SECCT10: BitLocker™ Drive Encryption Deployment
Russell Humphries, Senior Product Manager – Windows Vista Security


Page 1:

SECCT10: BitLocker™ Drive Encryption Deployment

Russell Humphries

Senior Product Manager – Windows Vista Security

Page 2:

Disclaimer

• This presentation contains preliminary information that may be changed substantially prior to final commercial release of the software described herein.

• The information contained in this presentation represents the current view of Microsoft Corporation on the issues discussed as of the date of the presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of the presentation.

• This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

• Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this presentation. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this information does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

• © 2006 Microsoft Corporation. All rights reserved.

Page 3:

Information Loss Is Costly

Information loss – whether via theft or accidental leakage – is costly on several levels:

Financial

• The U.S. Dept of Justice estimates that intellectual property theft cost enterprises $250 billion in 2004

• Loss of revenue, market capitalization, and competitive advantage

Image & Credibility

• Leaked executive e-mails can be embarrassing

• Unintended forwarding of sensitive information can adversely impact the company’s image and/or credibility

Legal & Regulatory Compliance

• Increasing regulation: SOX, HIPAA, GLBA

• Bringing a company into compliance can be complex and expensive

• Non-compliance can lead to significant legal fees, fines and/or settlements

Page 4:

“BitLocker Drive Encryption provides stronger protection for data stored on your Windows Vista™ systems – even when the system is in unauthorized hands or is running a different or attacking OS. BitLocker does this by utilizing full volume encryption; this prevents a thief who boots another OS or runs a software disk inspection tool from breaking Vista file and system protections or even the offline viewing of data files.”

Page 5:

BitLocker Drive Encryption

BitLocker Drive Encryption fully encrypts the entire Windows Vista volume.

Designed specifically to prevent the unauthorized disclosure of data when it is at rest.

Provides data protection on your Windows client systems, even when the system is in unauthorized hands.

Designed to utilize a v1.2 Trusted Platform Module (TPM) for secure key storage and boot environment authentication


Page 6:

Security Management

(triangle diagram: secure, usable, affordable)

Adapted from Jesper M. Johansson, “Security Management”, Microsoft TechNet

Page 7:

Who are these people?

Attacker types: Vandal, Trespasser, Thief, Spy, Author

Motivations: National Interest, Personal Gain, Personal Fame, Curiosity

Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist

Page 8:

Who are these people? (the same chart as the previous slide, with callouts)

Attacker types: Vandal, Trespasser, Thief, Spy, Author

Motivations: National Interest, Personal Gain, Personal Fame, Curiosity

Skill levels: Script-Kiddy, Undergraduate, Expert, Specialist

Callouts on the chart: Largest area by volume; Largest area by $ lost; Largest area by $ spent; Fastest growing segment

Page 9:

Spectrum of Protection

(chart axes: Security vs. Ease of Use)

TPM Only
  Protects against: SW-only attacks
  Vulnerable to: Some HW attacks

TPM + PIN
  Protects against: Many HW attacks
  Vulnerable to: Some HW attacks

Dongle Only
  Protects against: All HW attacks
  Vulnerable to: Losing dongle; Pre-OS attacks; Dongle left with device

TPM + Dongle
  Protects against: Software and HW attacks
  Vulnerable to: Losing dongle; Dongle left with device

BitLocker offers a spectrum of protection allowing customers to balance ease-of-use against the threats they are most concerned with.

Page 10:

BitLocker disk layout

Page 11:

Ease of Deployment

Integration with existing infrastructure

Deployment features:

• Functionality fully exposed by WMI

• Supplied MMC plug-in

• Integrates with Group Policy

• Active Directory
  – Seamless integration with Longhorn Server
  – Schema extensions available for Server 2003 SP1 and higher
  – Auto-escrow of recovery keys enabled by default
  – Confidential bit set on keys; read-only by admin only

Page 12:

BitLocker TPM Administration Storyboard – New Machine

Basic TPM Administration/Deployment

1. Machine arrives at enterprise in un-initialized state.
2. Turn TPM on.
3. Check for physical presence by rebooting the machine and prompting user at BIOS screen for key press.
4. Log back into Windows Vista.
5. Take ownership of TPM.
6. Check for existence of Endorsement Key (provided by OEM).
7. Create TPM Administration Password.
8. Commit changes to TPM and initialize.
9. Publish TPM Administration Password to AD/file.
10. TPM initialization complete.

Note: Steps 1-3 can be pre-configured (OEM, SP).

(Screenshots: the Windows logon dialog for step 4, and the BIOS physical-presence prompt for step 3, which reads:)

A configuration change was requested to enable, activate, and allow a user to take ownership of this computer’s TPM (Trusted Platform Module)

NOTE: This action will switch on the TPM

Press [F10] to enable, activate, and allow a user to take ownership of the TPM

Press ESC to reject this change request and continue

Page 13:

BDE installation

1. Active Directory prepared for CS keys
2. Windows Vista Install
   a. BDE is only available in the Enterprise and Ultimate versions of Windows Vista.
   b. BDE requires a partition separate from the Windows Vista OS partition with a min free space of 350 MB.
   c. During installation the system is checked for correct version of TPM (v1.2) and BIOS via Plug and Play.
   d. TPM & BDE drivers are installed.
3. BDE Initialization
   a. Scripted initialization of TPM.
   b. TPM Ownership password saved to Active Directory.
4. Remote executed Script BDE
   a. Policy saves recovery key to AD.
   b. System encrypted.
5. Inspect audit logs for successful end to encryption.

BitLocker Enterprise Machine Deployment with TPM (flow diagram: Active Directory is prepared for BDE keys → Windows Vista Install → TPM Script Initialization → Store TPM Ownership Password → BDE script setup → Store BDE recovery key)
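The TPM storyboard on page 12 and the installation steps on page 13, scripted end to end. This is an added example, not code from the deck or from Microsoft: it drives the two WMI providers the deck says expose the functionality (Win32_Tpm in root\cimv2\Security\MicrosoftTpm and Win32_EncryptableVolume in root\cimv2\Security\MicrosoftVolumeEncryption, the classes that shipped with Windows Vista) from PowerShell, which was not part of Vista at the time of this talk and is assumed to be installed. It assumes an elevated session on a domain-joined machine whose AD schema has been extended, and that the Group Policy settings that turn on BitLocker and TPM backup to AD DS are applied: in the released product, escrow is not automatic without them, so the script also calls the backup method explicitly and refuses to encrypt if it fails. The -Mode switch covers the "TPM Only" and "TPM + PIN" points on the page 9 spectrum. The parameter names and the $ownerPass prompt are this example's own; the error codes are whatever the WMI methods return.

```powershell
# Added example: scripted TPM initialization (page 12) and BitLocker enablement (page 13)
# over the Win32_Tpm and Win32_EncryptableVolume WMI classes. Assumes an elevated
# PowerShell session, a domain-joined Vista machine, extended AD schema, and the
# "BitLocker backup to AD DS" / "TPM backup to AD DS" Group Policy settings applied.
param(
    [ValidateSet('TPM', 'TPMAndPIN')] [string] $Mode = 'TPM',   # page 9: TPM only vs TPM + PIN
    [string] $Drive = 'C:',
    [int]    $EncryptionMethod = 1                               # 1 = AES-128 with diffuser
)
$tpmNs = 'root\cimv2\Security\MicrosoftTpm'
$bdeNs = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Steps 2-3: turn the TPM on and ask the BIOS for the physical-presence confirmation.
$tpm = Get-WmiObject -Namespace $tpmNs -Class Win32_Tpm
if (-not $tpm) { throw 'No TPM 1.2 exposed by BIOS/driver (page 13, step 2c).' }
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    # Request 10 = enable + activate + allow a TPM owner to be installed. The BIOS then
    # shows the F10/ESC prompt from page 12 on the next boot; re-run after rebooting.
    $r = $tpm.SetPhysicalPresenceRequest(10)
    if ($r.ReturnValue -ne 0) { throw "SetPhysicalPresenceRequest failed: $($r.ReturnValue)" }
    Write-Warning 'Physical presence requested: reboot, press F10 at the BIOS prompt, re-run.'
    exit 1
}

# Steps 5-9: confirm the OEM endorsement key, take ownership, escrow the owner password.
if (-not $tpm.IsEndorsementKeyPairPresent().IsEndorsementKeyPairPresent) {
    throw 'No endorsement key pair; an OEM-provisioned EK is expected (step 6).'
}
if (-not $tpm.IsOwned().IsOwned) {
    $ownerPass = Read-Host 'TPM administration password (step 7)'
    $auth = $tpm.ConvertToOwnerAuth($ownerPass).OwnerAuth
    # With "Turn on TPM backup to AD DS" applied, TakeOwnership also writes the owner
    # information to the computer object (step 9); otherwise escrow $ownerPass yourself.
    $r = $tpm.TakeOwnership($auth)
    if ($r.ReturnValue -ne 0) { throw "TakeOwnership failed: $($r.ReturnValue)" }
}

# BDE: key protectors first, recovery password escrowed, only then start encrypting.
$vol = Get-WmiObject -Namespace $bdeNs -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $Drive }
if (-not $vol) { throw "Volume $Drive is not encryptable (is the separate system partition present?)" }

# $null platform validation profile = the provider's default PCR set.
$tpmProt = switch ($Mode) {
    'TPM'       { $vol.ProtectKeyWithTPM('TPM', $null) }
    'TPMAndPIN' { $vol.ProtectKeyWithTPMAndPIN('TPM+PIN', $null, (Read-Host 'Boot PIN (digits)')) }
}
if ($tpmProt.ReturnValue -ne 0) { throw "TPM protector failed: $($tpmProt.ReturnValue)" }

$rec = $vol.ProtectKeyWithNumericalPassword('Recovery', $null)   # $null = generate one
if ($rec.ReturnValue -ne 0) { throw "Recovery protector failed: $($rec.ReturnValue)" }
$bk = $vol.BackupRecoveryInformationToActiveDirectory($rec.VolumeKeyProtectorID)
if ($bk.ReturnValue -ne 0) {
    throw "AD escrow failed ($($bk.ReturnValue)); refusing to encrypt a drive whose recovery secret is not escrowed."
}

# Vista signature takes only the method; later releases add an EncryptionFlags parameter.
$enc = $vol.Encrypt($EncryptionMethod)
if ($enc.ReturnValue -ne 0) { throw "Encrypt failed: $($enc.ReturnValue)" }

# Step 5: wait for conversion to finish, then confirm protection is on.
do {
    Start-Sleep -Seconds 30
    $st = $vol.GetConversionStatus()
    Write-Host ("{0}: {1}% encrypted" -f $Drive, $st.EncryptionPercentage)
} while ($st.ConversionStatus -eq 2)   # 2 = encryption in progress, 1 = fully encrypted
$st.ConversionStatus -eq 1 -and $vol.GetProtectionStatus().ProtectionStatus -eq 1   # 1 = protection on
```

The script is meant to be run twice on a factory-fresh machine: the first run ends at the physical-presence request, the second (after the F10 confirmation) takes ownership and encrypts. The order of the BDE half is the security-relevant part: the recovery password exists and is confirmed in AD before Encrypt is called, so there is no window in which the drive is encrypted but unrecoverable.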

Page 14:

Example Recovery Scenario

1. Feature turned on.
2. AD access via network.
3. Recovery key escrowed to AD and/or USB dongle.
4. User drops laptop and breaks motherboard.
5. HD from old broken machine put into new laptop with BDE enabled.
6. BDE can’t access HD because the TPM key in new laptop is different.
7. User launches BDE recovery:
   a. User uses USB dongle to recover the drive.
   -or-
   a. User calls admin and administrator authenticates user.
   b. Admin gets correct recovery key from AD.
   c. Admin reads key to user over the phone.
   d. User types in recovery key.
8. Recovery key is used to recover the drive.

(Screenshots of the pre-release recovery dialogs, still carrying the "Secure Startup" name:)

Alert: Secure Startup Recovery – Secure Startup has failed. Please insert your USB recovery device and reboot your computer, or call your administrator for your Secure Startup recovery key.

Secure Startup Recovery Key – Please enter your Secure Startup Recovery Key. **** **** **** ****

Secure Startup Recovery Mode – You have successfully recovered your data. The recovery process is complete.

BitLocker Recovery
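The helpdesk side of steps 7a-7d, plus the follow-up the slide stops short of, as an added example (not the deck's or Microsoft's code). The first function looks up the escrowed recovery passwords for a computer in AD, using the msFVE-RecoveryInformation objects that the schema extension creates under the computer account; the account running it needs read access to the confidential msFVE-RecoveryPassword attribute, which is what "read-only by admin only" on page 11 refers to. The second checks the 48-digit password the admin is about to read out: in the shipping format each six-digit group is a multiple of 11 and below 720896 (the sixth digit is a check digit), so a mis-read group is caught on the phone rather than at the pre-boot prompt. The third re-keys the drive once it boots in the new laptop, because the old TPM protector is bound to the dead motherboard and the recovery password has now been spoken aloud. The function names are this example's own; the AD lookup assumes a domain-joined helpdesk workstation, and Reset-VolumeProtectors assumes the new laptop's TPM has already been initialized as on page 12.

```powershell
# Added example: AD lookup, phone check and re-key for the recovery flow on page 14.
# Assumes the Vista-era Win32_EncryptableVolume provider and an AD schema extended
# with msFVE-RecoveryInformation (child objects of the computer account).

function Get-EscrowedRecoveryPasswords([string] $ComputerName) {
    # Find the computer account, then enumerate the recovery objects beneath it.
    # Each carries the recovery GUID shown at the pre-boot prompt and the 48-digit password.
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $comp = $ds.FindOne()
    if (-not $comp) { throw "Computer account $ComputerName not found" }

    $ds.SearchRoot = $comp.GetDirectoryEntry()
    $ds.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void] $ds.PropertiesToLoad.AddRange(@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated'))
    foreach ($r in $ds.FindAll()) {
        New-Object PSObject -Property @{
            RecoveryGuid = New-Object Guid -ArgumentList (,([byte[]] $r.Properties['msfve-recoveryguid'][0]))
            Password     = [string] $r.Properties['msfve-recoverypassword'][0]   # confidential attribute
            Created      = $r.Properties['whencreated'][0]
        }
    }
}

function Test-RecoveryPassword([string] $Password) {
    # 8 groups x 6 digits; each group < 720896 and divisible by 11.
    $groups = @($Password -split '[-\s]+' | Where-Object { $_ })
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int] $g
        if ($n -ge 720896 -or ($n % 11) -ne 0) { return $false }
    }
    return $true
}

function Reset-VolumeProtectors([string] $Drive = 'C:') {
    # Run on the rebuilt laptop after it has booted via the recovery password.
    $ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
           Where-Object { $_.DriveLetter -eq $Drive }
    if (-not $vol) { throw "no encryptable volume $Drive" }

    # 1. New recovery password first, so the volume never has zero usable protectors.
    $rec = $vol.ProtectKeyWithNumericalPassword('Recovery', $null)
    if ($rec.ReturnValue -ne 0) { throw "new recovery password failed: $($rec.ReturnValue)" }
    $bk = $vol.BackupRecoveryInformationToActiveDirectory($rec.VolumeKeyProtectorID)
    if ($bk.ReturnValue -ne 0) { throw "AD escrow failed: $($bk.ReturnValue)" }

    # 2. Drop the stale protectors. Key protector types: 1 = TPM, 3 = numerical password.
    foreach ($type in 1, 3) {
        foreach ($id in $vol.GetKeyProtectors($type).VolumeKeyProtectorID) {
            if ($id -ne $rec.VolumeKeyProtectorID) { [void] $vol.DeleteKeyProtector($id) }
        }
    }

    # 3. Bind to the new machine's TPM so the user is back to transparent boot.
    $tp = $vol.ProtectKeyWithTPM('TPM', $null)
    if ($tp.ReturnValue -ne 0) { throw "TPM protector failed: $($tp.ReturnValue)" }
    $vol.GetKeyProtectorNumericalPassword($rec.VolumeKeyProtectorID).NumericalPassword
}

# Helpdesk usage (step 7b/7c): pick the entry whose GUID matches the one the user reads
# from the prompt, then sanity-check it before dictating.
# Get-EscrowedRecoveryPasswords 'LAPTOP-042' | Where-Object { $_.RecoveryGuid -eq $guidFromPrompt }
# Test-RecoveryPassword '123456-...'   # $true only if every group passes the check
```

Two points a practitioner would want beyond the slide: authenticate the caller before step 7b (the recovery password is equivalent to the drive), and treat a dictated password as burned. Reset-VolumeProtectors does the second part and leaves the new password escrowed in AD, so the helpdesk record stays current.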

Page 15:

Upgrading computers with BDE

1. Turn off BitLocker
2. Upgrade system
   – Updated BIOS
   -- or --
   – Install Service Pack
3. Turn on BitLocker – no encryption required

* If doing an update using Windows Update Services, the hash of the new component will already be calculated, so BitLocker will not need to be disabled to do the update.

System Upgrade with BitLocker™
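The three steps above over the same WMI class, as an added example (not the deck's code). "Turn off BitLocker" here is the disable operation, not decryption: DisableKeyProtectors leaves the volume encrypted and stores the volume key in the clear so the machine boots without TPM validation, which is why step 3 needs no re-encryption. It also means the drive is unprotected until EnableKeyProtectors runs, and re-enabling has to happen after the reboot that applies the new firmware, since sealing to the old measurements would land the user in recovery. The script is therefore two-phase; the firmware updater path is a placeholder for the OEM's tool and the -Phase parameter is this example's own.

```powershell
# Added example: two-phase system upgrade with BitLocker (page 15) over Win32_EncryptableVolume.
# Phase Suspend: disable protectors, run the update, tell the operator to reboot.
# Phase Resume (after the reboot): re-enable protectors and verify protection is on.
param(
    [ValidateSet('Suspend', 'Resume')] [string] $Phase,
    [string] $Drive = 'C:',
    [string] $FirmwareUpdater = '.\oem-bios-update.exe'   # placeholder: the OEM's flash tool
)
$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $Drive }
if (-not $vol) { throw "no encryptable volume $Drive" }

switch ($Phase) {
    'Suspend' {
        # Step 1: "Turn off BitLocker". The volume stays encrypted; the volume key is
        # written in the clear so the next boot succeeds without TPM validation.
        if ($vol.GetProtectionStatus().ProtectionStatus -ne 1) { throw "$Drive is not protected" }
        $r = $vol.DisableKeyProtectors()
        if ($r.ReturnValue -ne 0) { throw "DisableKeyProtectors failed: $($r.ReturnValue)" }

        # Step 2: apply the BIOS update (or service pack). If it fails before changing
        # anything, re-arm immediately rather than leave the key exposed.
        try {
            & $FirmwareUpdater
            if ($LASTEXITCODE -ne 0) { throw "firmware updater exited $LASTEXITCODE" }
        } catch {
            [void] $vol.EnableKeyProtectors()
            throw
        }
        Write-Warning "Reboot to apply the update, then run -Phase Resume. $Drive is UNPROTECTED until then."
    }
    'Resume' {
        # Step 3: "Turn on BitLocker - no encryption required". The TPM protector is
        # re-sealed to the measurements of the new firmware; no data is re-encrypted.
        $r = $vol.EnableKeyProtectors()
        if ($r.ReturnValue -ne 0) { throw "EnableKeyProtectors failed: $($r.ReturnValue)" }
        $vol.GetProtectionStatus().ProtectionStatus -eq 1   # expect $true
    }
    default { throw 'specify -Phase Suspend or -Phase Resume' }
}
```

Keep the window between the two phases as short as a single reboot; a laptop left in the suspended state is as exposed as one without BitLocker at all.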

Page 16:

Page 17:

Page 18:

© 2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.