Learn about the full BitLocker encryption feature for Windows Vista

Source: Internet
Author: User
Tags: tpm chip

I had long coveted the BitLocker full volume encryption feature (BDE for short) of Windows Vista, but did not dare to try it on my laptop. Recently I got hold of the latest Windows Vista CTP build 5308 and, to my surprise, tested it successfully in a VMware virtual machine! How could I keep such a good thing to myself? So I am writing it up for readers.

BitLocker overview

BitLocker is only Microsoft's "stage name"; its original name was Secure Startup, and that name already tells you its purpose: to ensure that the system boots securely.

BitLocker can encrypt an entire Windows volume, including the paging file, the SAM registry database file, the hibernation file and dump files, none of which EFS encryption can protect (because EFS cannot encrypt system files or any file located in the system directory).

There are two modes of BitLocker encryption:

1. USB flash drive mode

The BIOS must support booting from a USB flash drive. The keys required to unlock the disk are stored on the USB flash drive, and the drive must be plugged in to unlock the encrypted Windows volume before Windows Vista can be accessed at all.

2. TPM mode

The computer must have a version 1.2 TPM chip; the system stores the key required to unlock the disk inside the TPM chip.

TPM mode provides the most stringent protection. In addition to the full volume encryption that the USB flash drive mode also offers, it adds integrity checking of the system boot components.

This integrity check is somewhat similar to the activation mechanism of Windows XP. When BitLocker encryption is set up, the system takes a "snapshot" of the Master Boot Record (MBR), the NTFS boot sector, the NTFS boot code and the key (presumably by computing a hash of each) and stores each snapshot in the corresponding register of the TPM chip. Every time the system starts, the components are compared against the original snapshot; this is what is called a measurement (measure).

If any of these boot components changes (usually as the result of an attack), the system refuses to release the disk encryption key from the TPM chip! The boot components that TPM mode "measures" can be specified in Group Policy, as shown in Figure 1 (in the figure, the MBR "snapshot" is stored in the TPM chip's PCR4 register, and so on).

Figure 1

You can also choose whether to set a startup key for additional protection, as needed.
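The measure-and-release logic described above, as an added model written for this article (not Microsoft's code or a real TPM driver): each boot component is hashed and "extended" into a PCR the way a TPM 1.2 does it (SHA-1 of the old register value concatenated with the component hash), the volume key is sealed to a snapshot of those PCRs, and unsealing only succeeds when a fresh measurement matches. The PCR4 = MBR mapping is from the article; PCR8/PCR9 for the NTFS boot sector and boot code, the sample boot blobs, the chip secret and the XOR wrapping are constructed assumptions for illustration.

```python
import hashlib
from typing import Dict, Optional

PCR_LEN = 20  # a TPM 1.2 PCR holds one SHA-1 digest and is zeroed at power-on

def pcr_extend(old: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend operation: PCR_new = SHA-1(PCR_old || SHA-1(component))."""
    return hashlib.sha1(old + hashlib.sha1(component).digest()).digest()

def measure_boot(components: Dict[int, bytes]) -> Dict[int, bytes]:
    """Boot-time measurement: extend every component into its PCR from a zeroed register."""
    return {i: pcr_extend(bytes(PCR_LEN), blob) for i, blob in components.items()}

def pcr_composite(pcrs: Dict[int, bytes], indices) -> bytes:
    """One digest over the selected PCRs, the 'snapshot' the key is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in indices)).digest()

def seal(vmk: bytes, pcrs: Dict[int, bytes], srk: bytes) -> dict:
    """Model of TPM_Seal: record the snapshot and wrap the key under a chip-internal
    secret (srk) mixed with that snapshot. Toy XOR wrapping, not real TPM crypto."""
    indices = sorted(pcrs)
    comp = pcr_composite(pcrs, indices)
    pad = hashlib.sha256(srk + comp).digest()[: len(vmk)]
    return {"indices": indices, "composite": comp,
            "wrapped": bytes(a ^ b for a, b in zip(vmk, pad))}

def unseal(blob: dict, pcrs: Dict[int, bytes], srk: bytes) -> Optional[bytes]:
    """Model of TPM_Unseal: release the key only if today's PCRs match the snapshot."""
    if pcr_composite(pcrs, blob["indices"]) != blob["composite"]:
        return None  # a boot component changed: the key stays inside the TPM
    pad = hashlib.sha256(srk + blob["composite"]).digest()[: len(blob["wrapped"])]
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))

# Constructed sample boot components (PCR4 = MBR per the article; 8 and 9 are assumed).
GOOD_BOOT = {4: b"MBR: boot code + partition table (sample)",
             8: b"NTFS boot sector (sample)",
             9: b"NTFS boot code (sample)"}
TAMPERED_BOOT = {**GOOD_BOOT, 4: b"MBR: modified boot code (sample)"}
SRK = b"constructed chip-internal secret"
VMK = bytes(range(32))  # constructed 256-bit volume master key

def demo():
    blob = seal(VMK, measure_boot(GOOD_BOOT), SRK)       # once, when BitLocker is enabled
    ok = unseal(blob, measure_boot(GOOD_BOOT), SRK)      # unchanged boot path
    bad = unseal(blob, measure_boot(TAMPERED_BOOT), SRK)  # MBR no longer matches snapshot
    return ok, bad

if __name__ == "__main__":
    ok, bad = demo()
    print("unchanged boot releases key:", ok == VMK)
    print("modified MBR releases key:", bad is not None)
```

Only PCR4 differs between the two measurements, which is exactly why a single changed boot component is enough for the TPM to withhold the key.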
