Sunday, February 27, 2011

BitLocker with TPM and Cert - Brief Introduction

BitLocker was introduced in Windows Vista and Server 2008 to guard against theft of drives holding sensitive data and against cold boot attacks. In Windows 7 and Server 2008 R2, BitLocker adds several enhancements, including eliminating the need to pre-create a 1.5GB partition and "BitLocker to Go" for removable media.

You can also use BitLocker with (1) a Trusted Platform Module (TPM) and (2) a smart card certificate for enhanced security. A TPM is a microcontroller security chip embedded on the motherboard that protects sensitive key material from unauthorized tampering. The TPM is used for the system drive (e.g. C:\) where Windows is installed, and the certificate is used for data drives, including both fixed and removable media.

On the drive that Windows is installed on, BitLocker uses the Trusted Platform Module (TPM) to detect whether the computer's critical startup process has been tampered with. Additionally, a PIN or startup key can be required before users can access the drive's data.

BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.

During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier. This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.

On fixed and removable data drives, users can use a smart card certificate or a password to unlock a BitLocker-protected drive. An administrator who has been designated as a BitLocker data recovery agent can also use a certificate to recover access to a BitLocker-protected drive.

BitLocker and TPM recovery information can also be backed up to Active Directory. This ensures that encrypted data belonging to the enterprise can always be accessed by authorized users. Backing up the TPM owner information for a computer allows administrators to configure the TPM security hardware on that computer both locally and remotely. As an example, an administrator might want to reset the TPM to factory defaults when decommissioning or repurposing computers.
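The setup described above (TPM plus PIN on the system drive, a smart card certificate on a data drive, and recovery passwords backed up to Active Directory) can be driven with manage-bde.exe, the command-line tool shipped with Windows 7 and Server 2008 R2. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt, an already initialized TPM, a Group Policy that permits AD backup of recovery information, and placeholder values for the drive letters and certificate thumbprint. The -TPMAndPIN step prompts interactively for the PIN.

```powershell
# Added example (not from the original post): enable BitLocker on the OS drive with
# TPM+PIN, protect a data drive with a smart card certificate, and back up the
# recovery passwords to Active Directory. Drive letters and thumbprint are placeholders.

$OsDrive   = "C:"
$DataDrive = "D:"
$CertThumb = "<THUMBPRINT-OF-SMARTCARD-CERT>"   # placeholder; taken from certmgr.msc

function Test-TpmReady {
    # Win32_Tpm exposes IsEnabled(), IsActivated() and IsOwned(); each returns an
    # object whose boolean property carries the result.
    $tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
    if (-not $tpm) { return $false }
    return ($tpm.IsEnabled().IsEnabled -and
            $tpm.IsActivated().IsActivated -and
            $tpm.IsOwned().IsOwned)
}

if (-not (Test-TpmReady)) {
    Write-Warning "TPM is not enabled, activated and owned; initialize it first (tpm.msc or BIOS)."
    exit 1
}

# 1. System drive: key sealed to the TPM plus a boot-time PIN, and a numerical
#    recovery password for the case where the TPM refuses to release the key.
manage-bde -protectors -add $OsDrive -TPMAndPIN -RecoveryPassword
manage-bde -on $OsDrive

# 2. Data drive: unlocked with the smart card certificate, plus a recovery password
#    so a data recovery agent or helpdesk can still regain access.
manage-bde -protectors -add $DataDrive -Certificate -ct $CertThumb -RecoveryPassword
manage-bde -on $DataDrive

# 3. Escrow every recovery-password protector in Active Directory. The protector IDs
#    are parsed from the "ID: {GUID}" lines that manage-bde prints.
foreach ($drive in @($OsDrive, $DataDrive)) {
    $ids = (manage-bde -protectors -get $drive -Type RecoveryPassword) |
        Select-String -Pattern "ID: (\{[0-9A-Fa-f-]+\})" |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
    foreach ($id in $ids) {
        manage-bde -protectors -adbackup $drive -id $id
    }
}

# Confirm encryption state and the protectors attached to each volume.
manage-bde -status
```

Verify the escrow afterwards by checking the msFVE-RecoveryInformation objects under the computer account in Active Directory Users and Computers (BitLocker Recovery tab).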

More detailed technical documentation and guides can be obtained from this Microsoft TechNet site.

More information on BitLocker & TPM Recovery.
