Q: (from Anthony)
I want to know the top issues (problems) in BitLocker and their solutions. What should I be aware of from an architectural perspective as well?
I’ve spent a lot of time with BitLocker and I think it has addressed a big need in our industry. With that said, of course BitLocker requires planning, and it has some unique concerns we need to be aware of.
Here are a few past articles that will help set the stage for the value of BitLocker.
From an architectural perspective, there are a few things we need to consider. Instead of duplicating all of that here, I’ve listed a few key articles you should review.
- How do I use Active Directory for backup of BitLocker Drive Encryption recovery information?
- Windows Trusted Platform Module Management Step-by-Step Guide
- How can I tell if my BIOS supports BitLocker Drive Encryption?
As far as problems with BitLocker, the biggest problem I’ve seen in past issues is that the recovery key is not properly archived. Without that key, your data is lost in the event of a failure. With the recovery key, BitLocker will not hinder the recovery of data from a hard drive. If your computer is a member of Active Directory, archiving the key is straightforward. If your computer is not part of AD, you need to take some additional steps to either 1) print the recovery key(s) and store them in a safe place or 2) save the recovery key to a USB thumb drive and store the thumb drive in a safe place.
We also have the BitLocker Repair tool; the link to the instructions is here. The Repair tool is included with Windows 7 and Windows Server 2008 R2; for Windows Vista and Windows Server 2008, the tool can be downloaded here. Take note that the Repair Tool will not recover a recovery key from a failed drive; it needs this recovery key to assist in troubleshooting.
I found a great article on the BitLocker Architecture:
It’s part of the overall BitLocker Drive Encryption Technical Overview, located here.
Here is a great FAQ on BitLocker, I think this article will address the majority of your concerns.
While all of this information is very useful as you architect your BitLocker solution, please pay special attention to these questions and responses in the FAQ:
Is the BitLocker recovery information stored in plaintext in AD DS?
Yes, the recovery information is stored unencrypted in AD DS, but the entries have access control lists (ACLs) that limit access to only domain administrators.
What if BitLocker is enabled on a computer before the computer has joined the domain?
If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. (read on, this can be mitigated)…
Is Microsoft pursuing any security certification for BitLocker?
BitLocker Drive Encryption in Windows Vista has Federal Information Processing Standard (FIPS) 140-2 certification. BitLocker is included in the Common Criteria (EAL4+) certification process for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.
Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.
If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. Therefore, we highly recommend that you store the recovery information in AD DS or in another safe location.
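One way to close the archival gap described above, including the pre-join case quoted from the FAQ where the Group Policy backup never ran: a PowerShell wrapper around manage-bde that finds every recovery password protector on a volume and pushes it to AD DS. This is an added example, not code from the original post or from Microsoft; it assumes an elevated prompt on a domain-joined Windows 7 / Server 2008 R2 or later machine whose domain has the BitLocker schema extensions and permissions in place.

```powershell
# Added example (not from the original post): back up recovery password
# protectors to AD DS with manage-bde for machines that enabled BitLocker
# before joining the domain. Assumes an elevated prompt on a domain-joined
# computer and an AD DS schema/ACL setup that accepts BitLocker recovery info.
param(
    [string]$MountPoint = 'C:'
)

# manage-bde prints each protector as a block; a recovery password block
# looks like (IDs and digits here are placeholders):
#   Numerical Password:
#     ID: {GUID}
#     Password:
#       123456-123456-...
$lines = & manage-bde.exe -protectors -get $MountPoint 2>&1
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde failed for $MountPoint : $lines"
}

# Keep only the IDs that belong to Numerical Password (recovery key) protectors;
# TPM, external key and other protector types are not backed up to AD DS.
$ids = @()
$inRecoveryBlock = $false
foreach ($line in $lines) {
    if ($line -match '^\s*Numerical Password:') { $inRecoveryBlock = $true; continue }
    if ($line -match '^\s*ID:\s*(\{[0-9A-Fa-f-]+\})') {
        if ($inRecoveryBlock) { $ids += $Matches[1] }
        $inRecoveryBlock = $false
    }
}

if ($ids.Count -eq 0) {
    Write-Warning "No recovery password protector on $MountPoint. Add one first with: manage-bde -protectors -add $MountPoint -RecoveryPassword"
    return
}

foreach ($id in $ids) {
    # -adbackup writes the recovery information for this protector to the
    # computer object in AD DS (msFVE-RecoveryInformation child object).
    & manage-bde.exe -protectors -adbackup $MountPoint -id $id | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Backed up protector $id for $MountPoint to AD DS"
    } else {
        Write-Warning "AD DS backup failed for protector $id (exit code $LASTEXITCODE)"
    }
}
```

Run it once per encrypted volume after the machine joins the domain, then confirm the recovery information appears on the computer object before relying on it.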
When it comes to recovering a hard drive after some type of hardware failure, simply put: if you don’t have your recovery key, all you have left is a hard drive ready to be reformatted!
We also have a new tool, the BitLocker Administration and Monitoring tool that simplifies the provisioning and deployment of BitLocker.
I hope this helps.
Until next time,
Rob