BitLocker: Is It Really Secure?

Expert Reference Series of White Papers
Introduction: What Is It?
BitLocker, whose full name is Windows BitLocker Full Drive Encryption, is a new technology available in Windows Vista Enterprise and Windows Vista Ultimate, and also in Windows Server 2008. It is one of the new security features for both business and personal users, designed to address the threat of unauthorized access to data and illegitimate booting of the operating system. BitLocker addresses a long history of vulnerability: data theft by booting a computer with stolen credentials, by using external attack tools such as bootable operating systems on CD-ROM or USB boot devices, or by transferring a computer's hard drive to a foreign system and reading it there. Other concerns are unauthorized access to a stolen laptop or desktop computer, and access to a recycled or decommissioned computer. BitLocker encrypts the volume that runs the operating system, while Windows Server 2008 can additionally encrypt other volumes.
By design, BitLocker encrypts the entire Windows operating system volume on the hard drive, including the operating system files, user data, hibernation file, page file, and temporary files. Any application installed on the system volume benefits from this protection. BitLocker also verifies the integrity of the early boot components and the boot configuration data, so that any alteration of the boot process prevents the operating system from starting. It is as valuable for servers as it is for laptops and desktops, especially machines at remote or branch offices that are less physically protected. BitLocker-protected machines might be physically compromised or stolen; even then, the data on the system disk remains protected. These features are extremely important to owners and users of laptops, who benefit from knowing that their information cannot be accessed. This is extremely reassuring.
What Is Needed


Not all versions of Windows Vista have the BitLocker feature. The only Windows Vista versions that come with BitLocker are the higher priced Windows Vista Enterprise and Windows Vista Ultimate. Upgrade paths are in place that allow owners of other versions of Windows Vista to upgrade to either Enterprise or Ultimate.
The most secure way to implement BitLocker is to have a computer with a cryptographic hardware microchip called the Trusted Platform Module (TPM) version 1.2 or later, along with a Trusted Computing Group (TCG) compliant BIOS. The TPM is a hardware component pre-installed on newer computers to protect data and ensure that the computer has not been tampered with while the system was offline or shut down. This component allows the option to lock the normal startup process until the user supplies a personal identification number (PIN).
Mark Mizrahi, Global Knowledge Instructor, MCSE, MCT, CEH
Copyright ©2007 Global Knowledge Training LLC. All rights reserved.
It should be noted that computers with the TPM hardware components preinstalled are hard to find, probably due to the manufacturers' desire to keep costs low. Since the majority of sales are versions of Windows Vista that do not support BitLocker, hardware is pre-built without the TPM components and TCG-compliant BIOS.
Another, although less secure, way to use BitLocker on computers that do not have the TPM hardware is to insert a removable USB device, such as a flash drive, that contains a startup key. This implementation does not provide the pre-startup system integrity verification offered by BitLocker working with TPM hardware.
Optionally, in a domain environment, BitLocker supports the remote escrow of keys to Active Directory Domain Services (AD DS), as well as a Windows Management Instrumentation (WMI) interface with scripting support for remote administration of this feature. BitLocker can also be configured with Group Policy Objects (GPO).
Either method provides multi-factor authentication and ensures that the computer will not start, or even resume from hibernation, until the correct PIN or startup key is supplied.
For BitLocker to function, the hard disk requires at least two NTFS-formatted volumes: one volume that holds the files that boot the operating system, known as the system volume, with a minimum size of 1.5 GB, and another volume that holds the operating system, known as the boot partition. If two volumes are not available, Windows Vista has the "diskpart" command-line tool, which can shrink an NTFS volume so that the system volume for BitLocker can be created.
How It Works
BitLocker provides three modes of operation: Transparent Operation Mode, User Authentication Mode, and USB
Key Mode. The first two modes require the TPM (version 1.2 or later) and TCG-compliant BIOS. The third mode
does not require a TPM chip.
Transparent operation mode: This mode exploits the capabilities of the TPM 1.2 hardware to make BitLocker transparent to the user, who logs on to Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and is released to the OS loader code only if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement, a methodology specified by the Trusted Computing Group.
User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in order to boot the OS. Two authentication methods are supported: a pre-boot PIN entered by the user, or an inserted Universal Serial Bus (USB) device that contains the required startup key. The USB device does not require a TPM chip.
USB Key: The user must insert a USB device that contains a startup key into the computer to be able to boot
the protected OS. This mode requires that the BIOS on the protected machine support the reading of USB
devices in the pre-OS environment.
BitLocker encrypts data using the Advanced Encryption Standard (AES) with key lengths of 128 or 256 bits, plus an optional diffuser. The default encryption setting is AES 128-bit with the Elephant diffuser. The AES algorithm was chosen in part because of its fast performance. According to Microsoft, BitLocker imposes a single-digit percentage of overhead. All BitLocker encryption is done in the background, and decryption is done block by block as data is requested.
BitLocker uses the TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted volume accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.
BitLocker helps ensure the integrity of the startup process by:
• Providing a method to check that early boot file integrity has been maintained, and helping ensure that there has been no adversarial modification of those files, such as by boot sector viruses or rootkits.
• Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.
• Locking the system when tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
Authentication modes in the boot sequence
BitLocker supports four different authentication modes, depending on the computer's hardware capabilities
and the desired level of security:
• BitLocker with a TPM (no additional authentication factors)
• BitLocker with a TPM and a PIN
• BitLocker with a TPM and a USB startup key
• BitLocker without a TPM (USB startup key required)
Each time Windows Vista starts up with BitLocker enabled, the boot code performs a sequence of steps based on the volume protections set. These steps can include system integrity checks and other authentication steps (PIN or USB startup key) that must be verified before the protected volume is unlocked.
For recovery purposes, BitLocker uses a recovery key (stored on a USB device) or a recovery password (a numerical password), as shown in the BitLocker Architecture section below. You create the recovery key or recovery password during BitLocker initialization. Inserting the recovery key or typing the recovery password enables an authorized user to regain access to the encrypted volume in the event of an attempted security breach or system failure.
BitLocker searches for keys in the following sequence:
1. Clear key: System integrity verification has been disabled and the BitLocker volume master key is freely accessible. No authentication is necessary.
2. Recovery key or startup key (if present): If a recovery key or startup key is present, BitLocker will use that key immediately and will not attempt other means of unlocking the volume.
3. Authentication
   1. TPM: The TPM successfully validates early boot components to unseal the volume master key.
   2. TPM + startup key: The TPM successfully validates early boot components and a USB flash drive containing the correct startup key has been inserted.
   3. TPM + PIN: The TPM successfully validates early boot components and the user enters the correct PIN.
4. Recovery
   1. Recovery password: The user must enter the correct recovery password.
   2. Recovery key: If none of the above steps successfully unlocks the drive, the user is prompted to insert the USB flash drive that holds the recovery key, and then restart the computer.
TPM-only scenario
In this scenario, BitLocker is enabled on a computer that has a TPM, but no additional authentication factors have been enabled. The hard disk is partitioned with two volumes:
• The system volume that contains the files that boot the operating system
• The Windows Vista operating system volume known as the boot volume
As shown in Figure 1, BitLocker encrypts the operating system volume with a full volume encryption key. This
key is itself encrypted with the volume master key, which, in turn, is encrypted by the TPM.
Figure 1. Accessing a BitLocker-enabled volume with TPM protection
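As an added illustration of the two mechanisms described above, the Static Root of Trust Measurement and the key chain of Figure 1 (FVEK wrapped by the volume master key, VMK sealed by the TPM), here is a constructed Python model; it is not code from the white paper or from Microsoft's implementation. The PCR extend formula follows the TCG definition, but the wrap function, the TPM root secret and the boot component names are stand-ins, not BitLocker's real algorithms or file names.

```python
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()
def measure_boot(components) -> bytes:
    """Static root of trust measurement: extend each early boot component in order."""
    pcr = bytes(32)  # PCRs start at zero at power-on
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

def _keystream(key: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]
def wrap(kek: bytes, data: bytes) -> bytes:
    """Toy authenticated wrap (stand-in for AES key wrapping): ciphertext || HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(kek, len(data))))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()
def unwrap(kek: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag fails (wrong key or wrong PCR state)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, len(ct))))

class Tpm:
    """Seals data to a PCR digest; only the same digest at unseal time releases it."""
    def __init__(self):
        self.root = os.urandom(32)  # chip-bound secret that never leaves the TPM
    def _kek(self, pcr): return hmac.new(self.root, pcr, hashlib.sha256).digest()
    def seal(self, pcr, data): return wrap(self._kek(pcr), data)
    def unseal(self, pcr, blob): return unwrap(self._kek(pcr), blob)

def unlock_volume(tpm, sealed_vmk, wrapped_fvek, boot_components):
    """Boot-time path: measure, unseal the VMK, unwrap the FVEK. Returns FVEK or None."""
    vmk = tpm.unseal(measure_boot(boot_components), sealed_vmk)
    return None if vmk is None else unwrap(vmk, wrapped_fvek)

def demo():
    """Returns (unlocked_with_intact_boot, blocked_after_boot_file_modified)."""
    tpm, vmk, fvek = Tpm(), os.urandom(32), os.urandom(32)
    good_boot = [b"MBR", b"boot manager", b"BCD store"]  # constructed placeholders
    sealed_vmk = tpm.seal(measure_boot(good_boot), vmk)
    wrapped_fvek = wrap(vmk, fvek)
    tampered = [b"MBR", b"boot manager (modified)", b"BCD store"]
    return (unlock_volume(tpm, sealed_vmk, wrapped_fvek, good_boot) == fvek,
            unlock_volume(tpm, sealed_vmk, wrapped_fvek, tampered) is None)
```

Because the VMK is sealed to the measurement rather than to a password, an alternative boot medium or a modified boot file changes the PCR value and the TPM never releases the VMK, which is the "locking the system when tampered with" behaviour listed earlier.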
This scenario can be enabled or disabled by the local administrator using the BitLocker applet under the Security item in Control Panel in Windows Vista. Turning BitLocker off decrypts the volume and removes all keys. New keys are created when BitLocker is turned back on at a later time.
Enhanced Authentication Scenarios
These scenarios add additional authentication factors to the basic scenario described previously. As shown in
Figure 2, using BitLocker on a computer that has a TPM offers two multifactor authentication options:
Figure 2. Accessing a BitLocker-enabled volume with enhanced protection