Wednesday, March 28, 2007

Today at the IT Conference I got to see a very knowledgeable and popular speaker. He knows everything about Microsoft and happens to be delivering the keynote address at the conference as well. His name is Mark Minasi and today he spoke about Vista Security using BitLocker Technology.

BitLocker: “How to lose your laptop… without losing your data.”

According to Mr. Minasi, Windows XP Service Pack 2 solved a lot of the security issues with Windows. He also told us that with BitLocker, your data is secure like never before.
BitLocker (BL) came about because of the security risks to Microsoft’s top customers – the Fortune 500. On average, about 1 million laptops are lost or stolen in the USA alone each year. I think some students at various universities and colleges may want this technology, but I also thought that some professors, doctors and research scientists may need this when migrating to Windows Vista. I know many schools in my area that have serious research going on, and I’m sure they would like to know just how secure they can make their data – whether it is on a laptop or a desktop! Previously, Microsoft hid the security key on the same computer, and hackers eventually found it – now, with BL technology, a separate piece of hardware holds the key. A TPM (Trusted Platform Module) chip holds the security key in something called the PCR (Platform Configuration Register). This is where BL holds the key.

How BitLocker starts up on a TPM system:
The O/S boot code hashes itself – a driver talks to the TPM (Trusted Platform Module) chip and drops that hash into PCR 0. It then hashes the ROM (Read-Only Memory) into PCR 2, the Boot Manager into PCR 10, and BitLocker Access Control into PCR 11. That is when it takes over and encrypts your data on the hard drive, from what Mr. Minasi explained this morning. It’s basically like a real estate lock box… but with even more layers of protection.
If there is no TPM chip, the other way to use BitLocker is to store the key on a USB stick. It’s less secure, so PLEASE make sure you don’t put the USB stick in the same bag as the laptop. Put it somewhere safe and secure! Either way, you can still set up a PIN (Personal Identification Number), just like at a bank ATM. It would be an extra step before the system boots. The demo was difficult, but I think with practice it is something I could learn to do – but more importantly, it is something I could help clients with if called upon to do so…
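
To make the measured-boot idea above concrete, here is a small Python model of what the PCRs do and why BitLocker only releases its key when they hold the expected values. This is an added illustration, not code from Mark Minasi or from Microsoft: the PCR numbers (0, 2, 10, 11) follow the talk as reported above, the contents of each measured component are constructed stand-ins, and the "sealing" step is a simplified HMAC-based substitute for what a real TPM does, not BitLocker's actual key-protection format. It also covers the PIN case from the following paragraph: with a PIN, the right firmware alone is not enough.

```python
"""Toy model of TPM PCR extension and key sealing (added example, not BitLocker's real algorithm)."""
import hashlib
import hmac

PCR_COUNT = 24  # a TPM 1.2 chip has 24 PCRs, each a 20-byte SHA-1 register


def fresh_pcrs():
    """At power-on every PCR starts out as all zeros."""
    return [bytes(20) for _ in range(PCR_COUNT)]


def extend(pcrs, index, measurement):
    """PCR_new = SHA1(PCR_old || SHA1(measurement)).
    A PCR can only be extended, never written directly, so the final value
    depends on every measurement and on the order they arrived in."""
    digest = hashlib.sha1(measurement).digest()
    pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()


def measured_boot(pcrs, boot_code, option_rom, boot_manager, bl_access):
    """Boot sequence as described in the post: PCR 0, 2, 10 and 11.
    The byte strings passed in are constructed stand-ins for the real code."""
    extend(pcrs, 0, boot_code)
    extend(pcrs, 2, option_rom)
    extend(pcrs, 10, boot_manager)
    extend(pcrs, 11, bl_access)


def pcr_policy_digest(pcrs, indices=(0, 2, 10, 11)):
    """Single digest over the PCRs the key is bound to."""
    return hashlib.sha256(b"".join(pcrs[i] for i in indices)).digest()


def seal(vmk, pcrs, pin=b""):
    """Bind a 32-byte volume master key to the PCR state plus optional PIN.
    Simplified model: wrap with a key derived from the policy digest and PIN,
    and add an integrity tag so a wrong state is detected rather than
    silently producing garbage."""
    wrap_key = hmac.new(pcr_policy_digest(pcrs), pin, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(vmk, wrap_key))
    tag = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()
    return wrapped, tag


def unseal(blob, pcrs, pin=b""):
    """Release the key only if the current PCRs (and PIN) reproduce the
    wrapping key; otherwise return None, which is the 'TPM refuses' case."""
    wrapped, tag = blob
    wrap_key = hmac.new(pcr_policy_digest(pcrs), pin, hashlib.sha256).digest()
    expected = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))


# Constructed stand-ins for the measured boot components.
GOOD_BOOT = dict(
    boot_code=b"bios-boot-block-v1",
    option_rom=b"option-rom-v1",
    boot_manager=b"bootmgr-6.0.6000",
    bl_access=b"bitlocker-access-control",
)


def demo(pin=b"1234"):
    """Returns (released_on_good_boot, blocked_on_tampered_boot, blocked_on_wrong_pin)."""
    vmk = bytes(range(32))  # constructed volume master key

    pcrs = fresh_pcrs()
    measured_boot(pcrs, **GOOD_BOOT)
    blob = seal(vmk, pcrs, pin)

    # 1. Same firmware and boot manager, correct PIN: key is released.
    pcrs = fresh_pcrs()
    measured_boot(pcrs, **GOOD_BOOT)
    released = unseal(blob, pcrs, pin) == vmk

    # 2. Boot manager replaced: PCR 10 changes, so the TPM withholds the key.
    pcrs = fresh_pcrs()
    measured_boot(pcrs, **dict(GOOD_BOOT, boot_manager=b"bootmgr-modified"))
    tamper_blocked = unseal(blob, pcrs, pin) is None

    # 3. Correct firmware but wrong PIN: still no key.
    pcrs = fresh_pcrs()
    measured_boot(pcrs, **GOOD_BOOT)
    pin_blocked = unseal(blob, pcrs, b"0000") is None

    return released, tamper_blocked, pin_blocked


if __name__ == "__main__":
    print(demo())
```

The point worth taking from the model is that nothing in the disk itself is checked; only the chain of boot measurements is, so swapping the boot manager or booting from another device changes a PCR and the key is simply never released.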

BitLocker needs 1.5 GB of reserved space. If you forget to partition – or don’t know how – a wizard can be run that will partition out the necessary 1.5 GB.
On a Windows Server using AD (Active Directory), users can now back up the encryption keys for laptops that are domain members.

Setup for BitLocker:
1. It wipes drive C: clean
2. Boot from Vista DVD
3. Click Next at ‘Pick Language / Keyboard’ page…
4. It takes you to…
5. ‘Install Now’. Do not do this! – Instead, click ‘Repair Computer’.
6. Choose System Recovery Options
7. Choose Command prompt
8. Type: diskpart
9. Type: select disk 0
10. Type: clean (cannot go back at this point)
11. Type: create partition primary
12. Type: assign letter=c
13. Type: shrink minimum=1500 (1.5 GB)
14. Type: create partition primary
15. Type: active
16. Type: assign letter=p
17. Type: exit (takes user out of command line)
18. Type: format c: /y /q /fs:NTFS
19. Type: format p: /y /q /fs:NTFS
20. Type: exit
21. Press ESC (Escape) to return to the “Install Now” screen in Vista.
22. Install Vista as usual.

BitLocker encrypts the entire C drive (only available with Enterprise or Ultimate – why not Business?). Longhorn Server will also have the ability to use BitLocker. BitLocker turns the C drive into one large BLOB (Binary Large OBject). If I hack or steal your laptop, I will see a volume, but will not have the opportunity to view its contents. Thieves can go no further.

Remember – in order to make BitLocker work – make sure the machine boots the O/S from the hard drive (HDD) first.