Windows Advisor

Understanding and Configuring BitLocker with TPM

Vista SP1 has a greatly improved BitLocker. Still, use BitLocker with a Trusted Platform Module for best results.

I wrote about the BitLocker feature in Microsoft Windows Vista almost two years ago, when Vista had just been released. With Vista Service Pack 1 (SP1), Microsoft implemented a few enhancements to the BitLocker feature and also made available three new tools for its management and repair.

Though BitLocker can be used with or without a Trusted Platform Module (TPM) chip, TPM offers an additional level of security and is the preferred way to use BitLocker in Vista or Windows Server 2008. In this article, I'll discuss a few important concepts that will help you understand how TPM and BitLocker work together on a Vista computer that has a TPM chip installed. I'll also show you how to configure the Basic Input Output System (BIOS) and the operating system properly to get BitLocker working.

In our scenario, we'll assume that you have a Vista laptop with a TPM chip installed on the motherboard. In order to get BitLocker working, you'll first need to configure the TPM settings in the laptop's BIOS, and then configure BitLocker in the OS. But before we get started, let's get go over certain important concepts.

Trusted Module Platform
The TPM is a microchip that supports several advanced security features, such as storing encryption keys, digital certificates and passwords. The BitLocker feature in Vista works with the TPM chip. Depending on your BIOS and manufacturer, TPM Security may be set to OFF in the BIOS by default, meaning TPM can't be used. For example, my test computer was a Dell Latitude D630 and had the TPM functionality turned off. More specifically, there were two settings for TPM in the BIOS on my computer -- TPM Security and TPM Activation -- and they were both turned off by default.

Enabling TPM Security is very simple: Go into BIOS and set it to ON. To turn on TPM Activation, you first need to set TPM Security to ON, save the changes in the BIOS setup, reboot the computer, and then reenter BIOS setup to activate TPM.

Once this is done, you're ready to configure BitLocker in the OS.

BitLocker System Requirements
Before you get started, make sure that your computer meets the minimum system requirements. Here are the system requirements for BitLocker:

  • Two partitions -- one for the system volume (e.g., Drive D) and one for the OS volume (e.g., Drive C).
  • The system partition (Drive D) is unencrypted and the OS volume (Drive C) is encrypted.
  • The system partition (Drive D) is at least 1.5GB and is set as the active partition.

Keep in mind that these are the minimum system requirements; you can encrypt more than one volume in Vista (for example, both Drive C and Drive D can be protected with BitLocker). Also, note that the BIOS setting should be configured to start up with the hard drive, not with the CD or USB drive.

To install Vista, you may need to configure the system to boot from the CD/DVD drive first, but after the installation Microsoft recommends that you configure the BIOS to boot from the hard drive to use BitLocker. If you're working on a computer that already has Vista installed, you don't need to reinstall the operating system. You can simply use the new BitLocker Drive Preparation Tool (which I'll discuss later in this article) to configure your drives to work properly with BitLocker.

(A word of caution: Microsoft warns that you should never run a kernel debugger while BitLocker is enabled because it's possible to access encryption keys and other sensitive data with the debugger.)

Drive Partitions and BitLocker Considerations
Depending on whether you have Vista already installed or you're setting up a new laptop with no OS, there are certain considerations that are important to note. For one, the only versions of Vista that support BitLocker are Vista Ultimate and Vista Enterprise.

And for another, most vendors sell laptops with an OS already installed. Usually, major vendors don't offer you the choice to purchase a computer with only the software you want. Instead, they install other software without your go-ahead -- and whether you like it or not.

Chances are, you've decided to use BitLocker because you're concerned about security. Considering all that unwanted software installed on your newly purchased laptop -- software that's been optimized in a way that benefits the seller, not you -- I encourage you to wipe out the computer completely and start from scratch. The preferred method is to delete the existing partitions and recreate them, rather than just formatting the drive on a newly purchased computer.

New BitLocker Enhancements and Tools
Perhaps the most significant enhancement to BitLocker with Vista SP1 is the ability to encrypt all local drives -- not just the Windows partition, as was the case with before SP1. SP1 also allows multi-factor authentication via USB, PIN and TPM.

And as I mentioned earlier, for users who are already running Vista and don't want to re-install it just to benefit from the BitLocker feature, Microsoft offers the BitLocker Drive Preparation Tool, which works great.

Vista SP1 also means three new tools for BitLocker. While they're not included in SP1, they can be downloaded from Microsoft's Web site. The new BitLocker tools are:

  1. BitLocker Repair Tool
    This tool comes handy if your hard drive is physically damaged and you need to recover data. However, it won't recover data without a recovery key or password.

  2. The aforementioned BitLocker Drive Preparation Tool (BdeHdCfg.exe)
    This tool allows you to create additional volumes, if needed, and can move the boot files to the appropriate volume. It also helps manage the volumes so they're correctly marked active on the startup drive to ensure proper BitLocker operation.

  3. BitLocker Recovery Password Viewer for Active Directory Users and Computers Tool
    This tool lets you locate and view recovery passwords that are stored in the Active Directory.

Verifying the Existence of a TPM Chip
If you're not sure whether you have the TPM chip installed on your computer, you can find out easily enough. Go to Control Panel, Security, BitLocker Drive Encryption and see if there's a link in the lower left-hand pane that says "TPM Administration," as shown in Figure 1. If there's a link, you have the TPM chip installed.

Figure 1
[Click on image for larger view.]
Figure 1. Verifying the existence of a TPM chip.

If you don't see the TPM link but you expect your system to have a TPM chip, you may need to configure the computer's BIOS so that the TPM is enabled. As I mentioned earlier, on a Dell Latitude D630, TPM Security and TPM Activation Level must be enabled in the BIOS setup before Vista can use BitLocker (they're both turned off by default). The BIOS settings and configuration options on other computers may be slightly different.

Enabling TPM in Vista
Even when the computer BIOS is configured to use TPM, you may need to initialize TPM before you can use BitLocker. By initializing, you essentially take ownership of TPM and then turn on TPM to secure your drive. The initialization process will create new root keys that are used by TPM.

The process of initialization and management of TPM can vary depending on the hardware manufacturer and the type of BIOS you're using. In general, though, you can initialize TPM by using the TPM Management Console, which you can start by going through the Control Panel or by typing "tpm.msc" at Start, Run.

Figure 2
[Click on image for larger view.]
Figure 2. TPM Management Console.

In Figure 2, notice the options in the right-hand pane: Initialize TPM, Turn TPM On, Turn TPM Off, Change Owner Password and Clear TPM. Unless TPM is initialized, the rest of the options are grayed out.

Once the initialization wizard is started, you're given the option to create a password. The recommended method is to let the wizard automatically create the password for you (see Figure 3).

Figure 3
[Click on image for larger view.]
Figure 3. Creating the TPM Owner Password.

Only after the password is created does the initialization option become available in the wizard. The actual hardware initialization takes a few minutes and then the TPM is turned on. The options to turn TPM off, change the owner password and clear TPM become available in the Management Console at that point. The Clear TPM option removes the ownership and resets the TPM to the factory defaults.

Remember, it's very important to keep the TPM owner password in a secure location. Even if you delete the partitions and reinstall Vista, you'll need the TPM owner password to configure and use BitLocker. This password is different than the BitLocker password associated with the individual drives.

BitLocker Recovery Password
The wizard prompts you to save the recovery password, as shown in Figure 4. The recovery password can be useful in various situations -- for instance, if BitLocker prevents your computer from starting. For example, if you make changes to the BIOS or any startup files, BitLocker may keep you from accessing the drive. You can use your recovery password to unlock the drive. Also, if you decide at a later point to install your hard drive in a different computer, you must use the recovery password to access the drive.

Figure 4
[Click on image for larger view.]
Figure 4. Saving the recovery password.

It's a good idea to back up your recovery password and store it in a safe place. In fact, you should back it up in multiple places. You may also want to print it out and store it in your safe deposit box at your bank or at another secure location. Microsoft warns that in some situations, you may need to have multiple copies of the recovery password in your possession. So you get the idea -- keep multiple copies of your recovery password as a safety measure.

You can use the Manage BitLocker Keys option in BitLocker to back up your keys. You can store it on a removable device, such as a USB flash drive, floppy disk or CD-ROM. You can also store it on a fixed drive. When you enable BitLocker on a volume (Drive C), you're given the option of saving the password on a USB drive or on a folder (which must not be on an encrypted volume), or of printing out the password so you can keep it in a safe place. If one of your drives is unencrypted, you could possibly save the recovery password on Drive D as long as you save it to a folder. In other words, you can't save it to the root of a drive, but you can create a folder under the root and save it there.

Keep in mind that if you rename a computer after the BitLocker recovery password was saved, you won't be able to use the recovery password to locate the computer with the BitLocker Recovery Password Viewer tool in Active Directory Users and Computers. This is because the drive label information contains the original computer name, which no longer exists. However, you can still use the password ID to search for the recovery password. Renaming a computer itself doesn't affect the BitLocker feature in any negative way.

Here's a sample recovery password file:

The recovery password is used to recover the data on a BitLocker protected drive.

Recovery Password:

357808-457932-467098-234789-924167-923762-098732-447278

To verify that this is the correct recovery password compare these tags with tags presented on the recovery screen.

Drive Label: MY-PC C: 8/14/2008.
Password ID: {65425BD4-D0C5-3C6A-BDC2-06782C7CF68}.

Don't confuse the Drive Label in the recovery password with disk label, which you can use to label a disk in DOS or in Windows. The Drive Label is the computer name at the time you encrypted the drive with BitLocker. Even after you change the computer's name at a later time, the Drive Label will always stay the same in the recovery password file.

Once the wizard is complete, you can go to BitLocker Encryption in Control Panel and enable BitLocker for any partition you want. With SP1, you can encrypt not just the Windows partition but other partitions, as well, as shown in Figure 5.

Figure 5
[Click on image for larger view.]
Figure 5. Encrypting multiple drives with BitLocker in SP1.

Note: If you have two volumes (e.g., Drive C and Drive D), you may see the option to turn on BitLocker for only Drive C and not for Drive D. Simply turn on BitLocker for Drive C first; you'll then see the option to turn on BitLocker for Drive D.

Reconfiguring Partitions with BitLocker Drive Preparation Tool
You're likely to run into this problem on an existing Vista installation: Even after you've initialized TPM and turned it on, BitLocker reports that your hard drive configuration is unsuitable for BitLocker and that it needs to be reconfigured (Figure 1). This is where the BitLocker Drive Preparation Tool comes handy.

If you already have Vista drives partitioned and BitLocker is warning you that the drives need to be reconfigured, download and install the BitLocker Drive Preparation Tool. Once installed, you can find it under Start, All Programs, Accessories, System Tools, BitLocker folder.

The BitLocker Drive Preparation Tool is wizard-driven; Figure 6 pretty much sums up what it tool does. It creates a new active drive S: using the free space on drive C: if it exists. If it doesn't, it will shrink the drive C: and create a new 1.5GB active, system, primary partition. It will then move the boot files to this active partition. The drive S: can't be encrypted but you can encrypt all other drives. (It's best that you leave drive S: alone and don't use it for any other purpose, such as storing data or installing applications.)

Figure 6
[Click on image for larger view.]
Figure 6. The BitLocker Drive Preparation Tool wizard.

When you press Continue, the tool will prepare your computer drive as I explained, then prompt you to restart the computer. The drive configuration shown in the Disk Management Console (see Figure 7) is helpful to see how BitLocker Disk Preparation Tool configures the drives. Notice that the 1.46GB system partition is on drive S: and it's the only active partition. Drive C: is 35.76GB and is the boot partition that contains the Vista files. Drive D: is another 37.22GB partition that can be used for data or applications. All three partitions are formatted with NTFS. However, drive S: is the only partition that can't be protected with BitLocker.

Figure 7
[Click on image for larger view.]
Figure 7. Hard drive configuration after using BitLocker Drive Preparation Tool.

Multi-Factor Authentication
BitLocker can be configured in TPM-only authentication mode where no startup key or PIN is required. This is the simplest and most transparent configuration but it's also the least secure.

The recommended method is to use a multi-factor authentication, which requires a USB startup key or a PIN. If you want to configure your system to use a PIN or a USB startup key, you need to specify that during TPM initialization. This can be accomplished either with the BitLocker setup wizard or through scripting.

For example, if you decide to use multi-factor authentication with TPM and a USB startup key, you'll start the TPM initialization process. During initialization, BitLocker will generate a startup key that you'll save to your USB flash drive. When you boot your computer, you'll be required to provide the startup key on the USB flash drive to unlock the BitLocker encrypted volume(s).

Conclusion
The release of Vista SP1 enhances BitLocker drive encryption so you can now encrypt volumes other than the Windows volume on Vista Ultimate or Vista Enterprise. SP1 also allows multi-factor authentication so you can use TPM along with a USB drive to store your password. And with the availability of three new BitLocker tools, you can recover data from physically damaged hard drives, manage the volumes to ensure proper BitLocker operation, and locate and view recovery passwords that are stored in the Active Directory.

In particular, the BitLocker Drive Preparation Tool is very helpful. It's a simple yet amazingly powerful tool that automatically configures your drive partitions for you and makes working with BitLocker straightforward. Personally, I prefer to use this tool rather than manually configure the partitions and boot drive; it performs all the necessary steps for me in a much cleaner way.

If you haven't used the BitLocker feature in Vista before because it was too cumbersome to work with the TPM and were disappointed that you could only encrypt the boot partition, check out the SP1 enhancements and the new BitLocker tools. You might be pleasantly surprised with the results.

comments powered by Disqus
Most   Popular