
10 Things you don’t want to know about Bitlocker…

Nov 2015 Update – It seems Bitlocker without pre-boot authentication has been trivially insecure for some time, according to Synopsys researcher Ian Haken, who found a simple way to change the Windows password and thus gain access to data even while Bitlocker was active.

So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.

For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.

What happened?

Bitlocker was, and is, actually pretty good – it’s nicely integrated into Vista, it does its job well, and is really simple to operate. As it was designed to “protect the integrity of the operating system”, most who use it implemented it in “TPM Mode”, where no user involvement is required to boot the machine.

And that’s where problems started.

Hands up how many people have a TPM chip on their laptop?

Everyone I bet – it’s a ubiquitous piece of hardware nowadays. Ok, another show of hands please for those who’ve enabled, and taken ownership of, the chip? “Taken ownership?” – yes, you remember going through the personalization phase of the chip, enabling it in the BIOS etc? Remember, all TPMs are shipped disabled and deactivated.

What? You didn’t go through that yet? You didn’t do that before you deployed your laptops? Oh well, Bitlocker’s going to be a bit of a struggle for you isn’t it?

Fact 1. To use Bitlocker without adding additional authentication, you need an enabled, owned TPM 1.2+ hardware chip.

Ok, For those of you who did go through this I congratulate your foresight. The only problem of course is:

Fact 2. Bitlocker with TPM-Only protection is vulnerable to Cold Boot, Firewire and BIOS Keyboard Buffer attacks.

Damn! Sorry to tell you this but there are some pretty simple attacks on your TPM-only machines – do a Google search for “Bitlocker Firewire” or “Bitlocker Cold Boot” or “BIOS keyboard” and you’ll find lots of research, and even a few tools which will unlock your nice “protected” machine and recover the data.

To make a machine secure, and by that I mean give you protection against having to disclose loss of personal information to all your customers if the machine goes missing, you need to use some form of pre-windows authentication (with or without TPM as well – it makes no difference). Microsoft themselves recommend this mode of operation.

For Bitlocker, turning on authentication gives you a couple of choices: you can set a PIN for the machine, and also, if you want, you can use a USB storage device (a memory stick, NOT a smart card) as a token. Yes, I did say a PIN, and I certainly did not say “your Windows user ID and password”. In fact I didn’t mention users at all. Bitlocker officially supports ONE login, so if more than one person uses a machine, you’re going to have to share that with everyone.

I feel some facts coming on…

Fact 3. Bitlocker is only secure if you use a PIN or USB stick for authentication

Fact 4. There’s no link between your Windows credentials and Bitlocker Credentials

Fact 5. Bitlocker does not support the concept of more than one user

Even Microsoft’s official advice tells you to use a 6+ character PIN, plus TPM, for authentication – no using it in TPM-only mode now!
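The move the post is asking for, from a TPM-only protector to TPM+PIN, can be done with the manage-bde tool it mentions. The script below is an added example, not code from the original post or from Microsoft; it assumes the Group Policy setting “Require additional authentication at startup” already permits TPM+PIN (and, if you want letters as well as digits, that “Allow enhanced PINs for startup” is enabled), and that it is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): replace the TPM-only protector on
# the OS volume with TPM+PIN. Assumes policy already allows TPM+PIN and that the
# script runs elevated. Save as Set-TpmPin.ps1 and run: .\Set-TpmPin.ps1 -Volume C:
param([string]$Volume = 'C:')

# 1. Show what protects the volume today. A line of type "TPM" with no
#    "TPM And PIN" protector is the configuration the post calls insecure.
manage-bde -protectors -get $Volume

# 2. Add a TPM+PIN protector. manage-bde prompts for the PIN interactively,
#    so the PIN is never passed on the command line or left in shell history.
manage-bde -protectors -add $Volume -TPMAndPIN
if ($LASTEXITCODE -ne 0) { throw "Adding the TPM+PIN protector failed (exit code $LASTEXITCODE)" }

# 3. Only after the new protector exists, remove the TPM-only one so the
#    volume can no longer be unlocked at boot without the PIN.
manage-bde -protectors -delete $Volume -Type TPM
if ($LASTEXITCODE -ne 0) { throw "Removing the TPM-only protector failed (exit code $LASTEXITCODE)" }

# 4. Make sure a numerical recovery password still exists before rebooting;
#    without one, a forgotten PIN means the data is unrecoverable.
$protectors = manage-bde -protectors -get $Volume
if (-not ($protectors -match 'Numerical Password')) {
    manage-bde -protectors -add $Volume -RecoveryPassword
}

# 5. Final state for the change record.
manage-bde -status $Volume
```

The order matters: add the stronger protector first, delete the weaker one second, and confirm a recovery password exists before the next reboot. The PIN itself is still the single shared secret the post complains about; this only removes the TPM-only unlock path.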

Ok, so now your lucky Bitlocker users have PCs protected, maybe with a TPM, but certainly with some form of authentication which is shared between the owner of the machine, and probably you (as administrator), and the system guys etc. Hey – you probably have an Excel spreadsheet with everyone’s PINs written down?

I hope so, because when those users start forgetting their PINs, who’s at the end of the phone? The good news is the PIN never changes – there’s no forced change or lifetime.

What do you mean, that doesn’t fit with your password policy? Did I mention yet that the PIN can only be made from the Fn keys, not the normal letter keys, unless you configure a special “Enhanced PIN” mode which does not work on non-USA keyboards? Did I mention there are no complexity or content rules apart from length?

Fact 6. Bitlocker PINs are usually Fn key based. Bitlocker does not support non-US keyboards

Hands up again all of you who’ve implemented PKI smart cards, or bought laptops with fingerprint sensors, or who have tokens such as ActivIdentity, CAC, PIV, eToken keys, DataKey cards, SafeNet cards etc? You’d like to be able to use them for authentication to your PCs wouldn’t you?

Fact 7. Bitlocker only supports USB STORAGE devices and PINs – no integration with any other token

And of course, you want users to be able to reset these credentials when they forget them without calling you, or your overworked, understaffed helpdesk? Sorry. No can do.

Fact 8. There’s no built-in self-service PIN recovery for Bitlocker users

There are Active Directory based methods: the GPO settings will let you store the (fixed) recovery key in your AD. I’m not sure how you feel about that getting propagated to every controller in your forest, but I’m sure you know and trust EVERY AD administrator in your organization who (now) has access to those keys. I mean, if someone was to dump out those keys and then quit, what would you do? It’s not as if the key ever expires. I guess you could write a program and then run it on every machine to recreate the keys, or write the recovery key down and give it to the user to hold on to?

Going back a bit, let’s review why we are going through this effort in the first place. I know the flippant answer is “because we were told to secure our machines”, but what does that mean? Most likely your company falls under one of the 250+ global laws defining and mandating the protection of people’s personal data, social security numbers, health information, credit card numbers etc. Regulations such as PCI, HIPAA, HITECH, SOX etc. You’re wanting to use Bitlocker to encrypt your machines because then, WHEN they get lost or stolen, you won’t have to pay fines, or tell everyone you lost their data, because to be honest, you didn’t, did you? You lost the machine sure, but as the data was encrypted, no one can get access to it.

To use this “get out of jail” card you need to be able to prove a couple of things:

  1. That the data was indeed protected at time of loss
  2. That the protection method was appropriate given the type of data.

So, applying those tests, a rule appears.

Fact 9. You need extra software to PROVE Bitlocker was enabled and protecting the drive at time of theft to claim protection from PII laws

Personally, I know how to set GPOs etc to mandate the use of Bitlocker, but I also know how easy it is for a user to turn it off. I don’t know of anything in Active Directory which gives me a definitive answer as to the state of protection of a given machine. There’s even a command line tool which can be run to completely (un)configure it. We need something that reports on the state of protection of a lost machine – just saying “well, the policy says it should be encrypted” is not enough. Perhaps a reader can help out?
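One answer to the question above is the Win32_EncryptableVolume WMI class, which is what manage-bde -status reads and which two commenters below also point at. The script here is an added example, not code from the original post or from Microsoft: it queries each volume’s protection state, encryption state and key protector types, and flags an OS volume that is unprotected or protected by a TPM-only protector, which is exactly the condition Facts 2 and 3 warn about. It assumes it runs with administrative rights and, for remote machines, that WMI access is allowed through the firewall.

```powershell
# Added example (not from the original post): report BitLocker protection state
# per volume via the Win32_EncryptableVolume WMI class. Requires admin rights;
# remote queries assume WMI (DCOM) access to the target is permitted.
$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Key protector type codes as returned by GetKeyProtectorType.
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM only'; 2 = 'External key (USB)'; 3 = 'Numerical password (recovery)'
    4 = 'TPM+PIN'; 5 = 'TPM+Startup key'; 6 = 'TPM+PIN+Startup key'; 7 = 'Public key (certificate)'
    8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CNG protector'
}
# Conversion status codes as returned by GetConversionStatus.
$ConversionNames = @{
    0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
    3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused'
}

function Get-BitLockerProtectionReport {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $volumes = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume -ComputerName $computer
        foreach ($vol in $volumes) {
            # 0 = protection off, 1 = protection on, 2 = unknown
            $prot = $vol.GetProtectionStatus().ProtectionStatus
            $conv = $vol.GetConversionStatus()

            # Resolve every key protector on the volume to a readable type name.
            $types = @()
            foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
                $code = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
                $types += $ProtectorNames[$code]
            }
            $hasTpmPlus = @($types | Where-Object { $_ -like 'TPM+*' }).Count -gt 0

            # Verdict following the post's advice: anything not fully encrypted with
            # protection on is unprotected; an OS volume (VolumeType 0) whose only
            # TPM-based protector is TPM-only is weak against the attacks in Fact 2.
            if ($prot -ne 1 -or $conv.ConversionStatus -ne 1) {
                $verdict = 'UNPROTECTED'
            } elseif ($vol.VolumeType -eq 0 -and ($types -contains 'TPM only') -and -not $hasTpmPlus) {
                $verdict = 'WEAK: TPM-only'
            } else {
                $verdict = 'OK'
            }

            New-Object PSObject -Property @{
                Computer      = $computer
                Drive         = $vol.DriveLetter
                Protection    = $prot
                Encryption    = $ConversionNames[[int]$conv.ConversionStatus]
                Percent       = $conv.EncryptionPercentage
                Protectors    = ($types -join ', ')
                Verdict       = $verdict
                Checked       = (Get-Date).ToUniversalTime().ToString('s') + 'Z'
            }
        }
    }
}

# Usage: run across a list of machines and keep the output as a dated record.
Get-BitLockerProtectionReport -ComputerName $env:COMPUTERNAME |
    Format-Table Computer, Drive, Verdict, Encryption, Protectors -AutoSize
```

This only answers the question for a machine that is switched on and reachable, so it cannot by itself prove the state of a laptop that has already gone missing. To use it as evidence, schedule it, export each run (for example with Export-Csv) to a location the user cannot edit, and keep the history; the last record before the loss is then the “state at time of theft” the post asks for.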

Ok, let’s finally take a look at implementing this solution. Now, you do have a 100% Vista Ultimate / Windows7 Enterprise environment don’t you? What? You still have some XP and Vista Business out there? Are you going to leave those machines unprotected, or are you planning to run a mix of third party software and Bitlocker?

Fact 10. Bitlocker only supports Windows7 Ultimate/Enterprise and Vista Ultimate.

It may come across that I’m not a great fan of Bitlocker – that’s far from the truth. I would use it (personally), and would recommend it to my friends etc. I see it as REALLY good for technical, trustworthy end users. But that’s not the market it’s being promoted for, is it? Nothing fills me with dread more than an enterprise product which requires yet another password, requires specific hardware which is not enabled by default, presents a black screen with white text to users (urgh! So archaic), does not conform to our recognized password/PIN lifetime policies, does not work on non-USA machines, and does not have audit-friendly output for the main purpose it serves, i.e. tell me if this stolen machine is a liability or not. Come on now – it’s 2009! Don’t we deserve better?

I actually like it because of the following 10 reasons:

  1. Only 1 of the 3 machines I use has a USA keyboard, so I can use Fn mode PINs
  2. It never forces me to change my PIN
  3. I can turn it on and off whenever I like without my corporate IT people knowing.
  4. I get to use the TPM chip, even though it took me a whole day to work out how to enable it
  5. I can write fancy scripts to turn it on and off (I’m a closet programmer)
  6. I get a nice dos-like screen when I turn my machine on, just like 20 years ago
  7. Bitlocker is mostly controlled through a command line script (manage-bde)
  8. My local IT team can’t come and use my machine, or see what’s stored on it without me knowing
  9. I know that no one will be able to recover my data if I leave McAfee
  10. I just like things to be done the hard way

  1. Tony Drath
    September 10, 2009 at 04:41

    But Bitlocker is supported on servers – unlike Safeboot.

  2. Simon Hunt
    September 10, 2009 at 08:30

    Technically bitlocker and “SafeBoot” (McAfee Endpoint Encryption) support exactly the same platforms. McAfee simply don’t believe that recovery can be guaranteed on EVERY server style storage array. Do Microsoft say you can recover a bitlocker encrypted crashed RAID array? If you just want to encrypt the local boot drives SafeBoot has been proven to work perfectly.

    • Tony Drath
      September 11, 2009 at 03:46

      Not my point. Bitlocker is officially supported by Microsoft for use with Windows servers. As I understand it, Safeboot/McAfee Endpoint Encryption isn’t. Are you saying that I am misunderstanding that and McAfee DO officially support EEPC on Windows Server 2003/2008?

  3. Simon Hunt
    September 11, 2009 at 07:48

    No, we don’t offer support for encryption of server OSs, but that’s very different from “does the program support server OSs?” (which it does). You might want to confirm with M$ that Bitlocker can be used on server class storage, and of course, that your virtualized servers have virtualized TPM chips for security, and that you are happy to run around your data center logging in your servers when they restart etc (no remote desktop to the bitlocker authentication screen remember!)

  4. dlarson
    November 12, 2009 at 11:28

    A quick search for “bitlocker raid” shows that BitLocker, like McAfee EEPC, is not supported on software RAID.

    quote: The partition is not using software spanning, software mirroring, or software RAID.

    So let’s say you have a hardware raid and you encrypt it with bitlocker. What are you going to do when a drive dies? You’re going to call Microsoft support and they are going to say “sorry sir, you are screwed”. Maybe if you get a good tech, they’ll tell you to send the drive to a recovery service. Then you can say “thank you for the support, my issue is resolved, please close the ticket.”

  5. Taz
    December 1, 2009 at 13:39

    I find it interesting that many of the “Facts” here are misleading or false altogether. What few limitations you have identified that are correct also exist in Safeboot and any other similar encryption software.
    Fact 1: these chips have been in enterprise hw for 4+ years.
    Fact 2: same is true for Safeboot, or any other system encryption sw
    Fact 3: Not true. These do make it easier to recover your data if needed. (If the machine is stolen – doesn’t make much of a difference, huh, unless the thief has the PIN or USB drive too, huh?)
    Fact 4: False. BitLocker is linked to machine credentials in AD for manageability. Since it is pre-boot, user credentials would be redundant and useless.
    Fact 5: Since it is pre-boot, users are not a factor. Users do not need their PINs to boot – only to recover their data if necessary. PINs can & should be managed by IT Security. You can have as many users on the machine as you want. Again, not an issue for lost/stolen hardware.
    Fact 6: Actually only relevant if the keyboard has no numeric keys, but wait, you still have that USB stick…
    Fact 7: Actually you CAN use smartcards for non-OS volumes, which is where data should reside anyway. Since an OS can be reinstalled, there should be no need to recover that volume.
    Fact 8: Orgs can delegate PIN reset authority to a web-based tool if they so choose. As far as DC’s walking off, I think you’d be more worried about the loss of user and machine account data since that AD Admin could steal it all…
    Fact 9: Actually, yes, this info is reported through WMI (tools you already have) and encryption can be enforced via Windows policy. Oh, and it’s free, unlike Safeboot’s management tools to accomplish the same thing. (FYI – users really shouldn’t be admins in this day and age, anyway – most security experts know that. That is the access level required to disable BitLocker.)
    Fact 10: Wait, earlier Simon says it should all be tied to user login, which would require a pre-boot login in addition to domain authentication, adding another password prompt. Most security experts know that the recovery PIN is system only and really should not be managed by users any differently than their login passwords. IT is most likely to perform a disk recovery if necessary, anyway.
    Simon, of course you’re not a fan of BitLocker – you’re trying to sell McAfee’s product! But really, you shouldn’t mislead your readers to accomplish that.

  6. Simon Hunt
    December 1, 2009 at 15:17

    I (as everyone will expect) disagree with most of the above – the main reason is that like most people, I don’t consider Bitlocker a viable security system unless the user has a pin, or a usb stick to authenticate – without that it’s so open to attack as to be worthless. Also there’s a lot of “shoulds” – like users should not be local admins (well, too often they are), Data should be on a 2nd volume (are you serious? find me one system with PROVABLY nothing sensitive on the OS volume at all).

    Which ever way you spin it you MUST have some pre-boot input, either a pin or stick to be secure, so any system which needs some credentials and makes no effort to unify them with the Windows login creds is, in my opinion, fundamentally unsuitable for any enterprise situation. Just because it’s “free” does not mean it’s any good I’m afraid.

  7. Alfredo
    December 2, 2009 at 23:39

    As with everything related to security there is no black and white. Any solution has its pros and cons. I am not a hard core security pro, and have a lighter take on security. For me it is not about absolutes, as you can never guarantee security, you can only mitigate security risk. Security pros will of course freak out at the concept, but one must sometimes think whether a solution is “good enough.” The majority of laptop thefts target the hardware for resale and not the data. And if you’re really worried about the data itself, why go through all the trouble of tight control over disk encryption but not implement DRM on the actual data? And if you have tight DRM over the data, why bother with disk encryption?

    There are tangible business benefits that are overlooked with Bitlocker. Unlike Safeboot where there is no support for WinPE, Bitlocker allows for hard link migration available in USMT with Windows 7. This drastically reduces the amount of time required to migrate user data in an OS upgrade. For some, this is enough to tip the scale.

    So I guess, is it flawless? No. Does Safeboot have some challenges as well? Yes. Is it good enough for some? Yes – especially technologists that do not just work with absolutes and must balance business value every day.

    Bitlocker is not “free” it is a feature you pay for with an Enterprise or Ultimate edition of Windows 7. What is free is the use of existing infrastructure that any microsoft shop has already invested in: Active Directory, Microsoft Deployment Toolkit, SCCM…

  8. Simon Hunt
    December 3, 2009 at 08:32

    Great comment Alfredo, but, don’t get distracted by security – often companies implement solutions like bitlocker and “SafeBoot” not to secure the data, but to protect themselves from data-disclosure regulations. For that to work you have to have reasonable level of proof that the data cannot be exposed to unauthorized users, so it’s not about whether the theft was for the device or not, it’s about the possibility of data leaking out into the wild.

    It’s a sad thing to say, but companies are more pressured to protect themselves from regulatory compliance issues, than protect our personal data from identity theft thieves.

    As for the whole DRM/Encryption route, I totally agree with you that people need to think about both. 25% of data breaches (if I remember right) are through unintentional user actions, like sending things to the wrong email address, losing DVDs, USB sticks etc, or printouts. These can’t be solved by endpoint encryption, but can somewhat with DRM/DLP type technologies.

  9. Tadd Axon
    December 3, 2009 at 08:35

    A response to the points above

    1. False: a USB key can be used to hold the keys on a non-TPM enabled machine; this is not recommended, but may be the way forward in areas where legislation proscribes the use of TPM.
    2. True: this plagues many (if not all) full disk encryption solutions and is a primary reason why Microsoft recommends TPM + PIN authentication
    3. BitLocker is more secure if you use a PIN or USB startup key: in the first case, the TPM’s “anti-hammering” technology provides defense against brute force attacks on the PIN, in the second case the physical token (USB key) is required to unlock without performing a recovery operation.
    4. True: there is no direct link, this multiple secret model can be considered a defense in depth measure (multiple secrets need to be stolen to fully compromise a machine). BitLocker is not the only solution to do this.
    5. True.
    6. False: any limitations in this regard for using enhanced PINs are limitations inherent in some system BIOS’ inability to recognise a localised keyboard, not any shortcomings of BitLocker
    7. True for the OS volumes on Windows 7: BitLocker currently does not support smart cards for pre-boot authentication. Microsoft points to fragmented SC standards as the reason for this.
    False in the case of removable media and other fixed data volumes: BitLocker and BitLocker to Go support the use of smart cards in these instances.
    8. True: BitLocker can back up recovery information to the Active Directory and it can be accessed by administrators and/or service desk staff with the proper delegated rights. Recovery information can also be stored on a local network file system location. These options for backing up recovery information are configurable through Group Policy.
    9. True: there are a number of options for capturing the state of a protected volume at a given point in time (WMI scripts, SCCM DCM Pack for Security Compliance), but there are no guarantees for verifying the state of a remote machine in real time. The SCCM DCM solution by default evaluates compliance with the established baseline every 7 days, but can be set to evaluate hourly if desired/required. A Native Mode SCCM implementation can receive compliance information from clients over the public internet via a secure channel.
    10. You forgot Vista Enterprise. And aren’t the Ultimate editions targeted to power users?

    A response to the 10 things you like:
    1. Not true with Windows 7, see 6 above.
    2. True, cannot argue with that
    3. As mentioned above, there are compliance reporting solutions to track this. So I’ll say false to this.
    4. For home/unmanaged deployments, I will grant that this can be a pain. In a managed environment, activating the TPM should be part of the deployment process.
    5. You could use Google (or Bing if you will) and find the sample code published like the rest of us. Again, for an enterprise deployment, is this really that onerous an item?
    6. Yeah, it’s ugly.
    7. It can be all about manage-bde. There are also some right-click options in explorer and a control panel applet. Use what works for you.
    8. Again, depends… if your organization has a Data Recovery Agent set up, or they have access to the recovery password, or your machine is on and connected to the network then their ability to access is increased.
    9. Uh, no. See the bits above re: recovery information in the AD and DRAs.
    10. You say hard way, I see an opportunity for shops with a heavy investment in MS Management Solutions to reduce the number of server and administrative tools (and reporting interfaces).

  10. Simon Hunt
    December 3, 2009 at 09:08

    re 1, surely a USB key IS additional authentication? 😉
    re 6, yes, it’s a limit of the BIOS, but surely that’s therefore a limitation of Bitlocker? Other FDE systems don’t have this limitation, so why should we accept it from Microsoft?

    thanks Tadd for your comment though – great information and shows another side to the story.

    • Tadd Axon
      December 3, 2009 at 09:13

      Re re 1: In a TPM-free scenario, the USB startup key may be the ONLY authentication.
      Re re 6: Yes and no… the BitLocker environment exists in preboot; this incidentally allows BitLocker to offer trusted boot; something that solutions not leveraging a TPM cannot offer. I’ll still lay the blame on the BIOS for this though.

  11. Simon Hunt
    December 3, 2009 at 09:18

    re re 6 – so do all other FDE products, and most of them provide support for rich keyboards, for example, the McAfee one can support full Japanese and Chinese despite any limitations of the BIOS. Don’t think this is a hard technical challenge, it’s annoying for sure, but it’s entirely possible. Re the trusted root though, it’s to do with the Bitlocker>OS handover, Microsoft own that and I know of no way for third party products to make use of it. It’s a bit of a red herring though because you can easily trojan the bitlocker PBA, as shown in the Evil Maid attacks.

  12. Fausto
    February 4, 2010 at 04:09

    Well TPM just got hacked (Computerworld 2010-02-03) which does show the point that trusting something that relies on a fixed piece of HW is not the way forward where security is concerned.

    See http://www.computerworld.com/s/article/9151158/Black_Hat_Researcher_claims_hack_of_chip_used_to_secure_computers_smartcards?source=CTWNLE_nlt_security_2010-02-03

  13. Jeff Conte
    September 8, 2010 at 12:05

    Hi Simon –
    Our company recently purchased MDOP with the intention of using the MS DaRT. Our laptops are encrypted with McAfee Endpoint and the tools won’t work on our laptops. Do you know where I can find information on how to make the two programs play nice, or if that is even a possibility?

  14. October 16, 2012 at 04:36

    I use SafeBoot on servers and it works, we have over 1000 servers encrypted!
