Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume . It is used to prevent unauthorized access to data storage.
52-487: BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista . It is designed to protect data by providing encryption for entire volumes . By default, it uses the Advanced Encryption Standard (AES) algorithm in cipher block chaining (CBC) or " xor–encrypt–xor (XEX) -based Tweaked codebook mode with ciphertext Stealing " (XTS) mode with
104-457: A BIOS boot sequence, it typically does not ask for the FDE password. Hibernation, in contrast goes via a BIOS boot sequence, and is safe. All software-based encryption systems are vulnerable to various side channel attacks such as acoustic cryptanalysis and hardware keyloggers . In contrast, self-encrypting drives are not vulnerable to these attacks since the hardware encryption key never leaves
156-414: A 128- bit or 256-bit key . CBC is not used over the whole disk; it is applied to each individual sector . BitLocker originated as a part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 as a feature tentatively codenamed "Cornerstone" and was designed to protect information on devices, particularly if a device was lost or stolen. Another feature, titled "Code Integrity Rooting",
208-550: A USB flash drive or PIN code. Although the AES encryption algorithm used in BitLocker is in the public domain , its implementation in BitLocker, as well as other components of the software, are proprietary ; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement . According to Microsoft sources, BitLocker does not contain an intentionally built-in backdoor , so there
260-413: A backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested that agents should look for the hard copy of the encryption key that the BitLocker program suggests that its users make. Niels Ferguson's position that "back doors are simply not acceptable" is in accordance with Kerckhoffs's principle . Stated by Netherlands-born cryptographer Auguste Kerckhoffs in
312-541: A feature-limited version of BitLocker that encrypts the whole system. Logging in with a Microsoft account with administrative privileges automatically begins the encryption process. The recovery key is stored to either the Microsoft account or Active Directory ( Active Directory requires Pro editions of Windows), allowing it to be retrieved from any computer. While device encryption is offered on all editions of Windows 8.1, unlike BitLocker, device encryption requires that
364-465: A malicious PCI Express Device, which can in turn write directly to the memory and bypass the Windows login. To protect again this type of attack, Microsoft introduced "Virtualization-based Security". In October 2017, it was reported that a flaw enabled private keys to be inferred from public keys , which could allow an attacker to bypass BitLocker encryption when an affected TPM chip is used. The flaw
416-470: A new FIPS-compliant XTS-AES encryption algorithm to BitLocker. Starting with Windows 10 version 1803, Microsoft added a new feature called "Kernel Direct Memory access (DMA) Protection" to BitLocker, to protect against DMA attacks via Thunderbolt 3 ports. "Kernel Direct Memory access (DMA) Protection" only protects against attacks through Thunderbolt. Direct Memory Access is also possible through PCI Express . In this type of attack an attacker would connect
468-452: Is a largely structural one. Access to protected information must be provided only to the intended recipient and at least one third party. The third party should be permitted access only under carefully controlled conditions, for instance, a court order . Thus far, no system design has been shown to meet this requirement fully on a technical basis alone. All proposed systems also require correct functioning of some social linkage, for instance
520-464: Is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' secure business-related communications , or governments , who may wish to be able to view the contents of encrypted communications (also known as exceptional access ). The technical problem
572-596: Is available on: Initially, the graphical BitLocker interface in Windows Vista could only encrypt the operating system volume. Starting with Windows Vista with Service Pack 1 and Windows Server 2008, volumes other than the operating system volume could be encrypted using the graphical tool. Still, some aspects of the BitLocker (such as turning autolocking on or off) had to be managed through a command-line tool called manage-bde.wsf . The version of BitLocker included in Windows 7 and Windows Server 2008 Release 2 adds
SECTION 10
#1732779908183624-572: Is no Microsoft-provided way for law enforcement to have guaranteed access to the data on a user's drive. In 2006, the UK Home Office expressed concern over the lack of a backdoor and tried entering into talks with Microsoft to get one introduced. Microsoft developer and cryptographer Niels Ferguson denied the backdoor request and said, "over my dead body". Microsoft engineers have said that United States Federal Bureau of Investigation agents also put pressure on them in numerous meetings to add
676-434: Is seamlessly encrypted on write and decrypted on read, in such a way that the user and/or application software remains unaware of the process, can be called transparent encryption. Disk encryption does not replace file encryption in all situations. Disk encryption is sometimes used in conjunction with filesystem-level encryption with the intention of providing a more secure implementation. Since disk encryption generally uses
728-500: Is technical concerns for the additional vulnerabilities likely to be introduced by supporting key escrow operations. Thus far, no key escrow system has been designed which meets both objections and nearly all have failed to meet even one. Key escrow is proactive, anticipating the need for access to keys; a retroactive alternative is key disclosure law , where users are required to surrender keys upon demand by law enforcement, or else face legal penalties. Key disclosure law avoids some of
780-460: Is that the blocks where the operating system is stored must be decrypted before the OS can boot, meaning that the key has to be available before there is a user interface to ask for a password. Most Full Disk Encryption solutions utilize Pre-Boot Authentication by loading a small, highly secure operating system which is strictly locked down and hashed versus system variables to check for the integrity of
832-502: Is the Return of Coppersmith's Attack or ROCA vulnerability which is in a code library developed by Infineon and had been in widespread use in security products such as smartcards and TPMs. Microsoft released an updated version of the firmware for Infineon TPM chips that fixes the flaw via Windows Update. Full volume encryption The expression full disk encryption (FDE) (or whole disk encryption ) signifies that everything on
884-411: Is unfeasible due to the cost of helpdesk operatives for small companies or implementation challenges. Some benefits of ERI-file recovery: Most full disk encryption schemes are vulnerable to a cold boot attack , whereby encryption keys can be stolen by cold-booting a machine already running an operating system , then dumping the contents of memory before the data disappears. The attack relies on
936-428: The data remanence property of computer memory, whereby data bits can take up to several minutes to degrade after power has been removed. Even a Trusted Platform Module (TPM) is not effective against the attack, as the operating system needs to hold the decryption keys in memory in order to access the disk. Full disk encryption is also vulnerable when a computer is stolen when suspended. As wake-up does not involve
988-490: The 19th century, the principle holds that a cryptosystem should be secure, even if everything about the system, except the encryption key, is public knowledge. Since 2020, BitLocker's method and data structure is public knowledge due to reverse engineering; the Linux cryptsetup program is capable of reading and writing BitLocker-protected drives given the key. Starting with Windows 8 and Windows Server 2012, Microsoft removed
1040-557: The Active Directory Services are hosted on a Windows version previous to Windows Server 2008). BitLocker and other full disk encryption systems can be attacked by a rogue boot manager . Once the malicious bootloader captures the secret, it can decrypt the Volume Master Key (VMK), which would then allow access to decrypt or modify any information on an encrypted hard disk. By configuring a TPM to protect
1092-628: The Elephant Diffuser from the BitLocker scheme for no declared reason. Dan Rosendorf's research shows that removing the Elephant Diffuser had an "undeniably negative impact" on the security of BitLocker encryption against a targeted attack. Microsoft later cited performance concerns, and noncompliance with the Federal Information Processing Standards (FIPS), to justify the diffuser's removal. Starting with Windows 10 version 1511, however, Microsoft added
SECTION 20
#17327799081831144-562: The Microsoft Encrypted Hard Drive specification, which allows the cryptographic operations of BitLocker encryption to be offloaded to the storage device's hardware, for example, self-encrypting drives . In addition, BitLocker can now be managed through Windows PowerShell . Finally, Windows 8 introduced Windows To Go in its Enterprise edition, which BitLocker can protect. Windows Mobile 6.5 , Windows RT and core editions of Windows 8.1 include device encryption ,
1196-648: The Modern Standby or HSTI compliance no longer required and the DMA interfaces blocklist removed. In September 2019 a new update was released (KB4516071) changing the default setting for BitLocker when encrypting a self-encrypting drive. Now, the default is to use software encryption for newly encrypted drives. This is due to hardware encryption flaws and security concerns related to those issues. Three authentication mechanisms can be used as building blocks to implement BitLocker encryption: The following combinations of
1248-478: The Pre-Boot kernel. Some implementations such as BitLocker Drive Encryption can make use of hardware such as a Trusted Platform Module to ensure the integrity of the boot environment, and thereby frustrate attacks that target the boot loader by replacing it with a modified version. This ensures that authentication can take place in a controlled environment without the possibility of a bootkit being used to subvert
1300-472: The TPM module needs to be initialized (assuming that this feature is being used), after which the required disk-encryption key protection mechanisms such as TPM, PIN or USB key are configured. The volume is then encrypted as a background task, something that may take a considerable amount of time with a large disk as every logical sector is read, encrypted and rewritten back to disk. The keys are only protected after
1352-414: The ability to encrypt removable drives. On Windows XP or Windows Vista, read-only access to these drives can be achieved through a program called BitLocker To Go Reader, if FAT16 , FAT32 or exFAT filesystems are used. In addition, a new command-line tool called manage-bde replaced the old manage-bde.wsf . Starting with Windows Server 2012 and Windows 8, Microsoft has complemented BitLocker with
1404-503: The ability to shrink the size of an NTFS volume so that this volume may be created from already allocated space. A tool called the BitLocker Drive Preparation Tool is also available from Microsoft that allows an existing volume on Windows Vista to be shrunk to make room for a new boot volume and for the necessary bootstrapping files to be transferred to it. Once an alternate boot partition has been created,
1456-455: The above authentication mechanisms are supported, all with an optional escrow recovery key: BitLocker is a logical volume encryption system. (A volume spans part of a hard disk drive , the whole drive or more than one drive.) When enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS and boot sector), in order to prevent most offline physical attacks and boot sector malware. In order for BitLocker to encrypt
1508-526: The boot drive require a pre-boot authentication component which is available for all types of solutions from a number of vendors. It is important in all cases that the authentication credentials are usually a major potential weakness since the symmetric cryptography is usually strong. Secure and safe recovery mechanisms are essential to the large-scale deployment of any disk encryption solutions in an enterprise. The solution must provide an easy but secure way to recover passwords (most importantly data) in case
1560-442: The brute-force limit is not trivially bypassed. Although this has the advantage that the disk cannot be removed from the device, it might create a single point of failure in the encryption. For example, if something happens to the TPM or the motherboard , a user would not be able to access the data by connecting the hard drive to another computer, unless that user has a separate recovery key. There are multiple tools available in
1612-547: The correct password / keyfile (s) or correct encryption keys . The entire file system within the volume is encrypted (including file names, folder names, file contents, and other meta-data ). To be transparent to the end-user, transparent encryption usually requires the use of device drivers to enable the encryption process. Although administrator access rights are normally required to install such drivers, encrypted volumes can typically be used by normal users without these rights. In general, every method in which data
BitLocker - Misplaced Pages Continue
1664-476: The decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail. Recovery is possible with the decryption password or token . The TPM can impose a limit on decryption attempts per unit time, making brute-forcing harder. The TPM itself is intended to be impossible to duplicate, so that
1716-495: The device meet the InstantGo (formerly Connected Standby ) specifications, which requires solid-state drives and a TPM 2.0 chip. Starting with Windows 10 1703, the requirements for device encryption have changed, requiring a TPM 1.2 or 2.0 module with PCR 7 support, UEFI Secure Boot , and that the device meets Modern Standby requirements or HSTI validation. Device encryption requirements were relaxed in Windows 11 24H2, with
1768-515: The directory structure, file names, modification timestamps or sizes. Trusted Platform Module (TPM) is a secure cryptoprocessor embedded in the motherboard that can be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication . It can be used to verify that the system seeking the access is the expected system. A limited number of disk encryption solutions have support for TPM. These implementations can wrap
1820-432: The disk controller. Also, most full disk encryption schemes don't protect from data tampering (or silent data corruption, i.e. bitrot ). That means they only provide privacy, but not integrity. Block cipher-based encryption modes used for full disk encryption are not authenticated encryption themselves because of concerns of the storage overhead needed for authentication tags. Thus, if tampering would be done to data on
1872-515: The disk is encrypted, but the master boot record (MBR), or similar area of a bootable disk, with code that starts the operating system loading sequence, is not encrypted. Some hardware-based full disk encryption systems can truly encrypt an entire boot disk , including the MBR. Transparent encryption , also known as real-time encryption and on-the-fly encryption ( OTFE ), is a method used by some disk encryption software . "Transparent" refers to
1924-757: The disk, the data would be decrypted to garbled random data when read and hopefully errors may be indicated depending on which data is tampered with (for the case of OS metadata – by the file system; and for the case of file data – by the corresponding program that would process the file). One of the ways to mitigate these concerns, is to use file systems with full data integrity checks via checksums (like Btrfs or ZFS ) on top of full disk encryption. However, cryptsetup started experimentally to support authenticated encryption Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of disk encryption: One issue to address in full disk encryption
1976-399: The fact that data is automatically encrypted or decrypted as it is loaded or saved. With transparent encryption, the files are accessible immediately after the key is provided, and the entire volume is typically mounted as if it were a physical drive, making the files just as accessible as any unencrypted ones. No data stored on an encrypted volume can be read (decrypted) without using
2028-401: The files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS, therefore, offer protection against different classes of attacks. In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if
2080-426: The market that allow for disk encryption. However, they vary greatly in features and security. They are divided into three main categories: software -based, hardware-based within the storage device, and hardware-based elsewhere (such as CPU or host bus adaptor ). Hardware-based full disk encryption within the storage device are called self-encrypting drives and have no impact on performance whatsoever. Furthermore,
2132-457: The media encryption keys are not as well protected. There are other (non-TCGA/OPAL based) self-encrypted drives (SED) that don't have the known vulnerabilities of the TCG/OPAL based drives (see section below). They are Host/OS and BIOS independent and don't rely on the TPM module or the motherboard BIOS, and their Encryption Key never leaves the crypto-boundary of the drive. All solutions for
BitLocker - Misplaced Pages Continue
2184-399: The media-encryption key never leaves the device itself and is therefore not available to any malware in the operating system. The Trusted Computing Group Opal Storage Specification provides industry accepted standardization for self-encrypting drives. External hardware is considerably faster than the software-based solutions, although CPU versions may still have a performance impact , and
2236-406: The pre-boot decryption. With a pre-boot authentication environment, the key used to encrypt the data is not decrypted until an external key is input into the system. Solutions for storing the external key include: All these possibilities have varying degrees of security; however, most are better than an unencrypted disk. Key escrow Key escrow (also known as a "fair" cryptosystem )
2288-459: The pre-boot environment, including the BIOS and MBR . If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow the bootup process to continue. However, TPM alone is not enough: All these attacks require physical access to the system and are thwarted by a secondary protector such as
2340-499: The process of request for access, examination of request for 'legitimacy' (as by a court ), and granting of access by technical personnel charged with access control. All such linkages / controls have serious problems from a system design security perspective. Systems in which the key may not be changed easily are rendered especially vulnerable as the accidental release of the key will result in many devices becoming totally compromised, necessitating an immediate key change or replacement of
2392-586: The same key for encrypting the whole drive, all of the data can be decrypted when the system runs. However, some disk encryption solutions use multiple keys for encrypting different volumes. If an attacker gains access to the computer at run-time, the attacker has access to all files. Conventional file and folder encryption instead allows different keys for different portions of the disk. Thus an attacker cannot extract information from still-encrypted files and folders. Unlike disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as
2444-445: The system. On a national level, key escrow is controversial in many countries for at least two reasons. One involves mistrust of the security of the structural escrow arrangement. Many countries have a long history of less than adequate protection of others' information by assorted organizations, public and private, even when the information is held only under an affirmative legal obligation to protect it from unauthorized access. Another
2496-404: The trusted boot pathway, including the BIOS and boot sector , BitLocker can mitigate this threat. (Note that some non-malicious changes to the boot path may cause a Platform Configuration Register check to fail, and thereby generate a false warning.) The "Transparent operation mode" and "User authentication mode" of BitLocker use TPM hardware to detect whether there are unauthorized changes to
2548-413: The user leaves the company without notice or forgets the password. Challenge–response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of disk encryption solutions. Some benefits of challenge–response password recovery: An emergency recovery information (ERI) file provides an alternative for recovery if a challenge–response mechanism
2600-456: The volume holding the operating system, at least two NTFS -formatted volumes are required: one for the operating system (usually C:) and another with a minimum size of 100 MB, which remains unencrypted and boots the operating system. (In case of Windows Vista and Windows Server 2008 , however, the volume's minimum size is 1.5 GB and must have a drive letter .) Unlike previous versions of Windows, Vista's "diskpart" command-line tool includes
2652-405: The whole volume has been encrypted when the volume is considered secure. BitLocker uses a low-level device driver to encrypt and decrypt all file operations, making interaction with the encrypted volume transparent to applications running on the platform. Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the operating system is running. Protection of
SECTION 50
#17327799081832704-436: Was designed to validate the integrity of Microsoft Windows boot and system files. When used in conjunction with a compatible Trusted Platform Module (TPM), BitLocker can validate the integrity of boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit access to a protected system. BitLocker was briefly called Secure Startup before Windows Vista's release to manufacturing . BitLocker
#182817