Windows BitLocker Drive Encryption is a new security feature that provides better data protection for your computer, by encrypting all data stored on the Windows operating system volume.
In Windows 7, a volume consists of one or more partitions on one or more hard disks. BitLocker works with simple volumes, where one volume is one partition. A volume usually has a drive letter assigned, such as "C:".
A Trusted Platform Module (TPM) is a microchip that is built into a computer. It is used to store cryptographic information, such as encryption keys. Information stored on the TPM can be more secure from external software attacks and physical theft.
- BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
- BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script.
When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
How does BitLocker Drive Encryption work?
If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
- Encrypting the entire volume protects all of the data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the keys needed to decrypt data remain locked by the TPM, an attacker cannot read the data just by removing your hard disk and installing it in another computer.
- During the startup process, the TPM releases the key that unlocks the encrypted partition only after comparing a hash of important operating system configuration values with a snapshot taken earlier.
This verifies the integrity of the Windows startup process. The key is not released if the TPM detects that your Windows installation has been tampered with.
What is a TPM?
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys.
- The TPM is usually installed on the motherboard of a desktop or portable computer, and communicates with the rest of the system by using a hardware bus.
- Computers that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can be decrypted only by the TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure.
- Each TPM has a master wrapping key, called the Storage Root Key (SRK), which is stored within the TPM itself. The private portion of a key created in a TPM is never exposed to any other component, software, process, or person.
- Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to specific hardware or software conditions. This is called "sealing" a key.
- When a sealed key is first created, the TPM records a snapshot of configuration values and file hashes. A sealed key is only "unsealed" or released when those current system values match the ones in the snapshot.
- BitLocker uses sealed keys to detect attacks against the integrity of the Windows operating system.
With a TPM, private portions of key pairs are kept separated from the memory controlled by the operating system. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely upon the operating system and is not exposed to external software vulnerabilities.
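The startup check described above (the TPM compares a hash of the boot configuration with an earlier snapshot and releases the key only on a match) and the "sealing" bullets can be made concrete with a small model. The following is an added example, not Microsoft's code or the TPM specification: FakeTpm, measure_boot and the boot component strings are constructed for illustration, and a hash-derived pad stands in for the TPM's internal cipher.

```python
import hashlib
import hmac
import os
# Constructed model of TPM sealing (added example, not Microsoft's code or the TPM
# specification; FakeTpm, measure_boot and the boot components are assumed names):
# a register is extended with a hash of each boot component, and a sealed key is
# released only when the register equals the snapshot recorded at seal time.
def extend(register: bytes, component: bytes) -> bytes:
    """Fold one component hash into the register; order and content both matter."""
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure_boot(components):
    """Measure a boot chain in order, starting from an all-zero register."""
    register = b"\x00" * 32
    for component in components:
        register = extend(register, component)
    return register

class FakeTpm:
    def __init__(self):
        self._srk = os.urandom(32)  # Storage Root Key: never leaves the TPM object
    def seal(self, key: bytes, snapshot: bytes) -> dict:
        # Wrap the key under a pad derived from the SRK, a fresh nonce and the snapshot
        # (a stand-in for the TPM's internal cipher), then MAC the blob to detect edits.
        nonce = os.urandom(16)
        pad = hashlib.sha256(self._srk + nonce + snapshot).digest()
        blob = bytes(a ^ b for a, b in zip(key, pad))
        tag = hmac.new(self._srk, nonce + snapshot + blob, hashlib.sha256).digest()
        return {"nonce": nonce, "snapshot": snapshot, "blob": blob, "tag": tag}

    def unseal(self, sealed: dict, current: bytes):
        """Return the key only if current measurements equal the sealed snapshot."""
        if not hmac.compare_digest(current, sealed["snapshot"]):
            return None  # startup chain changed: the key stays locked in the TPM
        data = sealed["nonce"] + sealed["snapshot"] + sealed["blob"]
        if not hmac.compare_digest(hmac.new(self._srk, data, hashlib.sha256).digest(), sealed["tag"]):
            return None  # the sealed blob itself was altered
        pad = hashlib.sha256(self._srk + sealed["nonce"] + sealed["snapshot"]).digest()
        return bytes(a ^ b for a, b in zip(sealed["blob"], pad))

def demo():
    """Seal a constructed volume key to a boot chain; test an unchanged and a modified boot."""
    tpm = FakeTpm()
    volume_key = os.urandom(32)
    boot = [b"firmware 1.0", b"bootmgr", b"winload.exe", b"bcd: default"]
    sealed = tpm.seal(volume_key, measure_boot(boot))
    released = tpm.unseal(sealed, measure_boot(boot))
    withheld = tpm.unseal(sealed, measure_boot(boot[:2] + [b"winload.exe (modified)"] + boot[3:]))
    return released == volume_key, withheld is None
```

Because each component is folded into the register in sequence, changing any file in the chain, or the order in which it loads, produces a different measurement and the key is withheld.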
Difference between BitLocker in Windows Vista and Windows 7
The BitLocker feature was introduced in Windows Vista and allowed you to encrypt the contents of your hard drive. In Windows 7, BitLocker also lets you encrypt removable USB flash drives.
How do you use BitLocker?
Right-click the flash drive you want to encrypt and select Turn on BitLocker.
- After BitLocker initializes the flash drive, you will need to enter a password to unlock the drive. You can also set up a smart card, which is usually used in a work environment.
- Next, you will be prompted to store the recovery key, which is used in the event you lose your password or smart card. If you store it as a file, make sure it is not on the same drive that you are encrypting.
- After the key has been saved as a file or printed, you will see a confirmation message.
- Finally, you are ready to start encrypting the drive, so click the Start Encrypting button.
While the drive is encrypting, a progress screen is displayed.
After a successful encryption of the USB flash drive, notice that the drive icon changes to show it is encrypted with BitLocker: a gold lock indicates the drive is locked, and a gray lock is displayed after you have unlocked it.
Right-click on that icon to bring up options to manage BitLocker encryption.
The next time you plug the drive into a Windows 7 machine, you will be prompted to enter the password to gain access to the drive. You can also choose to have it automatically unlocked on specific machines in the future.