Everything about BitLocker encryption, decryption and recovery models.
What is BitLocker: BitLocker is a drive encryption feature introduced in Microsoft Windows Vista.
Why we need BitLocker: physical security of devices. Corporates want that, if you lose your device, company data must stay secure in any case; the data is more valuable than the device. BitLocker prevents offline attacks such as booting from a live CD or mounting the disk on another system to access the data. Such an attack can bypass user authentication, but it can't bypass the encryption.
How does it work: BitLocker can encrypt your entire hard drive except the system partition. If you have only one drive, let's say the C: drive, it will additionally create a system partition and will not encrypt it. The system partition is not shown in Windows Explorer.
What are the recovery options: There are 2 basic security keys in BitLocker.
Recovery password: a 48-digit key
Recovery key: should be kept on removable media
In corporates we create a data recovery agent, i.e. a user account for recovering data in case of lost keys and passwords. The data recovery agent is configured from Group Policy.
What is TPM: TPM (Trusted Platform Module) is a microprocessor on your motherboard that secures hardware by integrating cryptographic keys into the device. What does that mean? BitLocker stores keys in the TPM and checks them during the boot-up process. If it finds anything wrong, the drive will not be decrypted.
What if we don't have a TPM on our motherboard: If your motherboard doesn't have a TPM installed, you can use a USB drive for storing the keys.
BitLocker modes
TPM only: It will only encrypt your disk and only gives login-level security for your sensitive data. If anything in the disk or the boot process is changed, the TPM won't allow you to decrypt your data.
TPM and PIN: The user is required to enter a PIN at boot time.
TPM and key: The user has to supply a key during the boot process, either by typing it or by supplying it on a USB key.
TPM with key and PIN: The user has to enter a PIN and also has to supply the key during the boot process to decrypt his data.
Without TPM: Cannot provide boot-level protection; the user can only encrypt his data and use a key or PIN for securing the boot process.
BitLocker To Go: BitLocker To Go is a feature for USB drive encryption. It will
If your computer was not manufactured with a TPM, you can either create a BitLocker startup key on a USB flash drive or create a startup PIN. With a startup key, you will have to insert the flash drive each time you start the computer. A PIN is stored on your computer; you will have to type the PIN each time you start the computer.
Steps to configure BitLocker:
- Click ‘Start’ – ‘Control Panel’ – ‘System and Security’. Choose ‘BitLocker Drive Encryption’ from the ‘System and Security’ console. The BitLocker Drive Encryption console appears.
- Click ‘Turn On BitLocker’ to encrypt the corresponding drive on the computer.
- ‘Manage BitLocker’ allows you to change or print the recovery key of the encrypted drive.
- You can ‘Turn Off BitLocker’ if you have the encryption key or PIN. It then decrypts the drive, and the drive is no longer protected.
Encrypt a system drive using BitLocker:
- Click ‘Start’ – ‘Computer’. Select the drive you want to encrypt, right-click it and select ‘Turn on BitLocker’. This opens the ‘BitLocker Drive Encryption’ wizard.
- After BitLocker initialization, the ‘BitLocker Drive Encryption’ wizard opens a new screen to choose a way to unlock your drive. You can either enter a password or use a smart card. Choose the required option and click ‘Next’.
- The wizard then asks how to store your recovery key. You can ‘Save the recovery key’ to a file on your computer or ‘Print the recovery key’. Select the required option and click ‘Next’.
- The wizard stores the recovery key and then displays the message ‘Are you ready to encrypt your drive?’. Click ‘Next’. This starts the encryption. After the encryption is complete you will receive the message ‘Encryption for the selected drive is complete’.
How to enable BitLocker TPM and PIN
- Click Start > Run and type gpedit.msc
- Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Open ‘Require additional authentication at startup’
- Set the value of ‘Configure TPM startup PIN’ to ‘Require startup PIN with TPM’
- Open cmd and run: manage-bde -protectors -add c: -TPMAndPIN
- Key protectors added: <set your password here>
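The same TPM+PIN setup as a checked PowerShell script, added here as an example (it is not from the original article). It assumes the OS drive is C:, the policy from the steps above has been applied (the GPO is backed by the UseAdvancedStartup and UseTPMPIN values under HKLM\SOFTWARE\Policies\Microsoft\FVE), and the machine is domain-joined so the recovery password can be escrowed to Active Directory; it also adds the 48-digit recovery password so a forgotten PIN does not mean lost data.

```powershell
# Added example, not from the original article: enable TPM+PIN on the OS drive and
# verify the result from an elevated PowerShell prompt. Assumptions: the OS drive is C:,
# a TPM is present, and the GPO from the steps above has already been applied.
$MountPoint = 'C:'

# 1. Refuse to continue without a ready TPM; TPM+PIN cannot work without one.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; initialise it before adding a TPM+PIN protector.'
}

# 2. Check the policy the article sets in gpedit.msc. The GPO writes these values;
#    UseAdvancedStartup = 1 is the enabled policy, UseTPMPIN = 1 is "Require startup PIN with TPM".
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve.UseAdvancedStartup -ne 1 -or $fve.UseTPMPIN -ne 1) {
    Write-Warning 'Policy does not require a startup PIN; the TPM+PIN protector may be rejected.'
}

# 3. Read the PIN as a SecureString so it is not left in plain text in the script or history.
$pin = Read-Host -Prompt 'Enter the BitLocker startup PIN' -AsSecureString

# 4. Add the TPM+PIN protector (the PowerShell equivalent of
#    'manage-bde -protectors -add c: -TPMAndPIN').
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.KeyProtector.KeyProtectorType -contains 'TpmPin') {
    Write-Host "A TPM+PIN protector already exists on $MountPoint."
} else {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
}

# 5. Make sure a 48-digit recovery password exists (the article's 'recovery password') and
#    escrow it to Active Directory, so a forgotten PIN does not mean lost data.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp[0].KeyProtectorId

# 6. Verify: the list should now include TpmPin and RecoveryPassword.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

If the drive is not yet encrypted at all, use Enable-BitLocker with the same -TpmAndPinProtector and -Pin parameters instead of Add-BitLockerKeyProtector in step 4; the policy check and recovery-password escrow stay the same.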