What is the best practice for using BitLocker on an operating system drive?

A. BitLocker Drive Encryption is an integral security feature of Windows. It protects your computer's operating system and the data stored on it, ensuring that the data remains encrypted even if the computer is tampered with while the operating system is not running. This helps protect against "offline attacks": those made by disabling or circumventing the installed operating system, or by physically removing the hard drive to attack the data separately.

Q. Who should be using BitLocker?

A. ISG recommends that faculty and staff enable BitLocker if they use laptops containing data with a risk of Level 2 or 3 (especially frequent travelers).

Q. How can I obtain it?

A. BitLocker is built into the Windows operating system, but is not enabled by default. Your IT Support Professional will determine if you need BitLocker enabled and perform the necessary steps. 

Q. How do I use BitLocker to encrypt my laptop?

A. Your IT Support Professional will enable BitLocker.

Q. Where can I find written documentation?

A. Microsoft provides an overview and guide for using BitLocker with Windows 7, 8.1, 10 and 10 Mobile.

Q. What should I know about decryption?

A. If you feel your computer needs to be decrypted, contact your IT Support Professional or, if you have none, the IT Service Center. Note that decryption takes about as long as the original encryption did.

Q. My computer is encrypted, but when I start it up I get a BitLocker screen like this:
[Screenshot: BitLocker recovery screen]

A. BitLocker has detected that something in your computer's hardware has changed. This is a security feature designed to protect your data: for example, someone could have stolen your computer and be attempting to bypass the normal startup sequence. Follow the steps below to obtain a recovery password. Please note that you will need access to another device with a web browser.

  1. Press any key to continue. The next screen shows your Recovery Key ID:
     [Screenshot: BitLocker recovery screen showing the Recovery Key ID]
  2. Go to the Self Service Recovery site: https://bitlocker.brown.edu.
  3. When prompted, enter your Brown UserID and password.
  4. Check the box next to "I have read and understand the above notice".
  5. At this screen, enter the first 8 digits of the "Recovery Key ID" shown on your computer's screen:
     [Screenshot: Self Service Recovery site prompt for the Recovery Key ID]
  6. Finally, enter the 48-digit code into the recovery screen on your computer.
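As an added example that is not part of the ISG FAQ, here is a PowerShell helper an IT Support Professional could use before reading a recovery password back to a user: it checks that a 48-digit recovery password is well-formed (each 6-digit group must be a multiple of 11 whose quotient fits in 16 bits) and finds the recovery-password protector whose ID begins with the 8 characters the user reads off the recovery screen. The sample passwords and the `A1B2C3D4` prefix are constructed placeholders; `Get-BitLockerVolume` must be run elevated on the affected machine.

```powershell
# Added example, not from the original FAQ. Needs the BitLocker PowerShell
# module (Windows 8 / Server 2012 and later) and an elevated prompt for the lookup.

function Test-BitLockerRecoveryPassword {
    # A BitLocker recovery password is 8 groups of 6 digits. Each group is a
    # multiple of 11 whose quotient fits in 16 bits (so it is below 720896);
    # the 8 quotients together are the 128-bit recovery key.
    param([Parameter(Mandatory)][string]$Password)
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryProtector {
    # Return the recovery-password protector(s) on $MountPoint whose
    # KeyProtectorId starts with the 8 characters shown on the recovery screen.
    param([Parameter(Mandatory)][string]$KeyIdPrefix, [string]$MountPoint = 'C:')
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object {
            $_.KeyProtectorType -eq 'RecoveryPassword' -and
            $_.KeyProtectorId.TrimStart('{').StartsWith($KeyIdPrefix,
                [System.StringComparison]::OrdinalIgnoreCase)
        }
}

# Constructed sample values (not real keys): the first passes both checks,
# the second has a group that is not a multiple of 11, the third has a
# group (11 * 65536) that is a multiple of 11 but does not fit in 16 bits.
$valid   = '135795-597531-720885-440000-109989-345565-299002-000011'
$badMod  = '135795-597531-720885-440000-109989-345565-299002-000012'
$badSize = '135795-597531-720885-440000-109989-345565-299002-720896'
Test-BitLockerRecoveryPassword $valid
Test-BitLockerRecoveryPassword $badMod
Test-BitLockerRecoveryPassword $badSize

# On the affected machine, confirm which protector the user's 8-character ID
# refers to before reading out its RecoveryPassword property (prefix is a placeholder):
# Find-RecoveryProtector -KeyIdPrefix 'A1B2C3D4' | Select-Object KeyProtectorId, RecoveryPassword
```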

Q. What restrictions are there when traveling out of the country with an encrypted laptop?

A. U.S. federal regulations control the export of "encryption commodities, software and technology" (see Code of Federal Regulations, Title 15, Section 740.17). There are, however, license exceptions that allow taking encrypted laptops abroad, provided that the traveler returns within the year and "retains effective control and ownership." This coverage is global except for a handful of embargoed and sanctioned countries designated by the U.S. government. Travel to any of these countries requires that you remove any encryption technology from your laptop before entering it.

In addition, since laws can change at any time and some countries ban or severely regulate the use of encryption, you should consult country-specific information before traveling with an encrypted laptop to verify that your information is still current. Any faculty, post-docs, graduate students and PIs should also check in with OVPR, read its International Travel page as well as that of the Office of Insurance and Purchasing Services, and contact the Chief Information Security Officer before travelling overseas.

Finally, note that many nations do not recognize a "personal use exemption." Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license. Additional information about international encryption controls can be found at the following websites:

The Wassenaar Arrangement

Bureau of Industry and Security of the U.S. Department of Commerce - Export Administration Regulations

Securing data is more important than ever before. The information you hold is often more valuable than the device itself, and losing it can cause massive harm to you as an individual or to the organization that owns the device. It goes without saying that protecting it in every way possible is a must. There are many programs that help protect you from online attacks such as hacking, but BitLocker is one of the few ways to protect your data in offline attack situations.

Manage BitLocker with Hexnode UEM

Table of Contents

  • What exactly is the BitLocker?
  • How does it work?
  • Trustworthiness of these encryptions
  • Which option to choose?
  • It takes literal supereons to crack.
  • Organizations love to use BitLocker
  • How to use it?
  • Conclusion

What exactly is the BitLocker?

If a person manages to steal your hard drive, they could gain access to all the sensitive data in it, even if it is password protected. With BitLocker, you can avoid such scenarios. BitLocker device encryption protects all the data by encrypting the entire hard drive. As a result, no one can access the data without an encryption key. The key gets generated during disk encryption. Needless to say, this key must be kept safe.

[Figure: BitLocker keeps the data safe from theft]

BitLocker is available on:

  • Ultimate and Enterprise editions of Windows Vista and Windows 7
  • Pro and Enterprise editions of Windows 8 and 8.1
  • Pro, Enterprise, and Education editions of Windows 10 and Windows 11

How does it work?

The way BitLocker accomplishes this is brilliant. The solution is to encrypt the disk and store the key in a separate physical location other than the disk itself.

Let me elaborate on that. Most modern motherboards come with a chip called a TPM (Trusted Platform Module) soldered onto them. The TPM stores the encryption key. Every time the device boots, the TPM is asked for the key used to decrypt the drive. Since the key is physically separate from the drive, even if someone manages to steal the drive, they cannot access its sensitive content. The TPM is made to work only with that motherboard.

If your motherboard doesn't come with a TPM, you can change some settings so that a password is required every time the system boots up. However, that defeats the whole purpose of encryption, as the password is also stored on the disk somewhere. Alternatively, you can use a USB stick as the key: the encryption key is stored on the USB drive of your choice, which has to be connected to the PC every time the system boots.

Trustworthiness of these encryptions

You might be wondering: it is just encryption, a concept that has been in use since the world wars, and those ciphers were proven to be crackable. What makes this any different?
Well, no algorithm is 100% foolproof, but the algorithms used in BitLocker are much stronger. So far, the only known way to crack the encryption algorithms in BitLocker is to brute force your way in, and I'll explain in a bit why that is futile. In the case of BitLocker in Windows 10, you typically get to choose between 4 combinations of encryption mode and cipher strength:

  • AES-CBC 128-bit
  • AES-CBC 256-bit
  • XTS-AES 128-bit (default)
  • XTS-AES 256-bit

Which option to choose?

AES stands for Advanced Encryption Standard, which was originally developed to protect classified US government information. It was designed to replace DES (Data Encryption Standard), which had become vulnerable to brute force attacks as computational power advanced over the years. AES was therefore designed specifically to resist these types of attacks.

The attacker or thief might not be able to make sense of the data. However, they can still manipulate it. This can be annoying and, more importantly, devastating, especially when the user doesn't realize they were attacked. For example, an attacker might decide to change a few bits of data on your hard drive. This could affect the programs you want to run or even change a few characters in a spreadsheet you've made. The attacker will have no idea what the change amounts to, and what's terrifying is that neither will you. Since the changes can be so small, you probably won't be aware of the data tampering.

This is where the difference between XTS and CBC comes into the picture. CBC allows for single-bit changes, whereas in XTS you can only change 16 bits at a time. This makes the changes significant, visible, and easy to detect. Microsoft recommends using CBC for non-fixed/removable drives and XTS for fixed and OS drives.

There are more technical differences between CBC and XTS in how the two modes are constructed, but for our understanding this should be enough. In Windows 8, only the CBC algorithm is available, but you get to select whether you want to use a diffuser. Using a diffuser eliminates single-bit changes to some extent.
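To make the tampering point concrete, here is an added example (not from the article) that uses the AES implementation in .NET from PowerShell: it encrypts two 16-byte blocks with AES-CBC, flips one bit of the ciphertext, and shows that the next plaintext block gets exactly that bit flipped while the block that was hit turns to garbage. The key, IV and plaintext are constructed inside the function, and nothing here touches a BitLocker volume.

```powershell
# Added example: CBC malleability, demonstrated with .NET's AES on constructed data.
function Test-CbcBitFlip {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.KeySize = 128
    $aes.GenerateKey()
    $aes.GenerateIV()

    # Two exact 16-byte blocks (constructed sample plaintext).
    $plain  = [System.Text.Encoding]::ASCII.GetBytes('PAY 0100 TO ACME' + 'AMOUNT=000000100')
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)

    # Flip the low bit of the last ciphertext byte of block 0. CBC decryption
    # XORs ciphertext block 0 into plaintext block 1, so the same bit of
    # plaintext byte 31 flips (ASCII '0' becomes '1') without the key ever
    # being involved; block 0 itself decrypts to random-looking bytes.
    $tampered = [byte[]]$cipher.Clone()
    $tampered[15] = [byte]($tampered[15] -bxor 0x01)
    $decrypted = $aes.CreateDecryptor().TransformFinalBlock($tampered, 0, $tampered.Length)

    [pscustomobject]@{
        # The garbled block is the only visible sign that anything was changed.
        Block0Intact = ([BitConverter]::ToString($decrypted, 0, 16) -eq
                        [BitConverter]::ToString($plain, 0, 16))
        # Block 1 differs from the original in exactly one bit of one byte.
        Block1Text   = [System.Text.Encoding]::ASCII.GetString($decrypted, 16, 16)
        TargetedFlip = ($decrypted[31] -eq ($plain[31] -bxor 0x01))
    }
}
Test-CbcBitFlip
```

XTS has no chaining between blocks, so a modified ciphertext block garbles only its own block and leaves no neighbour with a precisely controlled change, which is why it is the default for fixed and OS drives.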

It takes literal supereons to crack.

Now, what is the deal with 128 bit and 256-bit encryption keys? To put it simply, the bigger, the better. But you should still be good with a 128-bit key for the most part because, even with the right quantum computer and the best cracking algorithm available today, it will take about 2.61×10^12 years to try every single combination possible. For AES-256, it will be 1.38×10^32 years. If those numbers don’t mean anything to you, the universe is just 1.3×10^10 years old. Take a minute and try to wrap your head around that.

[Figure: Impossible to crack without the encryption key]

Organizations love to use BitLocker

I think we have established what BitLocker can do. How is this useful for individuals, and especially from an organizational standpoint? BitLocker helps with:

  • Protecting confidential data:

    More often than not, employees tend to hold a lot of company-specific sensitive information on their own or the devices the organization provides them. They could be phone numbers, emails, passwords, or even the company’s trade secrets. Though the device uses a password, all the information is still available in the drive, making it the only thing between the hacker and your data. BitLocker on the other hand encrypts all the data in your hard drive, essentially making data illegible without the key.

  • Enabling BYOD and remote work:

    There had been drastic changes in the way employees work. We see it becoming increasingly digital and remote, especially in the last couple of years. Organizations are also letting employees use the devices of their comfort. This is all good until we factor in the security risks. BitLocker encryption helps eliminate these risks, leading to happy and productive employees.

Regular people are susceptible to data thefts as well and it can be very damaging when your passwords, bank info, etc are at risk. Hence, everyone should encrypt their data.

How to use it?

If the device is a part of an organizational network, only the admin will have access to these changes. Continue with these instructions if you have full administrator access over the device.

Changes to the BitLocker configuration of the operating system and fixed drives require admin access. Standard users can turn BitLocker on or off for removable drives unless the admin disables that access.

  1. Check for TPM

    Press Win + R and type "tpm.msc". You will find the TPM manufacturer information and its status. Hardware-based encryption is recommended if a TPM is present in your device.
    If the status is not "ready for use", you need to enable the TPM; see Microsoft's document on how to enable the TPM. Otherwise it is already enabled and you can move to step 2.
    If you don't see any of those, your device has no TPM, so opt for software-based encryption.

  2. Configure BitLocker

    Before enabling BitLocker, you need to disable BitLocker if the drives in question are already encrypted, and configure a few settings such as encryption type, cipher strength and recovery key storage location.
    To disable BitLocker, go to step 4.
    Open the Group Policy Editor (press Win + R and type "gpedit.msc"), go to Computer Configuration / Administrative Templates / Windows Components / BitLocker Device Encryption, and make the necessary changes.
    If your device has no TPM:

    1. Go to BitLocker Device Encryption/ Operating system drives/Require additional authentication at the startup
    2. Enable it
    3. Check "Allow BitLocker without a compatible TPM". Later, while enabling BitLocker, you will have to choose between using a password or a USB drive to unlock your device.

    This process can be simplified to a great extent if the device is managed by your organization using a capable UEM like Hexnode. From Hexnode’s console you can

    • Prompt the user for device encryption
    • Select the required encryption method for operating system, fixed and removable drives separately.
    • Configure the recovery options for each drive.
    • Configure start-up authentication and the minimum password length for an additional layer of security.

    All of this can be done with a single policy. Associate the policy remotely with multiple devices in bulk, which saves the IT team a lot of time and effort.

  3. Enable BitLocker

    Go to Control Panel > System and Security > BitLocker Drive Encryption > Turn BitLocker on.
    You may get a few prompts. Answer them according to your needs and the encryption process begins.
    After all the prompts, hit Continue and then Restart now. Even after the restart, the drive may still be in the process of being encrypted. It is advisable to keep the device plugged in, as this takes a while.

  4. Disable Bitlocker

    This is an optional step, useful when you want to change an existing configuration.
    Go to Control Panel > System and Security > BitLocker Drive Encryption > Turn BitLocker off.
    Make sure you have administrator credentials, as they are needed to remove BitLocker.
    Go back to step 2 to continue making changes to the configuration.
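The same four steps driven from an elevated PowerShell prompt, as an added example that is not part of the article: it checks the TPM, adds a recovery-password protector and escrows it off the device, turns on XTS-AES 256 sealed to the TPM, and shows the command that decrypts again. It assumes the OS volume is C: and a domain-joined device for the Active Directory escrow; Entra ID (Azure AD) joined devices use BackupToAAD-BitLockerKeyProtector instead.

```powershell
# Added example, not from the article: the manual steps above as PowerShell.
# Run elevated on the device; assumes the OS volume is C:.

# Step 1: check for a usable TPM (the tpm.msc check).
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # Without a TPM you need the "Allow BitLocker without a compatible TPM" policy
    # and a -PasswordProtector or -StartupKeyProtector in place of -TpmProtector.
    throw 'No ready TPM: enable it in firmware or configure a password/startup-key protector.'
}

# Step 2: configuration. Create the recovery password first, so a user who
# trips the hardware-change check is never locked out, and escrow it somewhere
# other than the device (Active Directory here; Entra ID joined devices use
# BackupToAAD-BitLockerKeyProtector instead).
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# Step 3: enable BitLocker with XTS-AES 256, the key sealed to the TPM.
# -SkipHardwareTest avoids the extra reboot; omit it to let the TPM test run first.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# Encryption keeps running after the restart; check on it with:
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus

# Step 4 (optional): decrypt before changing cipher or protector settings.
# Disable-BitLocker -MountPoint 'C:'
```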

Conclusion

BitLocker is one of the most useful features available to any Windows user. Encrypting the whole drive makes physical attacks such as theft of the device useless. Since it is impossible for the attacker to brute force their way through the encryption, there is no reason for users not to encrypt their drives, especially if they contain sensitive information. BitLocker is easy to set up, especially with a UEM like Hexnode, and costs almost nothing compared to the risks. Organizations love BitLocker for this exact reason.

What are some best practices when using a TPM like BitLocker to encrypt a drive?

From "BitLocker and BitLocker to Go Best Practices and Considerations" (...):

  • Use TPM rather than password protectors.
  • Configure hard drives into a single volume rather than OS and data volumes.
  • Allow UEM to manage the full lifecycle of BitLocker on a PC.
  • Avoid end user pre-encryption prior to enrollment.

Which BitLocker encryption method is best?

Blocking write access to fixed data drives not protected by BitLocker is recommended, as it prevents saving data on unencrypted drives and may be important for compliance reasons. Finally, AES-256-XTS is the recommended encryption method.

When should BitLocker be used?

BitLocker can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and by checking the integrity of early boot components and boot configuration data.

Can I use BitLocker on an operating system drive without a TPM?

BitLocker can also be used without a TPM by reconfiguring the default BitLocker settings. BitLocker will then store the encryption keys on a separate USB flash drive which must be inserted each time before you start the computer.