Vista's BitLocker Encryption: All It's Cracked Up to Be?

Microsoft's boot-drive encryption works best with specialized hardware and requires some effort to set up and run. After all that, does it work?

Page 2 of 4

There are three possible ways to implement BitLocker on a given system, each with its own benefits and drawbacks:

On a computer with TPM hardware, Revision 1.2: The TPM chip stores BitLocker's decryption keys, so any attempt to reverse-engineer a key through tampering will leave the system unbootable (and the drive unreadable). Any attempts to tamper with the unencrypted boot loader will cause the system to fail.

TPM, however, is not something that can be added to a PC after the fact -- it's something that has to be included in its design from the ground up. It's difficult to determine exactly how much TPM adds to the cost of a notebook, because TPM hardware is typically offered as part of a bundle of features in "business-class" machines. But at this point, the cost premium doesn't appear to be a lot.

Dell, for example, typically includes TPM as a feature in its business-class notebooks, which cost about $250 more than their consumer-class counterparts but appear to make up the cost with a different mix of hardware. Consequently, an exact comparison can be somewhat difficult to figure. For instance, I priced out a business-class Dell Latitude D630 (which features TPM) at $849. A consumer-class Dell Inspiron 1420 (with no TPM, but with the same CPU, hard drive and so forth) came to $899 -- with 1GB of RAM and a 160GB SATA drive added "free." In short, whatever accounts for most of the cost differences between systems, it's not likely to be TPM. (A Dell spokeswoman maintains that the cost of including TPM hardware on a given system is effectively zero because it doesn't add anything in a way that has to be offset by raising the retail price.)

On a system without TPM hardware that boots from an external USB drive: In this scenario, the system's boot key is stored on an external drive. The system boots from that drive first, which then supplies the decryption key that allows the rest of the system to boot.

However, this plan will not work on a system that does not support booting from a USB device, and by no means do all business-class machines support that capability. The USB boot device itself also can be stolen -- and leaving the USB drive plugged in while the system is running (as many people are wont to do) is on the order of unlocking the front door of your house and leaving the key in the lock.

For this reason, using the USB drive method is probably not suitable for corporate deployments, although it's a useful way to allow an individual to use BitLocker.

On a system without TPM, no additional hardware required: You can opt to have users enter a 48-digit PIN at boot time, though they may find that process cumbersome and slow. Because the PIN cannot be set by the user and is difficult to memorize, most people will be inclined to write it down -- another security breach waiting to happen.

In light of all this, it's clear that adding BitLocker to an existing system, with the possible risks of USB drive loss or the inconvenience of a 48-digit PIN, is inferior to using a TPM-enabled system from the outset. Running BitLocker transparently over TPM is the best option but also the most costly to implement, since in many instances it entails buying a new computer.

Whatever method you choose, when setting up BitLocker policies for your organization, be sure to enable encryption key recovery through Active Directory. When a BitLocker computer is configured, the administrator can (and should) make a backup of the encryption key into an AD repository. This way, if the key is lost but the data itself is not -- for instance, if you're using a USB drive and it goes missing -- any needed data can be recovered from the system without declaring the whole thing scorched earth.
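
One way to check that this recovery backup is actually in place on a machine, as an added example that is not part of the original article: the script below assumes Windows 8 / Server 2012 or later (where the BitLocker PowerShell module exists, unlike Vista), an elevated session on a domain-joined computer, and the OS-drive policy values used by those later Windows versions. It never prints the recovery password itself.

```powershell
# Added example: audit and repair BitLocker recovery-key escrow to Active Directory.
# Assumptions: BitLocker PowerShell module (Windows 8 / Server 2012 or later),
# elevated session, domain-joined machine, OS-drive policy value names as below.
#Requires -RunAsAdministrator

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Does Group Policy require AD backup before BitLocker can be turned on?
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$backupRequired = $policy -and
                  $policy.OSActiveDirectoryBackup -eq 1 -and
                  $policy.OSRequireActiveDirectoryBackup -eq 1
if (-not $backupRequired) {
    Write-Warning 'Policy does not require AD backup of OS-drive recovery information.'
}

# 2. For every protected volume, escrow each recovery-password protector to AD.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') { continue }

    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if ($recovery.Count -eq 0) {
        # Losing the TPM, USB key or PIN on this volume would mean losing the data.
        Write-Warning "$($vol.MountPoint): no recovery password protector to escrow."
        continue
    }

    foreach ($kp in $recovery) {
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            Write-Output "$($vol.MountPoint): escrowed protector $($kp.KeyProtectorId)"
        } catch {
            Write-Warning "$($vol.MountPoint): AD backup failed: $($_.Exception.Message)"
        }
    }
}
```

A warning from step 2 on a protected volume is the case the paragraph above describes: the key can go missing with no copy in the directory to recover from.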

Scope of Protection

So, how well does BitLocker succeed in its stated goal of functioning as a "seamless, secure and easily manageable data protection solution for the enterprise"? It all hinges on the scope of the protection it provides.

On the plus side, BitLocker thoroughly encrypts something that has traditionally not been encryptable in Windows without the aid of third-party software: the operating system itself. An encrypted drive will remain unreadable even if mounted in another computer. This is crucially important with notebook computers, since it's trivially easy for an attacker to gain physical access to a system and remove the hard drive.
