12.8 File Encryption & BitLocker
BitLocker partition
*Implementing BitLocker requires two NTFS partitions:*
- The system partition is a 100 MB volume that contains the boot files. This partition is set to active and is not encrypted by the BitLocker process.
- The operating system partition must be large enough for the operating system files. This partition is encrypted by BitLocker.
*Be aware of the following:*
- A new Windows installation creates both partitions prior to the installation of the operating system files.
- For operating systems already installed on a single partition, you may need to resize the existing partition and create the system partition required by BitLocker.
Non-TPM Security
*You have the following options for implementing BitLocker on systems without a TPM chip:*
- You can save the BitLocker key on a USB device. The USB device is inserted before starting the computer and provides authentication before the operating system drive is decrypted. *The BIOS must support reading USB devices during startup.*
- Windows 8 and later allow you to configure an unlock password for the operating system drive. To use this feature, enable the Configure Use Of Passwords For Operating System Drives policy in the Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives node of Computer Configuration.
- Windows supports authentication using a smart card certificate. The smart card certificate is stored on a USB device and is used similarly to the BitLocker key on a USB device.
BitLocker differs from the Encrypting File System (EFS) in the following ways:
- BitLocker encrypts the entire volume. EFS encrypts individual files.
- BitLocker encrypts the volume for use on the computer, regardless of the user. Any user who has the PIN or startup key and who can successfully log on can access a BitLocker volume. With EFS, only the user who encrypted the file can access the file unless access has been granted to other users.
- BitLocker protects files against offline access only. If the computer boots successfully, any authorized user who can log on can access the volume and its data. EFS protects against offline access as well as online access for unauthorized users. EFS does not provide online protection if an authorized user's credentials are compromised.
Trusted Platform Module (TPM)
A Trusted Platform Module (TPM) is a special hardware chip included on the computer motherboard that contains software in firmware that generates and stores cryptographic keys. *The TPM chip must be enabled in the BIOS/UEFI.* *The TPM chip* stores the BitLocker key that is used to unlock the disk partitions and stores information about the system to verify the integrity of the system hardware. The TPM ensures system integrity as follows:
1) The TPM examines the startup components present on the unencrypted partition.
2) Based on the hardware and system components, a system identifier is generated and saved in the TPM.
3) At startup, components are examined and a new system identifier is generated.
4) The new identifier is compared to the saved identifier. If the identifiers match, the system is allowed to boot.
BitLocker
BitLocker protects against unauthorized data access on lost or stolen laptops and on other compromised systems.
- BitLocker encrypts the entire contents of the operating system partition, including operating system files, swap files, hibernation files, and all user files. A special BitLocker key is required to access the contents of the encrypted volume.
- BitLocker uses integrity checking early in the boot process to ensure that the drive contents have not been altered, and that the drive is in the original computer. If any problems are found, the system will not boot, and the drive contents remain encrypted. The integrity check prevents hackers from moving the hard disk to another system in order to try to gain access to its contents.
- BitLocker requires data to be decrypted before it can be used, which reduces disk I/O throughput.
- BitLocker is only available on Ultimate and Enterprise editions of Windows.
- In Windows 8 and later, you can choose to encrypt the entire volume or just the used space on the volume.
Data transmission encryption
Data that is sent through a network can potentially be intercepted and read by an attacker. Use some form of encryption to protect data sent through a network. You should be aware of the following solutions to protect data communications.
- A virtual private network (VPN) uses an encryption protocol to establish a secure communication channel between two hosts, or between one site and another site. Data that passes through the unsecured network is encrypted and protected.
- IPSec, PPTP, and L2TP are common protocols used for establishing a VPN.
- Secure Sockets Layer (SSL) is a protocol that can be added to other protocols to provide security and encryption. For example, HTTPS uses SSL to secure Web transactions.
- Use WPA, WPA2, or WEP to secure wireless communications, which are highly susceptible to eavesdropping (data interception). WEP, WPA Personal, and WPA2 Personal use a common shared key configured on the wireless access point and on all wireless clients.
- When implementing network services, do not use protocols such as FTP or Telnet that pass logon credentials and data in clear text. Instead, use a secure alternative such as FTP-S or SSH.
File encryption
File encryption encrypts individual files so that only the user who created the file can open it.
- The Encrypting File System (EFS) on Windows systems encrypts individual files. Windows automatically decrypts a file when the file owner accesses it.
- With EFS, you can add other users who are also allowed to access the encrypted file.
- EFS is only available on NTFS partitions. Moving an encrypted file to a non-NTFS partition removes the encryption.
- Files remain encrypted and inaccessible even when the drive is moved to another computer or if another operating system is used. This is because the encryption keys needed to decrypt the file do not exist on these other systems.
- Encryption cannot be used together with compression (you can use either, but not both).
Whole Disk encryption
Whole disk encryption encrypts the entire contents of a hard drive, protecting all files on the disk.
- During system startup, a special key is required to unlock the hard disk. Without the key, data on the drive is inaccessible. Providing the key allows the system to decrypt files on the hard drive.
- You cannot access the contents of an encrypted drive by moving it to another computer because the encryption keys needed to decrypt the data do not exist on the other computer system.
- Most solutions provide for a backup recovery key that can be used to unlock the drive if the original key is lost. If both the encryption key and the recovery key are lost, data cannot be retrieved.
- BitLocker is a Microsoft solution that provides whole disk encryption. BitLocker is supported on Ultimate or Enterprise editions of Windows. *You can implement BitLocker with or without a Trusted Platform Module (TPM).*
- When using BitLocker with a TPM, the key required to use the disk can be stored in the TPM.
- This means that the computer can boot without a prompt as long as the hard drive is in the original computer.
- Without a TPM, the startup key must be stored on a USB drive. *On Windows 10, you can also supply a password at system boot to unlock a BitLocker-encrypted drive.*
- When the startup key is saved in the TPM, you can require an additional PIN or startup key that must be used to start the system.
- You can use BitLocker to encrypt removable storage devices (such as USB flash drives).