As the second installment of my education FAQs for Windows Vista technologies, I have gathered a series of popular questions regarding BitLocker drive encryption. Tony Ureche, Program Manager, has been kind enough to allow me a blog interview based on questions I have received during customer discussions and feedback from the Windows-HIED listserv.
If you are not familiar with BitLocker, information can be found on the TechNet website and I would also recommend taking a look at the TPM specifications.
<Michael> Thanks very much for assisting with this write-up, can you give us a brief overview of your role at Microsoft?
<Tony> I am a Program Manager in Windows Security which is part of the Core Operating System Division. I am working on BitLocker, focusing on things like key management and FIPS certification.
<Michael> The most common question I hear is how to deploy BitLocker across an enterprise environment, especially when a workstation deployment solution is already in place such as unattended installs for faculty and staff machines. What should customers be thinking about to take advantage of BitLocker in a deployment scenario?
<Tony> Enterprises that have deployment mechanisms in place will only need small deltas to their configurations. WDS deployment is fully supported. Image-based deployments using unattended setup are also supported: When creating the reference image, the IT admin needs to ensure that the correct drive configuration has been applied and that the appropriate images for each volume will be pushed down. Once the images have reached the target machines, a small mod in the unattend.xml script is sufficient to ensure the correct install of the images in a way that allows proper BitLocker setup:
<Michael> What would happen if you tried to capture a BitLocker encrypted partition using an imaging tool?
<Tony> The image of a BitLocker-protected partition is encrypted. So capturing that would look like a pile of random bits or like a huge encrypted file.
<Michael> What does BitLocker mean for hard drive recovery in the event of a hardware failure?
<Tony> In the event of a hardware failure, the user may need to move the disk to another computer. In that case, the disk will need to go through a recovery process: using a recovery key or a recovery password – created when BitLocker was set up on that drive – the user will be able to unlock the volume and recover the data. The difference between a recovery key and a recovery password is that the former is a machine-readable key that can be stored on a USB thumb drive, while the latter is a human-readable set of digits that can be printed, stored as a txt file or stored in AD (and read back to the user by HelpDesk).
As for actual drive failure, the BitLocker team is looking into offering an efficient solution -- note that in order to recover any data from the BitLocker-protected drive, the user is required to have knowledge of the recovery key.
<Michael> How does BitLocker work with EFS?
<Tony> BitLocker and EFS are complementary security solutions. Besides protecting the boot process, BitLocker encrypts the entire OS volume, with no additional granularity in regards to files or users. EFS on the other hand, offers per file/directory and per user granularity. Together, BitLocker and EFS offer a comprehensive solution for securing data on a laptop, desktop or server.
<Michael> BitLocker requires a separate 1.5 GB system partition for storing boot information unencrypted. Can you create the boot partition on an existing machine?
<Tony> The BitLocker team is working on offering solutions to address end-user scenarios that require an updated volume configuration where such configuration is not present.
<Michael> How much do you expect encrypting a drive to affect performance?
<Tony> Currently, on most common configurations, we expect performance costs not to exceed 5-9%.
<Michael> Finally, the second most popular question I’ve heard is what should Universities be thinking about in regards to drive recovery in unmanaged environments? Professor and student machines are often not in a domain and it is possible they will encrypt a drive and lose their PIN / startup key, then ask the University for help.
<Tony> When recovery data cannot be stored in AD, users are strongly encouraged to save their recovery key and recovery password on one or more USB thumb drives and store them securely. Additionally, users should also print the recovery password and store it – perhaps in their wallet. Microsoft Ultimate Extras also offers a ‘digital locker’ that is being integrated with BitLocker such that a user may store his password online using this secure web service.
Thanks very much, Tony, for your time. BitLocker will be an important tool for educators and it is really nice to have these concerns addressed. Drive encryption is critical in today’s IT environments, especially for mobile users who risk losing critical data after a laptop loss or theft. The schools and universities that embrace and plan for technical advancements such as this will have an edge on their competitors and will be prepared for students, faculty, and staff who choose to be early adopters of new tools and technologies in Windows Vista.
How do you create the separate 1.5 GB system partition for storing boot information unencrypted?
Hi Jessica, you'll find if you load a test copy of Vista and go into Disk Management, one of your options when you right-click on the volume is "Shrink Volume". This can also be done via the diskpart utility. So in the event you don't have 1.5 GB of available free space on the drive to create a new volume, you can shrink your existing volume (assuming you have 1.5 GB of free space available on the existing volume). For documentation on this and information on what files to move, see the BitLocker step-by-step guide on TechNet.
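The shrink-and-create step described in the reply above, scripted through diskpart from PowerShell, as an added example that is not part of the original post or comments. The volume number (1), the drive letter (S:) and the temp-file name are assumptions; moving the boot files onto the new partition is left to the TechNet guide the reply points to.

```powershell
# Added example: shrink the existing Windows volume by 1.5 GB and create the
# unencrypted system partition BitLocker needs, using diskpart's script mode.
# ASSUMPTIONS: volume 1 is the Windows volume (check with "list volume"),
# drive letter S: is free, and the volume has at least 1.5 GB of free space.
# Must be run from an elevated PowerShell session.

$volume = 1        # assumed volume number from diskpart's "list volume"
$letter = 'S'      # assumed free drive letter for the new system partition
$sizeMB = 1500     # 1.5 GB, the size quoted in the post

# "minimum=" equal to "desired=" makes diskpart fail outright instead of
# silently shrinking by less than the full 1.5 GB.
$script = @"
select volume $volume
shrink desired=$sizeMB minimum=$sizeMB
create partition primary size=$sizeMB
format fs=ntfs label="System" quick
assign letter=$letter
active
list volume
"@

$path = Join-Path $env:TEMP 'bitlocker-sysvol.txt'   # assumed temp-file name
Set-Content -Path $path -Value $script -Encoding ASCII

# diskpart /s executes the commands in the given script file.
diskpart /s $path
Remove-Item $path
```

The final "list volume" echoes the resulting layout so the new 1.5 GB active partition can be confirmed before continuing with the BitLocker setup.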