All text is available under the terms of the GNU Free Documentation License: http://en.wikipedia.org/wiki/Wikipedia:Text_of_the_GNU_Free_Documentation_License
BitLocker Drive Encryption is a data protection feature integrated into Microsoft's Windows Vista operating system that provides encryption for the entire OS volume. BitLocker is included in the Enterprise and Ultimate editions of Vista. By default it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser for additional security.
BitLocker provides three modes of operation. The first two modes require a cryptographic hardware chip called a Trusted Platform Module (version 1.2 or later) and a compatible BIOS:
The final mode does not require a TPM chip:
In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: a "system volume" with a minimum size of 1.5 GB, and the "boot volume" which contains Windows Vista. Note: the system volume on which BitLocker is installed is not encrypted, so it should not be used to store confidential information. Unlike previous versions of Windows, Vista's diskpart command-line tool includes the ability to shrink the size of an NTFS volume so that the system volume for BitLocker can be created.
On client versions of Vista, only the operating system volume can be encrypted with BitLocker. Encrypting File System continues to be the recommended solution for real-time encryption of data on an NTFS partition. Encrypting File System support is also highly recommended in addition to BitLocker since BitLocker protection effectively ends once the OS kernel has been loaded. Both can be seen as protections against different classes of attacks.
At WinHEC 2006, Microsoft demonstrated "Longhorn" Server which contained support for BitLocker protected data volumes in addition to the operating system volume protection.
In domain environments, BitLocker supports key escrow to Active Directory, as well as a WMI interface for remote administration of the feature. An example of how to use the WMI interface is the script manage-bde.wsf (installed by default in %WINDIR%\System32 on Vista), which can be used to set up and manage BitLocker from the command line.
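As an added example (not from the article, and not Microsoft's own manage-bde.wsf), the following PowerShell audit script queries the same BitLocker WMI provider that manage-bde.wsf scripts against, the Win32_EncryptableVolume class in the root\CIMV2\Security\MicrosoftVolumeEncryption namespace, and reports each volume's protection status, encryption method and key protectors; the numeric-to-name tables are taken from the class's documented enumerations and are an assumption of this example.

```powershell
# Added example: audit BitLocker volumes through the Win32_EncryptableVolume WMI
# class (the provider manage-bde.wsf drives). Run from an elevated prompt.
# The enumeration tables follow the class's documented values (assumption).
$methodNames = @{
    0 = 'None'; 1 = 'AES-128 + Elephant diffuser'; 2 = 'AES-256 + Elephant diffuser'
    3 = 'AES-128'; 4 = 'AES-256'
}
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'; 4 = 'TPM + PIN'
    5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'; 7 = 'Public key'
    8 = 'Passphrase'
}
$statusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class 'Win32_EncryptableVolume'

foreach ($vol in $volumes) {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    $method = [int]$vol.GetEncryptionMethod().EncryptionMethod
    $conv   = $vol.GetConversionStatus()

    # Enumerate every key protector bound to this volume's master key
    # (KeyProtectorType 0 asks the provider for all protector types).
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @()
    foreach ($id in $ids) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }
    $names = $types | ForEach-Object { $protectorNames[$_] }

    Write-Host ("{0} ({1})" -f $vol.DriveLetter, $vol.DeviceID)
    Write-Host ("  Protection : {0}" -f $statusNames[$status])
    Write-Host ("  Method     : {0}" -f $methodNames[$method])
    Write-Host ("  Encrypted  : {0}%" -f $conv.EncryptionPercentage)
    Write-Host ("  Protectors : {0}" -f ($names -join ', '))

    # Defender checks: the OS volume should be protected, and a recovery
    # password protector should exist so it can be escrowed to Active Directory.
    if ($status -ne 1) {
        Write-Warning ("{0} is not currently protected by BitLocker" -f $vol.DriveLetter)
    }
    if (-not ($types -contains 3)) {
        Write-Warning ("{0} has no recovery password protector to escrow" -f $vol.DriveLetter)
    }
}
```

Volumes that report as unprotected include the unencrypted system volume described above, so the first warning is expected there.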
According to Microsoft sources, BitLocker does not contain a backdoor; there is no way for law enforcement to have a guaranteed passage to the data on the users' drives. This has been one of the main concerns among power users since the announcement of built-in encryption in Vista.
It should be noted that, contrary to the official name, BitLocker Drive Encryption is logical volume encryption: a volume may be part of a drive, an entire drive, or span one or more drives. Using built-in command-line tools, BitLocker can be used to encrypt more than just the boot volume, but additional volumes cannot be encrypted using the GUI. Future Windows versions (e.g. Longhorn Server) are expected to support additional volume encryption using the GUI. Also, when enabled with a TPM, BitLocker ensures the integrity of the trusted boot path (e.g. BIOS, boot sector, etc.) in order to prevent offline physical attacks, boot-sector malware, etc.