What is BitLocker?
BitLocker lets you encrypt the hard drive(s) on your Windows 7 and Vista Enterprise, Windows 7 and Vista Ultimate or Windows Server 2008 and R2. BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows 2003. Only Windows 7, Vista and Server 2008 include BitLocker. BitLocker drives can be encrypted with 128 bit or 256 bit encryption, this is plenty strong to protect your data in the event the computer is lost or stolen. BitLocker protects your hard drive from offline attack. This is the type of attack where a malicious user will take the hard drive from your mobile machine and connect it to another machine so they can harvest your data. BitLocker also protects your data if a malicious user boots from an alternate Operating System. With either attack method, BitLocker encrypts the hard drive so that when someone has physical access to the drive, the drive is unreadable. Now if you are a network admin and you need to harvest data from a hard drive when a machine fails, our tools include the functionality to prompt the admin for the recovery key so the hard drive can be accessed. We've done a good job at ensuring the data does not end up in the wrong hands, while making it easy for authorized users to access the data in the event of a failure.
What does BitLocker do?
Again, BitLocker encrypts the hard drive(s) to protect the Operating System from offline attacks. Server 2008, 2008 R2, Windows 7 Enterprise, Windows 7 Ultimate, Windows Vista Enterprise, and Windows Vista Ultimate all include BitLocker functionality. Windows 7 Professional and Windows Vista Business Edition and the Home Editions do not include BitLocker. The RTM versions of Vista only allow BitLocker encryption of the C: drive. SP1 for Vista, and Windows 7 include the ability to encrypt all of the hard drives belonging to the Vista and Windows 7 machine. Server 2008 (and R2) include the ability to encrypt all of its attached hard drives as well. BitLocker on a Server 2008 (and R2) server might not make sense for your servers in the Data Center, but using BitLocker on servers in remote offices makes a lot of sense. How many remote offices have their servers in secure Data Centers? They don't! If you're lucky, your server sits in a locked closet. If you're unlucky, it sits under someone's desk. Deploying BitLocker to these machines makes perfect sense because if those machines are stolen, their data is encrypted and protected from the types of attacks that they would be exposed to. Another piece to protect these remote servers is the Read Only Domain Controller functionality. I won't go into it here, but it gives you the ability to provide fast logon experiences for your remote users while ensuring that all of the domain credentials are not stored on these remote office servers.
Windows 7 extends BitLocker functionality to removable drives, we call that functionality BitLocker to Go. BitLocker to Go gives you the ability to encrypt your thumb drives and even USB hard drives. You even have the ability to enforce BitLocker to Go via Group Policy, this Group Policy can ensure that users can only store corporate data on encrypted drives.
What does BitLocker not do?
BitLocker does not protect the computers contents while Windows is running. Again, BitLocker is built for offline attacks, once the operating system is up and running. Windows 7 and Vista will protect your data from unauthorized access. When 7 (and Vista) is up and running, unauthorized access can come in the form of:
Other ways to protect your data:
RMS, EFS, IPSec. I'll give you more detail in my next post.
Until next time!
Rob