encryption because <a href="http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/">BitLocker To Go</a> doesn&#8217;t support write access on Windows XP. But when it comes to device-hosted encryption, TrueCrypt is no match for BitLocker. This also applies to system drive encryption, which was <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">significantly improved in Windows 7</a>, especially because you can now start the encryption process without hassle after the system is installed. Together with TPM support and Active Directory integration, BitLocker is the more secure and the more powerful solution.</p>
<p>Just one final note for those of you who think that it is unfair to bash &#8220;free&#8221; software. No software is really free, because it costs time, and therefore money, to manage it. And the fact that TrueCrypt doesn&#8217;t support decryption cost me a lot of time. So I thought I should just warn others not to make the same mistake and use TrueCrypt for drive encryption.</p>
Author: Michael Pietroforte
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
	<br /><strong>Related</strong>
	<ul class="st-related-posts">
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-7-tips-and-troubleshooting/" title="Active Directory and BitLocker &#8211; Part 7: Tips and troubleshooting (November 16, 2011)">Active Directory and BitLocker &#8211; Part 7: Tips and troubleshooting</a> (0)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-6-view-recovery-information/" title="Active Directory and BitLocker &#8211; Part 6: View recovery information (November 14, 2011)">Active Directory and BitLocker &#8211; Part 6: View recovery information</a> (3)</li>
	<li><a href="http://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-5-bitlocker-to-go/" title="Active Directory and BitLocker &#8211; Part 5: BitLocker to Go (November 10, 2011)">Active Directory and BitLocker &#8211; Part 5: BitLocker to Go</a> (4)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-4-encrypting-hard-disks/" title="Active Directory and BitLocker &#8211; Part 4: Encrypting hard disks (November 8, 2011)">Active Directory and BitLocker &#8211; Part 4: Encrypting hard disks</a> (2)</li>
	<li><a href="http://4sysops.com/archives/active-directory-and-bitlocker-part-3-group-policy-settings/" title="Active Directory and BitLocker &#8211; Part 3: Group Policy settings (November 4, 2011)">Active Directory and BitLocker &#8211; Part 3: Group Policy settings</a> (0)</li>
</ul>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/dont-use-truecrypt-drive-encryption-bitlocker-is-better/feed/</wfw:commentRss>
		<slash:comments>44</slash:comments>
		</item>
		<item>
		<title>BitLocker vs. TrueCrypt &#8211; Performance benchmark on netbooks</title>
		<link>http://4sysops.com/archives/bitlocker-vs-truecrypt-performance-benchmark/</link>
		<comments>http://4sysops.com/archives/bitlocker-vs-truecrypt-performance-benchmark/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 21:50:09 +0000</pubDate>
		<dc:creator>Alexander Weiss</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=3744</guid>
		<description><![CDATA[<p>Last year, Intel introduced a new system platform called Atom<sup>TM</sup>, which consumes less power compared to standard CPUs and is highly integrated. A new type of PC was developed around this platform: the netbook. Although the Atom offers very little CPU power, certain advantages of the netbooks make them attractive to mobile home and business users alike: compact size, long-lasting battery charge, and low price.</p>
<p>Because netbooks are designed to be taken with you everywhere, their small size makes it easier for you to forget them and for criminals to steal them. A lost netbook containing sensitive data could be a real threat, particularly to enterprises whose very survival can depend on the security of their data.</p>
<p>The Enterprise and Ultimate editions of Windows 7 offer a comfortable way to encrypt your hard disk and protect your data, called <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker</a>. Encryption isn&#8217;t free, however, even with this tool—it needs CPU power. On common CPUs, you will barely notice a &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>Last year, Intel introduced a new system platform called Atom<sup>TM</sup>, which consumes less power compared to standard CPUs and is highly integrated. A new type of PC was developed around this platform: the netbook. Although the Atom offers very little CPU power, certain advantages of the netbooks make them attractive to mobile home and business users alike: compact size, long-lasting battery charge, and low price.</p>
<p>Because netbooks are designed to be taken with you everywhere, their small size makes it easier for you to forget them and for criminals to steal them. A lost netbook containing sensitive data could be a real threat, particularly to enterprises whose very survival can depend on the security of their data.</p>
<p>The Enterprise and Ultimate editions of Windows 7 offer a comfortable way to encrypt your hard disk and protect your data, called <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker</a>. Encryption isn&#8217;t free, however, even with this tool—it needs CPU power. On common CPUs, you will barely notice a difference in how fast the computer handles your daily work, whether your hard disk is encrypted or not. Atom computers, however, can barely cope with a slim Windows desktop, and as soon as several applications run at the same time the system feels slow. Enabling encryption cripples their performance further.</p>
<p>A few options exist to help you gain a little performance. You can set a Group Policy to change the default encryption algorithm from AES 128-bit with diffuser to AES 128-bit without diffuser, which gains a little performance at the expense of security. Installing more memory offers another boost, because data is only encrypted when it is written to the hard disk, and more memory means less paging. Neither option will increase performance significantly, though, but maybe another encryption tool will.</p>
<p>TrueCrypt, a free application that was <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">already discussed in a few posts</a>, offers <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">fewer options</a> than BitLocker regarding centralized management. Nonetheless, TrueCrypt is very popular because it is free and open source. For some security gurus, open source is the only way to implement secure encryption, because obfuscating code and not making it publicly available limits the number of people who can review and test the algorithm.</p>
<p>To decide whether it is worth switching to TrueCrypt, I ran some benchmarks on an Atom N260 netbook. For BitLocker, I chose three different encryption algorithms. For TrueCrypt, I chose only the fastest algorithm according to its built-in benchmark. Here are the results:</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/11/bitlocker_truecrypt_transfer_rate.gif"><img style="border-right-width: 0px;border-top-width: 0px;border-bottom-width: 0px;border-left-width: 0px" src="http://4sysops.com/wp-content/uploads/2009/11/bitlocker_truecrypt_transfer_rate_thumb.gif" border="0" alt="BitLocker TrueCrypt transfer rate" width="244" height="134" /></a> <a href="http://4sysops.com/wp-content/uploads/2009/11/bitlocker_truecrypt_performance_loss.gif"><img style="border-right-width: 0px;border-top-width: 0px;border-bottom-width: 0px;border-left-width: 0px" src="http://4sysops.com/wp-content/uploads/2009/11/bitlocker_truecrypt_performance_loss_thumb.gif" border="0" alt="BitLocker TrueCrypt performance loss" width="244" height="101" /></a></p>
<p>As you can see, TrueCrypt performs worse. The default BitLocker algorithm (AES 128-bit with diffuser) is 12% faster. If you use the same algorithm in BitLocker and TrueCrypt, BitLocker is even faster, by 14%. So switching to TrueCrypt in order to increase performance is a bad idea. But in TrueCrypt&#8217;s defense I have to say that the difference is hardly noticeable: running encryption on a netbook makes it slow whether BitLocker or TrueCrypt is used.</p>
Author: Alexander Weiss

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/bitlocker-vs-truecrypt-performance-benchmark/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>Review: Windows 7 BitLocker to Go &#8211; Part 2: Manageability</title>
		<link>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-manageability/</link>
		<comments>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-manageability/#comments</comments>
		<pubDate>Sat, 31 Jan 2009 00:45:32 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=2330</guid>
		<description><![CDATA[<p>In my last article I discussed the <a href="http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/">BitLocker to Go features from a user&#8217;s perspective</a>. Today I will take a closer look at the features that are of interest from a system administrator’s point of view.</p>
<p>I think it is important to have just one USB stick encryption solution in a corporate environment because it simplifies the work for help desk personnel. If an end user calls because he or she is unable to access the data on an encrypted memory stick, and you don&#8217;t even know what encryption software has been used, things can get difficult.</p>
<p>Because <strong>BitLocker is part of Windows</strong>, it is the first option to consider if you want to introduce an encryption solution for portable devices. The fact that BitLocker is tightly integrated into Windows makes its management easier. For example, its software doesn&#8217;t have to be installed separately and updates can be deployed via Windows Update or WSUS. Moreover, like any other &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>In my last article I discussed the <a href="http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/">BitLocker to Go features from a user&#8217;s perspective</a>. Today I will take a closer look at the features that are of interest from a system administrator’s point of view.</p>
<p>I think it is important to have just one USB stick encryption solution in a corporate environment because it simplifies the work for help desk personnel. If an end user calls because he or she is unable to access the data on an encrypted memory stick, and you don&#8217;t even know what encryption software has been used, things can get difficult.</p>
<p>Because <strong>BitLocker is part of Windows</strong>, it is the first option to consider if you want to introduce an encryption solution for portable devices. The fact that BitLocker is tightly integrated into Windows makes its management easier. For example, its software doesn&#8217;t have to be installed separately and updates can be deployed via Windows Update or WSUS. Moreover, like any other Windows component, BitLocker can be centrally configured through Group Policy.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogogrouppolicy.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-to-go-group-policy" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogogrouppolicy-thumb.png" border="0" alt="bitlocker-to-go-group-policy" width="154" height="96" align="right" /></a> There are quite a few <strong>new Group Policy settings</strong> in Windows 7 related to BitLocker. I will only discuss the most important ones in detail. Perhaps the most important feature is that BitLocker&#8217;s recovery methods are integrated into Active Directory. The main problem of any encryption technology is that a secret key is required. If this key or the password that protects it gets lost, the encrypted data is lost too. I think it is an even greater threat to your organization if you allow end users to encrypt data without having a disaster-recovery strategy. <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">TrueCrypt</a> supports data recovery, which is sufficient for private users and small companies. However, large corporations need a centrally manageable recovery procedure.</p>
<p>As in Windows Vista, BitLocker in Windows 7 supports the <strong>storage of recovery information in Active Directory</strong>. You can centrally store the recovery password and the key package of each user in AD DS. The key package contains the encryption key protected by one or more recovery passwords. Of course, this feature can be configured via Group Policy.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogodatarecoveryagent.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-to-go-data-recovery-agent" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogodatarecoveryagent-thumb.png" border="0" alt="bitlocker-to-go-data-recovery-agent" width="154" height="115" align="right" /></a> However, the interesting enhancement in Windows 7 is the support of a <strong>Data Recovery Agent (DRA).</strong> Unfortunately, I wasn&#8217;t able to try this feature because I couldn&#8217;t find any documentation about it. It is possible that this feature is not yet implemented in the current betas of Windows 7 and Windows Server 2008 R2, even though it can be enabled via Group Policy.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlocalsecuritypolicydra.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-Local-Security-Policy-DRA" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlocalsecuritypolicydra-thumb.png" border="0" alt="bitlocker-Local-Security-Policy-DRA" width="154" height="111" align="right" /></a> My guess is that DRA for BitLocker works similarly to the DRA feature of <strong>Encrypting File System (EFS)</strong>. In EFS there is a private master key that can be used to decrypt all EFS files in a Windows domain. This key is associated with the first domain controller&#8217;s administrator account. It can be exported via the Microsoft Management Console Certificates snap-in on the domain controller. If you import this key on a workstation, you can decrypt any EFS file with it (more precisely, the symmetric key that is used to encrypt the files). I wasn&#8217;t able to find a corresponding certificate for BitLocker on a Windows Server 2008 R2 domain controller; however, the Local Security Policy editor in Windows 7 has a special folder for the BitLocker certificate, right below the corresponding EFS folder. It is used to configure the Data Recovery Agent. This indicates that BitLocker&#8217;s recovery procedure is probably similar to the one for EFS. If you know more about the BitLocker DRA, it would be greatly appreciated if you shared your knowledge.</p>
<p>The <strong>advantage of DRA</strong> over storing recovery information in AD separately for each user is obvious. It saves space in AD and makes the disaster-recovery procedure much easier. Of course, the availability of such a master key poses a security risk, because if the private key falls into the wrong hands, it can be used to decrypt everything in an organization.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerfixeddrivedatarecoveryagent.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-fixed-drive-data-recovery-agent" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerfixeddrivedatarecoveryagent-thumb.png" border="0" alt="bitlocker-fixed-drive-data-recovery-agent" width="152" height="96" align="right" /></a> DRA can be enabled separately for BitLocker-protected operating system drives and removable data drives. I am not sure whether this means that there are two separate master keys. I believe, though, that DRA will mostly be used for <strong>BitLocker to Go</strong>. Almost everyone uses a USB stick to transport data, but comparatively fewer end users have business laptops. Dealing with end users who have forgotten their BitLocker to Go password will be part of the system administrator course once Windows 7 is ubiquitous.</p>
<p>It would be useful if the <strong>user&#8217;s domain password</strong> were automatically used to protect flash drives. It works with EFS, so it should be doable for BitLocker as well. One more password for end users means a lot more work for administrators.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogodenywriteaccess.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-to-go-deny-write-access" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogodenywriteaccess-thumb.png" border="0" alt="bitlocker-to-go-deny-write-access" width="137" height="96" align="right" /></a> This will be particularly true if your organization decides to make use of another new feature of BitLocker—the ability to <strong>mandate encryption prior to granting write access</strong> to a portable data device. If this policy is enabled, users will see a pop-up window whenever they insert an unencrypted portable data drive that gives them the option to encrypt the device or to open it without write access.</p>
<p>The corresponding Group Policy offers another interesting option. Administrators can <strong>deny write access to BitLocker devices</strong> that have been configured in another organization. The main purpose of this is to enforce the policies of your own organization, such as password complexity requirements or the supported recovery methods.</p>
<p>My first thought was that this feature would help <strong>prevent data theft</strong>. However, as long as end users have write access to USB sticks, they can take confidential data outside an organization even if BitLocker to Go is mandatory. What is missing here is a feature that prevents the use of BitLocker-encrypted flash drives in another organization. Public key cryptography would make such a feature possible. Perhaps the next BitLocker version will support this option.</p>
<p><strong>All in all</strong>, I think that BitLocker to Go is an interesting enhancement in Windows 7 for large organizations. Because of its limited support for Windows Vista and Windows XP, however, I recommend using TrueCrypt instead of BitLocker in small organizations. I wonder if this is the reason BitLocker is only available for Windows 7 Ultimate and Windows 7 Enterprise.</p>
Author: Michael Pietroforte

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-manageability/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
	
		<series:name><![CDATA[Windows 7 Bitlocker]]></series:name>
	</item>
		<item>
		<title>Review: Windows 7 BitLocker to Go &#8211; Part 1: Usability</title>
		<link>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/</link>
		<comments>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/#comments</comments>
		<pubDate>Thu, 29 Jan 2009 19:00:16 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=2318</guid>
		<description><![CDATA[<p>BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker for fixed-drive encryption</a>, which I reviewed in my last article. Portable drives get lost much more easily simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption1.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-drive-encryption" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption-thumb1.png" border="0" alt="bitlocker-drive-encryption" width="154" height="116" align="right" /></a>Of course, <strong>flash drive encryption</strong> isn&#8217;t anything new. Many portable storage devices come with their own encryption software, and there are also free tools such as <a href="http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/">TrueCrypt that support USB stick encryption</a>. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user&#8217;s perspective. In my next post, I will cover the <a href="http://4sysops.com/archives/review-windows-7-bitlocker-to-go-manageability/">management features</a>.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsexplorer.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-windows-explorer" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsexplorer-thumb.png" border="0" alt="bitlocker-windows-explorer" width="154" height="143" align="right" /></a> An important <strong>argument for BitLocker to Go</strong> is that it &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than <a href="http://4sysops.com/archives/review-windows-7-bitlocker/">BitLocker for fixed-drive encryption</a>, which I reviewed in my last article. Portable drives get lost much more easily simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption1.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-drive-encryption" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption-thumb1.png" border="0" alt="bitlocker-drive-encryption" width="154" height="116" align="right" /></a>Of course, <strong>flash drive encryption</strong> isn&#8217;t anything new. Many portable storage devices come with their own encryption software, and there are also free tools such as <a href="http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/">TrueCrypt that support USB stick encryption</a>. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user&#8217;s perspective. In my next post, I will cover the <a href="http://4sysops.com/archives/review-windows-7-bitlocker-to-go-manageability/">management features</a>.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsexplorer.png"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-windows-explorer" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsexplorer-thumb.png" border="0" alt="bitlocker-windows-explorer" width="154" height="143" align="right" /></a> An important <strong>argument for BitLocker to Go</strong> is that it is integrated into Windows 7, which simplifies its use. The BitLocker applet in the Control Panel displays all connected USB sticks. You can also turn on BitLocker to Go in Windows Explorer through the context menu of the memory stick. Before Windows can encrypt the flash drive, you have to choose a password or a smart card that will be required later to unlock the device.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogorecoverypassword.png"><img style="display: inline; margin: 4px 4px 0px 0px; border-width: 0px;" title="bitlocker-to-go-recovery-password" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogorecoverypassword-thumb.png" border="0" alt="bitlocker-to-go-recovery-password" width="154" height="128" align="left" /></a> Furthermore, you can store a <strong>48-digit recovery key</strong> in a file. It is also possible to print the key. The recovery key is needed if you forget your password or lose your smart card. If you click on &#8220;I forgot my password&#8221; when BitLocker prompts you to enter the password to unlock the flash drive, you can either type the recovery key or load it from another flash drive. The second option was grayed out when I tried this feature. I didn&#8217;t find a Group Policy setting to enable it, so perhaps it is not yet implemented in Windows 7 Beta 1.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogomanage.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockertogomanage.png','',event,300,75)"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-to-go-manage" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockertogomanage-thumb.png" border="0" alt="bitlocker-to-go-manage" width="154" height="159" align="right" /></a>Encryption takes a couple of seconds for 100 MB. <strong>The speed</strong> certainly depends on the capabilities of the stick. Once it is encrypted, you can launch the BitLocker management tool from the context menu, where you can change the password, remove the password, add a smart card (which is necessary if you remove the password), save the recovery key again, and enable automatic unlocking of the memory stick. Decrypting a portable drive is only possible through the Control Panel applet.</p>
<p><strong>What I dislike</strong> about BitLocker to Go is that you have to encrypt the entire memory stick. I prefer to have an unencrypted section for files that need no protection. I always feel a little uncomfortable when I enter a password on other people’s computers because there might be a key logger running in the background. Thus, I want to use my password only if I really need access to confidential data. Of course, you can always bring a second unencrypted flash drive with you for this purpose. However, this is just another device that can get lost or forgotten.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsxp.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsxp.png','',event,300,75)"><img style="display: inline; margin: 0px 0px 0px 4px; border-width: 0px;" title="bitlocker-windows-xp" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerwindowsxp-thumb.png" border="0" alt="bitlocker-windows-xp" width="154" height="124" align="right" /></a> A more <strong>severe downside</strong> of BitLocker to Go is that it is not possible to write to encrypted USB sticks on Windows Vista and Windows XP. Moreover, read access is quite cumbersome. It is not possible to directly open a file in Windows Explorer. After you enter the BitLocker password on Vista or XP, a window pops up where you have to choose which file you want to copy to the desktop.</p>
<p>I must admit I don&#8217;t understand <strong>why</strong> this procedure is necessary. The BitLocker to Go application is on the USB stick. Hence, it should be possible to allow direct read and write access. Some features, such as the integration in Windows Explorer or the control via Group Policy, can only work if certain components are available on the desktop. However, it would have been possible to install these at the same time as the USB stick is inserted. Other flash drive encryption solutions can be used on any Windows version. Considering that the point of a portable device is to use it on multiple machines, it certainly is an important shortcoming of BitLocker to Go that its full functionality is only available on Windows 7. I hope that Microsoft will at least offer updates for Vista and XP that will offset this downside.</p>
<p>Even though BitLocker to Go has some disadvantages from the end user&#8217;s perspective, I believe it is a <strong>good choice in corporate environments</strong> because it can be managed centrally. This will be the topic of my next post.</p>
Author: Michael Pietroforte
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/review-windows-7-bitlocker-to-go-part-1-usability/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<series:name><![CDATA[Windows 7 Bitlocker]]></series:name>
	</item>
		<item>
		<title>Windows 7 BitLocker Review</title>
		<link>http://4sysops.com/archives/review-windows-7-bitlocker/</link>
		<comments>http://4sysops.com/archives/review-windows-7-bitlocker/#comments</comments>
		<pubDate>Wed, 28 Jan 2009 23:40:18 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[bitlocker]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[windows 7]]></category>

		<guid isPermaLink="false">http://4sysops.com/?p=2306</guid>
		<description><![CDATA[This article reviews Windows 7 BitLocker and BitLocker to Go in detail and gives tips how to install and configure BitLocker.]]></description>
			<content:encoded><![CDATA[<p><strong><i>This article reviews Windows 7 BitLocker and BitLocker to Go in detail and gives tips how to install and configure BitLocker.</i></strong></p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlogo.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockerlogo.png','',event,300,75)"><img style="display: inline; margin: 0px; border-width: 0px;" title="bitlocker-logo" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlogo-thumb.png" border="0" alt="bitlocker-logo" width="61" height="47" align="left" /></a> BitLocker was introduced with Windows Vista and, as far as I know, it was not very popular. This might be because it is available only for Windows Vista Ultimate and Windows Vista Enterprise. But the main reason probably is that it is complicated to set up. I <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">compared BitLocker to TrueCrypt</a> a year ago and concluded that the Open Source tool is the better drive encryption solution. BitLocker in Windows 7, however, has significantly improved. In this article I discuss BitLocker&#8217;s system drive encryption, and in my next post I will review BitLocker-to-Go, the new encryption solution for removable storage devices.</p>
<p><strong>BitLocker for Vista</strong> was too complicated to set up once the operating system was installed. Users had to shrink the system partition to make <a href="http://msinfluentials.com/blogs/jesper/archive/2006/09/27/So_2C00_-you-want-to-BitLocker-an-existing-computer_3F00_.aspx">space for the BitLocker partition</a>. Microsoft acknowledged that this was too difficult for end users, and too time-consuming for administrators, and released the <a href="http://support.microsoft.com/kb/933246/en-us">BitLocker Drive Preparation Tool</a>, which is part of the Ultimate Extras and is also available for Windows Vista Enterprise.</p>
<p><strong><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption.png','',event,300,75)"><img style="display: inline; margin: 0px 0px 0px 4px; border: 0px;" title="bitlocker-drive-encryption" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerdriveencryption-thumb.png" border="0" alt="bitlocker-drive-encryption" width="125" height="95" align="right" /></a></strong> <strong>BitLocker drive preparation</strong> is now integrated into Windows 7. It greatly simplifies the encryption of a system drive. BitLocker can be found under System and Security in the Control Panel. Basically, you only have to turn on BitLocker, and the Drive Preparation Tool does the rest. This works, however, only if the computer has a <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM</a> (Trusted Platform Module). If not, the encryption key can also be stored on a USB stick.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlocalgrouppolicyeditor.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockerlocalgrouppolicyeditor.png','',event,300,75)"><img style="display: inline; margin: 0px 4px 0px 0px; border: 0px;" title="bitlocker-local-group-policy-editor" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockerlocalgrouppolicyeditor-thumb.png" border="0" alt="bitlocker-local-group-policy-editor" width="154" height="84" align="left" /></a> But <strong>USB stick support</strong> has to be enabled before it can be used. Unfortunately, this can&#8217;t be done via the Control Panel; it has to be enabled through Group Policy or the Local Group Policy Editor (type gpedit.msc at Start Search). I am sure this will confuse many people. The setting&#8217;s location has changed slightly in Windows 7: &#8220;Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Operating System Drives | BitLocker Drive Encryption -&gt; Require Additional Authentication at Startup&#8221;. Please note that there are two independent settings, one for Windows 7 and one for Server 2008/Vista.</p>
<p>Once you have allowed BitLocker without TPM, the wizard in the BitLocker Drive Preparation will let you store the <strong>Startup Key</strong> on a USB flash drive. It also allows you to save a <strong>Recovery Key</strong>, which you will need if you have lost your USB stick. You will then be asked whether you want to run a <strong>BitLocker System Check</strong>. If you agree, your computer will be restarted to check whether the USB device is available during the boot-up process. Note that this usually doesn&#8217;t work if you try it in a virtual environment. But there are workarounds (<a href="http://communities.vmware.com/message/721576;jsessionid=53F5C3A4921CE01D51353BF49684D5F6">VMware Workstation</a>, <a href="http://blogs.msdn.com/virtual_pc_guy/archive/2008/01/23/using-bitlocker-under-virtual-pc-virtual-server.aspx">Virtual PC</a>). These posts were written for Vista, but they should work for Windows 7 also.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitlockervolume.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitlockervolume.png','',event,300,75)"><img style="display: inline; margin: 0px 0px 0px 4px; border: 0px;" title="bitlocker-volume" src="http://4sysops.com/wp-content/uploads/2009/01/bitlockervolume-thumb.png" border="0" alt="bitlocker-volume" width="154" height="75" align="right" /></a>BitLocker preparation works differently in Windows 7 than in Vista because the <strong>BitLocker partition</strong> is already available. I am not sure if Windows 7 setup will also create it in editions that don&#8217;t support BitLocker. As with Vista, BitLocker will be supported only in the Ultimate and Enterprise editions. The BitLocker partition is 200 MB (400 MB if <a href="http://en.wikipedia.org/wiki/WinRE">WinRE</a> (Windows Recovery Environment) is installed). Unlike in Vista, it has no drive letter and is hidden, which makes sense. You can see it in Disk Management, though. According to Microsoft, upgrades from Vista to Windows 7 are possible if BitLocker is enabled.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2009/01/bitllockerbootup.png" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2009/01/bitllockerbootup.png','',event,300,75)"><img style="display: inline; margin: 0px 0px 0px 4px; border: 0px;" title="bitllocker-boot-up" src="http://4sysops.com/wp-content/uploads/2009/01/bitllockerbootup-thumb.png" border="0" alt="bitllocker-boot-up" width="154" height="95" align="right" /></a> The <strong>encryption process</strong> seemed quite fast to me but, because I was testing in a virtual environment, that might not mean much. For 1 GB, BitLocker took approximately 30 seconds. Once the system drive is encrypted, you can boot up Windows 7 only if the USB stick (and/or the TPM) is present. If you have lost the USB drive, you will require the Recovery Key or the Recovery Password.</p>
<p>Windows 7 chooses the <strong>Recovery Password</strong>, which has 48 digits. So it is not really a viable alternative to the TPM or the USB stick. I <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">prefer TrueCrypt</a> here; it allows you to choose a memorable passphrase and it doesn&#8217;t require special hardware for it. This might not be as secure as BitLocker&#8217;s method, but I think it is secure enough if you don&#8217;t happen to be a CIA agent. If you forget the USB stick or the Recovery Key at your office before a trip, your laptop will be useful only as ballast for your luggage. Note that for system drives, you can use a PIN instead of a USB stick only if your computer is equipped with a TPM. Unlocking a fixed drive with a password works only for volumes other than the operating system volume.</p>
<p>However, BitLocker has two important <strong>advantages over TrueCrypt</strong>. It can be centrally managed through Group Policy, and it allows you to store the Recovery Key and the Recovery Password in Active Directory. BitLocker has quite a few new Group Policy settings compared to Vista, mostly because of the new features such as BitLocker-to-Go. Vista also supports Active Directory integration, but Windows 7 has an important new recovery option, the Data Recovery Agent. I will write more about this feature in my next post about BitLocker-to-Go, because I think this feature will be used more often for portable devices.</p>
Author: Michael Pietroforte

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/review-windows-7-bitlocker/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
	
		<series:name><![CDATA[Windows 7 Bitlocker]]></series:name>
	</item>
		<item>
		<title>How not to encrypt a USB memory stick</title>
		<link>http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/</link>
		<comments>http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/#comments</comments>
		<pubDate>Tue, 26 Feb 2008 20:14:18 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hardware]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/</guid>
		<description><![CDATA[<p>Josh from the InfiniteAdmin blog has an interesting post about <a href="http://infiniteadmin.com/index.php/solid-state-disks-ssd-and-encryption/">solid state disk (SSD) encryption</a>. He raised doubts that <strong>drive encryption</strong> tools such as <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">TrueCrypt</a> are <strong>secure enough</strong> if applied to <strong>SSDs</strong>. Like memory sticks, SSDs are flash drives that usually work with NAND technology. Therefore, these concerns also apply to USB sticks.</p>
<p>Do you recommend that your users encrypt their memory sticks? I hope so. Even if you don&#8217;t have confidential data on your stick now, can you guarantee that this will still be the case in the future? So, better make sure now that <strong>a lost thumb drive </strong>won&#8217;t compromise your company.</p>
<p>If you are a security-conscious admin, you might have recommended unknowingly an insecure encryption method in the past. Crypto tools that are good enough for conventional magnetic drives cannot always provide the same level of security for flash drives. The problem with flash memory is that it has a relatively short lifespan. To remedy this downside the so-called <strong>wear-leveling </strong>&#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>Josh from the InfiniteAdmin blog has an interesting post about <a href="http://infiniteadmin.com/index.php/solid-state-disks-ssd-and-encryption/">solid state disk (SSD) encryption</a>. He raised doubts that <strong>drive encryption</strong> tools such as <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">TrueCrypt</a> are <strong>secure enough</strong> if applied to <strong>SSDs</strong>. Like memory sticks, SSDs are flash drives that usually work with NAND technology. Therefore, these concerns also apply to USB sticks.</p>
<p>Do you recommend that your users encrypt their memory sticks? I hope so. Even if you don&#8217;t have confidential data on your stick now, can you guarantee that this will still be the case in the future? So, better make sure now that <strong>a lost thumb drive </strong>won&#8217;t compromise your company.</p>
<p>If you are a security-conscious admin, you might have unknowingly recommended an insecure encryption method in the past. Crypto tools that are good enough for conventional magnetic drives cannot always provide the same level of security for flash drives. The problem with flash memory is that it has a relatively short lifespan. To remedy this downside, the so-called <strong>wear-leveling technique</strong> is used to prolong a flash drive&#8217;s service life. Please check out my article about the <a href="http://4sysops.com/archives/usb-memory-stick-lifespan-the-different-service-lives-of-slc-and-mlc-flash-drives/">lifespan of flash memory</a> for more information.</p>
<p>Wear-leveling algorithms use different techniques. What is important here is that a certain piece of data is not always stored at the same physical location; it is this remapping that reduces the wear-and-tear on individual memory cells. The point now is that if you encrypt data on flash memory, <strong>you can&#8217;t be sure that all cells that contain data in the clear are really wiped out</strong>, because the operating system is not aware of all the locations where the data has been stored before.</p>
<p>A solution to this problem <strong>is not to store cleartext on a flash drive</strong> in the first place. If you want to work with full disk encryption, you should <strong>encrypt</strong> the memory stick <strong>before you store any confidential data</strong> on it. An even better way is to <strong>encrypt data on your hard disk first</strong>. An advantage is that the encryption process is faster. If you use <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">TrueCrypt, for example</a>, you can create an encrypted volume first, and then copy this file, which contains all your encrypted files, to your USB stick. This also allows you to <a href="http://4sysops.com/archives/how-to-secure-and-automatically-backup-your-usb-memory-stick/">back up the flash drive</a> easily.</p>
Author: Michael Pietroforte

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/how-not-to-encrypt-a-usb-memory-stick/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>System drive encryption: TrueCrypt 5 vs. Bitlocker</title>
		<link>http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/</link>
		<comments>http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/#comments</comments>
		<pubDate>Thu, 14 Feb 2008 19:31:16 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/</guid>
		<description><![CDATA[<p><a href="http://www.truecrypt.org/" title="TrueCrypt"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt.png" alt="TrueCrypt" align="left" /></a><a href="http://www.truecrypt.org/">TrueCrypt 5</a> has been available for a few days now. Today, I found time to have a look at the new version of my favorite <strong>free encryption tool</strong>. The most noteworthy new feature certainly is its ability to <strong>encrypt system drives/partitions</strong>. Until now, TrueCrypt was only an alternative to the Encrypting File System (EFS) under Windows. Now, TrueCrypt 5 also competes with Vista&#8217;s <a href="http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true">Bitlocker</a>. In this post, I explore the pros and cons of both crypto tools.</p>
<p>If you don&#8217;t know TrueCrypt yet, I recommend reading my <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">review of TrueCrypt 4</a> first so you will get a general idea about the tool. As far as I can see, everything I said there is still valid for TrueCrypt 5.0. Today, I will only <strong>focus on the system partition encryption feature</strong>.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.png" title="TrueCrypt 5" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.png','TrueCrypt 5',event,300,75)"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.thumbnail.png" alt="TrueCrypt 5" align="right" height="145" width="172" /></a><strong>Encrypting the hard disk</strong> makes sense on any computer that is prone to getting into the wrong hands. This applies especially to <strong>laptops and computers in public places</strong>. &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.truecrypt.org/" title="TrueCrypt"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt.png" alt="TrueCrypt" align="left" /></a><a href="http://www.truecrypt.org/">TrueCrypt 5</a> has been available for a few days now. Today, I found time to have a look at the new version of my favorite <strong>free encryption tool</strong>. The most noteworthy new feature certainly is its ability to <strong>encrypt system drives/partitions</strong>. Until now, TrueCrypt was only an alternative to the Encrypting File System (EFS) under Windows. Now, TrueCrypt 5 also competes with Vista&#8217;s <a href="http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true">Bitlocker</a>. In this post, I explore the pros and cons of both crypto tools.</p>
<p>If you don&#8217;t know TrueCrypt yet, I recommend reading my <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">review of TrueCrypt 4</a> first so you will get a general idea about the tool. As far as I can see, everything I said there is still valid for TrueCrypt 5.0. Today, I will only <strong>focus on the system partition encryption feature</strong>.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.png" title="TrueCrypt 5" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.png','TrueCrypt 5',event,300,75)"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt_5.thumbnail.png" alt="TrueCrypt 5" align="right" height="145" width="172" /></a><strong>Encrypting the hard disk</strong> makes sense on any computer that is prone to getting into the wrong hands. This applies especially to <strong>laptops and computers in public places</strong>. Vista&#8217;s Bitlocker is a solution to this problem provided you have <strong>Vista Enterprise or Ultimate</strong>. TrueCrypt 5 is another option and it not only works on every Vista edition it also supports <strong>Windows XP/2000/2003</strong>.</p>
<p>Encrypting a system partition with <strong>Truecrypt 5 is super simple</strong>. A wizard guides you to a process offering detailed information for every step. When I tested this feature, I didn&#8217;t need any documentation. This is not the case with Bitlocker. It is <strong>highly recommended to read the Bitlocker documentation</strong> first in order to understand all its options. The <a href="http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx">installations process</a> is certainly more complex. The fact that Bitlocker requires <strong>two partitions</strong> illustrates this. If you installed Vista without configuring it first for Bitlocker you already have a problem. TrueCrypt, on the other hand, allows you to encrypt your system drive without hassle after you installed the OS. Actually, there is no other way for TrueCrypt, anyway.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2008/02/truecrypt5_preboot.png" title="TrueCrypt pre-boot" onclick="return enlarge('http://4sysops.com/wp-content/plugins/zap_imgpop/','http://4sysops.com/wp-content/uploads/2008/02/truecrypt5_preboot.png','TrueCrypt pre-boot',event,300,75)"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt5_preboot.thumbnail.png" alt="TrueCrypt pre-boot" align="right" height="54" width="201" /></a>After TrueCrypt has encrypted your system drive, you won&#8217;t realize any difference at first. That is, encryption and decryption works in the background and you <strong>shouldn&#8217;t realize any performance loss</strong>. However, when you <strong>boot-up</strong> the next time, you will make out the difference. Before the OS is loaded you have to enter your <strong>TrueCrypt password</strong>. Bitlocker works similarly, but has more options to offer here. Instead of entering the so-called <strong>pre-boot PIN</strong> you can also insert a <strong>USB device that contains the start-up key</strong>. And if your computer has a <a href="http://en.wikipedia.org/wiki/Trusted_Platform_Module">TPM chip</a> (Trusted Platform Module), you can logon to Vista as usual, i.e. you don&#8217;t need a pre-boot PIN or a USB device with the start-up key. TrueCrypt doesn&#8217;t support TPM.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2008/02/truecrypt5_repair.png" title="TrueCrypt repair"><img src="http://4sysops.com/wp-content/uploads/2008/02/truecrypt5_repair.thumbnail.png" alt="TrueCrypt repair" align="left" height="54" width="169" /></a>Bitlocker has other features that TrueCrypt lacks. If you <strong>lose your TrueCrypt password</strong>, you&#8217;ll be lost, too. TrueCrypt creates an ISO file for a <strong>Rescue disc</strong> during the configuration process, but this CD will only be of help if the TrueCrypt boot loader was damaged or if you want to decrypt your system drive. However, without the correct password, you won&#8217;t get very far. (Please also read the <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/#comment-50824">comments</a> below about this topic.) Bitlocker allows you to store the <strong>recovery password on one or more USB devices</strong>, and it is even possible to store recovery information in <strong>Active Directory</strong>. Of course, you can save the password manually in a safe place with TrueCrypt, too. As long as you have to do this for one or two computers only, it is not a big deal. But big enterprises will probably go for Bitlocker.</p>
<p>So <strong>Bitlocker&#8217;s</strong> biggest advantages are its <strong>TPM</strong> support and its sophisticated <strong>recovery options</strong>. <strong>TrueCrypt</strong> is much <strong>easier</strong> to handle and practically needs no preparation. Hence, if you don&#8217;t have much time to read the Bitlocker documentation and have just a couple of users who want to be sure that nobody gets access to the data on a lost laptop, TrueCrypt is the better choice.</p>
Author: Michael Pietroforte
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>Truecrypt 4.3 now supports Vista &#8211; better than Bitlocker or EFS</title>
		<link>http://4sysops.com/archives/truecrypt-43-now-supports-vista-better-than-bitlocker-or-efs/</link>
		<comments>http://4sysops.com/archives/truecrypt-43-now-supports-vista-better-than-bitlocker-or-efs/#comments</comments>
		<pubDate>Thu, 19 Apr 2007 09:55:27 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/truecrypt-43-now-supports-vista-better-than-bitlocker-or-efs/</guid>
		<description><![CDATA[<p>There has been a lot of media coverage about <strong>Bitlocker</strong> recently. It is supposed to be a solution for laptop users who want to <strong>encrypt their whole hard disks under Vista</strong>. You can&#8217;t encrypt your whole system partition with <a href="http://www.truecrypt.org/">Truecrypt</a>, but, in my view, it is a <strong>much better solution</strong> if you want to secure confidential data.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>
<p>I&#8217;ve read several instructions on how to install <strong>Bitlocker</strong> (print), and it always seemed to be quite complicated to me. If you make a mistake, you might not be able to boot up again. If you plan to deploy Vista on your laptop fleet with Bitlocker, you should be prepared to take some time until you fully understand how Bitlocker works.</p>
<p>I remember well when <strong>EFS (Encrypting File System)</strong> was first introduced with Windows 2000. It had so many problems in the beginning, and it even was possible to crack it. &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of media coverage about <strong>Bitlocker</strong> recently. It is supposed to be a solution for laptop users who want to <strong>encrypt their whole hard disks under Vista</strong>. You can&#8217;t encrypt your whole system partition with <a href="http://www.truecrypt.org/">Truecrypt</a>, but, in my view, it is a <strong>much better solution</strong> if you want to secure confidential data.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>
<p>I&#8217;ve read several instructions on how to install <strong>Bitlocker</strong> (print), and it always seemed to be quite complicated to me. If you make a mistake, you might not be able to boot up again. If you plan to deploy Vista on your laptop fleet with Bitlocker, you should be prepared to take some time until you fully understand how Bitlocker works.</p>
<p>I remember well when <strong>EFS (Encrypting File System)</strong> was first introduced with Windows 2000. It had so many problems in the beginning, and it was even possible to crack it. That&#8217;s why I wouldn&#8217;t trust Bitlocker. It is new, and I am sure it contains bugs.</p>
<p>In Windows XP, and probably also in Vista, <strong>EFS</strong> is more reliable, but it still has some <strong>shortcomings</strong>. If someone gets access to the hard disk, he can at least read the file names. So he can guess what kind of data you encrypted. I also think that the handling of the encryption key is too complicated. Another problem is that all encrypted data is always accessible after the user has logged on. Essentially, this means that malware started by this user also has access to this data. The last issue also applies to Bitlocker.</p>
<p><strong>Truecrypt</strong> doesn&#8217;t have these shortcomings and it is much easier to handle in my view. Most importantly, you only mount a volume when you really need access to the confidential data. Since it is a free tool, it will only cost you time to download it. I <a href="/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">reviewed Truecrypt</a> a while ago, so I won&#8217;t describe it again. The major new feature of version 4.3 certainly is that it officially supports Vista now.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/truecrypt-43-now-supports-vista-better-than-bitlocker-or-efs/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Infinite Password Generator: one Password is enough</title>
		<link>http://4sysops.com/archives/infinite-password-generator-one-password-is-enough/</link>
		<comments>http://4sysops.com/archives/infinite-password-generator-one-password-is-enough/#comments</comments>
		<pubDate>Wed, 21 Jun 2006 20:32:55 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password management]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/infinite-password-generator-one-password-is-enough/</guid>
		<description><![CDATA[<p>How many passwords do you use? I&#8217;ve already given up counting mine. The list just keeps getting longer and longer, since I use a new password for every application or web site. (I hope you do this too.) Of course, it&#8217;s hard to remember all of them. So I save them in an encrypted file using <a href="http://4sysops.com/archives/steganos-locknote-password-saver-and-more/" target="_blank">Locknote</a>. <a href="http://www.download.com/Infinite-Password-Generator/3000-2380_4-10538737.html" target="_blank">Infinite Password Generator</a> offers another solution for this password problem. Instead of saving your passwords with a password manager, you generate the password each time you need it. Sounds strange, but it works.</p>
<p>Infinite Password Generator creates a password using the MD5 hash algorithm. All you need is a master password and a keyword. The keyword should be easy to remember, a term that you associate with the corresponding account. For example, for your Google mail account, you could use &#8220;Gmail&#8221;. The generated password can&#8217;t be guessed by an attacker. If you forget the password, all you have to do, is to &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>How many passwords do you use? I&#8217;ve already given up counting mine. The list just keeps getting longer and longer, since I use a new password for every application or web site. (I hope you do this too.) Of course, it&#8217;s hard to remember all of them. So I save them in an encrypted file using <a href="http://4sysops.com/archives/steganos-locknote-password-saver-and-more/" target="_blank">Locknote</a>. <a href="http://www.download.com/Infinite-Password-Generator/3000-2380_4-10538737.html" target="_blank">Infinite Password Generator</a> offers another solution for this password problem. Instead of saving your passwords with a password manager, you generate the password each time you need it. Sounds strange, but it works.</p>
<p>Infinite Password Generator creates a password using the MD5 hash algorithm. All you need is a master password and a keyword. The keyword should be easy to remember, a term that you associate with the corresponding account. For example, for your Google mail account, you could use &#8220;Gmail&#8221;. The generated password can&#8217;t be guessed by an attacker. If you forget the password, all you have to do is generate it again using the master password and the keyword. The MD5 algorithm ensures that the generated password will always be the same.</p>
<p align="center"><a href="http://4sysops.com/wp-content/uploads/2006/06/Infinite_Password_Generator.gif" title="Infinite Password Generator"><img src="http://4sysops.com/wp-content/uploads/2006/06/Infinite_Password_Generator.gif" title="Infinite Password Generator" alt="Infinite Password Generator" align="right" height="103" width="160" /></a></p>
<p>Infinite Password Generator can store all your keywords. This is not risky since an attacker would still need the master password to generate your passwords. So all in all you use this tool like a password manager, since you only have to memorize one password, the master password. However, with this method you don&#8217;t save your passwords in a file. Saving passwords is always a risk, and if you lose this file, you will probably be lost too. If you choose your keywords carefully, you will still be able to reconstruct your passwords even if your keyword list is destroyed.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/infinite-password-generator-one-password-is-enough/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Passwordsaver: securing passwords without computer</title>
		<link>http://4sysops.com/archives/passwordsaver-securing-passwords-without-computer/</link>
		<comments>http://4sysops.com/archives/passwordsaver-securing-passwords-without-computer/#comments</comments>
		<pubDate>Wed, 24 May 2006 18:20:11 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[password management]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/passwordsaver-securing-passwords-without-computer/</guid>
		<description><![CDATA[<p>The major problem with any password-saving software is that passwords have to be loaded into the computer&#8217;s memory when you want to access them. This is a security risk. <a href="http://www.passwortsaver.de/index.php?en_produkt" target="_blank">Passwordsaver</a> (PWS) is a USB stick that solves this problem. It doesn&#8217;t show the passwords on the computer screen, but on its own tiny display.</p>
<p>PWS has a battery which allows you to enter and access the passwords without a computer. If you already have many passwords which you secured with a software-based password managing tool, then you can transfer them using a USB port.</p>
<p><img src="http://4sysops.com/wp-content/uploads/2006/05/pws.thumbnail.jpg" alt="Passwordsaver" title="Passwordsaver" align="left" height="71" width="128" />Passwordsaver can store 1000 records. Every record contains an unencrypted field with 32 characters that serves as the password description. Three encrypted fields, one with 32 characters and two with 16 characters, contain the confidential data. PWS uses AES 128 as its encryption algorithm.</p>
<p>To access the passwords, you have to enter the database password. If someone enters a wrong password thrice, the database locks and can only &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>The major problem with any password-saving software is that passwords have to be loaded into the computer&#8217;s memory when you want to access them. This is a security risk. <a href="http://www.passwortsaver.de/index.php?en_produkt" target="_blank">Passwordsaver</a> (PWS) is a USB stick that solves this problem. It doesn&#8217;t show the passwords on the computer screen, but on its own tiny display.</p>
<p>PWS has a battery which allows you to enter and access the passwords without a computer. If you already have many passwords which you secured with a software-based password managing tool, then you can transfer them using a USB port.</p>
<p><img src="http://4sysops.com/wp-content/uploads/2006/05/pws.thumbnail.jpg" alt="Passwordsaver" title="Passwordsaver" align="left" height="71" width="128" />Passwordsaver can store 1000 records. Every record contains an unencrypted field with 32 characters that serves as the password description. Three encrypted fields, one with 32 characters and two with 16 characters, contain the confidential data. PWS uses AES 128 as its encryption algorithm.</p>
<p>To access the passwords, you have to enter the database password. If someone enters a wrong password thrice, the database locks and can only be unlocked with a master password. Entering the master password incorrectly three times will destroy the data.</p>
<p>Only the hash codes of the database password and the master password are stored on the PWS, not the passwords themselves. Thus, it is not possible to access these passwords by physical means.</p>
<p>If you value security, shelling out 39.95 Euro for Passwordsaver might be worth it.</p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/passwordsaver-securing-passwords-without-computer/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Folder Lock: Encrypt folders</title>
		<link>http://4sysops.com/archives/folder-lock-encrypt-folders/</link>
		<comments>http://4sysops.com/archives/folder-lock-encrypt-folders/#comments</comments>
		<pubDate>Mon, 22 May 2006 20:01:01 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[file tools]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/folder-lock-encrypt-folders/</guid>
		<description><![CDATA[<p>I just had a quick look at <a href="http://www.newsoftwares.net/folderlock/?id=dl" target="_blank">Folder Lock</a> for Windows. It has more or less the same functionality as <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">TrueCrypt</a> which I discussed recently. It can make folders invisible and encrypt them as well. The advantage of Folder Lock is that you don&#8217;t have to reserve space on your hard disk for your encrypted folders. It can encrypt an existing folder. However, it is not free. It costs $30.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>
]]></description>
			<content:encoded><![CDATA[<p>I just had a quick look at <a href="http://www.newsoftwares.net/folderlock/?id=dl" target="_blank">Folder Lock</a> for Windows. It has more or less the same functionality as <a href="http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/">TrueCrypt</a> which I discussed recently. It can make folders invisible and encrypt them as well. The advantage of Folder Lock is that you don&#8217;t have to reserve space on your hard disk for your encrypted folders. It can encrypt an existing folder. However, it is not free. It costs $30.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>

]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/folder-lock-encrypt-folders/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>TrueCrypt: Free disk encryption for Windows and Linux</title>
		<link>http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/</link>
		<comments>http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/#comments</comments>
		<pubDate>Wed, 05 Apr 2006 18:03:26 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/</guid>
		<description><![CDATA[<p>TrueCrypt is a nifty free Open Source disk encryption tool. It encrypts a whole hard disk or partition and can also create virtual volumes. TrueCrypt uses encrypted container files which can be mounted like hard disks. Under Windows, you can assign a drive letter to such a virtual device. I tested version 4.1 for Windows.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>
<p>All in all, TrueCrypt made a very good impression on me. I sometimes encrypt important confidential data using <a href="http://en.wikipedia.org/wiki/EFS">EFS</a> (Encrypting File System). I think I&#8217;ll switch to TrueCrypt now. Its biggest advantage over EFS is that it hides filenames and folder structure. I also like that one can mount an encrypted volume only when the data on it is needed. This brings some extra security.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2006/04/TrueCrypt.gif" title="TrueCrypt"><img src="http://4sysops.com/wp-content/uploads/2006/04/TrueCrypt.gif" alt="TrueCrypt" title="TrueCrypt" align="left" height="158" width="182" /></a>TrueCrypt is very easy to use. The manual has 98 pages, but I was able to use TrueCrypt without consulting it. It uses self-explanatory wizards to create encrypted &#8230;</p>]]></description>
			<content:encoded><![CDATA[<p>TrueCrypt is a nifty free Open Source disk encryption tool. It encrypts a whole hard disk or partition and can also create virtual volumes. TrueCrypt uses encrypted container files which can be mounted like hard disks. Under Windows, you can assign a drive letter to such a virtual device. I tested version 4.1 for Windows.</p>
<p><em><strong>Update: Please, also check out my <a href="http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/">review about TrueCrypt 5</a>.</strong></em></p>
<p>All in all, TrueCrypt made a very good impression on me. I sometimes encrypt important confidential data using <a href="http://en.wikipedia.org/wiki/EFS">EFS</a> (Encrypting File System). I think I&#8217;ll switch to TrueCrypt now. Its biggest advantage over EFS is that it hides filenames and folder structure. I also like that one can mount an encrypted volume only when the data on it is needed. This brings some extra security.</p>
<p><a href="http://4sysops.com/wp-content/uploads/2006/04/TrueCrypt.gif" title="TrueCrypt"><img src="http://4sysops.com/wp-content/uploads/2006/04/TrueCrypt.gif" alt="TrueCrypt" title="TrueCrypt" align="left" height="158" width="182" /></a>TrueCrypt is very easy to use. The manual has 98 pages, but I was able to use TrueCrypt without consulting it. It uses self-explanatory wizards to create encrypted volumes. I recommend consulting the manual though, if you use TrueCrypt regularly. There you will find detailed information on how TrueCrypt works.</p>
<p>Within less than a minute, I mounted my first encrypted virtual device. TrueCrypt supports several encryption algorithms. The best known ones are AES, Blowfish and Twofish. The supported bit lengths should be secure enough for the next 100 years or so.</p>
<p>When creating a virtual partition, you have to specify its size. The container file occupies this space even without files in it. One shouldn&#8217;t encrypt partitions that already contain files, since TrueCrypt has to format them first.</p>
<p>You need a password and/or a keyfile to mount an encrypted device. Any file longer than 16 bytes is good as a keyfile. TrueCrypt can also create one for you. The advantage of using a keyfile is that it provides protection against keystroke loggers. The safest way certainly is the combination of password and keyfile. TrueCrypt even supports multiple keyfiles. This way, you can manage multi-user shared access, since all users have to supply their keyfiles before the encrypted device can be mounted.</p>
<p>Another interesting feature of TrueCrypt is hidden volumes. Hidden volumes reside within another TrueCrypt volume. One simply uses another password to open a hidden volume. If someone forces you to open the TrueCrypt volume, you only enter the password for the outer volume. It is not possible to prove that a TrueCrypt volume contains a hidden volume. But be careful with hidden volumes. It is possible that you overwrite the contents of a hidden volume with data from the outer volume. The manual explains how one can prevent this.</p>
<p>TrueCrypt is also quite fast. I tested it on a PC with a 1 GHz CPU. It took TrueCrypt 13 seconds to format a virtual disk with 200 MB using AES as encryption algorithm. I then copied 150 MB in 20 seconds to the encrypted virtual volume. Working with encrypted files didn&#8217;t seem to be slower than with unencrypted files.</p>
<p><a href="http://www.truecrypt.org/">TrueCrypt: Free Open Source On-The-Fly Encryption</a></p>
Author: Michael Pietroforte
<br />
<small>Copyright &#169; 2006-2012, 4sysops, Digital fingerprint: 3db371642e7c3f4fe3ee9d5cf7666eb0</small><br />
]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/truecrypt-free-disk-encryption-for-windows-and-linux/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>FREE: Steganos Locknote &#8211; Password saver and text encryption</title>
		<link>http://4sysops.com/archives/steganos-locknote-password-saver-and-more/</link>
		<comments>http://4sysops.com/archives/steganos-locknote-password-saver-and-more/#comments</comments>
		<pubDate>Mon, 06 Mar 2006 18:40:08 +0000</pubDate>
		<dc:creator>Michael Pietroforte</dc:creator>
				<category><![CDATA[Free Tools]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[password management]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://4sysops.com/archives/steganos-locknote-password-saver-and-more/</guid>
<description><![CDATA[<p><img title="lockeote1.png" src="http://4sysops.com/wp-content/uploads/2006/03/lockeote1.png" alt="lockeote1.png" align="left" />How do you secure your passwords? As a sys admin you probably have countless accounts, and I hope you don&#8217;t use the same password for all of them. I use far too many passwords to remember them all. Writing them down is the only solution.</p>
<p>One way is certainly to note them on a normal piece of paper and keep it in a safe place. The other option is to encrypt your passwords and save them in a file. For extra security you can store the file on a USB stick which you only plug in when you need access to the file. Someone who finds out your master password still has to get hold of your USB stick.</p>
<p>There are many password savers with nice features. But sometimes the simplest solution is the best. That&#8217;s why I chose <a href="http://www.steganos.com/us/products/for-free/locknote/overview/">Locknote</a> to secure my passwords. This free tool doesn&#8217;t have to be installed and therefore also runs from a USB stick. &#8230;</p>]]></description>
<content:encoded><![CDATA[<p><img title="lockeote1.png" src="http://4sysops.com/wp-content/uploads/2006/03/lockeote1.png" alt="lockeote1.png" align="left" />How do you secure your passwords? As a sys admin you probably have countless accounts, and I hope you don&#8217;t use the same password for all of them. I use far too many passwords to remember them all. Writing them down is the only solution.</p>
<p>One way is certainly to note them on a normal piece of paper and keep it in a safe place. The other option is to encrypt your passwords and save them in a file. For extra security you can store the file on a USB stick which you only plug in when you need access to the file. Someone who finds out your master password still has to get hold of your USB stick.</p>
<p>There are many password savers with nice features. But sometimes the simplest solution is the best. That&#8217;s why I chose <a href="http://www.steganos.com/us/products/for-free/locknote/overview/">Locknote</a> to secure my passwords. This free tool doesn&#8217;t have to be installed and therefore also runs from a USB stick. It works like a normal editor, but it doesn&#8217;t save a text file on the hard disk. The text entered in the editor is stored together with Locknote&#8217;s exe file. The tool encrypts your information using AES with a 256-bit key. If you want to make a copy of your passwords, you can just copy the complete exe file.</p>
<p>Locknote&#8217;s edge over other password savers is that you can secure any text file with it. Entering new accounts is very fast, as one doesn&#8217;t have to fill out several fields. Locknote has only one disadvantage. A password saver will usually ask you twice to enter the password of a new account. But mistyping a password in Locknote will probably cause serious problems later. I recommend entering the password in Locknote first and then copying and pasting it into the registration form.</p>
<h3><a href="http://www.steganos.com/us/products/for-free/locknote/overview/">Locknote</a></h3>
Author: Michael Pietroforte
]]></content:encoded>
			<wfw:commentRss>http://4sysops.com/archives/steganos-locknote-password-saver-and-more/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

