Understanding Vista BitLocker Disk Encryption technology

Source: Internet
Author: User

The importance of encrypting company data is becoming more apparent, especially when confidential data sits on a user's notebook and travels with him. To encrypt data you have countless options to choose from and consider. First, you can try to find a way to keep the user from carrying the data around, but that is not always possible. Second, you can use Windows XP's own EFS encryption mechanism to encrypt sensitive data, but this approach still has some vulnerabilities (most importantly, EFS does not encrypt the entire volume; it encrypts only those folders and files explicitly marked for EFS encryption, and it cannot encrypt the system files or files located in the root of the system). Third, you can look to a third-party vendor for a whole-disk encryption product.

In addition, you can have your client upgrade his computer to Windows Vista. Windows Vista has a new, enterprise-oriented feature that helps protect private data: Windows BitLocker Drive Encryption. BitLocker encrypts an entire volume and protects it in an "offline" manner. This means that once you deploy BitLocker, the system stays protected by encryption even if a potential attacker gains physical access to it. An enterprise using BitLocker theoretically no longer has to worry about a physical hard drive being lost or stolen: the hard drive remains encrypted and in a protected state.

Technical details

BitLocker encrypts with 128-bit or 256-bit AES (Advanced Encryption Standard); the key length is up to you and can be set through Group Policy. BitLocker works best on a system with a TPM 1.2 (Trusted Platform Module). A TPM is a chip on the computer's motherboard that is responsible for generating the encryption key, and that key is critical to a successful encryption project. According to Microsoft and other independent testers, the impact of full-volume encryption with BitLocker on system performance is almost negligible.

However, there are some deficiencies. BitLocker protects only the operating system volume on your computer. This is not a problem if your notebook has only one volume, but on systems with multiple volumes or multiple disks, BitLocker alone will not protect all data. For these cases, Microsoft recommends using EFS on the non-operating-system volumes. EFS itself becomes more effective when used together with BitLocker, because the root directory of the operating system volume is also covered. Once BitLocker is enabled on the operating system volume, the EFS root data is protected by BitLocker and the likelihood of tampering is greatly reduced. This also solves a functional limitation of EFS itself: previously EFS could not encrypt files in the system's root directory. Those files are now protected by BitLocker, while other files are protected by EFS.

Of course, there are also a number of areas that BitLocker does not protect against, including:

Tampering by system administrators: By default, these people have carte blanche over the data. Encryption is not designed to exclude those who are supposed to have read rights to the data.

An attack from another authorized user: If an attack on the system uses valid user credentials, BitLocker lets it access the data freely. In short, BitLocker does not protect you from online attacks. The lesson: keep multiple layers of protection. Always run a firewall, anti-virus software, and anti-spyware software to protect your data assets as fully as possible.

Hardware attacks: An attacker can attach a special hardware debugger to the system to obtain read and write access to the data.

Deployment

You should know that there are two completely different ways to deploy BitLocker: with a TPM 1.2 or without one. Using TPM 1.2 provides a high level of security, but not every system supports it. For those who cannot (or do not want to) deploy a TPM, Microsoft also provides a non-TPM deployment mode. Non-TPM mode supports several authentication modes, including entering a PIN at startup or requiring that a USB flash drive holding the startup key be plugged in before boot.

BitLocker is supported only in Vista Enterprise and Vista Ultimate, and it is also supported on Longhorn Server. Why Microsoft chose to exclude the other Vista editions, especially the Business edition, puzzles me. Also, only Vista Ultimate can run BitLocker standalone; Vista Enterprise supports BitLocker only after it has joined a domain. That downside is not as serious as it may seem at first glance: since you can keep BitLocker's recovery key in Active Directory, the domain requirement makes sense. You may not want thousands of people walking out with their own recovery key; if they lose it, your company's data is in danger of being unrecoverable.
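An added example (not from the article) of the deployment choices above and of the non-OS-volume gap noted under Technical details, as a PowerShell script: it takes the TPM-plus-PIN path when a ready TPM is present and the USB startup-key path otherwise, sets 256-bit AES, escrows the recovery password in Active Directory, and lists data volumes that are still unprotected. It assumes the BitLocker and TrustedPlatformModule PowerShell modules of Windows 8 / Server 2012 and later (Vista exposed the same operations through manage-bde.wsf), an elevated prompt on a domain-joined machine, and a USB drive mounted as E:\ for the startup key.

```powershell
# Added example, not part of the original article. Requires the BitLocker and
# TrustedPlatformModule modules (Windows 8 / Server 2012 and later) and an
# elevated prompt on a domain-joined machine.

$OsDrive        = $env:SystemDrive   # normally "C:"
$StartupKeyPath = "E:\"              # assumed: removable drive for the non-TPM path

$tpm = Get-Tpm -ErrorAction SilentlyContinue

if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM path: the volume key is sealed to the TPM and a PIN is required at boot.
    $pin = Read-Host -AsSecureString "Enter the pre-boot PIN"
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest
} else {
    # Non-TPM path: a startup key on removable media must be present at boot.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyPath -SkipHardwareTest
}

# Always add a recovery password and escrow it in Active Directory, so that a
# lost PIN or USB key does not leave the data unrecoverable.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $recovery.KeyProtectorId

# BitLocker covers only the OS volume here; report other fixed volumes that are
# still unprotected so EFS (or BitLocker) can be planned for them separately.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -eq 'Off' } |
    ForEach-Object { "Unprotected data volume: $($_.MountPoint)" }
```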

Summarize

Despite some limitations, BitLocker is a popular new addition to the Windows family. It gives enterprises an additional data-protection option to help them ensure data security.
