I will start with a disclaimer. I know, not a good way to start a post…
I intend to write a series of posts about Bitlocker, starting with the theory and turning
that theory into practical implementation. I am writing these posts based on my own personal
research and knowledge. I have no connection to the people that wrote Bitlocker so I may
make mistakes here… If I do, please send me a message or leave a comment pointing out
the mistakes and I will make sure to fix them.
I decided to write these posts since I couldn’t find any documentation about how Bitlocker
is supposed to work, how it’s implemented and how it behaves in different scenarios. The
majority of articles I found provided good background information, some usage tips and
that’s it… Now it’s my turn to give it a shot.
What is Bitlocker
Bitlocker is a technology released with Windows Vista (Enterprise and Ultimate) that enables
users to encrypt the contents of a volume. Bitlocker’s role, in the pre-SP1 era, is to protect
the system volume of a system by encrypting it. Since the encryption is at the volume level,
the information is protected from a parallel installation attack (booting a second OS installation
to read the disk offline).
The need for an encryption technology that protects a volume grew from the advent of mobile
computing and the threats of data theft (stealing a laptop is easier than stealing a desktop, and
threats to a laptop are significantly higher considering that you use it in public places).
Bitlocker provides protection, yet you must remember that all encryption mechanisms can be
decrypted (otherwise we would be in a real bind); thus Bitlocker will slow down a potential data
thief, not stop him.
You may be asking yourself at this stage what is the big deal here? Bitlocker is not the first
encryption technology to be released for Windows. Previous encryption mechanisms include the
Encrypting File System (EFS). How is Bitlocker different?
Bitlocker vs EFS
- Bitlocker encrypts volumes (as one unit), EFS encrypts files and directories
- Bitlocker encrypts system files, EFS can not encrypt system files
- Bitlocker uses symmetric encryption while EFS uses asymmetric encryption
- Bitlocker does not protect your data while a system is turned on, EFS does
Looking at this comparison, I hope that it is obvious to you that Bitlocker and
EFS are not adversaries or substitutes. Bitlocker and EFS are two technologies that can provide a
layered defense against data theft, that is, if they are used correctly and together (hence the layered defense).
Since this post does not deal with data protection in general but with a specific part of it, namely
Bitlocker, let’s continue by trying to understand what Bitlocker can do for you and what it can’t.
What Bitlocker can do
Bitlocker can do the following things:
- It makes it considerably harder to access data on a stolen disk or computer
- It can encrypt the entire contents of a volume, including OS files, paging files, hibernation files
and temporary files
- Post SP1 it can also encrypt additional volumes, not only the system volume
- It can be deployed and removed without destroying the data on the volume
What Bitlocker can’t do
Bitlocker will not do the following things:
- It does not protect the system from a network attack
- It does not protect the data while a system is on (read: has power, including standby)
How does Bitlocker work – Booting an encrypted OS
OK, now that we have the formalities out of the way, let’s try to understand how Bitlocker achieves
what it does. Once enabled, Bitlocker starts an encryption process that obscures the data on the volume
it is applied to. The first volume that must be encrypted is the system volume, and thus arises the
chicken-and-egg problem:
If Bitlocker is a mechanism used by the OS to encrypt data, then to be able to decrypt (access) the data
the OS has to be loaded (or at least part of it); but since we encrypt its volume, it can not load because
it is encrypted…
To solve this problem, an additional volume has to be created (which should not store user data). This volume will not
be encrypted and will provide enough OS code to decrypt the system volume. Since in this part of the post
we are only discussing theory, take this as a given: an additional volume is created, the system boots from there,
decrypts the encrypted volumes and allows the rest of the OS to boot.
How does Bitlocker work – Encrypting a Volume
Bitlocker encrypts a volume using a symmetric algorithm (the Advanced Encryption Standard (AES) algorithm with
128-bit keys). The key length is controllable and the key size can be increased to 256-bit, yet that may cause performance
The encryption process begins and a key is created; this key is called the Full Volume Encryption Key (FVEK). The
FVEK is used to encrypt and decrypt the data. The FVEK is stored on the volume as part of the volume’s metadata.
But wait: if the symmetric key that is used to encrypt/decrypt the data is stored on the volume it is meant to
protect, what prevents a thief from picking it up and decrypting it? This sounds like locking a door and leaving the key
in the lock, from the outside…
To be honest, the door analogy is quite close to what happens, with one small but major difference: instead of leaving
the key in the door, the key is placed inside a locked box that is welded to the door. In other words, the FVEK is
encrypted by an additional key called the Volume Master Key (VMK).
How does Bitlocker work – Decrypting a Volume
To decrypt a volume, you take the process used to encrypt it and reverse it (possible because a symmetric
algorithm is used): the OS boots, identifies the usage of Bitlocker, requests the VMK and uses it to access the FVEK,
which in turn provides access to the encrypted data.
How does Bitlocker work – protecting the VMK (The Protectors!)
As you can see, once you have access to the VMK the game is over. Due to its importance the VMK has to be
closely guarded. The measures used to protect the VMK are called ‘protectors’. The role of the protectors is to prevent
unauthorized access to the VMK, and it is assumed that if you have access to a protector you are authorized to use it
(this is a huge assumption, but as the saying goes: “Who will guard the guards?”).
There are several protectors that can be used to store the VMK:
- Trusted Platform Module – A secure storage built into the system board that will store the VMK and release
it for use only if an additional authenticator(such as a PIN) is provided and no major changes to the system
have been identified.
- External media – This may be a USB flash drive (disk on key) upon which the startup key is stored.
- Recovery key – A manual process of entering 48 digits to release the VMK.
More about the protectors in the second part of the Bitlocker series posts that will deal with implementation.
How does Bitlocker work – Why two keys?
There is one major reason for this: in the case of moving a hard drive to a different system or losing a protector,
there is no need to re-encrypt the volume (a lengthy process). It is simply enough to re-key the FVEK by creating
a new VMK. In theory this is true, yet I have not found a way to do this.
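The FVEK/VMK/protector chain described in the encryption, decryption and "why two keys" sections above, as an added model written for this post (not Bitlocker's own code): data is sealed under the FVEK, the FVEK under the VMK, the VMK under a protector-derived key, and rekeying only re-wraps the small keys. It assumes 16-byte keys and uses AES-GCM for every layer; Bitlocker's real cipher modes and on-disk layout are not reproduced.

```go
package main
import ("crypto/aes"; "crypto/cipher"; "crypto/rand"; "errors")
// Volume models the post's key chain: data encrypted under the FVEK, the FVEK
// wrapped by the VMK, the VMK wrapped by a protector key (TPM, startup key...).
// Illustrative only: BitLocker's real cipher modes and metadata layout differ.
type Volume struct {
	Data        []byte // volume contents encrypted under the FVEK
	WrappedFVEK []byte // FVEK encrypted under the VMK
	WrappedVMK  []byte // VMK encrypted under the protector key
}
func newKey() []byte { k := make([]byte, 16); rand.Read(k); return k }
// seal: AES-128-GCM with a fresh nonce; output layout is nonce || ciphertext+tag.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize()); rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open is the inverse of seal; a wrong key fails GCM authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(sealed) >= n { return gcm.Open(nil, sealed[:n], sealed[n:], nil) }
	return nil, errors.New("sealed blob too short")
}
// unwrapFVEK walks the chain protector -> VMK -> FVEK.
func unwrapFVEK(protector []byte, v Volume) ([]byte, error) {
	vmk, err := open(protector, v.WrappedVMK)
	if err != nil { return nil, err }
	return open(vmk, v.WrappedFVEK)
}
// Encrypt creates a fresh FVEK and VMK and builds the wrapped chain.
func Encrypt(protector, data []byte) Volume {
	fvek, vmk := newKey(), newKey()
	return Volume{seal(fvek, data), seal(vmk, fvek), seal(protector, vmk)}
}
// Decrypt recovers the data only if the protector unlocks the whole chain.
func Decrypt(protector []byte, v Volume) ([]byte, error) {
	fvek, err := unwrapFVEK(protector, v)
	if err != nil { return nil, err }
	return open(fvek, v.Data)
}
// Rekey swaps VMK and protector but leaves Data untouched: only the small wrapped keys are re-encrypted.
func Rekey(oldProt, newProt []byte, v Volume) (Volume, error) {
	fvek, err := unwrapFVEK(oldProt, v)
	if err != nil { return Volume{}, err }
	vmk := newKey()
	return Volume{v.Data, seal(vmk, fvek), seal(newProt, vmk)}, nil
}
```

Exercise Encrypt, Decrypt and Rekey from a test or a main of your own; a wrong protector fails at the VMK layer, before the FVEK or data are ever touched.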
Conclusion of part one
Bitlocker is part of a layered strategy to protect data from theft. The aim of this post was to lay down
foundations that will help with the implementation of Bitlocker. You should now be able to understand
the role of Bitlocker and its abilities and shortcomings.
The second part of the series will describe the methods to implement Bitlocker.