In my last article I discussed the BitLocker to Go features from a user’s perspective. Today I will take a closer look at the features that are of interest from a system administrator’s point of view.
I think it is important to have just one USB stick encryption solution in a corporate environment because it simplifies the work for help desk personnel. If an end user calls because he or she is unable to access the data on an encrypted memory stick, and you don’t even know what encryption software has been used, things can get difficult.
Because BitLocker is part of Windows, it is the first option to consider if you want to introduce an encryption solution for portable devices. The fact that BitLocker is tightly integrated into Windows makes its management easier. For example, its software doesn’t have to be installed separately and updates can be deployed via Windows Update or WSUS. Moreover, like any other Windows component, BitLocker can be centrally configured through Group Policy.
There are quite a few new Group Policy settings in Windows 7 related to BitLocker. I will only discuss the most important ones in detail. Perhaps the most important feature is that BitLocker’s recovery methods are integrated into Active Directory. The main problem of any encryption technology is that a secret key is required. If this key or the password that protects it gets lost, the encrypted data is lost too. I think it is an even greater threat to your organization if you allow end users to encrypt data without having a disaster-recovery strategy. TrueCrypt supports data recovery, which is sufficient for private users and small companies. However, large corporations need a centrally manageable recovery procedure.
Like in Windows Vista, BitLocker in Windows 7 supports the storage of recovery information in Active Directory. You can centrally store the recovery password and the key package of each user in AD DS. The key package contains the encryption key protected by one or more recovery passwords. Of course, it is possible to configure this feature via Group Policy.
However, the interesting enhancement in Windows 7 is the support of a Data Recovery Agent (DRA). Unfortunately, I wasn’t able to try this feature because I couldn’t find any documentation about it. It is possible that this feature is not yet implemented in the current betas of Windows 7 and Windows Server 2008 R2 even though it can be enabled via Group Policy.
My guess is that DRA for BitLocker works similarly to the DRA feature of Encrypting File System (EFS). In EFS there is a private master key that can be used to decrypt all EFS files in a Windows domain. This key is associated with the first domain controller’s administrator account. It can be exported via the Microsoft Management Console Certificates snap-in on the domain controller. If you import this key on a workstation, you can decrypt any EFS file with it (more precisely the symmetric key that is used to encrypt the files). I wasn’t able to find a corresponding certificate for BitLocker on a Windows Server 2008 R2 domain controller; however, the Local Policy Security Editor in Windows 7 has a special folder for the BitLocker certificate, which is right below the corresponding EFS folder. It is used to configure the Data Recovery Agent. This indicates that BitLocker’s recovery procedure is probably similar to the one for EFS. If you know more about the BitLocker DRA, it would be greatly appreciated if you share your knowledge.
The advantage of DRA over storing recovery information in AD separately for each user is obvious. It saves space in AD and makes the disaster-recovery procedure much easier. Of course, the availability of such a master key poses a security risk because if the private key falls into the wrong hands, it can be used for decrypting everything in an organization.
DRA can be enabled separately for BitLocker-protected operating system drives and removable data drives. I am not sure if this means that there are two separate master keys. I believe though that DRA will mostly be used for BitLocker to Go. Almost everyone uses a USB stick to transport data, but a comparatively smaller number of end users have business laptops. Dealing with end users who have forgotten their BitLocker to Go password will be part of a system administrator’s daily routine once Windows 7 is ubiquitous.
It would be useful if the user’s domain password were automatically used to protect flash drives. It works with EFS, so it should be doable for BitLocker as well. One more password for end users means a lot more work for administrators.
This will be particularly true if your organization decides to make use of another new feature of BitLocker—the ability to mandate encryption prior to granting write access to a portable data device. If this policy is enabled, users will see a pop-up window whenever they insert an unencrypted portable data drive that gives them the option to encrypt the device or to open it without write access.
The corresponding Group Policy offers another interesting option. Administrators can deny write access to BitLocker devices that have been configured in another organization. The main purpose of this is to enforce policies of your own organization, such as password complexity requirements or the supported recovery methods.
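If you want to verify on a given workstation whether the two removable-drive policies just described have actually arrived, the following PowerShell script is an added example, not code from this article. It reads the values that the BitLocker Group Policy template writes under the FVE policy key; the value names (RDVDenyWriteAccess, RDVDenyCrossOrg, IdentificationField, IdentificationFieldString) are assumed from the Windows 7 policy template and do not appear in the text above.

```powershell
# Added audit example (not from the original article): reports whether the
# removable-drive write-access policies are in effect on this computer.
# Assumption: the policy template stores them as DWORDs under this key.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry value name, the policy it belongs to, and the value meaning "enforced".
# A missing value means the policy is not configured; 0 means it was disabled.
$checks = @(
    @{ Name = 'RDVDenyWriteAccess'; Expected = 1
       Policy = 'Deny write access to removable drives not protected by BitLocker' },
    @{ Name = 'RDVDenyCrossOrg';    Expected = 1
       Policy = 'Do not allow write access to devices configured in another organization' },
    @{ Name = 'IdentificationField'; Expected = 1
       Policy = 'Provide the unique identifiers for your organization' }
)

function Get-FvePolicyValue {
    param([string]$Name)
    if (-not (Test-Path $fveKey)) { return $null }
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemovableDrivePolicy {
    foreach ($c in $checks) {
        $actual = Get-FvePolicyValue -Name $c.Name
        $state = if ($actual -eq $c.Expected) { 'ENFORCED' }
                 elseif ($null -eq $actual)   { 'NOT CONFIGURED' }
                 else                          { "DISABLED (value $actual)" }
        [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; State = $state }
    }
}

Test-RemovableDrivePolicy | Format-Table -AutoSize

# The cross-organization option is a sub-setting of the write-access policy and
# compares the drive's identification field against the organization's own
# identifier, so it only has an effect when both of those are configured.
$deny  = Get-FvePolicyValue -Name 'RDVDenyWriteAccess'
$cross = Get-FvePolicyValue -Name 'RDVDenyCrossOrg'
$idStr = Get-FvePolicyValue -Name 'IdentificationFieldString'
if ($cross -eq 1 -and ($deny -ne 1 -or [string]::IsNullOrEmpty($idStr))) {
    Write-Warning ('RDVDenyCrossOrg is set but has no effect without ' +
                   'RDVDenyWriteAccess=1 and a non-empty IdentificationFieldString.')
}
```

Run it in an elevated PowerShell session after a gpupdate; the warning at the end catches the common mistake of ticking the cross-organization option without also defining the organization identifier.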
My first thought was this feature would help prevent data theft. However, as long as end users have write access to USB sticks, they can take confidential data outside an organization even if BitLocker to Go is mandatory. What is missing here is a feature that prevents the usage of BitLocker-encrypted flash drives in another organization. Public key cryptography would make such a feature possible. Perhaps the next BitLocker version will support this option.
All in all, I think that BitLocker to Go is an interesting enhancement in Windows 7 for large organizations. Because of its limited support for Windows Vista and Windows XP, however, I recommend using TrueCrypt instead of BitLocker in small organizations. I wonder if this is the reason BitLocker is only available for Windows 7 Ultimate and Windows 7 Enterprise.