Martin has 20 years experience in Information Systems and Information Technology, has a PhD in Information Technology Management, and a master's degree in Information Systems Management. He is an adjunct professor of computer science and computer programming.
BitLocker drive encryption
Take your bits and lock them up!
BitLocker is a full-volume encryption feature introduced in Windows Vista and available in later versions (in the Pro, Enterprise and Education editions, not Home). It encrypts entire disk volumes and their contents, so that if the computer is stolen or the hard disk is removed and attached to another machine, the files cannot be read without the key. BitLocker also works on removable storage drives (BitLocker To Go). To access an encrypted drive, the correct credential (a TPM measurement, PIN, startup key, password or smart card) must first be presented to unlock it.
Windows also uses the Trusted Platform Module (TPM) to determine whether any of the computer's startup components have been altered. The TPM management console was also introduced with Windows Vista. The TPM is a microchip on the motherboard that provides security functions: it stores keys so they cannot be read out by software, and it records measurements (hashes) of the firmware and boot loader as the machine starts. When BitLocker is used with the TPM, the TPM releases the key that unlocks the drive only if those measurements match the ones recorded when BitLocker was turned on; otherwise the drive stays locked until a recovery credential is supplied.
A TPM-based unlock happens before Windows starts and is separate from the Windows sign-in. For extra protection, a PIN or a startup key (a key file on a USB flash drive) can be required at boot in addition to the TPM. On data drives of either type (fixed or removable), users unlock BitLocker-protected data with a password or a smart card.
As mentioned previously, BitLocker protects the operating system drive and the other drives of a computer. On the operating system drive it does this by performing the following system integrity checks:
- Verify, through the TPM measurements, the integrity of the firmware and the startup files of the operating system
- Ensure that software on the machine (e.g., malware or a tampered boot loader) cannot interfere with the startup process or read the operating system drive
- Lock the system if anything is altered. The operating system drive will not unlock; instead, BitLocker enters a simple recovery process and asks for the 48-digit recovery password or the recovery key file.
Setting up BitLocker
The BitLocker setup wizard is available from Windows Explorer (right-click a drive and choose Turn on BitLocker) or from the Control Panel (BitLocker Drive Encryption); the same operations are available from the command line with manage-bde and, on Windows 8 and later, the BitLocker PowerShell module. Remember, the computer should also have a Trusted Platform Module (TPM, version 1.2 or later) to take full advantage of the integrity-checking features.
Unlocking BitLocker-protected drives
There are four methods to unlock an operating system drive that has been encrypted with BitLocker: (1) TPM only, (2) TPM with startup key, (3) TPM with PIN, and (4) TPM with both startup key and PIN. All four require a TPM (version 1.2 or later) and Windows Vista or later:
TPM only
This is the most transparent option: the TPM unlocks the drive automatically during boot, and the user only needs to sign in to Windows as usual. If the TPM measurements show that the firmware or operating system startup files have changed, BitLocker enters recovery mode, and the recovery password (or recovery key) is needed to gain access. The trade-off is that anyone who boots the intact machine gets as far as the Windows sign-in screen, so the protection then rests on the Windows sign-in; adding a PIN or startup key keeps the drive locked until that second factor is supplied.
TPM with startup key
Part of the key material needed to unlock the drive is stored in a key file on a USB flash drive (the startup key). The flash drive must be inserted when the computer is started, before Windows loads; the TPM and the startup key together unlock the drive, and the user then signs in to Windows as usual.
TPM with PIN
In addition to the TPM check, the user must type a PIN at startup, before Windows loads; the data on the encrypted drive stays inaccessible without the correct PIN. The PIN is distinct from the Windows sign-in password.
TPM with both startup key and PIN
This is considered multi-factor authentication because both the PIN (something you know) and the USB flash drive holding the startup key (something you have) are required at startup before the encrypted drive(s) will unlock.
Using BitLocker without TPM
Not all machines have a TPM; since it is a microchip on the motherboard, simply upgrading an old computer to a newer version of Windows cannot also install the hardware! For computers without a TPM, BitLocker can still protect the operating system drive, but an administrator must first enable the Group Policy setting "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" checked; the drive is then unlocked with a startup key on a USB flash drive (or, from Windows 8 on, with a password typed at boot).
Since the computer cannot use a TPM, all of the key material needed to unlock the drive has to be stored in the key file on the USB flash drive. The flash drive is inserted during startup, and the key file on it unlocks the protected drive. Again, ALL of the unlocking key information is on the flash drive, and there is no integrity check of the boot process! This protects against theft of the computer alone, but if both the computer and the flash drive are stolen together, a criminal has full access to the machine and its data.
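The setup and unlock options above, carried out from an elevated PowerShell prompt. This is an added example and not code from the lesson: it checks for a TPM, enables BitLocker on the operating system drive with TPM + PIN when one is present and with a USB startup key otherwise, then adds and prints a recovery password. The drive letters and the PIN are assumptions, and the two registry values used in the no-TPM branch are assumed to be the local equivalent of the Group Policy setting named in the text; check them against your own policy before relying on them.

```powershell
# Added example (not from the lesson). Requires the BitLocker PowerShell module
# (Windows 8 / Server 2012 and later) and an elevated session.
#Requires -RunAsAdministrator
$OsDrive    = "C:"
$StartupUsb = "E:"   # assumption: a FAT-formatted USB flash drive for the startup key
$Pin        = Read-Host -Prompt "Enter a BitLocker PIN (6-20 digits)" -AsSecureString

$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM + PIN: the TPM measures the boot chain; the user types the PIN pre-boot.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest
} else {
    # No TPM: "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" must be enabled first.
    # Assumption: these registry values mirror that Group Policy setting.
    $fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name "UseAdvancedStartup" -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name "EnableBDEWithNoTPM" -Value 1 -Type DWord
    # All key material needed to unlock lives in the .BEK file written to the USB drive,
    # so losing the drive together with the computer loses the data.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -StartupKeyProtector -StartupKeyPath $StartupUsb -UsedSpaceOnly -SkipHardwareTest
}

# Always add a recovery password, so a measurement change (firmware update,
# boot-loader tampering) does not lock you out for good.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$vol      = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
Write-Host "48-digit recovery password (store it offline, never on this disk):"
Write-Host $recovery.RecoveryPassword

# Optional on a domain-joined machine: escrow the recovery password in Active Directory.
# Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $recovery.KeyProtectorId

# Verify which protectors guard the drive and that protection is turned on.
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

The TPM + PIN branch is the one to prefer: the startup-key branch encrypts the data but, with no TPM, nothing checks the boot chain and the whole unlocking secret sits on the flash drive. Treat the printed recovery password as a credential and move it off the machine immediately.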
Using BitLocker on removable drives
BitLocker can also be used to protect removable drives (external hard drives, USB flash drives, etc.), a feature called BitLocker To Go, as well as fixed data drives other than the operating system drive. These drives are unlocked in one of three ways: with a password, with a smart card, or automatically.
Password
A password is created to allow access to the removable drive (e.g., a USB flash drive) or the internal data drive, and is typed when the drive is connected or first accessed. It is suggested that a strong password is used: a long one with special characters, numbers, and a mix of lower- and upper-case letters, since an attacker who has the drive in hand can try to guess the password against it at leisure.
Smart card
A smart card is a small card with a computer chip that holds a certificate and its private key. The chip is similar to the one on today's chip-enabled credit cards, but a payment card cannot be used for BitLocker. To use a smart card on a Windows machine, you need a smart card reader (a small device that is connected via USB).
For the smart card to work, it must hold a valid certificate with a private key; BitLocker looks for a certificate intended for BitLocker drive encryption and chooses it. When you unlock the drive, the smart card must be inserted and its PIN entered to complete the process and allow access to the drive.
Note: Even though the smart card holds the private key, some metadata is stored unencrypted on the drive, including the thumbprint of the certificate that was used. This does not give an attacker the certificate or the key, but it does reveal which certificate (and therefore, possibly, which user or organization) protects the drive.
Automatic unlock
This is perhaps the most user-friendly option. BitLocker can be set to automatically unlock a data drive when the user signs in to Windows; the key for the data drive is stored on the encrypted operating system drive, so this option only works when the operating system drive is itself BitLocker-protected. However, if attackers gain access to your PC and figure out the Windows password, they also have full access to the automatically unlocked drive.
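The password and automatic-unlock options for a removable drive, as an added example that is not part of the lesson: it enables BitLocker To Go with a password, adds a recovery password, turns on automatic unlock only when the operating system drive is already protected, and then runs a lock/unlock cycle to show what a user on another machine would see. The drive letter is an assumption.

```powershell
# Added example (not from the lesson). Requires the BitLocker PowerShell module
# and an elevated session.
#Requires -RunAsAdministrator
$DataDrive = "F:"   # assumption: the removable drive to protect

# BitLocker To Go passwords must be at least 8 characters (policy may demand more).
# Length matters: whoever holds the drive can keep guessing against it offline.
$Password = Read-Host -Prompt "Password for $DataDrive" -AsSecureString

# AES-CBC (Aes256) rather than XTS so the drive stays readable on older Windows
# versions that lack XTS support; use XtsAes256 if only current systems will read it.
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod Aes256 `
    -PasswordProtector -Password $Password -UsedSpaceOnly
# Keep a recovery password for the data drive too, in case the password is forgotten.
Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null

# Auto-unlock stores the drive's key on the (already encrypted) OS drive,
# so it is only permitted when the OS drive is BitLocker-protected.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -eq "On") {
    Enable-BitLockerAutoUnlock -MountPoint $DataDrive
} else {
    Write-Warning "OS drive $($env:SystemDrive) is not protected; skipping auto-unlock."
}

# Lock the drive as it would be when plugged into another machine, then unlock
# with the password, and show the resulting state.
Lock-BitLocker -MountPoint $DataDrive -ForceDismount
Unlock-BitLocker -MountPoint $DataDrive -Password $Password
Get-BitLockerVolume -MountPoint $DataDrive |
    Select-Object MountPoint, VolumeType, LockStatus, AutoUnlockEnabled
```

Automatic unlock trades a credential for convenience: once it is on, the drive is only as protected as the Windows sign-in of the account that enabled it, which is the caveat the text gives above.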
This lesson has provided an overview of BitLocker Drive Encryption, which is available in Windows Vista and later operating systems. The tool can leverage the Trusted Platform Module (TPM) and require that users enter a PIN, use a startup key (USB flash drive), use both a PIN and a startup key, or, on data drives, a plain password or smart card. BitLocker makes sure that the firmware and operating system startup files have not been altered and locks the drive, requiring the recovery password, if it detects foul play.