Windows Advisor
Understanding and Configuring BitLocker with TPM
Vista SP1 has a greatly improved BitLocker. Still, use BitLocker with a Trusted Platform Module for best results.
I wrote about the BitLocker feature in Microsoft Windows Vista almost two years ago, when Vista had just been released. With Vista Service Pack 1 (SP1), Microsoft implemented a few enhancements to the BitLocker feature and also made available three new tools for its management and repair.
Though BitLocker can be used with or without a Trusted Platform Module (TPM) chip, TPM offers an additional level of security and is the preferred way to use BitLocker in Vista or Windows Server 2008. In this article, I'll discuss a few important concepts that will help you understand how TPM and BitLocker work together on a Vista computer that has a TPM chip installed. I'll also show you how to configure the Basic Input Output System (BIOS) and the operating system properly to get BitLocker working.
In our scenario, we'll assume that you have a Vista laptop with a TPM chip installed on the motherboard. In order to get BitLocker working, you'll first need to configure the TPM settings in the laptop's BIOS, and then configure BitLocker in the OS. But before we get started, let's go over certain important concepts.
Trusted Platform Module
The TPM is a microchip that supports several advanced security features, such as storing encryption keys, digital certificates and passwords. The BitLocker feature in Vista works with the TPM chip. Depending on your BIOS and manufacturer, TPM Security may be set to OFF in the BIOS by default, meaning TPM can't be used. For example, my test computer was a Dell Latitude D630 and had the TPM functionality turned off. More specifically, there were two settings for TPM in the BIOS on my computer -- TPM Security and TPM Activation -- and they were both turned off by default.
Enabling TPM Security is very simple: Go into BIOS and set it to ON. To turn on TPM Activation, you first need to set TPM Security to ON, save the changes in the BIOS setup, reboot the computer, and then reenter BIOS setup to activate TPM.
Once this is done, you're ready to configure BitLocker in the OS.
BitLocker System Requirements
Before you get started, make sure that your computer meets the minimum system requirements. Here are the system requirements for BitLocker:
- Two partitions -- one for the system volume (e.g., Drive D) and one for the OS volume (e.g., Drive C).
- The system partition (Drive D) is unencrypted and the OS volume (Drive C) is encrypted.
- The system partition (Drive D) is at least 1.5GB and is set as the active partition.
Keep in mind that these are the minimum system requirements; you can encrypt more than one volume in Vista (for example, both Drive C and Drive D can be protected with BitLocker). Also, note that the BIOS setting should be configured to start up with the hard drive, not with the CD or USB drive.
To install Vista, you may need to configure the system to boot from the CD/DVD drive first, but after the installation Microsoft recommends that you configure the BIOS to boot from the hard drive to use BitLocker. If you're working on a computer that already has Vista installed, you don't need to reinstall the operating system. You can simply use the new BitLocker Drive Preparation Tool (which I'll discuss later in this article) to configure your drives to work properly with BitLocker.
(A word of caution: Microsoft warns that you should never run a kernel debugger
while BitLocker is enabled because it's possible to access encryption keys and
other sensitive data with the debugger.)
Drive Partitions and BitLocker Considerations
Depending on whether you have Vista already installed or you're setting up a
new laptop with no OS, there are certain considerations that are important to
note. For one, the only versions of Vista that support BitLocker are Vista Ultimate
and Vista Enterprise.
And for another, most vendors sell laptops with an OS already installed. Usually,
major vendors don't offer you the choice to purchase a computer with only the
software you want. Instead, they install other software without your go-ahead
-- and whether you like it or not.
Chances are, you've decided to use BitLocker because you're concerned about
security. Considering all that unwanted software installed on your newly purchased
laptop -- software that's been optimized in a way that benefits the seller,
not you -- I encourage you to wipe out the computer completely and start from
scratch. The preferred method is to delete the existing partitions and recreate
them, rather than just formatting the drive on a newly purchased computer.
New BitLocker Enhancements and Tools
Perhaps the most significant enhancement to BitLocker with Vista SP1 is the
ability to encrypt all local drives -- not just the Windows partition, as was
the case before SP1. SP1 also allows multi-factor authentication via USB,
PIN and TPM.
And as I mentioned earlier, for users who are already running Vista and don't
want to re-install it just to benefit from the BitLocker feature, Microsoft
offers the BitLocker Drive Preparation Tool, which works great.
Vista SP1 also means three new tools for BitLocker. While they're not included
in SP1, they can be downloaded from Microsoft's Web site. The new BitLocker
tools are:
- BitLocker Repair Tool
This tool comes in handy if your hard drive is physically damaged and you need
to recover data. However, it won't recover data without a recovery key or
password.
- The aforementioned BitLocker Drive Preparation Tool (BdeHdCfg.exe)
This tool allows you to create additional volumes, if needed, and can move
the boot files to the appropriate volume. It also helps manage the volumes
so they're correctly marked active on the startup drive to ensure proper BitLocker
operation.
- BitLocker Recovery Password Viewer for Active Directory Users and Computers Tool
This tool lets you locate and view recovery passwords that are stored in the
Active Directory.
Verifying the Existence of a TPM Chip
If you're not sure whether you have the TPM chip installed on your computer,
you can find out easily enough. Go to Control Panel, Security, BitLocker Drive
Encryption and see if there's a link in the lower left-hand pane that says "TPM
Administration," as shown in Figure 1. If there's a link, you have the
TPM chip installed.
Figure 1. Verifying the existence of a TPM chip.
If you don't see the TPM link but you expect your system to have a TPM chip,
you may need to configure the computer's BIOS so that the TPM is enabled. As
I mentioned earlier, on a Dell Latitude D630, TPM Security and TPM Activation
Level must be enabled in the BIOS setup before Vista can use BitLocker (they're
both turned off by default). The BIOS settings and configuration options on
other computers may be slightly different.
Enabling TPM in Vista
Even when the computer BIOS is configured to use TPM, you may need to initialize
TPM before you can use BitLocker. By initializing, you essentially take ownership
of TPM and then turn on TPM to secure your drive. The initialization process
will create new root keys that are used by TPM.
The process of initialization and management of TPM can vary depending on the
hardware manufacturer and the type of BIOS you're using. In general, though,
you can initialize TPM by using the TPM Management Console, which you can start
by going through the Control Panel or by typing "tpm.msc" at Start,
Run.
Figure 2. TPM Management Console.
In Figure 2, notice the options in the right-hand pane: Initialize TPM,
Turn TPM On, Turn TPM Off, Change Owner Password and Clear
TPM. Unless TPM is initialized, the rest of the options are grayed out.
Once the initialization wizard is started, you're given the option to create
a password. The recommended method is to let the wizard automatically create
the password for you (see Figure 3).
Figure 3. Creating the TPM Owner Password.
Only after the password is created does the initialization option become available
in the wizard. The actual hardware initialization takes a few minutes and then
the TPM is turned on. The options to turn TPM off, change the owner password
and clear TPM become available in the Management Console at that point. The
Clear TPM option removes the ownership and resets the TPM to the factory
defaults.
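The BIOS and tpm.msc steps above can be checked from the command line as well. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm) and reports whether the TPM is enabled, activated and owned, which maps directly onto the TPM Security, TPM Activation and Initialize TPM steps. It assumes an elevated PowerShell prompt on Vista SP1 or later.

```powershell
# Added example (not part of the article): report whether Windows can see the TPM
# and whether it is enabled, activated and owned, using the Win32_Tpm WMI class.
# Assumes an elevated PowerShell prompt on Vista SP1 or later.
$tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm

if ($tpm -eq $null) {
    # Same symptom as the missing "TPM Administration" link: either there is no TPM,
    # or TPM Security is still OFF in the BIOS so Windows cannot see the chip.
    Write-Host "No TPM visible to Windows. Check that TPM Security is ON in the BIOS."
    return
}

# Each Is*() method returns an object whose property of the same name holds the result.
$enabled   = $tpm.IsEnabled().IsEnabled
$activated = $tpm.IsActivated().IsActivated
$owned     = $tpm.IsOwned().IsOwned

Write-Host ("TPM spec version : {0}" -f $tpm.SpecVersion)
Write-Host ("Enabled (BIOS)   : {0}" -f $enabled)
Write-Host ("Activated (BIOS) : {0}" -f $activated)
Write-Host ("Owned (Windows)  : {0}" -f $owned)

# Map the three flags onto the steps described in the article.
if (-not $enabled) {
    Write-Host "Next step: set TPM Security to ON in BIOS setup, save and reboot."
} elseif (-not $activated) {
    Write-Host "Next step: re-enter BIOS setup and set TPM Activation to ON."
} elseif (-not $owned) {
    Write-Host "Next step: run tpm.msc and choose Initialize TPM to take ownership."
} else {
    Write-Host "TPM is ready; BitLocker can be turned on from Control Panel."
}
```

Run it before and after each BIOS change: the Enabled and Activated flags come from the firmware, so they only change after the reboot the article describes, while Owned flips once the tpm.msc initialization wizard has finished.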
Remember, it's very important to keep the TPM owner password in a secure location.
Even if you delete the partitions and reinstall Vista, you'll need the TPM owner
password to configure and use BitLocker. This password is different than the
BitLocker password associated with the individual drives.
BitLocker Recovery Password
The wizard prompts you to save the recovery password, as shown in Figure 4.
The recovery password can be useful in various situations -- for instance, if
BitLocker prevents your computer from starting. For example, if you make changes
to the BIOS or any startup files, BitLocker may keep you from accessing the
drive. You can use your recovery password to unlock the drive. Also, if you
decide at a later point to install your hard drive in a different computer,
you must use the recovery password to access the drive.
Figure 4. Saving the recovery password.
It's a good idea to back up your recovery password and store it in a safe place.
In fact, you should back it up in multiple places. You may also want to print
it out and store it in your safe deposit box at your bank or at another secure
location. Microsoft warns that in some situations, you may need to have multiple
copies of the recovery password in your possession. So you get the idea -- keep
multiple copies of your recovery password as a safety measure.
You can use the Manage BitLocker Keys option in BitLocker to back up your keys.
You can store it on a removable device, such as a USB flash drive, floppy disk
or CD-ROM. You can also store it on a fixed drive. When you enable BitLocker
on a volume (Drive C), you're given the option of saving the password on a USB
drive or in a folder (which must not be on an encrypted volume), or of
printing out the password so you can keep it in a safe place. If one of your
drives is unencrypted, you could possibly save the recovery password on Drive
D as long as you save it to a folder. In other words, you can't save it to the
root of a drive, but you can create a folder under the root and save it there.
Keep in mind that if you rename a computer after the BitLocker recovery password
was saved, you won't be able to use the recovery password to locate the computer
with the BitLocker Recovery Password Viewer tool in Active Directory Users and
Computers. This is because the drive label information contains the original
computer name, which no longer exists. However, you can still use the password
ID to search for the recovery password. Renaming a computer itself doesn't affect
the BitLocker feature in any negative way.
Here's a sample recovery password file:
The recovery password is used to recover the data on a BitLocker protected drive.
Recovery Password:
357808-457932-467098-234789-924167-923762-098732-447278
To verify that this is the correct recovery password compare these tags with tags presented on the recovery screen.
Drive Label: MY-PC C: 8/14/2008.
Password ID: {65425BD4-D0C5-3C6A-BDC2-06782C7CF68}.
Don't confuse the Drive Label in the recovery password with disk label, which
you can use to label a disk in DOS or in Windows. The Drive Label is the computer
name at the time you encrypted the drive with BitLocker. Even after you change
the computer's name at a later time, the Drive Label will always stay the same
in the recovery password file.
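Because the Drive Label freezes the computer name at encryption time, a saved recovery password file can be checked against the current machine before you rely on it. The following PowerShell script is an added example, not part of the article; it parses a recovery password file of the layout shown above, extracts the Password ID and Drive Label, and warns when the recorded name no longer matches the current computer name, in which case the Recovery Password Viewer has to be searched by Password ID. The file path is assumed for illustration.

```powershell
# Added example (not from the article): parse a saved BitLocker recovery password file
# and flag the computer-rename case described in the article.
# The path below is an assumption; point it at your own backup file.
$file = "D:\BitLockerBackup\BitLocker Recovery Key.txt"
$text = Get-Content -Path $file | Out-String

# The recovery password is eight groups of six digits separated by hyphens.
$pwMatch  = [regex]::Match($text, '\b(\d{6}-){7}\d{6}\b')
$idMatch  = [regex]::Match($text, 'Password ID:\s*(\{[0-9A-Fa-f-]+\})')
# Drive Label is "<computer name> <drive letter>: <date>" as written by the wizard.
$lblMatch = [regex]::Match($text, 'Drive Label:\s*(\S+)\s+([A-Za-z]:)\s+([\d/]+)')

if (-not ($pwMatch.Success -and $idMatch.Success -and $lblMatch.Success)) {
    Write-Host "This does not look like a BitLocker recovery password file."
    return
}

$passwordId = $idMatch.Groups[1].Value
$labelName  = $lblMatch.Groups[1].Value   # computer name at encryption time
$labelDrive = $lblMatch.Groups[2].Value
$labelDate  = $lblMatch.Groups[3].Value

Write-Host ("Password ID : {0}" -f $passwordId)
Write-Host ("Drive Label : {0} {1} {2}" -f $labelName, $labelDrive, $labelDate)

# Show only the first and last groups so the full key does not end up in a console log.
$groups = $pwMatch.Value -split '-'
Write-Host ("Recovery pw : {0}-...-{1}" -f $groups[0], $groups[7])

if ($labelName -ne $env:COMPUTERNAME) {
    Write-Host ("Note: this computer is now named {0}, but the file was saved for {1}." -f $env:COMPUTERNAME, $labelName)
    Write-Host "In the Recovery Password Viewer, search by Password ID rather than by computer name."
}
```

The script deliberately prints only the first and last six-digit groups; the full 48-digit password should stay in the backup locations the article recommends, not in shell history or log files.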
Once the wizard is complete, you can go to BitLocker Encryption in Control
Panel and enable BitLocker for any partition you want. With SP1, you can encrypt
not just the Windows partition but other partitions, as well, as shown in Figure
5.
Figure 5. Encrypting multiple drives with BitLocker in SP1.
Note: If you have two volumes (e.g., Drive C and Drive D), you may see the
option to turn on BitLocker for only Drive C and not for Drive D. Simply turn
on BitLocker for Drive C first; you'll then see the option to turn on BitLocker
for Drive D.
Reconfiguring Partitions with BitLocker Drive Preparation Tool
You're likely to run into this problem on an existing Vista installation: Even
after you've initialized TPM and turned it on, BitLocker reports that your hard
drive configuration is unsuitable for BitLocker and that it needs to be reconfigured
(Figure 1). This is where the BitLocker Drive Preparation Tool comes in handy.
If you already have Vista drives partitioned and BitLocker is warning you that
the drives need to be reconfigured, download and install the BitLocker
Drive Preparation Tool. Once installed, you can find it under Start, All
Programs, Accessories, System Tools, BitLocker folder.
The BitLocker Drive Preparation Tool is wizard-driven; Figure 6 pretty much
sums up what the tool does. It creates a new active drive S: using the free space
on drive C: if it exists. If it doesn't, it will shrink the drive C: and create
a new 1.5GB active, system, primary partition. It will then move the boot files
to this active partition. The drive S: can't be encrypted but you can encrypt
all other drives. (It's best that you leave drive S: alone and don't use it
for any other purpose, such as storing data or installing applications.)
Figure 6. The BitLocker Drive Preparation Tool wizard.
When you press Continue, the tool will prepare your computer drive as I explained,
then prompt you to restart the computer. The drive configuration shown in the
Disk Management Console (see Figure 7) is helpful to see how the BitLocker Drive
Preparation Tool configures the drives. Notice that the 1.46GB system partition
is on drive S: and it's the only active partition. Drive C: is 35.76GB and is
the boot partition that contains the Vista files. Drive D: is another 37.22GB
partition that can be used for data or applications. All three partitions are
formatted with NTFS. However, drive S: is the only partition that can't be protected
with BitLocker.
Figure 7. Hard drive configuration after using BitLocker Drive Preparation Tool.
Multi-Factor Authentication
BitLocker can be configured in TPM-only authentication mode where no startup
key or PIN is required. This is the simplest and most transparent configuration
but it's also the least secure.
The recommended method is to use multi-factor authentication, which requires
a USB startup key or a PIN. If you want to configure your system to use a PIN
or a USB startup key, you need to specify that during TPM initialization. This
can be accomplished either with the BitLocker setup wizard or through scripting.
For example, if you decide to use multi-factor authentication with TPM and
a USB startup key, you'll start the TPM initialization process. During initialization,
BitLocker will generate a startup key that you'll save to your USB flash drive.
When you boot your computer, you'll be required to provide the startup key on
the USB flash drive to unlock the BitLocker encrypted volume(s).
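Whether a volume ended up in TPM-only mode or with a PIN or startup key can be audited after the fact. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the Win32_EncryptableVolume WMI class (namespace root\cimv2\Security\MicrosoftVolumeEncryption) to list every volume's protection status and key protector types, warns when the OS volume relies on the TPM alone, and warns when no recovery password protector exists to back up. It assumes an elevated PowerShell prompt on Vista SP1 or later with BitLocker installed.

```powershell
# Added example (not from the article): audit BitLocker volumes and their key protectors
# via the Win32_EncryptableVolume WMI class. Assumes an elevated prompt on Vista SP1+.

# KeyProtectorType values as documented for Win32_EncryptableVolume.
$protectorNames = @{
    0 = "Unknown"; 1 = "TPM only"; 2 = "External key (USB startup key)";
    3 = "Numerical password (recovery password)"; 4 = "TPM and PIN";
    5 = "TPM and startup key"; 6 = "TPM, PIN and startup key";
    7 = "Public key"; 8 = "Passphrase"
}
$protectionNames = @{ 0 = "Unprotected"; 1 = "Protected"; 2 = "Unknown" }

$volumes = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    $status = $protectionNames[[int]$vol.GetProtectionStatus().ProtectionStatus]
    Write-Host ("{0} protection: {1}" -f $vol.DriveLetter, $status)

    # GetKeyProtectors(0) returns the IDs of all protectors regardless of type.
    $ids   = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
    $types = @()
    foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        $types += $t
        Write-Host ("    protector {0}: {1}" -f $id, $protectorNames[$t])
    }

    # TPM-only (type 1) on the OS volume with no PIN/startup-key variant is the
    # configuration the article calls least secure.
    $isOsVolume     = ($vol.DriveLetter -eq $env:SystemDrive)
    $hasMultiFactor = @($types | Where-Object { $_ -eq 4 -or $_ -eq 5 -or $_ -eq 6 }).Count -gt 0
    if ($isOsVolume -and ($types -contains 1) -and -not $hasMultiFactor) {
        Write-Host "    WARNING: TPM-only mode; add a PIN or USB startup key for multi-factor unlock."
    }
    # Without a numerical password protector there is nothing to back up for recovery.
    if (-not ($types -contains 3)) {
        Write-Host "    WARNING: no recovery password protector on this volume."
    }
}
```

Protection status 0 with protectors listed usually means encryption is still in progress or protection was suspended; the drive S: created by the Drive Preparation Tool will not appear at all, since BitLocker cannot protect the active system partition.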
Conclusion
The release of Vista SP1 enhances BitLocker drive encryption so you can now
encrypt volumes other than the Windows volume on Vista Ultimate or Vista Enterprise.
SP1 also allows multi-factor authentication so you can use TPM along with a
USB drive to store your password. And with the availability of three new BitLocker
tools, you can recover data from physically damaged hard drives, manage the
volumes to ensure proper BitLocker operation, and locate and view recovery passwords
that are stored in the Active Directory.
In particular, the BitLocker Drive Preparation Tool is very helpful. It's a
simple yet amazingly powerful tool that automatically configures your drive
partitions for you and makes working with BitLocker straightforward. Personally,
I prefer to use this tool rather than manually configure the partitions and
boot drive; it performs all the necessary steps for me in a much cleaner way.
If you haven't used the BitLocker feature in Vista before because it was too
cumbersome to work with the TPM and were disappointed that you could only encrypt
the boot partition, check out the SP1 enhancements and the new BitLocker tools.
You might be pleasantly surprised with the results.