Hopefully everyone is already aware of the benefits of using passwords to protect data held on computers, however passwords are all well and good until someone has physical access to the computer – at which point all your confidential data belongs to them whether they already know your password or not. It really isn’t difficult to bypass windows security once you have physical access.
Consider your laptop being stolen or accidently left on the train, perhaps it contained confidential client data? The sort of data that if “found” would cause significant embarrassment to your company, damage client relationships and on a personal note may put your job in jeopardy.
These days it is just not good enough for this data to be merely password protected. Given physical access to your computer a malicious person has numerous ways to gain access, such as booting from a Linux boot disk with tools to reset the local administrator password. Once they have administrative access on your machine the game is pretty much over – but that is outside of the scope of this blog. What I want to do here is talk about how to prevent someone from getting to that point by using full drive encryption to render those lost hard disks expensive paperweights.
There are many full drive encryption solutions out there, however for the purposes of this blog I will talk about Microsoft’s own BitLocker Solution. The main reason for this is its excellent Active Directory integration and that fact it comes built in (free!) to the windows client editions that business use (Vista:Business/Ultimate/Enterprise & Windows7:Professional/Ultimate/Enterprise).
Setting up Bitlocker is considerably easier with Windows7 than its Vista counterpart. With Vista you might remember a “Bitlocker Preparation Tool” that you needed to run and setup the drive partitions. The reason for this is the boot sector cannot be encrypted, it needs to sit on a separate unencrypted partition to allow the computer to know there is something to boot and prompt for the key. This is no-longer needed with Windows7 as it separates the boot sector onto its own partition by default (this is the small 100MB partition you might have noticed at OS installation). No data is held on this boot partition and it isn’t mounted in the operating system.
BitLocker works by encrypting/decrypting on the fly, meaning your drive is always encrypted apart from the items currently in use. The official performance impact of this is stated to be in the single digits, but in my experience it is generally around the 3-5% mark. Not really a noticeable hit considering the obvious security benefits.
Protection and Recovery Methods
Before you jump in and setup BitLocker, there are some important setup/recovery considerations:
The first choice you must make is what encryption method to use. This is dictated almost entirely on whether your computer has a TPM chip installed. Most recent enterprise grade laptops will have a TPM chip, but sadly the majority of small business grade laptops still lack it. Essentially it is a factory installed physical chip tied to the specific hardware in you machine that generates a complex encryption key from a simple pass code which is then entered to boot the drive. Removing the disk and placing it into another computer with a different TPM will result in a different encryption key being generated from the same pass code and prevent decryption. This is the easiest way to setup BitLocker and is both the most secure and Microsoft best practice.
If you don’t have a TPM then its not the end of the world, but you will need to make a few group policy changes to allow BitLocker encryption without it and use a USB stick to store the encryption key. This USB stick will need to be inserted at every boot/resume or the system will be unable to boot.
If you are anything like me, you are now imagining the problem scenarios:
- The TPM enabled laptop hardware breaks.
- The USB stick containing the encryption key is permanently lost/destroyed
- That fateful morning when you get on the train ready to settle in to some work only to realise you have left the USB stick containing your decryption key on your desk.
Well the good news is that part of the best practice is to prevent any encryption from taking place until BitLocker can backup the recovery key to the associated computer account in Active Directory. The recovery key allows emergency drive decryption and in the event of a problem your system admin can provide you with recovery key (ie – read it to you over the phone if you are remote) so you can boot and regenerate your key to a new USB stick or to the current TPM hardware.
NOTE – This BitLocker tab is optional and for it to show up you will need to install the RSAT optional BitLocker management tools as shown below:
The good news is that if your laptop has been lost/stolen (or bad news if you have just misplaced your USB stick!) is that until this recovery key is entered your laptop is just a big paperweight and your data is secure. Congratulations
IMPORTANT – This sort of protection is very effective and definitely worth doing, however the obvious mistake is to leave the USB stick containing the key or a post-it with the TPM passcode in the bag with the laptop. If you have left your laptop on the train then there is a good chance the two are lost “together” and the protection you have put in place is null and void. Don’t do it! Personally I keep my USB key on my keyring which I keep on me at all times. For reference I have:
Go forth and encrypt!
- Lost/stolen disks are paperweights and your data is secure.
- Excellent recovery options in the event of accidental loss of the USB stick or TPM hardware failure.
- Small performance hit due to the on the fly decrypt/encrypt (official figures state single digits)
- If you don’t have a TPM (which most people won’t) then you will need to carry a USB stick.
- Losing the stick while on travels will result in a phone call to IT for your recovery key.
- Unable to use the Sleep function. Will have to use hibernate instead which takes a little longer.
Microsoft best practice policy for Windows7: