
Reasons Why Bitlocker Encryption is Essential

May 9

8 min read


If someone steals your laptop, having a safe and protected drive can make the difference between a data breach and a disaster. Microsoft gives you BitLocker as a way to protect the info on your computer's hard drive.


The computer starts using safety features as soon as the power button is pressed, and these features keep it safe while it is starting up. A firmware feature called Secure Boot makes sure that every piece of software that runs during startup is trusted by the Original Equipment Manufacturer. Another feature, Measured Boot, measures the boot components (boot-start drivers, firmware, etc.) and records those measurements in the Trusted Platform Module (TPM) so that antimalware software can verify them remotely. Once the Operating System (OS) is up and running, the files on the device are protected by the Encrypting File System (EFS), a part of the New Technology File System (NTFS). While the OS is running, these steps keep the data on the drive safe.


However, EFS does not secure whole drives or partitions, so files it does not cover can be read by anyone who gains malicious access to the computer. And if the drive is taken out of its original computer and put into another one, even the EFS-encrypted files could be read with a brute force attack.


This is a problem—how can the whole drive be kept safe from someone who wants to do harm, not just a few files?


This is where BitLocker comes in.


What is BitLocker Encryption?


BitLocker protects the data on a drive with volume encryption while the OS is offline. This added protection keeps data safe on devices that are at greater risk of being breached by an unauthorized user because they have been lost or stolen.


Combining BitLocker and EFS creates a multi-level defense: BitLocker protects the volume while the OS is offline, and EFS protects individual files while it is running. Simple, right?


However, a savvy reader may notice that this answer is not as clear cut as it may first appear. If the full drive is encrypted while the computer is not running, how will it be decrypted to start the OS?


Partitions


Partitions are the answer. A partition divides a single drive into several portions, each of which operates as a separate drive. BitLocker uses partitions so that the operating system can start up without the remaining data on the device being decrypted.


BitLocker requires at least four partitions in order to function properly:

An Extensible Firmware Interface (EFI) System Partition containing the Operating System Boot Manager

A Microsoft Reserved Partition (MSR)

An operating system volume formatted as NTFS

A recovery partition containing the files required to launch the Windows Recovery Environment

These are the partitions BitLocker needs in order to function. BitLocker can also create and encrypt extra partitions for device storage!


By default, BitLocker only encrypts the Operating System Volume; it will not encrypt any other volume that:

Does not have sufficient free space

Is not in a format that supports it

Is a dynamic volume

Is a system partition


The Boot Manager is stored in the unencrypted EFI System Partition. This partition is:

Distinct from the Windows partition

Set up to be active

At least 250 MB in size and not used for user file storage

Possibly shared with a recovery partition

Because the EFI System Partition is left unencrypted, it can serve as the starting point for the boot process when these conditions are met, without any other part of the device having to be decrypted first.


Measured Boot, Trusted Platform Modules, and Keys


The current version of BitLocker works best when enabled together with Windows Measured Boot and a TPM. Cryptographic keys protected by a TPM are only usable once the TPM has decrypted them; this is referred to as binding or wrapping the key. The TPM binds the key using its own Storage Root Key (SRK), which is unique to that TPM and its owner.


The TPM will also tie the encryption key to the original boot measurements recorded by Measured Boot, so the measured components must produce the same measurements before the key can be used. This is known as sealing the key to the TPM. In layman's terms, if the computer attempting to start up has been altered, or is not the same machine that originally encrypted the disk, the drive cannot be decrypted.


If something has changed, the TPM will not unseal the key, and the drive remains encrypted. Users are directed to the BitLocker Recovery screen, where they are prompted to enter their recovery key. This happens regardless of which machine a malicious actor puts the drive into, and even if the operating system is not running.


Keys and Protectors


BitLocker encrypts the disk sectors and raw data using a Full Volume Encryption Key (FVEK). By default, BitLocker uses the AES encryption algorithm in XTS mode with a 128-bit key. The encryption settings can be configured in two ways: modern management with Intune or conventional management through Group Policy. BitLocker then encrypts the FVEK with a 256-bit Volume Master Key (VMK).


Because the FVEK is protected by the VMK, anyone who has access to the VMK can decrypt the FVEK and gain access to the drive. BitLocker adds an extra degree of security to the VMK by using key protectors to keep unauthorized eyes out. A key protector is essentially a credential: it requires the user to submit proof that they are permitted to access the machine before the VMK is released.


Key protectors for TPM 1.2 or 2.0 are available in a range of options, including:


TPM only (the default unless a policy specifies otherwise).

TPM with a numerical PIN.

TPM using a USB Drive Startup Key.

TPM with a USB Drive Startup Key and a numerical PIN.


If the machine does not have a compatible TPM, a USB Drive Startup Key can be used as a key protector.


By default, the VMK is tied to the TPM using RSA encryption (named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman). The encryption key is associated with a 'set of predicted Platform Configuration Register (PCR) values.'


Encryption Conundrum


But, wait! How can anything on the computer be decrypted if the keys needed to do so are themselves encrypted and stored on the BitLocker-encrypted volume? That is like protecting your car keys by locking them inside the car. The keys are safe, but the car is unusable...or is it? BitLocker encrypts the entire volume except for the sectors the operating system needs in order to boot. To make this work, the FVE Metadata Block Header replaces the regular NTFS partition header. (The FVE-FS- signature at the beginning of the volume indicates that it is encrypted with BitLocker.) The VMK and FVEK are stored in three FVE metadata blocks.


Keys are protected by encrypting them with key protectors; each encrypted copy of the key is saved alongside its key protector in the FVE metadata. BitLocker uses the Advanced Encryption Standard (AES) to encrypt each key/key protector combination.
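As an added example (not code from the original post), the following Python parses a constructed boot sector image to detect the FVE-FS signature described above and read the three FVE metadata block offsets. The sample sector is built in the code and is not a real volume; the field positions it assumes (the signature at byte 3 in place of the NTFS OEM id, and three little-endian 64-bit offsets at 0x20, 0x28 and 0x30) follow the publicly documented libbde layout for Windows 7 and later volumes, and should be checked against a real image before relying on them.

```python
import struct

FVE_SIGNATURE = b"-FVE-FS-"      # replaces the "NTFS    " OEM id at byte 3 of the boot sector
NTFS_SIGNATURE = b"NTFS    "
# Assumption (libbde-documented layout for Windows 7+ volumes): the three
# little-endian 64-bit FVE metadata block offsets live at 0x20, 0x28 and 0x30.
METADATA_OFFSET_FIELDS = (0x20, 0x28, 0x30)
SECTOR_SIZE = 512


def build_sample_boot_sector(metadata_offsets):
    """Constructed sample (not a real volume): an FVE volume header with the given metadata offsets."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x58\x90"          # x86 jump stub, as on a real boot sector
    sector[3:11] = FVE_SIGNATURE
    for field, value in zip(METADATA_OFFSET_FIELDS, metadata_offsets):
        struct.pack_into("<Q", sector, field, value)
    sector[510:512] = b"\x55\xaa"          # boot sector end marker
    return bytes(sector)


def volume_kind(sector):
    """Classify a boot sector by its OEM id field: 'bitlocker', 'ntfs' or 'unknown'."""
    oem = sector[3:11]
    if oem == FVE_SIGNATURE:
        return "bitlocker"
    if oem == NTFS_SIGNATURE:
        return "ntfs"
    return "unknown"


def metadata_block_offsets(sector):
    """Return the three FVE metadata block offsets, or raise if this is not an FVE volume header."""
    if volume_kind(sector) != "bitlocker":
        raise ValueError("not a BitLocker volume header (no -FVE-FS- signature)")
    offsets = tuple(struct.unpack_from("<Q", sector, f)[0] for f in METADATA_OFFSET_FIELDS)
    # All three copies must be present and distinct; BitLocker keeps redundant metadata blocks.
    if any(o == 0 for o in offsets) or len(set(offsets)) != 3:
        raise ValueError("metadata block offsets are missing or duplicated")
    return offsets


if __name__ == "__main__":
    sample = build_sample_boot_sector((0x2100000, 0x4100000, 0x6100000))
    print(volume_kind(sample), [hex(o) for o in metadata_block_offsets(sample)])
```

On a real system the first 512 bytes of the OS volume would be read from the raw device (which requires administrative rights); the signature check alone is a quick way for an inventory or forensics script to tell an encrypted volume from a plain NTFS one.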


Symmetry and Encryption


There are two types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt data. Asymmetric encryption means that the key used to encrypt data is not the same as the key used to decrypt it.


The FVEK and the VMK are both AES keys. Because AES is a symmetric cipher, both the FVEK and the VMK use the same key whether data is being encrypted or decrypted.


BitLocker also has an asymmetric aspect. The SRK is asymmetric: it is an RSA public-private key pair, with the private key kept inside the TPM. This means that the key that encrypts the VMK differs from the key that decrypts it. BitLocker is therefore a hybrid of symmetric and asymmetric encryption, since it uses both during boot.


Windows Recovery Mode


BitLocker will generate a recovery password that can be used in the event that Recovery Mode is triggered. This password is a 48-digit key. On a home computer, BitLocker will prompt the user to save the Recovery Password. If a device is joined to an Active Directory (AD) or Azure AD domain, it can have its Recovery Password backed up through AD. Recovery Mode will activate for a variety of reasons, including entering a wrong PIN too many times, deactivating the TPM, or transferring the encrypted drive to a new computer.


Note that in Recovery Mode the TPM is not required as a second layer of security: a malicious actor who has the Recovery Password and physical control of the machine can access the drive.
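Added example, not part of the original post: a small Python validator for the 48-digit recovery password format. It assumes the publicly documented structure (eight six-digit groups, each divisible by 11 and no larger than 65535 x 11, so that each group encodes one 16-bit word of a 128-bit recovery key); the passwords it generates are constructed sample values, not keys from any real device. A check like this is useful when auditing escrowed recovery passwords (for example, the copies backed up to Active Directory) for transcription errors before they are needed.

```python
import secrets
import struct

GROUPS = 8
GROUP_DIGITS = 6
GROUP_MAX = 0xFFFF * 11   # 720885: each group is a 16-bit word multiplied by 11 (assumed format)


def generate_recovery_password(words=None):
    """Build a 48-digit recovery password from eight 16-bit words (random unless given).

    Produces constructed sample values only; it is not how BitLocker derives a real password.
    """
    if words is None:
        words = [secrets.randbelow(0x10000) for _ in range(GROUPS)]
    if len(words) != GROUPS or any(not 0 <= w <= 0xFFFF for w in words):
        raise ValueError("need exactly eight 16-bit words")
    return "-".join(f"{w * 11:0{GROUP_DIGITS}d}" for w in words)


def parse_recovery_password(text):
    """Validate the format and return the 16 bytes of key material (little-endian words)."""
    groups = text.strip().replace(" ", "").split("-")
    if len(groups) != GROUPS:
        raise ValueError(f"expected {GROUPS} groups, got {len(groups)}")
    words = []
    for i, group in enumerate(groups, 1):
        if len(group) != GROUP_DIGITS or not group.isdigit():
            raise ValueError(f"group {i} must be exactly {GROUP_DIGITS} digits")
        value = int(group)
        # The multiply-by-11 rule makes a single mistyped digit detectable.
        if value % 11 != 0:
            raise ValueError(f"group {i} fails the divisible-by-11 check (typo?)")
        if value > GROUP_MAX:
            raise ValueError(f"group {i} exceeds {GROUP_MAX}")
        words.append(value // 11)
    return struct.pack("<8H", *words)


def is_valid_recovery_password(text):
    """True when the password is well-formed; never proves it matches any volume."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = generate_recovery_password([1, 2, 3, 4, 5, 6, 7, 0xFFFF])
    print(sample, is_valid_recovery_password(sample))
    print(is_valid_recovery_password(sample.replace("000011", "000012", 1)))
```

Well-formed is not the same as correct: the validator only catches mangled escrow records, and a password that passes still has to be matched against the volume by BitLocker itself.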


Booting Up With BitLocker


Because the EFI System Partition is not encrypted, the system can begin its normal startup routine. When the boot process starts, the Unified Extensible Firmware Interface (UEFI) firmware launches the Windows Boot Manager. If the system was shut down, the Boot Manager looks for the Operating System Loader; if the device was asleep or hibernating, it looks for the Resume Loader.


Both the Operating System Loader and the Resume Loader are stored in the BitLocker-encrypted Operating System Volume partition carrying the FVE-FS signature. Neither the Operating System Boot Loader nor the Operating System Resume Loader can be read directly from the FVE-FS volume, which is what keeps the OS protected while offline.


During this early boot phase, the operating system kernel is not yet running; the filesystem driver only becomes available once the kernel initializes. The Windows Boot Manager therefore carries its own low-level BitLocker code, which reads the FVE Metadata Header block on the operating system volume to find the offset of the first FVE metadata block and, from there, determines the authentication method in use. Similarly, the Windows Boot Manager implements low-level TPM code to carry out TPM operations. In TPM-only mode, the TPM is asked to unseal the VMK stored in the FVE metadata.


The TPM will verify that the current Platform Measurement is identical to the measurement taken when the key was sealed. If there are any changes, the TPM will not unseal the VMK, and Recovery Mode will be activated.


Even if the unencrypted Operating System Boot Manager on the System Partition is compromised, BitLocker will still safeguard the drive.


If the PCR measurement is equal to the VMK sealing measurement, the TPM will utilize its private key to decrypt the VMK for the Boot Manager. Using the VMK, the Boot Manager decrypts the FVEK to gain access to the Operating System Boot Loader or Resume Loader, depending on the scenario.


Note: BitLocker only decrypts the sectors needed to serve read and write requests from the I/O Manager.


Measured Boot measures the Operating System Loader before it runs. If the measurement differs, or there is any other indication that this is not the intended Loader, the device enters BitLocker Recovery Mode.


If it is the correct OS, BitLocker has completed its task and the computer resumes normal operation.
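The boot sequence above (PCR measurement, unsealing the VMK, unwrapping the FVEK), together with the earlier sealing and key-protector sections, can be modelled end to end. The following Python is an added example, not BitLocker's or Microsoft's code: it simulates Measured Boot's PCR extend, a toy TPM that seals the VMK to the expected PCR value under a per-TPM SRK secret, and the VMK-wraps-FVEK hierarchy, then shows the three outcomes the page describes (normal boot, a modified boot component, and the drive moved to another machine). The names ToyTPM, provision and boot, the boot component images, and the HMAC-based wrap (a stand-in for the AES wrapping and RSA sealing the page describes) are all constructed assumptions; the real on-disk formats differ.

```python
import hashlib
import hmac
import secrets

# Constructed component images standing in for firmware, bootmgr and winload.
GOOD_CHAIN = [b"firmware-v1", b"bootmgr-v1", b"winload-v1"]
TAG_LEN = 32


def pcr_extend(pcr, component):
    """TPM PCR extend: new = SHA256(old || SHA256(component)). PCRs are only ever extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain):
    """Measured Boot: start from the reset value (all zeros) and extend once per component, in boot order."""
    pcr = bytes(32)
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key, info, length):
    # Toy HMAC-SHA256 counter-mode keystream (assumption: stand-in for AES, not BitLocker's cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, info + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek, plaintext, label):
    """Encrypt-then-MAC wrapping of one key under another (toy format, not BitLocker's)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, b"enc:" + label, len(plaintext))))
    tag = hmac.new(kek, b"mac:" + label + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap(kek, blob, label):
    """Reverse of wrap; raises PermissionError when the key is wrong or the blob was altered."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(kek, b"mac:" + label + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong key: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, b"enc:" + label, len(ct))))


class ToyTPM:
    """Models TPM sealing: the SRK secret never leaves the object (constructed stand-in for the RSA SRK)."""

    def __init__(self):
        self.srk = secrets.token_bytes(32)

    def _policy_key(self, pcr):
        # The unwrapping key depends on both the SRK (this machine) and the PCR value (this boot chain).
        return hmac.new(self.srk, pcr, hashlib.sha256).digest()

    def seal(self, secret, expected_pcr):
        return {"pcr": expected_pcr, "blob": wrap(self._policy_key(expected_pcr), secret, b"seal")}

    def unseal(self, sealed, current_pcr):
        if current_pcr != sealed["pcr"]:
            raise PermissionError("PCR mismatch: boot chain changed")
        return unwrap(self._policy_key(current_pcr), sealed["blob"], b"seal")


def provision(tpm):
    """Turn on BitLocker with the TPM-only protector: FVEK wrapped by VMK, VMK sealed to the good boot chain."""
    fvek = secrets.token_bytes(16)  # 128-bit key, matching the XTS-AES-128 default on the page
    vmk = secrets.token_bytes(32)   # 256-bit VMK
    metadata = {                    # what the FVE metadata blocks would hold
        "sealed_vmk": tpm.seal(vmk, measure_boot(GOOD_CHAIN)),
        "wrapped_fvek": wrap(vmk, fvek, b"fvek"),
    }
    return fvek, metadata


def boot(tpm, metadata, chain):
    """Boot Manager logic: unseal the VMK, then unwrap the FVEK. Returns None when Recovery Mode would trigger."""
    try:
        vmk = tpm.unseal(metadata["sealed_vmk"], measure_boot(chain))
        return unwrap(vmk, metadata["wrapped_fvek"], b"fvek")
    except PermissionError:
        return None


if __name__ == "__main__":
    tpm = ToyTPM()
    fvek, metadata = provision(tpm)
    print("normal boot:     ", boot(tpm, metadata, GOOD_CHAIN) == fvek)
    print("tampered bootmgr:", boot(tpm, metadata, [b"firmware-v1", b"bootmgr-evil", b"winload-v1"]))
    print("other machine:   ", boot(ToyTPM(), metadata, GOOD_CHAIN))
```

Two properties of the model carry over to the real design: a changed boot component alters the PCR value so the TPM refuses to unseal, and the same metadata presented to a different TPM fails even with an identical boot chain because the unwrapping key is bound to that TPM's SRK. In both cases the Boot Manager gets no VMK and falls through to the recovery prompt.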


Data protection


Everyone is responsible for protecting their data, and BitLocker encryption is one of the most effective ways to do so on a Windows PC. This chain of keys, both asymmetric and symmetric, works together to safeguard vulnerable devices while providing a streamlined user experience. Data is best protected by combining as many protective technologies as possible; activate BitLocker today!


About BLR Tools


BLR Bitlocker recovery tool is an all-in-one endpoint security solution that integrates Remote Locate, Lock, and Wipe services with Encryption management in one secure online console. Begin defending your data today with mass deployment options for phones, tablets, and computers on any operating system. Start your Free Trial and begin protecting data today with BLR Data Recovery Software!

