It's hard to avoid the flurry of bad press following the recent loss of a laptop by a BP employee. Unfortunately for all concerned, the lost laptop contained the names and personal details of some 13,000 claimants from the Deepwater Horizon spill.
The problem, of course, is not that the laptop was lost (happens all the time, in fact one recent study showed that organizations lose about 2% of their laptops each year). The problem isn't even that the laptop in question contained sensitive information – it's that the information was unencrypted and, therefore, unprotected. Had it been encrypted the loss would have been barely noticeable and certainly wouldn't have merited the finger pointing that's going on right now.
Encryption is something we all know we should do with sensitive information (especially on laptops and removable media), but it is also an area where what we know is a good idea and what we actually do sometimes diverge. It's easy to put off deploying enterprise-wide encryption until next year, or 'sometime in the future'. And then a breach occurs and it's red faces all around.
A lot of organizations have been cautiously pleased, then, to note the presence of encryption technology right there in the Windows operating system (at least if you're on Windows 7 Ultimate or Enterprise edition; others are required to fend for themselves...). BitLocker, which is the name for the built-in encryption, has actually been around since Windows Vista, but it has really started to catch the eye of organizational security and IT operations teams with the Windows 7 release (and Windows Server 2008 and 2008 R2).
By default it implements AES with a 128-bit key and a Diffuser (be aware of the Diffuser's impact on FIPS compliance if such things are important to you), and it actually does a good job of encryption. However (we work in the world of information security – there's *always* a 'however'), BitLocker does require some careful management to get the most out of it, and there are a number of considerations to take into account to avoid unpleasant phone calls from your users demanding to know "what's this Recovery Password thing and why won't my system boot?"
So, to help, I thought it might be useful to cover some BitLocker basics over the next few weeks and help you avoid some of the pain that others have felt...
First up – What's this TPM and why is it on my PC?
One of the nice things that BitLocker does (and kudos to Microsoft on this) is that it utilizes the Trusted Platform Module (TPM), which is almost certainly built into your PC if you bought it within the last few years. Specifically, it uses version 1.2 of the TPM to store and protect the encryption key used to decrypt your hard disk. (This is called "sealing the key.") As the system boots, the TPM checks a number of factors to ensure that nothing has changed between boots, since a change might indicate the system has been compromised. If all looks well, the boot process can proceed and the key to decrypt the contents of the hard drive is unsealed. (Although I've used the phrase 'hard drive', BitLocker is actually a volume-based encryption solution and so technically it decrypts the volume. Extra points for those of you who spotted that.)
So what happens if the TPM *does* detect a change? Metaphorically, it starts flailing its arms about and yelling "Danger Will Robinson, DANGER!". Technically this is referred to as entering Recovery Mode. Once in recovery mode, the TPM is going to stop the boot process until the user (or, more likely, helpdesk staff or an administrator) tells it that it's safe to continue. In order to convince the TPM that the sky isn't, in fact, falling, you must enter the recovery password, which is a randomly generated 48-digit string, or insert a USB device with a recovery key file on it. Once you enter the recovery password (or recovery key) the boot process can continue as normal, the TPM takes another snapshot of your system to use in the future, and all is well with the world.
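To make the seal / measure / recover cycle concrete, here is an added toy model (my own illustration, not Microsoft's code or BitLocker's real key derivation): a hypothetical `ToyTpm` seals a volume key to a PCR value built by extending boot-component measurements, refuses to unseal when any measurement differs, and falls back to a 48-digit recovery password, after which the key is resealed to the new boot state. The PCR extend rule mirrors TPM 1.2 (SHA-1); the recovery-password wrapping is a deliberate simplification.

```python
import hashlib, hmac, secrets

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2-style extend: PCR = SHA-1(PCR || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Fold each boot component into one PCR, starting from all zeros."""
    pcr = bytes(20)
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr

class ToyTpm:
    """Hypothetical TPM: a chip secret seals a key to a PCR value and
    refuses to unseal it under any other value (constructed for illustration)."""
    def __init__(self):
        self._secret = secrets.token_bytes(32)   # never leaves the 'chip'
    def _stream(self, pcr):
        return hmac.new(self._secret, b"seal" + pcr, hashlib.sha256).digest()
    def seal(self, key: bytes, pcr: bytes) -> bytes:
        blob = bytes(a ^ b for a, b in zip(key, self._stream(pcr)))
        tag = hmac.new(self._secret, b"tag" + pcr + blob, hashlib.sha256).digest()
        return blob + tag
    def unseal(self, sealed: bytes, pcr: bytes):
        blob, tag = sealed[:32], sealed[32:]
        expect = hmac.new(self._secret, b"tag" + pcr + blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None   # measurements changed: BitLocker would enter recovery mode
        return bytes(a ^ b for a, b in zip(blob, self._stream(pcr)))

def new_recovery_password() -> str:
    """48 random digits, shown in 8 groups of 6 (format assumed, not BitLocker's)."""
    return "-".join(f"{secrets.randbelow(10**6):06d}" for _ in range(8))

def recovery_wrap(key: bytes, password: str) -> bytes:
    """Toy password wrapping (XOR with a hash); XOR is its own inverse."""
    stream = hashlib.sha256(password.replace("-", "").encode()).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

def boot(tpm, sealed, components, recovery_blob, recovery_password=None):
    """Return (volume_key, status, sealed_blob); status is 'ok' or 'recovery'."""
    pcr = measure_boot(components)
    key = tpm.unseal(sealed, pcr)
    if key is not None:
        return key, "ok", sealed
    if recovery_password is None:
        return None, "recovery", sealed             # boot halts until a password arrives
    key = recovery_wrap(recovery_blob, recovery_password)
    return key, "ok", tpm.seal(key, pcr)            # TPM re-snapshots the new boot state
```

Changing any measured component (the model's stand-in for pressing F8 or docking the machine) produces the `recovery` path, and only the resealed blob boots cleanly afterwards.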
So the role of the TPM in this case is to make sure that nothing bad has happened, and it does a good job of this. Actually, it could be argued that it does almost too good a job, since the TPM can enter recovery mode for a lot of reasons. Microsoft lists many of them here: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx#BKMK_HaveTPM. They include such unlikely activities as pressing the F8 key during booting and docking or undocking a portable computer. Yes, you're going to need to know how to deal with a system in recovery mode. Don't say I didn't warn you.
In fact, recovery password/recovery key management is really one of the most important things to get right when deploying BitLocker, which is why I'm going to devote an entire blog post to it next time. Hey – this is encryption – you didn't think you were going to get away without some key management headaches did you?
If you're interested in learning more about the TPM, then the Trusted Computing Group is a good place to start: http://www.trustedcomputinggroup.org/
Next time – recovery keys – what are they, where do I get them, and most importantly, where should I keep them?