
Stanford Windows Infrastructure - BitLocker Key Escrow

BitLocker is the name of the Microsoft full-volume encryption technology that has been added to Windows Vista and Windows 7 in the Enterprise and Ultimate editions of the OS and Windows Server 2008 / 2008 R2. It is intended to protect the system partition from tampering while the system is turned off, but will also protect data that is stored on the system partition from offline access. Windows 7 and Windows Server 2008 R2 add additional tools and capabilities, including "BitLocker to Go" and smartcard support.

ITS provides PGP whole disk encryption as a service for restricted data computers and does not provide direct support for BitLocker.

Background

Trusted Platform Module (TPM)

A TPM is a hardware security device that is included in the motherboard chipset of many newer computers. Among other functions, this device provides facilities to securely create and store a cryptographic key and to control access to that key, so that it is released only when the TPM is in the exact same state as it was when the key was generated.

The TPM state is generated from a number of different observations made during system startup. These are the platform configuration registers used by Vista (There are more):

Some of these are specific to the hardware and others are specific to the installed OS. Note that if any of these values change, the TPM will not release the key and the drive will need to be unlocked before continuing. For this reason it is recommended that BitLocker be turned off if you intend to make changes that would affect these values (flashing the BIOS to a new version, etc.).

Also note that the TPM hardware is often disabled by default in the system BIOS; you may have to go into the BIOS setup for the computer and enable the TPM.
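A simplified model of the TPM state check described above, as an added example that is not code from the original page or from Microsoft: it applies the TPM 1.2 extend rule (new register value = SHA-1 of the old value followed by the measurement digest) and shows that a changed firmware measurement leaves the sealed key unavailable. The component names, register numbers and key bytes are constructed, and `seal`/`unseal` are hypothetical stand-ins for the TPM's own operations.

```python
import hashlib
import hmac

ZERO = bytes(20)  # a TPM 1.2 PCR holds one SHA-1 digest and starts at zero

def extend(pcr, data):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(measured data))."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()

def measure_boot(components):
    """Replay one boot, folding each (index, blob) measurement into its PCR."""
    pcrs = {}
    for index, blob in components:
        pcrs[index] = extend(pcrs.get(index, ZERO), blob)
    return pcrs

def composite(pcrs, selection):
    """One digest over the selected PCRs, standing in for the TPM's PCR composite."""
    h = hashlib.sha1()
    for index in sorted(selection):
        h.update(bytes([index]) + pcrs.get(index, ZERO))
    return h.digest()

def seal(pcrs, secret, selection):
    """Toy seal: a real TPM also encrypts the blob; only the PCR binding is shown."""
    return {"secret": secret, "selection": tuple(selection),
            "expected": composite(pcrs, selection)}

def unseal(pcrs, blob):
    """Release the secret only if the selected PCRs match the sealed state."""
    current = composite(pcrs, blob["selection"])
    if not hmac.compare_digest(current, blob["expected"]):
        return None  # state changed: key withheld, recovery is required
    return blob["secret"]

# Constructed measurements; the register numbers are placeholders.
BOOT_OK = [(0, b"firmware 1.0"), (4, b"boot record"), (8, b"boot loader")]
BOOT_FLASHED = [(0, b"firmware 1.1")] + BOOT_OK[1:]

def demo():
    blob = seal(measure_boot(BOOT_OK), b"constructed-volume-key", [0, 4, 8])
    same_state = unseal(measure_boot(BOOT_OK), blob)
    after_flash = unseal(measure_boot(BOOT_FLASHED), blob)
    return same_state, after_flash
```

`demo()` returns the key for the unchanged boot chain and `None` after the firmware measurement changes, which is the situation the recommendation to turn BitLocker off before a BIOS flash avoids.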

How BitLocker Works

BitLocker requires that a separate boot partition and system partition exist. The boot partition contains files that are required to support BitLocker and the boot loader.

By default, BitLocker uses AES-CBC (128 bit) with Elephant diffuser to encrypt the protected volume. After starting, the code interfaces with the TPM to get the key to unlock the BitLocker encryption key. If additional security checks have been configured, the user will be prompted before the TPM releases the key. After the key is unlocked, BitLocker then operates transparently and the Windows loader takes over.

TPM PIN or Startup Key

For additional security beyond the integrity checks performed by the TPM, a numeric PIN or a startup key can be configured for unlocking the TPM. This adds a verification of the user to the procedure. If a PIN is used, the user will verify his identity by entering the PIN using the "F" (function) keys each time that the computer is started. If a startup key is used, the user must attach the USB device containing the key to the computer each time it is started.

Enabling "Allow enhanced PINs for startup" in Windows 7 changes the behavior to allow alphanumeric PINs. Windows 7 also allows a smart card to be used for unlocking the drive at startup.

In the Windows Infrastructure, the user will be given the option to enable these verification features when BitLocker is turned on or to use just hardware/OS verification.

BitLocker Key Recovery/Key Escrow

To allow for recovery in case the TPM module cannot release the key to unlock BitLocker, additional copies of the BitLocker key can be stored. The most common methods are to store a recovery key on a USB device or to store a recovery key protected using a numeric password. If the TPM interaction fails, the user will be asked to provide either the USB device containing the recovery key or the password. (The password must be entered using the "F" keys: F1 for 1, F10 for 0, etc.)

For computers that are part of the Stanford Windows Infrastructure, a copy of the recovery password is stored with the computer object as a confidential attribute. By default, only Domain Administrators can see confidential attributes, no matter what access is granted by standard ACLs.

BitLocker can also be configured to use a key stored on a USB device instead of a TPM, but this configuration does not allow for all of the tamper protections of the TPM. This mode of operation is not allowed by default.

Using BitLocker to secure your system

Open the BitLocker control panel (Control Panel -> Security -> BitLocker). If your system does not meet the prerequisites, you will see an error indicating that fact. Otherwise you will see the option to turn on BitLocker.

If this is the first time enabling BitLocker, you will probably be asked to initialize the TPM. If you initialize the TPM here you will probably be asked for confirmation the next time the system starts.

If you store a recovery key or password, make sure that they are not kept on the computer or with the computer.

BitLocker provides no protection to a running computer. If you leave a running computer (including Standby or Hibernate mode), make sure that you lock the system.