Why Is BitLocker Encryption Essential?

If a laptop is stolen, having a drive that is secure and encrypted can be the difference between a cybersecurity incident and a catastrophe. BitLocker is one tool Microsoft provides to protect the data stored on each computer’s drive.

As soon as someone pushes the power button, the computer begins using features that protect it even while it is booting up. A firmware feature called Secure Boot makes sure that all the software being started is trusted by the Original Equipment Manufacturer (OEM), and a feature called Measured Boot takes measurements of different components (boot-start drivers, firmware, etc.) and logs the sizes in the Trusted Platform Module (TPM) to facilitate remote testing by antimalware software. Once the Operating System (OS) is running, individual files on the Microsoft device are encrypted by a component of the New Technology File System (NTFS) called the Encrypting File System (EFS). These steps protect data on the computer drive while the OS is running.

However, EFS does not encrypt entire partitions or drives, which means that files are vulnerable if a malicious actor gains access to the machine. If the drive is removed from its original computer and placed in a different one, a brute force attack could be utilized to gain information from the files encrypted by the EFS.

This presents a concern — how can an entire drive be protected from a bad actor, not just individual files?

This is where BitLocker comes in.

What is BitLocker Encryption?

BitLocker is a Volume Encryption service that protects data on drives, even when the OS is not online. The enhanced protection keeps data safe on devices that are at increased risk of being breached by an unauthorized user due to being lost or stolen.

By combining BitLocker and EFS, a multi-staged defensive posture is formed. BitLocker protects data when the operating system is not active, and EFS protects files while the operating system is active. Simple, right?

However, a savvy reader may notice that this solution is not as clear cut as it may first appear. If the entire drive is encrypted while the computer is not running, how will it be decrypted to start the OS?

Partitions

The answer to this question is partitions. Partitions segment one drive into multiple sections, with each section functioning as an individual drive. BitLocker uses partitions to make sure that the OS can boot up without decrypting the rest of the data on the drive.

To run correctly, BitLocker needs at least four partitions:

  • An Extensible Firmware Interface (EFI) System Partition containing the Operating System Boot Manager
  • A Microsoft Reserved Partition
  • An Operating System Volume Partition formatted as NTFS
  • A Recovery Partition for the files needed to run the Windows Recovery Environment

These are the minimum partitions to operate BitLocker. Additional partitions can be created and encrypted by BitLocker for storage on a device!

BitLocker only encrypts the Operating System Volume by default, and will not encrypt any volume that:

  • Does not have enough space
  • Is in an incompatible file format
  • Is a dynamic volume
  • Is a system partition

The EFI System Partition stores the Boot Manager. This partition is:

  • Separate from the Windows partition
  • Configured as active
  • Sized to hold at least 250 MB
  • Not used for user file storage
  • Optionally shared with a recovery partition

By meeting these requirements, the Boot Process is able to start from the EFI Partition without the need to decrypt any other part of the device.

Keys, Trusted Platform Modules, and Measured Boot

The current iteration of BitLocker works best when allowed to function with both a TPM and Windows Measured Boot. A TPM creates cryptographic keys that are only usable after being decrypted by the TPM itself. This is called binding or wrapping the key. The TPM uses its unique Storage Root Key (SRK), which is set to be unique to the owner of the drive, to bind its key.

The TPM also links the encryption key to the original boot measurements recorded by Measured Boot, so certain components must be the same size before the key will be released. This is called sealing the key to the TPM. In layman’s terms, this means that an individual will not be able to decrypt the drive if the computer that is attempting to boot up has been altered or is not the same machine that initially encrypted the device.

If something has changed, the TPM will not unseal the key and the drive will not decrypt. Users will be shown a BitLocker Recovery screen asking for a recovery key. This will happen no matter what machine a nefarious actor places the drive in, even though the OS is not active.

Keys and Key Protectors

BitLocker encrypts the disk sectors and raw data with a Full Volume Encryption Key (FVEK). BitLocker defaults to an AES Encryption Algorithm in XTS mode with a 128-bit key length. There are two ways to configure that encryption: either modern management via Intune or traditional management using Group Policy. BitLocker also encrypts the FVEK using a 265-bit Volume Master Key (VMK).

Since the VMK protects the FVEK, anyone with access to the VMK can decrypt the FVEK and access the drive. To protect the VMK from unauthorized eyes, BitLocker uses key protectors to provide an additional layer of security. A key protector is a password of sorts that provides security by having the user prove that they are authorized to access the machine.

There are several options for key protectors for a TPM 1.2 or 2.0, including:

  • TPM (the default unless there is a superseding policy)
  • TPM with a numeric PIN
  • TPM with a USB Drive Startup Key
  • TPM with a USB Drive Startup Key and a numeric PIN

If the machine does not have a compatible TPM, a USB Drive Startup Key can serve as a key protector.

The default binds the VMK to the TPM with an RSA encryption algorithm (named for its inventors Ron Rivest, Adi Shamir and Leonard Adleman). The encryption key is sealed to a ‘set of expected Platform Configuration Register (PCR) values.’

Encryption Conundrums

But wait! How can someone decrypt anything on a computer when the keys to do so are themselves encrypted and stored on the very volume that BitLocker has encrypted? That is like protecting the keys to a car by locking them in the car. While the keys are safe, the car is rendered unusable… or is it? To get around the conundrum, BitLocker encrypts an entire volume except the sectors the OS needs to boot up. For this to work, the FVE Metadata Block Header replaces the standard NTFS partition header. (The FVE-FS- signature at the beginning marks the volume as being encrypted by BitLocker.) The VMK and the FVEK are stored in the three FVE metadata blocks.

Keys are protected by encrypting them with key protectors and encrypting the key protectors with the key. Both the key and the key protector are stored in the FVE metadata. To encrypt a key/key protector combination, BitLocker uses Advanced Encryption Standard (AES).

Symmetry and Encryption

There are two forms of encryption: symmetrical and asymmetrical. Symmetrical encryption means that the same key is used to encrypt and decrypt data. Asymmetrical encryption means that the key used to encrypt the data is not the same key used to decrypt the data.

The Advanced Encryption Standard (AES) is used in the generation of FVEKs and VMKs. AES creates symmetrical keys, so both the FVEK and VMK utilize an encryption process where the same key is used to protect the data whether it is being encrypted or decrypted.

There is an asymmetric aspect to BitLocker as well. The SRK is asymmetric, using the RSA algorithm to create a public-private key pair, with the private key being stored in the TPM. This means the key used to encrypt the VMK is not the same as the one used to decrypt it. With both of these styles of encryption involved in booting up the machine, BitLocker is a hybrid of both symmetric and asymmetric encryption.

Windows Recovery Mode

BitLocker will create a recovery password to be used in case there is ever a situation that triggers Recovery Mode. This password is a numeric, 48-digit key. For a home PC, BitLocker will prompt the user to save the Recovery Password. If a device is joined to an Active Directory (AD) or Azure AD domain, the Recovery Password for the device can be backed up to AD itself. Recovery Mode will activate for any number of reasons, including entering a PIN incorrectly too many times, deactivating the TPM, or moving the encrypted drive to a new computer.

Note that in Recovery Mode, there is no TPM required as a second layer of security. A malicious actor who has the Recovery Password and has physical control of the machine has the ability to access the drive.
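As an added example (not code from the article or from DriveStrike), a validator for the 48-digit Recovery Password, useful when a helpdesk or recovery workflow needs to reject mistyped keys before they are tried. It assumes the published BitLocker format rules, which this article does not spell out: eight groups of six digits, each group a multiple of 11 (the last digit is a check digit) and below 720896, so each group encodes one 16-bit chunk of the key; the sample password is constructed.

```python
import re

GROUP_LIMIT = 11 * 65536      # 720896: the largest 16-bit value times 11

def parse_recovery_password(text):
    """Return the eight 16-bit chunks encoded by a well-formed recovery
    password, or None. Accepts the groups separated by '-' or whitespace,
    as they appear on the BitLocker Recovery screen and in AD backups."""
    digits = re.sub(r"[\s-]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        return None
    chunks = []
    for i in range(0, 48, 6):
        group = int(digits[i:i + 6])
        # Assumed format rule: the last digit of each group is a check digit,
        # so the group must be a multiple of 11, and group // 11 must fit in 16 bits.
        if group % 11 != 0 or group >= GROUP_LIMIT:
            return None
        chunks.append(group // 11)
    return chunks

def is_valid_recovery_password(text):
    return parse_recovery_password(text) is not None

# Constructed sample (not a real key): every group is a multiple of 11 below 720896.
SAMPLE_PASSWORD = "123453-440000-720885-000011-109989-550000-135795-000000"

if __name__ == "__main__":
    print(is_valid_recovery_password(SAMPLE_PASSWORD))                                # True
    print(is_valid_recovery_password(SAMPLE_PASSWORD.replace("123453", "123454")))    # False: check digit
```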

Booting Up With BitLocker

Since the EFI System Partition is not encrypted, the machine is capable of starting its normal start-up sequence. Once the boot process starts, the Unified Extensible Firmware Interface (UEFI) firmware triggers the Windows Boot Manager. If the system had been shut down, the Boot Manager looks for the Operating System Loader; if the device was sleeping or hibernating, it looks for the Operating System Resume Loader instead.

Both the Operating System Loader and the Resume Loader are stored on the BitLocker-encrypted Operating System Volume partition, which carries the FVE-FS signature. The Boot Manager cannot read the Operating System Boot Loader or Operating System Resume Loader directly from the FVE-FS volume, which protects the OS while it is offline.

The Operating System Kernel is not yet running in this early boot phase; the filesystem driver comes online while the Kernel is being initialized. The low-level BitLocker code in the Windows Boot Manager reads the FVE Metadata Block Header on the OS volume to find the offset of the first FVE metadata block, and from there learns which authentication type is in use. In a similar way, TPM actions are handled by low-level TPM operation code in the Windows Boot Manager. In TPM-only mode, the TPM is asked to unseal the VMK stored in the FVE Metadata. The TPM verifies that the current Platform Measurement matches the measurement recorded when the key was sealed. If anything has been modified, the TPM will not unseal the VMK and Recovery Mode is triggered.

Even if the Operating System Boot Manager, which is unencrypted on the System Partition, is compromised, the drive is still protected by BitLocker.

If the PCR measurement matches the VMK sealing measurement, the TPM will use its private key to decrypt the VMK for the Boot Manager. Using the VMK, the Boot Manager will decrypt the FVEK to access the Operating System Boot Loader or Resume Loader depending on the situation.

Note that BitLocker only decrypts the sectors required to satisfy read and write requests from the Input/Output (I/O) Manager.

Measured Boot checks the size of the Operating System Loader before it is activated. If there have been any changes in the measurements, or any indication that it is not the intended Loader, the device will enter BitLocker Recovery Mode.

If it is the correct OS, BitLocker has done its job and the computer will commence normal operation.
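The sealing described under "Keys, Trusted Platform Modules, and Measured Boot" and the boot-time decision above, modelled as an added example (not Microsoft's code, and not from the article or DriveStrike): PCR extension is the usual hash-chain form, and the `SimTpm` class, the `boot` function and the boot-chain byte strings are constructed stand-ins for a real TPM, the Boot Manager and the measured components.

```python
import hashlib
import hmac
import os

def pcr_extend(pcr, image):
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(image))."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()

def measure_boot_chain(images):
    """Replay Measured Boot: PCRs start at zero and each boot component extends them."""
    pcr = bytes(32)
    for image in images:
        pcr = pcr_extend(pcr, image)
    return pcr

class SimTpm:
    """Toy TPM (constructed for this example). The SRK stand-in never leaves the
    object; seal() ties a key to an expected PCR digest and unseal() releases it
    only when the live measurement matches exactly."""
    def __init__(self):
        self._srk = os.urandom(32)          # unique per device, like the SRK
        self._sealed = {}
    def seal(self, key, expected_pcr):
        handle = hmac.new(self._srk, expected_pcr, "sha256").digest()
        self._sealed[handle] = (expected_pcr, key)
        return handle
    def unseal(self, handle, current_pcr):
        entry = self._sealed.get(handle)    # None: blob was sealed by another TPM
        if entry is not None and hmac.compare_digest(entry[0], current_pcr):
            return entry[1]
        return None

def boot(tpm, handle, images):
    """Boot Manager decision: 'unlocked' when the VMK is released, else 'recovery'."""
    vmk = tpm.unseal(handle, measure_boot_chain(images))
    return "unlocked" if vmk is not None else "recovery"

# Constructed sample boot chains; the images are just stand-in byte strings.
GOOD_CHAIN = [b"firmware-v1", b"bootmgfw.efi", b"winload.efi"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootmgfw.efi+patch", b"winload.efi"]
DEVICE_TPM = SimTpm()
VMK = os.urandom(32)
VMK_HANDLE = DEVICE_TPM.seal(VMK, measure_boot_chain(GOOD_CHAIN))

if __name__ == "__main__":
    print(boot(DEVICE_TPM, VMK_HANDLE, GOOD_CHAIN))      # unlocked
    print(boot(DEVICE_TPM, VMK_HANDLE, TAMPERED_CHAIN))  # recovery: a measurement changed
    print(boot(SimTpm(), VMK_HANDLE, GOOD_CHAIN))        # recovery: drive moved to another device
```

The third case is the one the article stresses: an unmodified boot chain on a different machine still lands on the Recovery screen, because the sealed blob belongs to the original TPM.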

Data Protection

It is everyone’s responsibility to protect their data, and BitLocker encryption is one of the best ways to do that on a Windows computer. This series of keys, both asymmetric and symmetric, fit together to protect devices vulnerable to attack, while maintaining a streamlined user experience. Data is best protected by layering as many defensive tools as possible; activate BitLocker today!

About DriveStrike

DriveStrike is an all-in-one endpoint security solution that integrates Remote Locate, Lock, and Wipe services with Encryption management in one secure online console. Begin defending your data today with mass deployment options for phones, tablets, and computers on any operating system. Start your 30 Day Free Trial and begin protecting data today with DriveStrike!