Alex · security · 8 min read

What is BitLocker Drive Encryption

The ins and outs of drive encryption using BitLocker
It’s a full disk encryption feature that’s integrated into certain versions of Windows (we’ll get to the specifics in a bit). What this means is that BitLocker encrypts the entire drive, including the operating system, applications, and data files, ensuring that all your valuable information is secure from unauthorized access. There are two main components to understand here: the encryption algorithms and key management.

  1. Encryption algorithms: BitLocker relies on the Advanced Encryption Standard (AES) algorithm, which is a widely recognized and trusted encryption method. By default, it uses AES with a 128-bit key length, but you can also choose a 256-bit key for even greater security. Regardless of the key length, AES ensures that your data is encrypted in a way that makes it virtually impossible for anyone to access without the correct decryption key (well, not exactly: there are attacks that allow dumping the BitLocker key when an attacker has physical access to the hardware).
  2. Key management: When you enable BitLocker on a drive, it generates a unique encryption key, known as the Full Volume Encryption Key (FVEK). This key is responsible for encrypting and decrypting your data. However, the FVEK is itself encrypted by the Volume Master Key (VMK), which is stored on your computer in protected form. To access the drive, BitLocker requires the VMK, which can be unlocked using a password, PIN, USB key, or even a combination of these methods. This multi-layered approach to key management makes it incredibly challenging for unauthorized users to access your encrypted data, and it also means a change of password or PIN only re-protects the VMK rather than re-encrypting the whole drive.

Now, let’s discuss which platforms support BitLocker and the system requirements you’ll need to meet. BitLocker is available in certain editions of Windows, such as:

  • Windows Vista (Enterprise and Ultimate editions)
  • Windows 7 (Enterprise and Ultimate editions)
  • Windows 8/8.1 (Pro and Enterprise editions)
  • Windows 10 (Pro, Enterprise, and Education editions)
  • Windows 11 (Pro, Enterprise, and Education editions)

As for system requirements, there are a few key things you’ll need:

  • A compatible version of Windows (as mentioned above)
  • A computer with a Trusted Platform Module (TPM) chip (version 1.2 or higher) or the ability to use a USB flash drive as a startup key
  • A hard drive with at least two partitions (one for the operating system and another for the encrypted data)
  • BIOS or UEFI firmware that supports Secure Boot (recommended, but not strictly required)

Setting up BitLocker Drive Encryption

Preparing your system:

Before we start enabling BitLocker, we need to ensure that your system is ready for action.

  1. System requirements and compatibility checks: Double-check that your computer meets the system requirements we discussed earlier, such as having a compatible version of Windows and a TPM chip (or the ability to use a USB flash drive as a startup key). You can verify the TPM chip by going to the Device Manager and looking under ‘Security devices’ for a ‘Trusted Platform Module’ entry.
  2. TPM configuration: If your system has a TPM chip, you may need to enable and activate it in your BIOS or UEFI settings. The process varies depending on your computer’s manufacturer, so refer to your device’s documentation or the manufacturer’s website for guidance.

Step-by-step guide to enabling BitLocker:

  1. Using Windows Control Panel or Windows PowerShell: You can enable BitLocker through the Control Panel by navigating to ‘System and Security,’ then ‘BitLocker Drive Encryption,’ and selecting ‘Turn on BitLocker’ for the desired drive. Alternatively, you can use Windows PowerShell by opening it as an administrator and entering the command:

     Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector

     Replace “C:” with the desired drive letter, and make sure to set a secure password when prompted.
  2. Choosing encryption options: During the setup process, you’ll be asked to choose how you want to unlock your drive at startup. You can use a password, a PIN (requires TPM), a USB key, or a combination of these methods. Additionally, you’ll be asked whether you want to encrypt the entire drive or just the used space. Encrypting the entire drive provides maximum security but may take longer, while encrypting only used space is faster but potentially less secure: free space is left as it is, so remnants of files deleted before encryption was turned on can remain readable.

Managing recovery keys:

Recovery keys are your lifeline in case you lose access to your drive. Let’s learn how to save and use them in emergencies.

  1. Saving recovery keys: During the BitLocker setup process, you’ll be prompted to save a recovery key. This key is essential in case you forget your password or lose your USB key. You can save it as a file on a separate drive, print it, or even store it in your Microsoft account (if you’re using one).
  2. Retrieving and using recovery keys in case of emergencies: If you ever find yourself locked out of your encrypted drive, don’t panic! You can use your recovery key to regain access. In the Windows login screen, select ‘More options’ and then ‘Enter recovery key.’ Enter your recovery key when prompted, and voilà, you’re back in business! Just remember to reset your password or create a new USB key once you’ve regained access.
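The enable-and-escrow sequence from the setup and recovery-key sections above as one script, added here as an example (it is not code from the original post). It assumes Windows 10/11 Pro or later with an enabled TPM, an elevated PowerShell session, and that the Group Policy setting ‘Require additional authentication at startup’ allows a TPM+PIN protector; the Azure AD escrow call is an assumed choice for an Azure AD-joined device, with the on-premises equivalent shown as a comment.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Assumes: TPM enabled in firmware, policy allows TPM+PIN on the OS drive.
$MountPoint = "C:"

# 1. Pre-flight: refuse to continue if the TPM is not present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM is not present/ready on this machine; enable it in firmware first."
}

# 2. Collect the PIN as a SecureString so it is not left in clear text in the console history.
$pin = Read-Host -Prompt "Enter the BitLocker startup PIN" -AsSecureString

# 3. Enable BitLocker with XTS-AES-256 and require TPM + PIN at boot.
#    -UsedSpaceOnly is faster but leaves free space (and deleted-file remnants) unencrypted;
#    drop it for a drive that has held data before.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $pin -UsedSpaceOnly

# 4. Add a recovery-password protector: this is the 48-digit key typed at the recovery screen.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1

# 5. Escrow the recovery password BEFORE the first reboot (assumed: Azure AD-joined device).
BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId
# On an on-premises AD DS domain the equivalent call is:
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 6. Show the resulting state. On an OS volume ProtectionStatus turns On after the next reboot,
#    once the TPM has confirmed it can unseal the VMK.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Keep the printed recovery password out of the transcript: if you need a local copy, export it with the Control Panel ‘Save to a file’ option to a drive that is not the one being encrypted.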

Advanced BitLocker Features

BitLocker To Go: Encrypting removable drives

Ever worried about losing a USB stick with sensitive data on it? That’s where BitLocker To Go comes into play. This feature allows you to encrypt removable drives, like USB sticks and external hard drives. Just right-click on the drive in File Explorer, choose ‘Turn on BitLocker,’ and follow the prompts.

Network Unlock: Automatically unlocking BitLocker-protected devices on a corporate network

Now, typing in a password every time you boot up your device can be a bit of a drag, especially in a corporate environment. BitLocker’s Network Unlock feature can help with that. When a BitLocker-protected Windows device is connected to a wired corporate network and a special Network Unlock certificate is available, the encryption is automatically unlocked, and the device boots up without needing user input. Note that this feature requires some setup involving Windows Server and the Windows Deployment Services role.

Group Policy: Managing BitLocker settings in an enterprise environment

If you’re managing multiple machines in a business setting, BitLocker’s Group Policy settings are going to be your best friend. Here, you can manage a whole bunch of BitLocker settings for your organization, like enforcing encryption algorithms, controlling recovery methods, and much more. Just launch the Group Policy Editor, and navigate to ‘Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption’ to start managing.
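An added compliance check (example code, not from the original post) that reads the state of every BitLocker volume on a machine and reports what falls short of a baseline like the one Group Policy would enforce. The baseline values are constructed for illustration, and the script assumes an elevated session.

```powershell
# Added example, not from the original post. The baseline below is constructed for illustration.
$Baseline = @{
    EncryptionMethods       = @('XtsAes256', 'Aes256')  # accepted cipher/key-length combinations
    RequireRecoveryPassword = $true                     # every volume needs an escrowable 48-digit key
    RequireTpmPinOnOs       = $true                     # the OS volume must not be TPM-only
}

function Test-BitLockerCompliance {
    param([hashtable]$Baseline)
    # VolumeType is OperatingSystem or Data; removable (To Go) drives also report as Data.
    foreach ($vol in Get-BitLockerVolume) {
        $findings = @()
        $types = @($vol.KeyProtector.KeyProtectorType)

        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "not fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"
        }
        if ($vol.ProtectionStatus -ne 'On') {
            # An encrypted volume with protection Off (suspended BitLocker) keeps its VMK
            # in the clear on disk, so it is effectively unprotected until resumed.
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        if ($vol.EncryptionMethod -notin $Baseline.EncryptionMethods) {
            $findings += "encryption method $($vol.EncryptionMethod) not in baseline"
        }
        if ($Baseline.RequireRecoveryPassword -and 'RecoveryPassword' -notin $types) {
            $findings += "no recovery-password protector (nothing to escrow)"
        }
        if ($Baseline.RequireTpmPinOnOs -and $vol.VolumeType -eq 'OperatingSystem' -and
            'TpmPin' -notin $types) {
            $findings += "OS volume lacks TPM+PIN (protectors: $($types -join ', '))"
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

# Print a table and exit non-zero so a scheduled task or monitoring agent can alert on it.
$report = Test-BitLockerCompliance -Baseline $Baseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```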

BitLocker with Azure Active Directory: Cloud-based key management

For those of you living on the cutting edge with Azure Active Directory (AAD), you’ll be glad to know that BitLocker can integrate with it too. When a device is enrolled in AAD, you can automatically escrow (a fancy term for securely storing) BitLocker recovery keys in the cloud. This makes managing recovery keys a breeze, especially for large organizations. Plus, users can retrieve their own recovery keys via the web, which is a nice bonus.

Best Practices for BitLocker Drive Encryption

Using strong passwords and multi-factor authentication:

BitLocker is only as strong as the authentication methods you use. Make sure you’re using a strong, unique password or PIN for unlocking your encrypted drive. If possible, enable multi-factor authentication (MFA) to add an extra layer of security. With MFA, even if someone gets hold of your password, they’ll still need another form of verification (like a USB key or biometric data) to access your data.

Backing up data and recovery keys:

While BitLocker does a great job of protecting your data, it’s not a backup solution. Ensure you regularly back up your important files to a separate, secure location (like an encrypted external drive or a cloud storage service). Also, don’t forget to keep multiple copies of your BitLocker recovery keys in safe places, both physically and digitally. If you lose access to your encrypted drive, these recovery keys will be your saving grace.

Alternatives to BitLocker Drive Encryption

VeraCrypt:

VeraCrypt is an open-source, cross-platform encryption tool that’s built on the foundations of the now-discontinued TrueCrypt. It’s capable of creating encrypted containers and full disk encryption, making it a versatile option for securing your data. One of its standout features is its support for multiple encryption algorithms, giving you the flexibility to choose the one that best suits your needs. The downside? It lacks some of the enterprise-friendly features of BitLocker, like Group Policy integration and Network Unlock.

FileVault 2 (macOS):

If you’re a macOS user, Apple’s built-in encryption solution, FileVault, has got your back. It provides full disk encryption using the AES-XTS mode with a 128-bit key, ensuring your data is well-protected. FileVault is easy to set up and manage, and it integrates seamlessly with macOS features like Time Machine backups and iCloud key storage.

LUKS (Linux):

For the Linux crowd, the Linux Unified Key Setup (LUKS) is a go-to solution for disk encryption. LUKS provides full disk encryption and is built into the popular dm-crypt module in the Linux kernel. Like VeraCrypt, LUKS supports multiple encryption algorithms and is highly customizable.

Conclusion

BitLocker Drive Encryption is a powerful and user-friendly tool that provides full disk encryption for your Windows devices. It comes with advanced features like BitLocker To Go for removable drives, Network Unlock for corporate environments, Group Policy management, and Azure Active Directory integration. All of these features work together to help you keep your data secure and well-protected. In today’s digital age, protecting your sensitive data is more important than ever. Cyber threats are constantly evolving, and data breaches can have severe consequences, both financially and reputation-wise.

About the Author:

Alex

Application Security Engineer and Red-Teamer. Over 15 years of experience in Application Security, Software Engineering and Offensive Security. OSCE3 & OSCP Certified. CTF nerd.
