Original title: Windows 10 and Bitlocker. I just upgraded to Windows 10 and someone told me to use Bitlocker for encryption. I can't find it. Is is something I need to download? I thought it was part of the upgrade to 10. May 06, 2019 If you want to use standard BitLocker encryption instead, it's available on supported devices running Windows 10 Pro, Enterprise, or Education. Some devices have both types of encryption. For example, a Surface Pro which runs Windows 10 Pro has both the simplified device encryption experience, and the full BitLocker management controls.
Applies to
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see Secure boot and BitLocker Device Encryption overview.For a general overview and list of topics about BitLocker, see BitLocker.
Jul 05, 2016 Windows 10, similar to previous versions, includes BitLocker Drive Encryption, a feature that allows you to use encryption on your PC's hard drive.
When users travel, their organizationâs confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7.
Table 2. Data Protection in Windows 10 and Windows 7
Prepare for drive and file encryption
The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thatâs a scenario that organizations need to avoid.Whether youâre planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
TPM pre-provisioning
In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in usersâ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10.
BitLocker Device Encryption
Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition.
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). https://brownnoble734.weebly.com/gameboy-advance-emulator.html. In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
Encrypted hard drive support
SEDs have been available for years, but Microsoft couldnât support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PCâs processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.For more information about encrypted hard drives, see Encrypted Hard Drive.
Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. https://brownnoble734.weebly.com/photo-booth-app-for-pc.html. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devicesâ configuration they may not offer additional security when it comes to key protection. For more information, see BitLocker Countermeasures.
Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second âsomething you knowâ). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.For more information about how startup security works and the countermeasures that Windows 10 provides, see Protect BitLocker from pre-boot attacks.
Configure Network Unlock
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).Network Unlock requires the following infrastructure:
For more information about how to configure Network Unlock, see BitLocker: How to enable Network Unlock.
Microsoft BitLocker Administration and Monitoring
Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
For more information about MBAM, including how to obtain it, see Microsoft BitLocker Administration and Monitoring on the MDOP TechCenter.
BitLocker is a full volume encryption feature included with Microsoft Windows (Pro and Enterprise only) versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode[1] with a 128-bit or 256-bit key.[2][3] CBC is not used over the whole disk; it is applied to each individual sector.[4]
History[edit]
BitLocker originated as a part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 as a feature tentatively codenamed 'Cornerstone',[5][6] and was designed to protect information on devices, particularly in the event that a device was lost or stolen; another feature, titled 'Code Integrity Rooting', was designed to validate the integrity of Microsoft Windows boot and system files.[5] When used in conjunction with a compatible Trusted Platform Module (TPM), BitLocker can validate the integrity of boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit access to a protected system.[7][8] BitLocker was briefly called Secure Startup prior to Windows Vista being released to manufacturing.[7]
BitLocker is available on:
Features[edit]
Initially, the graphical BitLocker interface in Windows Vista could only encrypt the operating system volume. Starting with Windows Vista with Service Pack 1 and Windows Server 2008, volumes other than the operating system volume could be encrypted using the graphical tool. Still, some aspects of the BitLocker (such as turning autolocking on or off) had to be managed through a command-line tool called
manage-bde.wsf .[14]
The version of BitLocker, included in Windows 7 and Windows Server 2008 R2, adds the ability to encrypt removable drives. On Windows XP or Windows Vista, read-only access to these drives can be achieved through a program called BitLocker To Go Reader, if FAT16, FAT32 or exFAT filesystems are used.[15] In addition, a new command-line tool called
manage-bde replaced the old manage-bde.wsf .[16]What Is Bitlocker Drive Encryption Service Windows 10
Starting with Windows Server 2012 and Windows 8, Microsoft has complemented BitLocker with the Microsoft Encrypted Hard Drive specification, which allows the cryptographic operations of BitLocker encryption to be offloaded to the storage device's hardware.[17][18] In addition, BitLocker can now be managed through Windows PowerShell.[19] Finally, Windows 8 introduced Windows To Go in its Enterprise edition, which BitLocker can protect.[20]
Device encryption[edit]
Windows Mobile 6.5, Windows RT and core edition of Windows 8.1 include device encryption, a feature-limited version of BitLocker that encrypts the whole system.[21][22][23] Logging in with a Microsoft account with administrative privileges automatically begins the encryption process. The recovery key is stored to either the Microsoft account or Active Directory, allowing it to be retrieved from any computer. While device encryption is offered on all versions of 8.1, unlike BitLocker, device encryption requires that the device meet the InstantGo (formerly Connected Standby) specifications,[23] which requires solid-state drives, non-removable RAM (to protect against cold boot attacks) and a TPM 2.0 chip.[21][24]
Starting with Windows 10 1703, the requirements for device encryption have changed, requiring a TPM 1.2 or 2.0 module with PCR 7 support, UEFI Secure Boot, and that the device meets Modern Standby requirements or HSTI validation.[25] Gba rom hacking tools.
In September 2019 new update was released (KB4516071[26]) changing the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. This is due hardware encryption flaws and security concerns related to those issues[27].
Encryption modes[edit]
There are three authentication mechanisms that can be used as building blocks to implement BitLocker encryption:[28]
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
Operation[edit]
BitLocker is a logical volume encryption system. (A volume spans part of a hard disk drive, the whole drive or more than one drive.) When enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS and boot sector), in order to prevent most offline physical attacks and boot sector malware.[35]
What Is Bitlocker Encryption Windows 10
In order for BitLocker to encrypt the volume holding the operating system, at least two NTFS-formatted volumes are required: one for the operating system (usually C:) and another with a minimum size of 100 MB, which remains unencrypted and boots the operating system.[35] (In case of Windows Vista and Windows Server 2008, however, the volume's minimum size is 1.5 GB and must have a drive letter.)[36] Unlike previous versions of Windows, Vista's 'diskpart' command-line tool includes the ability to shrink the size of an NTFS volume so that this volume may be created from already allocated space. A tool called the BitLocker Drive Preparation Tool is also available from Microsoft that allows an existing volume on Windows Vista to be shrunk to make room for a new boot volume and for the necessary bootstrapping files to be transferred to it.[37]
Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk encryption key protection mechanisms such as TPM, PIN or USB key are configured.[38] The volume is then encrypted as a background task, something that may take a considerable amount of time with a large disk as every logical sector is read, encrypted and rewritten back to disk.[38] The keys are only protected after the whole volume has been encrypted, when the volume is considered secure.[39] BitLocker uses a low-level device driver to encrypt and decrypt all file operations, making interaction with the encrypted volume transparent to applications running on the platform.[38]
Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the operating system is running. Protection of the files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS, therefore, offer protection against different classes of attacks.[40]
In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Services are hosted on a Windows version previous to Windows Server 2008).
BitLocker and other full disk encryption systems can be attacked by a rogue boot manager. Once the malicious bootloader captures the secret, it can decrypt the Volume Master Key (VMK), which would then allow access to decrypt or modify any information on an encrypted hard disk. By configuring a TPM to protect the trusted boot pathway, including the BIOS and boot sector, BitLocker can mitigate this threat. (Note that some non-malicious changes to the boot path may cause a Platform Configuration Register check to fail, and thereby generate a false warning.)[35]
Security concerns[edit]
According to Microsoft sources,[41] BitLocker does not contain an intentionally built-in backdoor; without a backdoor there is no way for law enforcement to have a guaranteed passage to the data on the user's drives that is provided by Microsoft. In 2006 the UK Home Office expressed concern over the lack of a backdoor[42] and tried entering into talks with Microsoft to get one introduced, although Microsoft developer Niels Ferguson and other Microsoft spokesmen state that they will not grant the wish to have one added.[43] Microsoft engineers have said that FBI agents also put pressure on them in numerous meetings in order to add a backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested to the FBI that agents should look for the hard-copy of the key that the BitLocker program suggests its users to make.[44] Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, are proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement.[45][46]
The 'Transparent operation mode' and 'User authentication mode' of BitLocker use TPM hardware to detect if there are unauthorized changes to the pre-boot environment, including the BIOS and MBR. If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow the bootup process to continue.[47]
Nevertheless, in February 2008, a group of security researchers published details of a so-called 'cold boot attack' that allows full disk encryption systems such as BitLocker to be compromised by booting the machine off removable media, such as a USB drive, into another operating system, then dumping the contents of pre-boot memory.[48] The attack relies on the fact that DRAMretains information for up to several minutes (or even longer if cooled) after power has been removed. There is the Bress/Menz device described in US Patent 9,514,789 that can accomplish this type of attack.[49] Use of a TPM alone does not offer any protection, as the keys are held in memory while Windows is running. Similar full disk encryption mechanisms of other vendors and other operating systems, including Linux and Mac OS X, are vulnerable to the same attack. The authors recommend that computers be powered down when not in physical control of the owner (rather than be left in a sleep mode) and that the encryption software be configured to require a password to boot the machine.[48]
Bitlocker Download
Once a BitLocker-protected machine is running, its keys are stored in memory where they may be susceptible to attack by a process that is able to access physical memory, for example, through a 1394 or ThunderboltDMA channel.[50]
Starting with Windows 8 and Windows Server 2012 Microsoft removed the Elephant Diffuser from the BitLocker scheme for no declared reason.[51] Dan Rosendorf's research shows that removing the Elephant Diffuser had an 'undeniably negative impact' on the security of BitLocker encryption against a targeted attack.[52] Microsoft later cited performance concerns, and noncompliance with the Federal Information Processing Standards (FIPS), to justify the diffuser's removal.[53] Starting with Windows 10 version 1511, however, Microsoft added a new FIPS-compliant XTS-AES encryption algorithm to BitLocker.[1]
On 10 November 2015, Microsoft released a security update to mitigate a security vulnerability in BitLocker that allowed authentication to be bypassed by employing a malicious Kerberos key distribution center, if the attacker had physical access to the machine, the machine was part of domain and had no PIN or USB protection.[54]
In October 2017, it was reported that a flaw in a code library developed by Infineon, which had been in widespread use in security products such as smartcards and TPMs, enabled private keys to be inferred from public keys. This could allow an attacker to bypass BitLocker encryption when an affected TPM chip is used.[55] Microsoft released an updated version of the firmware for Infineon TPM chips that fixes the flaw via Windows Update.[56]
See also[edit]What Is Bitlocker Recovery Windows 10References[edit]
![]() External links[edit]
Retrieved from 'https://en.wikipedia.org/w/index.php?title=BitLocker&oldid=919163847'
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |