BitLocker is a new drive encryption technology introduced with the Windows Vista operating system. With BitLocker enabled, the entire Windows volume on a personal computer's hard disk drive is encrypted automatically, which helps prevent the information on it from being read by others if the computer is lost, stolen or sold. BitLocker is included only in the Enterprise and Ultimate editions of Vista and is disabled by default.
BitLocker adds a layer of security to help prevent private information stored on notebooks and PCs from ending up in the wrong people's hands. For businesses, this reduces the risk that employee and customer data is stolen from a lost machine, with the lawsuits and lost customer trust that follow. For individual consumers, BitLocker reduces the risk of identity theft resulting from personal information being lifted from a stolen or sold PC.
BitLocker encrypts an entire volume and offers three distinct modes for protecting the key that encrypts it. The first two require a Trusted Platform Module (TPM) to hold the key; the third does not.
Transparent operation mode - This mode uses the TPM hardware to provide a transparent user experience: the computer boots and the user simply logs on to Windows Vista as usual. During boot the key is retrieved from the TPM and used to decrypt the volume. The TPM seals the key to measurements of the boot components (BIOS, boot loader and so on), so it releases the key only when the computer boots through an unmodified path; if those components have changed, the TPM withholds the key and BitLocker asks for the recovery password instead. Since no secret is required from the user, this mode protects the data on a disk that is removed or booted from other media, but not against someone who can boot the intact computer and attack the running system; the user authentication mode below adds a second factor for that case.
User authentication mode - This mode requires additional authentication information before the OS will boot: a user-entered PIN, or a USB device holding a startup key, in addition to the TPM. The key is released only when the boot measurements match and the PIN or startup key is supplied, which provides an additional layer of authentication security against a thief who has the computer but not the second factor.
USB key mode - This mode does not require TPM hardware. At boot, the user inserts a USB device (a thumb drive, for example) that contains the startup key, so the BIOS must be able to read USB devices before the operating system starts. Because the boot components are not measured in this mode, the tamper detection of the TPM modes is not available, and the security of the volume rests entirely on keeping the USB device away from the computer.
For more information on how BitLocker works, see Wikipedia and Microsoft.
BitLocker encrypts data using the Advanced Encryption Standard (AES) in CBC mode with a 128- or 256-bit key, optionally combined with a diffuser. The default setting is AES-128 with the Elephant diffuser, which spreads any change within a sector across the whole sector so that an attacker who modifies the ciphertext cannot make controlled changes to the decrypted data. Microsoft states that it provides no backdoor for use by government authorities. AES is a well-studied cipher, and brute-forcing a 128-bit key is infeasible with any foreseeable resources, so a practical attack would target the implementation and the handling of the keys rather than the cipher itself. BitLocker is also new and unproven, so it is unknown whether its implementation has flaws that an attacker could exploit, and at the time of writing no third party appears to have tested and validated its security. Regardless, it is far better to have the data encrypted than stored in the clear, and Microsoft has chosen solid encryption technology for the BitLocker implementation.
The biggest issue with any encryption technology is dealing with a lost or forgotten key. In addition, a change to the OS, BIOS or hardware could be an attempt to tamper with a stolen computer, so there must be a secure way to handle legitimate changes to the system configuration. BitLocker provides a recovery password as the answer to both problems. When BitLocker is enabled, a 48-digit numeric recovery password is generated and the user is prompted to save it by printing it, saving it as a file on removable media, or saving it in a folder (in a domain environment it can also be backed up to Active Directory). The recovery password should obviously be stored away from the computer it protects, and guarded as carefully as the data itself, because anyone who holds it can unlock the volume regardless of the TPM, PIN or USB key. If the user forgets the PIN, loses the USB device, or changes the system configuration so that the TPM no longer releases the key, BitLocker enters recovery mode and the recovery password must be supplied, either by providing the saved recovery password file or by typing in the 48 digits.
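As an added example (not code from this article or from Microsoft) of what the 48-digit recovery password described above actually is, the following Python validates a typed password and converts it to and from the 128-bit value it encodes. The structure it relies on, eight groups of six digits with each group divisible by 11 and below 720896, is taken from Microsoft's public recovery documentation and from open-source BitLocker implementations; the detail that each group is a 16-bit value multiplied by 11 and that the eight values are joined little-endian follows those implementations and is an assumption here. BitLocker stretches the resulting 16 bytes further before they unlock the volume; that step is not shown. The function and variable names are this example's own.

```python
"""Structure of a BitLocker 48-digit recovery password (added example).

Assumed format (from public documentation and open-source implementations,
not from the article): 8 groups of 6 decimal digits; each group is a 16-bit
value times 11, so it is divisible by 11 (the last digit works as a check
digit) and is below 65536 * 11 = 720896; the eight 16-bit values, little-
endian, form a 128-bit intermediate key. The later key stretching that
BitLocker applies to these 16 bytes is not modeled here.
"""
import re
import secrets

GROUPS = 8
GROUP_DIGITS = 6
MAX_GROUP = 0x10000 * 11  # 720896; every valid group is strictly below this


def parse_recovery_password(text: str) -> bytes:
    """Validate a typed recovery password and return its 16-byte value.

    Accepts the printed form '123456-123456-...' as well as the digits run
    together or separated by spaces. Raises ValueError naming the first bad
    group, which is what a help desk wants to hear when a user reads it out.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit():
        raise ValueError("recovery password must contain only digits")
    if len(digits) != GROUPS * GROUP_DIGITS:
        raise ValueError(f"expected {GROUPS * GROUP_DIGITS} digits, got {len(digits)}")
    key = bytearray()
    for i in range(GROUPS):
        group = int(digits[i * GROUP_DIGITS:(i + 1) * GROUP_DIGITS])
        if group % 11 != 0:
            raise ValueError(f"group {i + 1} fails its check digit (not divisible by 11)")
        if group >= MAX_GROUP:
            raise ValueError(f"group {i + 1} is out of range (must be below {MAX_GROUP})")
        # Each group encodes one 16-bit word of the key, little-endian (assumed).
        key += (group // 11).to_bytes(2, "little")
    return bytes(key)


def is_valid_recovery_password(text: str) -> bool:
    """Boolean form of the validation above, for callers that only need yes/no."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


def format_recovery_password(key: bytes) -> str:
    """Inverse of parse_recovery_password: 16 bytes -> '123456-123456-...'."""
    if len(key) != 16:
        raise ValueError("key must be exactly 16 bytes")
    groups = []
    for i in range(GROUPS):
        word = int.from_bytes(key[2 * i:2 * i + 2], "little")
        groups.append(f"{word * 11:0{GROUP_DIGITS}d}")
    return "-".join(groups)


def generate_recovery_password() -> str:
    """Produce a random, well-formed password to demonstrate the round trip.
    (BitLocker generates its own when a volume is protected; this is not it.)"""
    return format_recovery_password(secrets.token_bytes(16))


def mistype_digit(text: str, position: int) -> str:
    """Model a typing error: replace the digit at `position` (0-47, dashes
    ignored) with the next digit. Used to show that the check digit catches it."""
    digits = re.sub(r"[\s-]", "", text)
    bumped = (int(digits[position]) + 1) % 10
    return digits[:position] + str(bumped) + digits[position + 1:]


if __name__ == "__main__":
    pw = generate_recovery_password()
    print("generated:", pw)
    print("decoded  :", parse_recovery_password(pw).hex())
    try:
        parse_recovery_password(mistype_digit(pw, 5))
    except ValueError as err:
        print("rejected :", err)
```

Typing errors are caught group by group: since 10 is -1 modulo 11, changing any single digit, or swapping two adjacent different digits, changes a group's remainder modulo 11, so the mistyped group is rejected before anything is tried against the volume. Note also that the 48 digits carry only 128 bits of key material plus check digits; guessing the recovery password is an attack on a 128-bit key, which is infeasible, but the password must still be kept out of reach because it unlocks the volume on its own.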
BitLocker is only included in the Enterprise and Ultimate editions of Vista; it is not part of the Home Basic, Home Premium, or Business editions. The modes that use the TPM require a TPM version 1.2 chip that is present and enabled, together with a Trusted Computing Group (TCG)-compliant BIOS that measures the boot components and reports them to the TPM. Two NTFS partitions are required: a small, unencrypted system partition that holds the boot files, and the operating system partition that BitLocker encrypts. The system partition must be at least 1.5 gigabytes. Because it stays unencrypted, the boot code on it is protected by the TPM's measurements rather than by encryption.
The initial encryption of the volume is done in the background, and from then on data is encrypted as it is written and decrypted as blocks are read, so there is no separate decrypt step for the user. BitLocker uses the AES algorithm in part because of its fast performance. According to Microsoft, BitLocker imposes a single-digit percentage performance overhead; at the time of writing no third party appears to have validated that figure.