25
BitLocker™ Drive Encryption A look under the covers Steve Lamb Technical Security Advisor, Microsoft UK http://blogs.technet.com/steve_lamb [email protected]
| Date post: | 15-Dec-2015 |
| Category: |
Documents |
| Upload: | madilyn-wollett |
| View: | 227 times |
| Download: | 4 times |
BitLocker™ Drive EncryptionA look under the covers
Steve LambTechnical Security Advisor, Microsoft UKhttp://blogs.technet.com/[email protected]
Agenda• Is EFS Dead?• A quick review• What threats does it mitigate?• What threats ARE NOT mitigated• Enhancements @ Vista SP1• To Gain Access We Need• Deployment Considerations• Resources
Is EFS Dead?
?
A Quick Review
BitLocker
What threats does it mitigate?
• Data @ rest• Over-riding Access Controls
What threats ARE NOT mitigated?
• Stupid User!• Stupid Admin!• Removable Media• Weak Passwords
Enhancements @ SP1
• Multi-volume support• Key Rolling
What Is A Trusted Platform Module ?
TPM 1.2 spec: www.trustedcomputinggroup.org
Secure the pre-boot environment
• Measure EVERYTHING
What do we measure?Volume Blob of Target OS
unlockedAll Boot Blobs
unlockedStatic OS
BootSector
BootManager
Start OS
OS Loader
BootBlock
PreOS
BIOS
MBR
TPM Init
To gain access we need
• Full Volume Encryption Key• Volume Master Key
• Multiple places to store it
Volume Master Key – option 1
TPM
Access
Volume Master Key – option 2
TPM
PIN
Access
Volume Master Key – option 3
TPM
Startup
Key
Access
Volume Master Key – option 4
Recovery Key
Startup
Key
Access
Volume Master Key – option 5
Recovery Password
Access
Keys and Protectors (“Authenticators”)
DATA
1
FVEK
2
VMK
3
TPM
4
TPM+USB
TPM+PIN
USB Key(Recovery or Non-
TPM)
123456-789012-345678-
Recovery Password(48 Digits)
Where’s the Encryption Key?1. Data is encrypted with the FVEK2. The FVEK is encrypted with the VMK and
then stored in the volume metadata.3. The VMK is encrypted by one or more key
protectors, then stored in the volume metadata.
4. The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.
Disk Configuration• Partitioning guidelines:
Disk Configuration Partition 1 Partition 2 Partitions 3
WinRE and BitLocker on separate partitions
BitLockerType 0x71.5GB (Active)
Windows REType 0x271GB
Windows VistaType 0x7
Windows RE and BitLocker on same partition
Windows RE/BitLockerType 0x71.5GB (Active)
Windows VistaType 0x7
Not needed
You can measure the BIOS too
Deployment Considerations
Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality
SOLUTIONACCELERATORS Act faster. Go further.
Tested guidance by Windows Vista Security Experts
Preconfigured, customizable security settings
Unique GPO Accelerator tool deploys security configurations
in minutes vs. hours
Understanding the Options with the Windows Vista Security Guide
Please fill in your Evaluation Form
Resources
• Data Encryption Toolkit for Mobile PCs• Bitlocker Drive Encryption Technical Overview• Keys to Protecting Data with Bitlocker Drive Encryption• Developing Credential Providers for Windows Vista• Create Custom Login Experiences With Credential Providers For
Windows Vista
Resources
Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
Technical Communities, Webcasts, Blogs, Chats & User Groupshttp://www.microsoft.com/communities/default.mspx
Microsoft Learning and Certificationhttp://www.microsoft.com/learning/default.mspx
Microsoft Developer Network (MSDN) & TechNet http://microsoft.com/msdn http://microsoft.com/technet
Trial Software and Virtual Labshttp://www.microsoft.com/technet/downloads/trials/default.mspx
© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
