March 28, 2007 12:00 AM

What you need to know about Vista's User Account Control and BitLocker Drive Encryption

Windows IT Pro
InstantDoc ID #95153

BitLocker Drive Encryption
Given the number of corporate laptops lost to theft or forgetfulness each year, it's little wonder that the cost of replacing these machines is far outweighed by the value of the information stored on them. Nearly every month you can read a news story about someone who lost a laptop that contains private information for customers and clients, requiring a company to undertake an expensive and embarrassing public process to try to set things right. Laptop loss and theft can easily lead to identity theft, sometimes on a massive scale. The key to preventing this kind of information loss is to encrypt the data on the laptop, thus preventing others from removing the machine's hard disk and accessing its contents.

Windows NT-based versions of Windows, such as XP and Windows 2000, have included Encrypting File System (EFS) for years. EFS provides you the flexibility to encrypt individual folders on your hard disk, ensuring that all the data they contain—including documents and other data files added after the folder is encrypted—are protected from prying eyes. EFS does its work with a minimal, imperceptible performance hit, and the results have proven quite satisfactory.

We'll look at Vista's improvements to EFS in Part 2 of this write-up next month, but Vista Enterprise and Vista Ultimate include an even more impressive encryption function called BitLocker Drive Encryption. BitLocker Drive Encryption automatically encrypts the entire Windows volume (i.e., the partition on which the WINDOWS directory is located—typically the C drive) without requiring the end user to configure anything. Admins can easily roll out this feature to executives and others who travel with sensitive corporate data.

But BitLocker doesn't stop there. You might remember that Microsoft's Next-Generation Secure Computing Base (NGSCB—formerly code-named Palladium) technologies were originally going to be a major part of Vista. Today, BitLocker Drive Encryption is one of only a handful of NGSCB-based technologies that remain in the product. The NGSCB component of BitLocker works with Trusted Platform Module 1.2 hardware on the motherboard to ensure the integrity of key system components at boot time. This integrity check ensures that the BitLocker-protected hard disk hasn't been placed into a different PC, but it also helps prevent attacks that can occur at boot time before the OS is loaded.

For those who don't have Trusted Platform Module 1.2–enabled hardware, Microsoft offers a slightly less effective version of BitLocker that requires you to use a USB memory key instead. This version supplies all of BitLocker's disk encryption functionality but doesn't include the integrity checks.

For the end user, BitLocker Drive Encryption is a bit ponderous to install. You must reserve a second active partition of at least 1.5GB in size on the laptop's hard drive. This volume won't be encrypted and will contain a few files needed for the PC to boot correctly. If you didn't partition your system correctly during initial setup, you'll need to find a Vista-compatible nondestructive partition utility that can do the job. Users of Vista Ultimate have access to a free extra called the BitLocker Drive Preparation Tool, which will perform this partitioning. Microsoft must think Vista Enterprise users are able to handle this kind of thing on their own.
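The prerequisites just described (a TPM 1.2 that is enabled and activated, a separate active boot partition of at least 1.5GB, and a Windows volume that is not yet protected) can be checked before rollout. The script below is an added example for this write-up, not a Microsoft tool and not code from the article; it uses the TPM and volume-encryption WMI providers that ship with Vista, takes the Windows volume from %SystemRoot% as the article describes, and treats the 1.5GB figure from the article as its threshold. Run it from an elevated PowerShell prompt.

```powershell
# Added example: check a Vista machine against the BitLocker prerequisites the
# article describes. Assumptions: the Windows volume is the drive holding
# %SystemRoot%, and 1.5GB is the required size for the unencrypted boot partition
# (both per the article). WMI class and property names are Vista's own providers.

$minBootPartitionBytes = 1.5GB
$windowsDrive = Split-Path -Qualifier $env:SystemRoot   # e.g. "C:"

# 1. TPM 1.2: present, enabled and activated -> integrity-check mode is possible.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm) {
    Write-Host ("TPM spec version : {0}" -f $tpm.SpecVersion)
    Write-Host ("TPM enabled      : {0}" -f $tpm.IsEnabled_InitialValue)
    Write-Host ("TPM activated    : {0}" -f $tpm.IsActivated_InitialValue)
    Write-Host ("TPM owned        : {0}" -f $tpm.IsOwned_InitialValue)
} else {
    Write-Host "No TPM found: only the USB-key mode (no boot-time integrity check) is available."
}

# 2. A second active partition, separate from the Windows volume, of at least 1.5GB.
#    Find the partition that backs the Windows logical drive via the association class.
$windowsPartition = Get-WmiObject -Query `
    "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$windowsDrive'} WHERE AssocClass=Win32_LogicalDiskToPartition"

#    Any other partition flagged as the active (bootable) one is the candidate boot partition.
$bootPartition = Get-WmiObject -Class Win32_DiskPartition -Filter "BootPartition=TRUE" |
    Where-Object { $_.DeviceID -ne $windowsPartition.DeviceID } |
    Select-Object -First 1

if (-not $bootPartition) {
    Write-Host "No separate active partition: repartition (Vista Ultimate: BitLocker Drive Preparation Tool)."
} elseif ([uint64]$bootPartition.Size -lt $minBootPartitionBytes) {
    Write-Host ("Active partition '{0}' is {1:N0} bytes; BitLocker needs at least {2:N0}." -f `
        $bootPartition.DeviceID, $bootPartition.Size, $minBootPartitionBytes)
} else {
    Write-Host ("Active partition '{0}' is large enough ({1:N0} bytes)." -f `
        $bootPartition.DeviceID, $bootPartition.Size)
}

# 3. Current BitLocker state of the Windows volume.
#    ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
$volume = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$windowsDrive'"
if ($volume) {
    $status = @{ 0 = 'off'; 1 = 'on'; 2 = 'unknown' }[[int]$volume.ProtectionStatus]
    # GetConversionStatus reports 0 = fully decrypted, 1 = fully encrypted,
    # 2/3 = encryption/decryption in progress, 4/5 = paused, plus a percentage.
    $conv = $volume.GetConversionStatus()
    Write-Host ("BitLocker protection on {0}: {1}; conversion state {2}, {3}% encrypted." -f `
        $windowsDrive, $status, $conv.ConversionStatus, $conv.EncryptionPercentage)
} else {
    Write-Host "Volume-encryption provider not available: this Vista edition does not include BitLocker."
}
```

The Win32_EncryptableVolume class exists only on editions that ship BitLocker (Enterprise and Ultimate), so a missing provider is itself a useful signal when auditing a mixed fleet.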

But Wait, There's More
We're far from finished discussing Vista's security features. Next month, I'll examine Vista's EFS improvements, file system and registry virtualization, service isolation, driver signing, and code integrity features, Address Space Layout Randomization, and security features you'll only see in x64 versions of Vista.

Comments
  • Alex
    Apr 18, 2007

    Hi Paul, You mention that only Ultimate users would have access to the bitlocker preparation tool. This is partially true,
    Enterprise users can obtain it through premium support as described here:
    KB http://support.microsoft.com/kb/930063 .

    Cheers
    Alex
