BitLocker™ Drive Encryption: A look under the covers
Steve Lamb, Technical Security Advisor, Microsoft UK
http://blogs.technet.com/steve_lamb
Stephen.email@example.com
Agenda
• Is EFS Dead?
• A quick review
• What threats does it mitigate?
• What threats ARE NOT mitigated
• Enhancements @ Vista SP1
• To Gain Access We Need
• Deployment Considerations
• Resources
A Quick Review: BitLocker
What threats does it mitigate?
• Data @ rest
• Overriding Access Controls
What threats ARE NOT mitigated?
• Stupid User!
• Stupid Admin!
• Removable Media
• Weak Passwords
Enhancements @ SP1
• Multi-volume support
• Key Rolling
What Is A Trusted Platform Module?
TPM 1.2 spec: www.trustedcomputinggroup.org
Secure the pre-boot environment
• Measure EVERYTHING
To gain access we need
• Full Volume Encryption Key
• Volume Master Key
• Multiple places to store it
Keys and Protectors ("Authenticators"): Where's the Encryption Key?
• Data is encrypted with the FVEK.
• The FVEK is encrypted with the VMK and then stored in the volume metadata.
• The VMK is encrypted by one or more key protectors, then stored in the volume metadata.
• The Trusted Platform Module will not decrypt the VMK if the system integrity check fails.
Key protectors shown in the diagram: TPM, TPM+PIN, TPM+USB, USB Key (Recovery or Non-TPM), Recovery Password (48 digits, in the form 123456-789012-345678-)
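As an added illustration (not from the deck and not Microsoft's code), the Python below models the hierarchy just described: data wrapped by the FVEK, the FVEK by the VMK, the VMK by several protectors stored beside it in metadata, and a TPM protector whose key is bound to the boot measurements so that a changed measurement is refused rather than decrypting anything. The cipher is an HMAC-SHA256 stand-in for BitLocker's AES, and the TPM root key, measurement values and 48-digit recovery password are constructed for the example.

```python
import hmac, hashlib, os

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(key, plaintext):
    """Stand-in cipher (HMAC keystream + HMAC tag, not BitLocker's AES): nonce||ct||tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """A wrong key or an altered blob fails the tag check; nothing is decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def tpm_sealed_key(srk, pcrs):
    """TPM model: the VMK-wrapping key is bound to the boot measurements (PCRs)."""
    return hmac.new(srk, b"".join(pcrs), hashlib.sha256).digest()

def recovery_key(password48):
    """Recovery-password protector: the 48 digits are hashed into a wrapping key."""
    return hashlib.sha256(password48.replace("-", "").encode()).digest()

class Volume:
    def __init__(self, data, protectors):
        fvek, vmk = os.urandom(32), os.urandom(32)
        self.ciphertext = wrap(fvek, data)            # data encrypted with the FVEK
        self.metadata = {"fvek": wrap(vmk, fvek),     # FVEK encrypted with the VMK
                         "protectors": {n: wrap(k, vmk) for n, k in protectors.items()}}
    def unlock(self, name, key):
        vmk = unwrap(key, self.metadata["protectors"][name])   # protector -> VMK
        return unwrap(unwrap(vmk, self.metadata["fvek"]), self.ciphertext)  # -> FVEK -> data

def demo():
    srk, pcrs = os.urandom(32), [hashlib.sha256(b"constructed boot measurement").digest()]
    pw = "123456-789012-345678-901234-567890-123456-789012-345678"  # constructed value
    vol = Volume(b"constructed secret", {"tpm": tpm_sealed_key(srk, pcrs),
                                        "recovery": recovery_key(pw)})
    try:   # a modified boot component changes the measurement, so the sealed key differs
        vol.unlock("tpm", tpm_sealed_key(srk, [hashlib.sha256(b"modified").digest()]))
        refused = False
    except ValueError:
        refused = True
    return vol.unlock("tpm", tpm_sealed_key(srk, pcrs)), vol.unlock("recovery", recovery_key(pw)), refused
```

Because every protector wraps the same VMK, adding or replacing a protector (a new PIN, a new recovery password) only rewrites a small metadata entry; the data ciphertext is never touched.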
Disk Configuration
• Partitioning guidelines:
Understanding the Options with the Windows Vista Security Guide
• Unique GPO Accelerator tool deploys security configurations in minutes vs. hours
• Tested guidance by Windows Vista security experts
• Preconfigured, customizable security settings
The Windows Vista Security Guide provides customers with best practices and automated tools to help them quickly and easily deploy Windows Vista, and provides tested guidance to balance their needs for security and functionality.
Resources
• Data Encryption Toolkit for Mobile PCs
• BitLocker Drive Encryption Technical Overview
• Keys to Protecting Data with BitLocker Drive Encryption
• Developing Credential Providers for Windows Vista
• Create Custom Login Experiences With Credential Providers For Windows Vista
Resources
• Technical Communities, Webcasts, Blogs, Chats & User Groups: http://www.microsoft.com/communities/default.mspx
• Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
• Microsoft Developer Network (MSDN) & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
• Trial Software and Virtual Labs: http://www.microsoft.com/technet/downloads/trials/default.mspx
Visit TechNet in the ATE Pavilion and get a FREE 60-day subscription to TechNet Plus!
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.