Microsoft’s Vista operating system promises perfect protection but there are always some risks
Multiple keys
Bitlocker’s encryption is sector-based, and multiple levels of protection, each with their own keys, prevent unauthorised access to the data on the drive.
The basis of the protection is the Full Volume Encryption Key (FVEK), which encrypts the data on the hard disk. Bitlocker encrypts with AES using either a 128-bit or a 256-bit key, optionally with Microsoft’s additional ‘diffuser’ stage; the default is 128-bit AES.
The FVEK is itself encrypted by the Volume Master Key (VMK), and the VMK is never stored in the clear either: it is only ever stored wrapped by one of the protectors described below (TPM, Startup Key, Recovery Key). The layering of the keys is shown in the pdf download bitlocker-user-and-kernal-mode.
To keep the encrypted data readable while Bitlocker is temporarily deactivated, there is also what is known as a ‘Clear Key’. This key is stored unencrypted on the hard disk and decrypts the VMK, which in turn decrypts the FVEK, so the data stays accessible without the TPM or any other protector. The data itself remains encrypted on disk, but anyone who gets hold of the disk can read it, so treat a deactivated volume as unprotected. When Bitlocker is activated again, the Clear Key is removed.
In addition to the keys that are tied to the TPM, you can store a Startup Key on a USB stick. This has to be plugged in while booting and provides a second level of authentication in addition to the TPM.
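As an added illustration of the layering described above (not code from the article or from Microsoft), the following Go program models the hierarchy: every sector is encrypted under the FVEK, the FVEK is stored only encrypted under the VMK, and the VMK is stored once per protector (TPM, Startup Key, Recovery Key), so unlocking through any one protector yields the FVEK while the protectors themselves never touch the data. Deactivating Bitlocker is modelled as re-wrapping the VMK under a key that is kept in plaintext, which is exactly why a deactivated volume offers no protection to someone who has the disk. The wrapping uses AES-256-GCM, and the protector names, the byte layout and the sample sectors are this example’s own assumptions; real Bitlocker metadata and its sector cipher differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // only fails for non-16-byte block ciphers
	return g
}

// wrap encrypts inner under kek and returns nonce || ciphertext || tag.
func wrap(kek, inner []byte) []byte {
	g := gcm(kek)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, inner, nil)
}

// unwrap reverses wrap; a wrong kek fails the tag check instead of yielding garbage.
func unwrap(kek, blob []byte) ([]byte, error) {
	g := gcm(kek)
	ns := g.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("wrapped data missing or too short")
	}
	return g.Open(nil, blob[:ns], blob[ns:], nil)
}

// Volume is a toy model (assumption): real Bitlocker metadata and its sector cipher differ.
type Volume struct {
	Sectors     [][]byte          // each sector encrypted under the FVEK
	WrappedFVEK []byte            // FVEK encrypted under the VMK
	Protectors  map[string][]byte // VMK encrypted under each protector key
	ClearKey    []byte            // plaintext key, present only while deactivated
}

// NewVolume: sectors under a fresh FVEK, FVEK under a fresh VMK, VMK once per protector.
func NewVolume(plain [][]byte, protectors map[string][]byte) *Volume {
	fvek, vmk := randBytes(32), randBytes(32)
	v := &Volume{WrappedFVEK: wrap(vmk, fvek), Protectors: map[string][]byte{}}
	for _, s := range plain {
		v.Sectors = append(v.Sectors, wrap(fvek, s))
	}
	for name, key := range protectors {
		v.Protectors[name] = wrap(key, vmk)
	}
	return v
}

// Unlock recovers the FVEK through one protector; any single one is enough.
func (v *Volume) Unlock(name string, key []byte) ([]byte, error) {
	vmk, err := unwrap(key, v.Protectors[name])
	if err != nil {
		return nil, fmt.Errorf("protector %q: %w", name, err)
	}
	return unwrap(vmk, v.WrappedFVEK)
}

func (v *Volume) ReadSector(fvek []byte, i int) ([]byte, error) {
	return unwrap(fvek, v.Sectors[i])
}

// Suspend models deactivating Bitlocker: the VMK is re-wrapped under a key kept
// in the clear, so the disk stays ciphertext but anyone holding it can unlock it.
func (v *Volume) Suspend(name string, key []byte) error {
	vmk, err := unwrap(key, v.Protectors[name])
	if err != nil {
		return err
	}
	v.ClearKey = randBytes(32)
	v.Protectors["clear"] = wrap(v.ClearKey, vmk)
	return nil
}

func main() {
	tpm, usb, rec := randBytes(32), randBytes(32), randBytes(32) // constructed protector keys
	vol := NewVolume([][]byte{[]byte("sector 0"), []byte("sector 1")}, // constructed sectors
		map[string][]byte{"tpm": tpm, "startup-key": usb, "recovery-key": rec})
	fvek, _ := vol.Unlock("recovery-key", rec) // TPM gone after a board swap: Recovery Key still works
	s, _ := vol.ReadSector(fvek, 1)
	fmt.Printf("sector 1 reads back as %q\n", s)
}
```

Running it unlocks through the Recovery Key alone, as you would after a motherboard swap, and presenting the Startup Key to the TPM slot fails the GCM tag check rather than producing a wrong FVEK. Activating protection again in this model is simply a matter of clearing the ClearKey field and deleting the "clear" entry from Protectors, which is what Bitlocker does when it is switched back on.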
Rescue strategy included
Encryption is always a risky thing: if you lose the key needed to decrypt the data, the data is gone for good.
There are other circumstances in which your data would be permanently lost were it not for the Bitlocker Recovery Console: a defective TPM, a damaged or lost Startup Key, a forgotten PIN, updated boot components (which change the measurements the TPM checks before releasing its key), a new motherboard, or simply wanting to use the encrypted drive in a different PC.
Using the Recovery Console and the matching recovery password or Recovery Key, you can always get at your data, so when you activate Bitlocker it is essential to generate a recovery password and keep it somewhere safe.
This 48-digit code consists of eight blocks of six digits each. You can view it, print it or save it as a text file; for example, on a USB stick.
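As an added example (not from the article), here is how that 48-digit password is structured and checked. Each six-digit block is a multiple of 11 whose quotient fits in 16 bits, so the eight blocks carry exactly 128 bits of key material, and because 10 is congruent to -1 modulo 11, any single mistyped digit changes a block’s remainder modulo 11 and is rejected before the key is ever tried; this is the format the open-source libbde and dislocker tools parse. The Go code below encodes and validates it. The little-endian packing of the eight 16-bit values into a 16-byte key, the sample password and the constant names are this example’s assumptions, and the salted, iterated SHA-256 stretch that Bitlocker then applies to these 128 bits before they can decrypt the VMK is left out.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// A recovery password is 8 groups of 6 decimal digits. Each group is a multiple
// of 11 (the format's built-in check) and group/11 fits in 16 bits, so the 48
// digits carry 8 x 16 = 128 bits of key material.
// Assumption (this example only): the eight 16-bit values are packed
// little-endian, in order, into the 16-byte key.

const groups = 8

// EncodeRecoveryPassword renders 16 key bytes in the printable 48-digit form.
func EncodeRecoveryPassword(key [16]byte) string {
	parts := make([]string, groups)
	for i := range parts {
		w := uint32(binary.LittleEndian.Uint16(key[2*i:]))
		parts[i] = fmt.Sprintf("%06d", w*11) // at most 65535*11 = 720885, still 6 digits
	}
	return strings.Join(parts, "-")
}

// ParseRecoveryPassword validates a typed password group by group and returns
// the 16 key bytes. The error says which group is wrong, which is what lets the
// recovery prompt tell a typo apart from a wrong password.
func ParseRecoveryPassword(s string) ([16]byte, error) {
	var key [16]byte
	parts := strings.Split(strings.TrimSpace(s), "-")
	if len(parts) != groups {
		return key, fmt.Errorf("expected %d groups separated by '-', got %d", groups, len(parts))
	}
	for i, p := range parts {
		if len(p) != 6 {
			return key, fmt.Errorf("group %d: expected 6 digits, got %q", i+1, p)
		}
		n, err := strconv.ParseUint(p, 10, 32)
		if err != nil {
			return key, fmt.Errorf("group %d: not a number: %q", i+1, p)
		}
		if n%11 != 0 {
			return key, fmt.Errorf("group %d: %s fails the check (not a multiple of 11)", i+1, p)
		}
		if n/11 > 0xFFFF {
			return key, fmt.Errorf("group %d: %s is out of range", i+1, p)
		}
		binary.LittleEndian.PutUint16(key[2*i:], uint16(n/11))
	}
	return key, nil
}

func main() {
	// Constructed sample: first word 1, second word 65535, rest zero.
	pw := "000011-720885-000000-000000-000000-000000-000000-000000"
	key, err := ParseRecoveryPassword(pw)
	fmt.Printf("key=%x err=%v\n", key, err)
	fmt.Println("round trip ok:", EncodeRecoveryPassword(key) == pw)
	_, err = ParseRecoveryPassword("000012-720885-000000-000000-000000-000000-000000-000000")
	fmt.Println("typo detected:", err)
}
```

The check is per block, so a user who mistypes one digit is told which of the eight groups to re-enter instead of being told the whole password is wrong; only a password that passes all eight checks is worth the expensive key stretch that follows.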
Alongside the password, Bitlocker also stores a Recovery Key, a key file that is the equivalent of the Startup Key.
The Recovery Key decrypts a copy of the encrypted VMK blob (Binary Large Object), which in turn makes the FVEK and therefore the data accessible. If you move a Bitlocker-protected drive to another PC, all you have to do to make the encrypted partition accessible is plug in the USB stick with the Recovery Key on it.
Remember that both the recovery password and the Recovery Key give access to all the encrypted data independently of the TPM, so a USB stick or printout holding them has to be guarded as carefully as the data itself.
To be prepared for all eventualities, you can also copy your Recovery Key to a further USB stick and store it in a different location. Administrators can, however, use a Group Policy to prevent the creation of Recovery Keys.
As we’ve already mentioned, drive encryption is also supported on Longhorn Server, which, unlike the client variant, can encrypt data partitions as well as the system partition. These are protected by different keys from the system partition but are mounted by Longhorn in the normal way.
The keys for the data volumes are stored on the system volume. An External Wrapping Key (EWK), using 256-bit AES, protects each data volume’s VMK, and a feature called Auto Unlock takes care of decrypting the data drives automatically.
To do this, Auto Unlock copies the EWK into the Registry on the operating-system partition, which is why the data volumes can only be used if the OS volume boots cleanly. If Bitlocker is deactivated on the system drive, the copied EWK is deleted again.
In that case the administrator has to enter the Recovery Key by hand before the data can be accessed, so a copy of the EWK should also be kept on a USB stick for a data-partition recovery scenario.
Free alternatives
Free Compusec 4.21 SP2
A complete security suite from CE-Infosys, Free Compusec lets you encrypt whole hard disks, including the OS and hibernation files. It supports Windows 2000/XP, as well as Red Hat and Suse Linux.
You can also encrypt CDs, DVDs, diskettes, USB sticks and network folders. VoIP encryption is now included in the form of Closedtalk. There’s a built-in password manager, which encrypts your passwords using 128-bit AES.
You can also specify a username and password to enable pre-boot authentication.
Abylon Cryptdrive 6.0
Cryptdrive lets you set up encrypted drives with 448-bit or 256-bit keys that are protected against unauthorised access.
Data copied to an encrypted drive is encrypted automatically. Each client can have up to ten containers of 128GB each. It supports Windows NT4/2000/XP and Server 2003.
GNU Privacy Guard 1.4.4
This is an open-source tool for encrypting data sent to one or more recipients. Signatures are built in to verify the integrity of the data, and keys are verified through a ‘web of trust’ in which users vouch for one another’s keys.
GnuPG uses asymmetric (public-key) encryption: each user has a key pair consisting of a passphrase-protected private key and a public key that can be handed out freely.