Title of Presentation - University of Reading


BitLocker™ Drive Encryption
A look under the covers
Steve Lamb
Technical Security Advisor, Microsoft UK
http://blogs.technet.com/steve_lamb
[email protected]
Agenda
• Is EFS Dead?
• A quick review
• What threats does it mitigate?
• What threats ARE NOT mitigated
• Enhancements @ Vista SP1
• To Gain Access We Need
• Deployment Considerations
• Resources
Is EFS Dead?
A Quick Review
BitLocker
What threats does it mitigate?
• Data @ rest (a lost or stolen disk is unreadable without a key protector)
• Over-riding Access Controls (booting another OS or mounting the disk elsewhere to bypass NTFS ACLs)
What threats ARE NOT mitigated?
• Stupid User!
• Stupid Admin!
• Removable Media (data copied off the encrypted volume is no longer protected)
• Weak Passwords (once the OS is running, BitLocker is transparent and access is gated by the logon password)
Enhancements @ SP1
• Multi-volume support (data volumes in addition to the OS volume)
• Key Rolling
What Is A Trusted Platform Module ?
TPM 1.2 spec:
www.trustedcomputinggroup.org
Secure the pre-boot environment
• Measure EVERYTHING
What do we measure?
[Figure: the measured boot chain. TPM Init → BIOS → MBR → BootSector → BootBlock → BootManager → OS Loader → Start OS. The Pre-OS stages and the Static OS boot components ("all boot blobs") are measured into the TPM and must be unlocked in turn before the volume blob of the target OS is unlocked.]
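To make the measurement chain concrete, here is an added Python simulation (example code written for this page, not Microsoft's or a TPM vendor's implementation) of the TPM 1.2 extend operation over the boot stages listed above, and of sealing a Volume Master Key so that it is released only when the chain re-measures identically. The component images, the single PCR and the ToyTPM class are constructed stand-ins: a real TPM seals to a composite of several PCRs and keeps the Storage Root Key in silicon. The property shown, that altering any pre-OS stage changes the digest and stops the unseal, is the one the slide relies on.

```python
import hashlib
import hmac
import secrets

# Stages measured before the OS starts, in the order the slide lists them.
# Each stage measures the next one into the TPM before handing over control.
BOOT_CHAIN = ["BIOS", "MBR", "BootSector", "BootBlock", "BootManager", "OSLoader"]


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || SHA-1(component)).

    A PCR can only be extended, never written, so the final value commits to
    every component and to the order in which they ran.
    """
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components: dict) -> bytes:
    """Replay a boot: TPM Init resets the PCR, then each stage is measured."""
    pcr = bytes(20)  # 20-byte SHA-1 PCR starts at all zeros after TPM Init
    for name in BOOT_CHAIN:
        pcr = pcr_extend(pcr, components[name])
    return pcr


class ToyTPM:
    """Constructed stand-in for the sealing part of a TPM.

    One PCR and an in-memory secret model the real check: the secret bound to
    a PCR value is only derivable by the TPM, and only for the current PCR.
    """

    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)  # never leaves the "chip"

    def _pad(self, pcr: bytes) -> bytes:
        # Key material bound to this exact PCR value.
        return hmac.new(self._srk, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, pcr: bytes) -> tuple:
        assert len(secret) == 32, "seal a 256-bit key"
        pad = self._pad(pcr)
        return pcr, bytes(a ^ b for a, b in zip(secret, pad))

    def unseal(self, blob: tuple, current_pcr: bytes) -> bytes:
        expected_pcr, ciphertext = blob
        # Integrity check: refuse unless the boot chain re-measured identically.
        if not hmac.compare_digest(expected_pcr, current_pcr):
            raise PermissionError("PCR mismatch: pre-boot environment changed")
        pad = self._pad(current_pcr)
        return bytes(a ^ b for a, b in zip(ciphertext, pad))


if __name__ == "__main__":
    # Constructed stand-ins for the boot component images.
    firmware = {name: f"{name}-image-v1".encode() for name in BOOT_CHAIN}
    tpm = ToyTPM()
    vmk = secrets.token_bytes(32)

    # When BitLocker is enabled: measure the known-good chain, seal the VMK to it.
    sealed_vmk = tpm.seal(vmk, measure_boot(firmware))

    # Normal boot: same components, same PCR, VMK released.
    assert tpm.unseal(sealed_vmk, measure_boot(firmware)) == vmk

    # Offline attack: the MBR is replaced; PCR differs, the TPM refuses.
    tampered = dict(firmware, MBR=b"bootkit")
    try:
        tpm.unseal(sealed_vmk, measure_boot(tampered))
    except PermissionError as err:
        print("unseal refused:", err)
```

Note that the PCR values themselves are not secret; what an attacker cannot do is produce the pad for the good PCR without the SRK, and cannot make a modified chain extend to the good value.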
To gain access we need
• The Full Volume Encryption Key (FVEK), which encrypts the data
• The Volume Master Key (VMK), which encrypts the FVEK
• Multiple places to store the VMK: the key protectors on the following slides
Volume Master Key – option 1: TPM → Access
Volume Master Key – option 2: TPM + PIN → Access
Volume Master Key – option 3: TPM + Startup Key → Access
Volume Master Key – option 4: Recovery Key / Startup Key on USB (no TPM) → Access
Volume Master Key – option 5: Recovery Password → Access
Keys and Protectors (“Authenticators”)
Where’s the Encryption Key?
1. Data is encrypted with the FVEK
2. The FVEK is encrypted with the VMK and then
stored in the volume metadata.
3. The VMK is encrypted by one or more key
protectors, then stored in the volume metadata.
4. The Trusted Platform Module will not decrypt the
VMK if the system integrity check fails.
[Figure: key hierarchy. DATA is encrypted with the FVEK (1); the FVEK is encrypted with the VMK (2); the VMK is wrapped by each protector (3): TPM, TPM+PIN, TPM+USB, a USB Key (Recovery or Non-TPM), or the 48-digit Recovery Password (shown truncated as 123456789012345678-); the TPM releases its copy only if the integrity check passes (4).]
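The four steps above can be run end to end. The Python below is an added example written for this page, not BitLocker's own code. The data, FVEK and VMK layers are modelled with an HMAC-SHA256 encrypt-then-MAC construction (a stand-in for BitLocker's AES-based modes, since the Python standard library has no AES). The recovery password is decoded with BitLocker's published rule that each six-digit group is a multiple of 11 whose quotient is a 16-bit value; the little-endian word order and the PBKDF2 stretch are assumptions standing in for BitLocker's own layout and SHA-256 stretching. The USB startup key is a constructed 256-bit key. The example also shows what the hierarchy buys you: the VMK can be re-keyed and protectors added or retired without re-encrypting the data.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    stream = b""
    for counter in range((length + 31) // 32):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return stream[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption stand-in: HMAC keystream, then HMAC tag."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; raises ValueError on a wrong key or a tampered blob."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or corrupted blob")
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, nonce, len(body))))


def recovery_password_to_key(password: str) -> bytes:
    """48-digit recovery password -> 128-bit key.

    Each of the 8 six-digit groups must be a multiple of 11 below 720896;
    group // 11 is one 16-bit word of the key (little-endian order assumed).
    """
    groups = password.split("-")
    if len(groups) != 8 or any(len(g) != 6 or not g.isdigit() for g in groups):
        raise ValueError("expected 8 groups of 6 digits separated by '-'")
    key = b""
    for g in groups:
        value = int(g)
        if value % 11 != 0 or value >= 720896:
            raise ValueError(f"invalid group {g}: not a multiple of 11 below 720896")
        key += (value // 11).to_bytes(2, "little")
    return key


def key_to_recovery_password(key: bytes) -> str:
    """Inverse: format a 128-bit key as the 48-digit recovery password."""
    assert len(key) == 16
    words = [int.from_bytes(key[i:i + 2], "little") for i in range(0, 16, 2)]
    return "-".join(f"{w * 11:06d}" for w in words)


def stretch(key: bytes, salt: bytes) -> bytes:
    """Key stretching stand-in (BitLocker uses its own iterated SHA-256)."""
    return hashlib.pbkdf2_hmac("sha256", key, salt, 50_000, dklen=32)


def create_volume(data: bytes):
    """Steps 1 and 2: encrypt data under the FVEK, wrap the FVEK under the VMK."""
    fvek, vmk = secrets.token_bytes(32), secrets.token_bytes(32)
    metadata = {"fvek": wrap(vmk, fvek), "protectors": {}}
    return wrap(fvek, data), metadata, vmk


def add_protector(metadata: dict, vmk: bytes, name: str, protector_key: bytes) -> None:
    """Step 3: each protector holds its own wrapped copy of the VMK."""
    metadata["protectors"][name] = wrap(protector_key, vmk)


def open_volume(ciphertext: bytes, metadata: dict, name: str, protector_key: bytes) -> bytes:
    """Unlock through any one protector: protector -> VMK -> FVEK -> data."""
    vmk = unwrap(protector_key, metadata["protectors"][name])
    fvek = unwrap(vmk, metadata["fvek"])
    return unwrap(fvek, ciphertext)


def roll_vmk(metadata: dict, vmk: bytes, protector_keys: dict) -> bytes:
    """Re-key the VMK layer; the data ciphertext is untouched.

    Only protectors named in protector_keys are re-wrapped; any other is retired.
    """
    fvek = unwrap(vmk, metadata["fvek"])
    new_vmk = secrets.token_bytes(32)
    metadata["fvek"] = wrap(new_vmk, fvek)
    metadata["protectors"] = {n: wrap(k, new_vmk) for n, k in protector_keys.items()}
    return new_vmk


if __name__ == "__main__":
    data = b"constructed sample of volume contents"  # constructed input
    ciphertext, metadata, vmk = create_volume(data)
    salt = secrets.token_bytes(16)  # would live in the volume metadata
    password = key_to_recovery_password(secrets.token_bytes(16))
    add_protector(metadata, vmk, "recovery", stretch(recovery_password_to_key(password), salt))
    usb_key = secrets.token_bytes(32)  # constructed contents of the USB startup key
    add_protector(metadata, vmk, "usb", usb_key)
    assert open_volume(ciphertext, metadata, "usb", usb_key) == data
    print("recovery password:", password)
```

Because every protector wraps the same VMK, losing the TPM or the USB stick is survivable as long as one other protector exists, and retiring a protector is a metadata change rather than a re-encryption of the volume.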
Disk Configuration
• Partitioning guidelines:

Layout                                   Partition 1                          Partition 2                 Partition 3
WinRE and BitLocker on separate          BitLocker, Type 0x7,                 Windows RE, Type 0x27,      Windows Vista, Type 0x7
partitions                               1.5GB (Active)                       1GB
Windows RE and BitLocker on the          RE/BitLocker, Type 0x7,              Windows Vista, Type 0x7     Not needed
same partition                           1.5GB (Active)
You can measure the BIOS too
Deployment Considerations
Understanding the Options with the Windows Vista Security Guide
• Unique GPO Accelerator tool deploys security configurations in minutes vs. hours
• Tested guidance by Windows Vista Security Experts
• Preconfigured, customizable security settings
Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality
Solution Accelerators: Act faster. Go further.
Please fill in your Evaluation Form
Resources
• Data Encryption Toolkit for Mobile PCs
• BitLocker Drive Encryption Technical Overview
• Keys to Protecting Data with BitLocker Drive Encryption
• Developing Credential Providers for Windows Vista
• Create Custom Login Experiences With Credential Providers For Windows Vista
Resources
Technical Communities, Webcasts, Blogs, Chats & User Groups
http://www.microsoft.com/communities/default.mspx
Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx
Microsoft Developer Network (MSDN) & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet
Trial Software and Virtual Labs
http://www.microsoft.com/technet/downloads/trials/default.mspx
Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
© 2007 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.