BitLocker to the Rescue?

Microsoft's encryption tool should make it much harder to steal vital business data

Microsoft is making it much more difficult to access and steal a businesss vital data from one of its PCs.

The company will deliver BitLocker, a hard drive encryption tool, as part of its forthcoming Windows Vista operating system. BitLocker, which will come with Windows Vista Enterprise and Ultimate editions, can be used to encrypt an entire hard drive.

Microsoft believes that BitLocker will help companies guard against accidental loss, inappropriate employee access and even theft. "[BitLocker Drive Encryption is] going to secure the information on a hard disk, whether its in a laptop or a desktop PC, and if [a PC] is stolen, nobody can get the data off of it," said Will Poole, senior vice president of Microsofts Market Expansion Group, during a WinHEC keynote address on May 23 in Seattle.

Poole described a recent ruined Saturday wherein a PC containing his personal information had been stolen from a financial services company in New York. BitLocker would have made it harder for someone to access data on the stolen machine, he said.

Despite the fact that hard drive encryption tools already exist, the act of including BitLocker with Windows Vista—and integrating the tool with its Active Directory for functions such as automatically storing backup encryption keys—could get more businesses thinking about encrypting their PC hard drives due to security concerns, industry watchers said.

BitLocker, Microsoft officials said, is capable of working either with or without a TPM (Trusted Platform Module) security chip. But they said that they consider the encryption tool to be at its best when it can take advantage of the combination of a TPM 1.2-specification chip and a secure BIOS.

With a TPM present, BitLocker uses the chip to generate cryptographic keys based on scans of core system files—such as the master boot record—in addition to a key for the hard drive itself. The drives entire volume, including the operating system, page file, temporary files, hibernation volume, user data and blank space, is encrypted by BitLocker, said Shon Eizenhoefer, a Microsoft program manager, during a May 24 presentation at WinHEC.

Later, if one of the core files is discovered to have been changed or replaced—an indication that a machine may have been tampered with or its hard drive removed in an effort to access its data—BitLocker will not release any of the keys in preboot, and, thus, the data stays encrypted, Eizenhoefer said.

"After the first time, every time you turn on a machine, it makes sure that current measurements match, so that if someone tries to hack with a BIOS or an [external] drive … the TPM can detect it and wont release the keys to the rest of the OS," Eizenhoefer said.

Setting up BitLocker requires a few clicks into Vistas security control panel and then a few more to set up the feature. BitLocker allows users to log in and access their machines in several ways, including placing a log-in key on a USB drive, creating a PIN or using only a TPM.

Using a TPM with a USB key is the most secure method—assuming a person doesnt carry that key in the same case as his or her laptop—but pre–sents the possibility of lost or stolen USB keys. PINs also can be lost or stolen. Meanwhile, simply using a TPM is most convenient but more defeatable in that it takes only cracking a systems password to gain access to its data.

To deal with lost or forgotten PINs, BitLocker offers a recovery key, which can be saved to a file, printed, or stored on the Web or in an Active Directory server for domain-joined business machines.

But, despite the advantages of hard drive encryption, there are still some concerns among security experts about BitLocker and how it may be used.

"The fear is this is an entry into a very restrictive DRM [digital rights management] system," said Bruce Schneier, chief technology officer at Counterpane Internet Security, in Mountain View, Calif. "We have to watch and make sure Microsoft cant abuse this technology."

Others are concerned that BitLocker might not follow industry-standard specifications. "My hackles are up just slightly when the industry goes in multiple directions at the same time," said Roger Kay, founder and president of Endpoint Technologies Associates, in Wayland, Mass. "Microsoft is particularly well-known for doing that."

The one-time adoption of a single method by the PC industry would be more favorable. However, there is something to be said for quicker time to market, Kay said. "Theyre not entirely wrong. They put out functionality; they can get it out quickly," he added. "The TCG [Trusted Computing Group] is still sort of fiddling around" with an effort to create a hard drive encryption standard of its own, he said.