Stanford Windows Infrastructure - BitLocker Key Escrow
BitLocker is the name of the Microsoft full-volume encryption technology added to Windows Vista in the Enterprise and Ultimate editions of the OS; it will also be available in Windows Server 2008. It is intended to protect the system partition from tampering while the system is turned off, and it also protects data stored on the system partition from offline access.
Trusted Platform Module (TPM)
A TPM is a hardware security device that is included in the motherboard chipset of many newer computers. Among other functions, this device provides facilities to securely create and store a cryptographic key as well as controlling access to that key such that it will only be released when the TPM is in the exact same state as it was when the key was generated.
The TPM state is built from a number of measurements taken during system startup. These are the platform configuration registers used by Vista (the TPM has more):
- BIOS
- Option ROM Code
- Master Boot Record (MBR) Code
- NTFS Boot Sector
- NTFS Boot Block
- Boot Manager
- BitLocker Access Control
Some of these are specific to the hardware and others to the installed OS. Note that if any of these values change, the TPM will not release the key and the drive will need to be unlocked manually (see key recovery below) before continuing. For this reason it is recommended that BitLocker be turned off if you intend to make changes that would affect these values (flashing the BIOS to a new version, etc.).
Also note that the TPM hardware is often disabled by default in the system BIOS; you may have to enter the BIOS setup for the computer and enable the TPM.
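The following PowerShell script is an added illustration, not code from the Stanford page or from Microsoft, of why a changed measurement locks the drive. It models a TPM 1.2 "sealing" the volume key to the platform configuration registers listed above: each boot component is measured into a register as SHA-1(old PCR || SHA-1(component)), the sealed blob records a digest of the register set, and the key is only released when the digest recomputed at unseal time matches. The component contents, the volume key and the TPM's internal secret are constructed sample values; the function names are the example's own.

```powershell
# Added illustration (not the page's code): a TPM 1.2-style seal of the volume key
# to the boot measurements. Sample values are constructed, not real firmware.

$sha1 = [System.Security.Cryptography.SHA1]::Create()
# stand-in for the secret the real TPM keeps in its storage root key
$TpmSecret = [Text.Encoding]::ASCII.GetBytes('constructed-storage-root-key-secret')

function Extend-Pcr([byte[]]$pcr, [byte[]]$component) {
    # TPM_Extend: the new register value chains the old value with the component's hash
    $measurement = $sha1.ComputeHash($component)
    [byte[]]$sha1.ComputeHash([byte[]]($pcr + $measurement))
}

function Measure-Boot($components) {
    # one register per component here; a real TPM spreads them over PCRs 0-11
    $pcrs = [ordered]@{}
    foreach ($name in $components.Keys) {
        $pcrs[$name] = Extend-Pcr (New-Object byte[] 20) $components[$name]
    }
    $pcrs
}

function Get-PcrComposite($pcrs) {
    # digest over the selected registers, in order: this is what the seal binds to
    $all = @()
    foreach ($v in $pcrs.Values) { $all += $v }
    [byte[]]$sha1.ComputeHash([byte[]]$all)
}

function Protect-VolumeKey([byte[]]$key, [byte[]]$composite) {
    # wrap the key under a key derived from the TPM secret and the PCR composite
    $kek = $sha1.ComputeHash([byte[]]($TpmSecret + $composite))
    $wrapped = for ($i = 0; $i -lt $key.Length; $i++) { $key[$i] -bxor $kek[$i % $kek.Length] }
    @{ Composite = $composite; Wrapped = [byte[]]$wrapped }
}

function Unprotect-VolumeKey($blob, [byte[]]$composite) {
    # the TPM refuses unless the current registers reproduce the composite recorded at seal time
    if ([BitConverter]::ToString($blob.Composite) -ne [BitConverter]::ToString($composite)) { return $null }
    $kek = $sha1.ComputeHash([byte[]]($TpmSecret + $composite))
    $w = $blob.Wrapped
    [byte[]](for ($i = 0; $i -lt $w.Length; $i++) { $w[$i] -bxor $kek[$i % $kek.Length] })
}

# constructed boot measurements for a healthy platform
$goodBoot = [ordered]@{
    'BIOS'            = [Text.Encoding]::ASCII.GetBytes('BIOS image v1.0 (constructed)')
    'Option ROM Code' = [Text.Encoding]::ASCII.GetBytes('option ROM (constructed)')
    'MBR Code'        = [Text.Encoding]::ASCII.GetBytes('MBR (constructed)')
    'Boot Manager'    = [Text.Encoding]::ASCII.GetBytes('bootmgr (constructed)')
}
$vmk = [byte[]](1..32)   # constructed stand-in for the volume master key

$sealed = Protect-VolumeKey $vmk (Get-PcrComposite (Measure-Boot $goodBoot))

# normal boot: identical measurements, so the key is released
$released = Unprotect-VolumeKey $sealed (Get-PcrComposite (Measure-Boot $goodBoot))
"Unchanged platform: key released = $($null -ne $released)"

# after a BIOS flash the BIOS register differs, the composite differs, and the TPM keeps the key
$flashed = [ordered]@{}
foreach ($k in $goodBoot.Keys) { $flashed[$k] = $goodBoot[$k] }
$flashed['BIOS'] = [Text.Encoding]::ASCII.GetBytes('BIOS image v1.1 (constructed)')
$released = Unprotect-VolumeKey $sealed (Get-PcrComposite (Measure-Boot $flashed))
"After BIOS update: key released = $($null -ne $released) (BitLocker would prompt for recovery)"
```

Running the script prints `True` for the unchanged platform and `False` after the simulated BIOS update. The point for administrators is the second case: nothing is broken, the TPM is doing its job, and the only way back in is the recovery password or key described under key recovery below, which is why BitLocker should be turned off before a BIOS flash.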
How BitLocker Works
BitLocker requires that a separate boot partition and system partition exist. The boot partition contains files that are required to support BitLocker and the boot loader.
By default, BitLocker uses AES-CBC (128 bit) with Elephant diffuser to encrypt the protected volume. After starting, the code interfaces with the TPM to get the key to unlock the BitLocker encryption key. If additional security checks have been configured, the user will be prompted before the TPM releases the key. After the key is unlocked, BitLocker then operates transparently and the Windows loader takes over.
TPM PIN or Startup Key
For additional security beyond the integrity checks performed by the TPM, a numeric PIN or a startup key can be configured for unlocking the TPM. This adds a verification of the user to the procedure. If a PIN is used, the user verifies their identity by entering the PIN using the "F" (function) keys each time the computer is started. If a startup key is used, the user must attach the USB device containing the key to the computer each time it is started.
In the Windows Infrastructure, the user will be given the option to enable these verification features when BitLocker is turned on or to use just hardware/OS verification.
BitLocker Key Recovery/Key Escrow
To allow for recovery in case the TPM module cannot release the key to unlock BitLocker, additional copies of the BitLocker key can be stored. The most common methods are to store a recovery key on a USB device or to store a recovery key protected by a numeric password. If the TPM interaction fails, the user will be asked to provide either the USB device containing the recovery key or the password (the password must be entered using the "F" keys: F1 for 1, F10 for 0, etc.).
For computers that are part of the Stanford Windows Infrastructure, a copy of the recovery password is stored with the computer object as a confidential attribute. By default, only Domain Administrators can see confidential attributes, regardless of the access granted by standard ACLs.
BitLocker can also be configured to use a key stored on a USB device instead of a TPM, but this configuration does not allow for all of the tamper protections of the TPM. This mode of operation is not allowed by default.
Using BitLocker to Secure Your System
- Your system must have a TPM 1.2 module, enabled in the system BIOS
- Your system must have two NTFS-formatted partitions; the boot (active) partition must be at least 1.5 GB.
- If you have not yet installed Vista, you can create two partitions, set one active, and install on the other.
- If Vista is already running, you can use the Vista BitLocker Drive Preparation tool to create the boot partition.
- Join the computer to the Stanford Windows Infrastructure and move the computer object out of CN=Computers before enabling BitLocker to allow Key Escrow into AD.
Open the BitLocker control panel (Control Panel -> Security -> BitLocker). If your system does not meet the prerequisites, you will see an error indicating that fact. Otherwise you will see the option to turn on BitLocker.
If this is the first time enabling BitLocker, you will probably be asked to initialize the TPM. If you initialize the TPM here, you will probably be asked for confirmation the next time the system starts.
- By Stanford Windows Infrastructure default, you will first be asked if you would like to enable a TPM PIN or startup key for additional security. Enable based on your security needs.
- You will then be prompted to create recovery keys. You can do this now or you can come back to the BitLocker control panel later. In either case, a recovery password will automatically be stored in AD.
- On the last page of the wizard, "Encrypt the selected disk volume", make sure to check the "Run BitLocker System Check" checkbox and continue. After a restart, BitLocker will start to encrypt the volume.
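The wizard reports that a recovery password was stored in AD, but it does not show you the object. The PowerShell script below is an added example, not part of the Stanford page or a Microsoft tool, that checks the escrow after the fact by listing the numerical-password protectors on the system volume through the Win32_EncryptableVolume WMI class and looking for a matching msFVE-RecoveryInformation object beneath the computer's AD object. It assumes an elevated prompt on the domain-joined computer, the ActiveDirectory PowerShell module (RSAT) and read access to the confidential msFVE-RecoveryPassword attribute; without that last right the password field simply comes back empty and only the object's presence is reported. The function names are the example's own.

```powershell
# Added example (not the page's code): verify that the recovery password was
# escrowed into AD. Run elevated; needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-LocalRecoveryProtectorIds([string]$Drive = 'C:') {
    # Win32_EncryptableVolume is BitLocker's WMI interface; key protector type 3 = numerical password
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
    $result = $vol.GetKeyProtectors(3)
    if ($result.ReturnValue -ne 0) {
        throw ("GetKeyProtectors failed: 0x{0:X8}" -f $result.ReturnValue)
    }
    @($result.VolumeKeyProtectorID | ForEach-Object { $_.ToUpper() })
}

function Get-EscrowedRecoveryInfo([string]$ComputerName = $env:COMPUTERNAME) {
    # recovery objects are children of the computer object; their CN ends with the protector GUID
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'whenCreated', 'msFVE-RecoveryPassword' |
        ForEach-Object {
            [pscustomobject]@{
                ProtectorId = ($_.Name -replace '^.*(\{[0-9A-Fa-f-]{36}\})$', '$1').ToUpper()
                Created     = $_.whenCreated
                # confidential attribute: empty unless the caller is allowed to read it
                HasPassword = -not [string]::IsNullOrEmpty($_.'msFVE-RecoveryPassword')
            }
        }
}

$escrowed = @(Get-EscrowedRecoveryInfo)
foreach ($id in Get-LocalRecoveryProtectorIds 'C:') {
    $match = $escrowed | Where-Object ProtectorId -eq $id
    if ($match) {
        "Protector $id escrowed on $($match.Created); password readable by you: $($match.HasPassword)"
    } else {
        # typical causes: BitLocker was enabled while the object still sat in CN=Computers,
        # or the domain was unreachable when the wizard ran
        "Protector $id NOT found in AD"
    }
}
```

If a protector is reported as not found, move the computer object out of CN=Computers as the prerequisites require and resend the recovery information; the Win32_EncryptableVolume class exposes a BackupRecoveryInformationToActiveDirectory method that takes the protector ID for exactly this purpose. Keep in mind that a successful check only proves the password exists in AD, not that it was never copied elsewhere, so the note below about not keeping recovery material with the computer still applies.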
If you store a recovery key or password, make sure that it is not kept on the computer or with the computer.
BitLocker provides no protection to a running computer. If you leave a running computer (including one in Standby or Hibernate mode), make sure that you lock the system.