Examining BitLocker’s Drive Encryption

BitLocker was first introduced with the release of Windows Vista. Since entering the Windows Server 2008 family of operating systems, Microsoft has continued to improve BitLocker by adding new features, for example: support for data volumes, smart card certificates, data recovery agents, USB flash drives, a new RSAT BitLocker interface, and so on.

Understanding Its Benefits
By using BitLocker in conjunction with Windows Server 2008 R2, an organization can enjoy a number of benefits:

. Prevention of unauthorized access to data at rest, which is located on Windows managed system volumes, data volumes, and USB flash drives.

. Support for integrity checking of early boot components using Trusted Platform Module (TPM) to ensure that a machine has not been tampered with and that encrypted materials are located on the original machine.

. Protection against cold boot attacks by requiring an interactive form of authentication (including a PIN or a USB key) in addition to the presence of the TPM hardware before a machine will boot or resume from hibernation.

. Support for escrow of BitLocker recovery materials in Active Directory.

. A streamlined recovery process, which can be delegated to non-Domain Administrators.

. Windows Server 2008 R2 and Windows 7 automatically creates the necessary BitLocker disk partitions during installation.

. Support for BitLocker protection on USB flash drives. This feature is called BitLocker To Go.

. Lastly, support for Data Recovery Agent (DRA) support so that authorized IT administrators will always have access to BitLocker protected volumes.


Understanding TPM
The term Trusted Platform Module (TPM) is used to refer to both the name of a published specification by the Trusted Computing Group for a secure cryptoprocessor and the implementation
of that specification in the form of a TPM chip. A TPM chip’s main purpose in life is the secure generation of cryptographic keys, the protection of those keys, and the ability to act as a hardware pseudo-random number generator. In addition, a TPM chip can also provide remote attestation and sealed storage. Remote attestation is a feature in which a hash key summary is created based on a machine’s current hardware and software configuration. Typically, remote attestation is used by third-party applications such as BitLocker to ensure a machine’s state has not been tampered with. Sealed storage is used to encrypt data such that it may only be decrypted once the TPM chip releases the appropriate decryption key. This release is only done by TPM chip once the required authenticator for that data has been provided. Lastly, a TPM chip can also be used to authenticate hardware devices.

In BitLocker, a TPM chip is used to protect the encryption keys and provide integrity authentication for a trusted boot pathway (that is, BIOS, boot sector, and so on). This type of TPM-supported protection is only performed when BitLocker is in either Transparent Operation mode or User Authentication mode. When in either of these modes, BitLocker uses the TPM chip to detect if there are unauthorized changes to the preboot environment (trusted boot pathway protection) such as the BIOS and MBR. If unauthorized changes were made, BitLocker will then request that a recovery key be provided before the Volume Master Key can be decrypted and bootup of the machine can continue.

Source of Information : Sams - Windows Server 2008 R2 Unleashed