A. BitLocker Drive Encryption is an integral security feature for Windows computers. It provides protection for your computer's operating system as well as the data stored it, ensuring that the data remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against "offline attacks," those made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately. Show
Q. Who should be using Bitlocker?A. ISG recommends that faculty and staff enable BitLocker if they use laptops containing data with a risk of Level 2 or 3 (especially frequent travelers). Q. How can I obtain it?A. BitLocker is built into the Windows operating system, but is not enabled by default. Your IT Support Professional will determine if you need BitLocker enabled and perform the necessary steps. Q. How do I use BitLocker to encrypt my laptop?A. Your IT Support Professional will enable BitLocker. Q. Where can I find written documentation?A. Microsoft provides an overview and guide for using BitLocker with Windows 7, 8.1, 10 and 10 Mobile. Q. What should I know about decryption?A. In the event that you feel your computer needs to be decrypted contact your IT Support Professional, or if none, the IT Service Center. Note that the decryption process will take about the same length of time as encryption did. Q. I have a computer encrypted but when I start it up, I get a Bitlocker screen about: A. Bitlocker has detected that something with your computer hardware has changed. This is a security feature designed to protect your data. For example, someone could have stolen your computer and is attempting to bypass the normal startup sequence. Follow the step below to obtain a recovery password. Please note, you will need access to another device with a web browser.
Q. What restrictions are there when traveling out of the country with an encrypted laptop?A. U.S. federal regulations control the export of "encryption commodities, software and technology" (see Code of Federal Regulations, Title 15, Section 740.17). There are, however, license exceptions that allow taking encrypted laptops, provided that the traveler returns within the year and "retains effective control and ownership." This coverage is global except for a handful embargoed and sanctioned countries designated by the U.S. government. Travel to any of these countries requires that you remove any encryption technology from your laptop before entering it. In addition, since laws can change at any time and some countries ban or severely regulate the use of encryption, you should consult country-specific information before traveling with an encrypted laptop to verify that your information is still current. In addition, any faculty, post-docs, graduate students and PI's should check-in with OVPR, read its International Travel page as well as that of the Office of Insurance and Purchasing Services , and contact the Chief Information Security Officer before travelling overseas. Finally, note that many nations do not recognize a "personal use exemption." Before traveling to these countries with an encrypted laptop, you will need to apply to their specified governmental agency for an import license. Additional information about international encryption controls can be found at the following websites: The Wassenaar Arrangement Bureau of Industry and Security of the U.S. Department of Commerce - Export Administration Regulations Securing data is more important than ever before. The information you hold is often more valuable than the device itself and can cause massive loss to you as an individual or the organization to which the device belongs. It goes without saying that protecting it in every way possible is a must. There are many programs to help you protect from online attacks like hacking but, BitLocker is one of the few ways to protect your data in offline attack situations. Manage BitLocker with Hexnode UEMTable of Contents
What exactly is the BitLocker?If a person manages to steal your hard drive, they could gain access to all the sensitive data in it, even if it is password protected. With BitLocker, you can avoid such scenarios. BitLocker device encryption protects all the data by encrypting the entire hard drive. As a result, no one can access the data without an encryption key. The key gets generated during disk encryption. Needless to say, this key must be kept safe. BitLocker keeps the data safe from theftsBitLocker is available on:
How does it work?The way BitLocker accomplishes this is brilliant. The solution is to encrypt the disk and store the key in a separate physical location other than the disk itself. Let me elaborate on that. Most modern motherboards come with a chip called TPM (Trusted Platform Module) soldered onto them. The TPM stores the encryption key. Every time the device boots, the TPM is accessed for the key to decrypt information. Since the key is physically separate from the main memory, even if someone manages to steal the drive, they cannot access its sensitive content. The TPM is made to work only with that motherboard. If your motherboard doesn’t come with a TPM, you can change some settings to use a password every time the system boots up. However, that defeats the whole purpose of encryption as the password is also stored in the disk somewhere. Alternatively, you could go for the option to use a USB stick as the key. The encryption key is stored in the USB drive of choice which has to be connected to the PC every time the system boots. Trustworthiness of these encryptionsYou might be wondering, it is just encryption, a similar concept that had been in use since world wars and they were proven to be crackable. What makes this any special?
Which option to choose?AES stands for Advanced Encryption Standard, which had been developed initially for protecting/ciphering the US government classified information. It was designed to replace DES (Data Encryption Standard) because it became vulnerable to brute force attacks due to the advances in computational power over the years. Therefore, AES is especially immune to these types of attacks. The attacker or thief might not be able to make sense of the data. However, they can still manipulate it. This can be annoying and most importantly devastating, especially when the user doesn’t realize they got attacked. For example, an attacker might decide to change a few bits of data on your hard drive. This could affect the programs you might want to run or even change a few characters in the spreadsheet you’ve made. The attacker will have no idea what the change accounts for and what’s terrifying is that, neither will you. Since the changes can be so small, you probably won’t be aware of the data tampering. This is where the difference between XTS and CBC comes into the picture. CBC allows for single-bit changes, whereas in XTS you can only change 16 bits at a time. This makes the changes significant, visible, and easy to detect. Microsoft recommends using CBC for non-fixed/removable drives and XTS for fixed and OS drives. There are more technical differences between CBC and XTS related to how they interact with the logic gates. But for our understanding, this should be enough. In Windows 8, only CBC algorithm is available but you get to select whether you want to use a diffuser. Using a diffuser eliminates single-bit changes to some extent. It takes literal supereons to crack.Now, what is the deal with 128 bit and 256-bit encryption keys? To put it simply, the bigger, the better. But you should still be good with a 128-bit key for the most part because, even with the right quantum computer and the best cracking algorithm available today, it will take about 2.61×10^12 years to try every single combination possible. For AES-256, it will be 1.38×10^32 years. If those numbers don’t mean anything to you, the universe is just 1.3×10^10 years old. Take a minute and try to wrap your head around that. Impossible to crack without the encryption keyOrganizations love to use BitLockerI think we established what BitLocker can do. How can this be useful for individuals, especially from an organizational standpoint?
Regular people are susceptible to data thefts as well and it can be very damaging when your passwords, bank info, etc are at risk. Hence, everyone should encrypt their data. How to use it?If the device is a part of an organizational network, only the admin will have access to these changes. Continue with these instructions if you have full administrator access over the device. Changes to BitLocker configurations on the Operating system and fixed drives require admin access. Standard users can turn on or off the BitLocker for removable drives unless the admin disables the access
ConclusionBitLocker is one of the most useful features that benefits any Windows user. Encrypting the whole drive makes all the physical attacks like stealing useless. Since it is impossible for the attacker to brute force their way through the encryption, there’s no reason for the users to not encrypt their drives, especially if they contain sensitive information. BitLocker is easy to set up especially with a UEM like Hexnode and costs almost nothing compared to the risks. Organizations love BitLocker for this exact reason. What are some best practices when using a TPM like BitLocker to encrypt a drive?BitLocker and BitLocker to Go Best Practices and Considerations (.... Use TPM rather than password protectors. ... . Configure hard drives into a single volume rather than OS and data volumes. ... . Allow UEM to manage the full lifecycle of BitLocker on a PC. ... . Avoid end user pre-encryption prior to enrollment.. Which BitLocker encryption method is best?Block write access to fixed data-drives not protected by BitLocker is recommended as it prevents saving data on unencrypted drives, and may be important for compliance reasons. Finally, it's recommended that AES-256-XTS is used as the encryption method.
When should BitLocker be used?BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
Can I use BitLocker on an operating system drive without a TPM?BitLocker can also be used without a TPM by reconfiguring the default BitLocker settings. BitLocker will then store the encryption keys on a separate USB flash drive which must be inserted each time before you start the computer.
|