

BitLocker Drive Encryption Technical Overview

Applies To: Windows Server 2008, Windows Vista

Windows® BitLocker™ Drive Encryption (BitLocker) is a data protection feature available in Windows Vista® Enterprise and Windows Vista® Ultimate for client computers, and in Windows Server® 2008. BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers by providing a closely integrated solution in Windows Vista.

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows Vista file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

This document describes BitLocker, including its life cycle on an enterprise computer. The information in this paper applies to Windows versions with BitLocker. For server-specific information, see Implementing BitLocker on Servers.

Topics in this Technical Overview

This technical overview includes the following topics:

  • BitLocker Concepts

  • BitLocker Benefits

  • BitLocker Security Considerations

  • Implementing BitLocker on Servers

  • Hardware, Firmware, and Software Requirements

  • BitLocker Architecture

  • BitLocker Life Cycle

  • System Recovery

BitLocker Concepts

BitLocker helps prevent unauthorized access to data on lost or stolen computers by combining two major data-protection procedures:

  • Encrypting the entire Windows operating system volume on the hard disk and any associated data volumes.

  • Verifying the integrity of early boot components and boot configuration data.

The most secure implementation of BitLocker leverages the enhanced security capabilities of a Trusted Platform Module (TPM) version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer running Windows Vista has not been tampered with while the system was offline.

In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation, and does not provide the pre-startup system integrity verification offered by BitLocker working with a TPM.

Offline data enhancements

BitLocker helps protect data while the system is offline by:

  • Encrypting the entire Windows operating system volume, including both user data and system files, the hibernation file, the page file, and temporary files.

  • Providing an umbrella protection for non-Microsoft applications, which benefit automatically when installed on the encrypted volume.

System integrity verification

BitLocker uses the TPM to verify the integrity of early boot components and boot configuration data. This helps ensure that BitLocker makes the encrypted volume accessible only if those components have not been tampered with and the encrypted drive is located in the original computer.

BitLocker helps ensure the integrity of the startup process by:

  • Providing a method to check that early boot file integrity has been maintained, and helping ensure that there has been no adversarial modification of those files, such as with boot sector viruses or rootkits.

  • Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for the Windows operating system volume.

  • Locking the system when tampered with. If any monitored files have been tampered with, the system does not start. This alerts the user to the tampering, since the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.

BitLocker Benefits

BitLocker benefits include enhancements for ease of use, enterprise implementation, and computer decommissioning or recycling.

Ease of use

In day-to-day use, BitLocker protection is virtually transparent to the user. And in the event that system lockout occurs—for example, due to hardware failure, hardware changes, or an attempted security breach—BitLocker offers a simple, efficient recovery process.

Enterprise implementation

BitLocker is tightly integrated into Windows Vista and provides enterprises with a seamless and easily manageable data protection solution. For example, BitLocker can utilize an enterprise’s existing Active Directory® Domain Services (AD DS) infrastructure to remotely escrow recovery keys. BitLocker provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer.

For more information about writing scripts for BitLocker, see Win32_EncryptableVolume (https://go.microsoft.com/fwlink/?LinkId=85983).

Computer decommissioning or recycling

BitLocker simplifies the process of decommissioning or recycling computers. Data in the encrypted volume can be rendered inaccessible by deleting the BitLocker keys that are required to access the volume.

BitLocker Security Considerations

Because security is a process of risk management, it is important to be aware that BitLocker cannot protect a computer against all possible attacks. For example, if malicious users, or programs such as viruses or rootkits, have access to the computer before it is lost or stolen, they might be able to introduce weaknesses through which they can later access encrypted data. And BitLocker protection can be compromised if the USB startup key is left in the computer, or if the PIN or Windows logon password is not kept secret.

The TPM-only authentication mode (that is, no startup key or PIN) provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. The TPM-only mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended.

However, the TPM-only mode offers the least amount of data protection. This mode protects against some attacks that modify early boot components, but the level of protection can be affected by potential security weaknesses in the operating system, hardware, or BIOS. The addition of a PIN or USB startup key can help mitigate many of these attacks. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers.

For more information about BitLocker security considerations, see Data Encryption Toolkit for Mobile PCs (https://go.microsoft.com/fwlink/?LinkId=85982).

Implementing BitLocker on Servers

For Windows Server 2008 servers in a shared or potentially non-secure environment, such as a branch office location, BitLocker can offer the same level of data protection that it offers on client computers. This additional feature, which is available for Windows Server 2008, enables an IT administrator to encrypt both the operating system volume and additional data volumes on the same server.

By default, BitLocker is not installed with Windows Server 2008. Add BitLocker from the Windows Server 2008 Server Manager page. After BitLocker is installed, setup and maintenance are performed as described later in this document. You must restart after installing BitLocker on a server. Using WMI, you can enable BitLocker remotely.

PIN support

It might not be desirable to enable the PIN feature on a server where startup speed is a factor or where human intervention in case of a restart is not possible. In many server environments, uptime and remote management are critical. One feasible deployment scenario is to enable BitLocker with PIN authentication in branch offices where an employee must turn on the server at the start of every work shift. In this scenario, the individual responsible would know and enter the PIN at startup.

Startup key support

USB startup keys are supported for servers, but they only increase data protection if they are not left in the server after startup. Therefore, to maximize data protection, someone must manually insert the startup key at each server restart and then remove the key until needed again.

Extensible Firmware Interface support

BitLocker is supported on Extensible Firmware Interface (EFI) servers using a 64-bit processor architecture installed with Windows Server 2008.

Data volumes

Volumes other than the operating system volume and the system volume are called data volumes. BitLocker encryption of data volumes is supported only in Windows Server 2008. BitLocker encrypts Windows Server 2008 data volumes the same way that it encrypts the operating system volume. The operating system can read a BitLocker-protected data volume as normal.

Automatic unlock

You can configure BitLocker to unlock mounted data volumes automatically during startup, without human interaction. BitLocker accomplishes this by encrypting a data volume's volume master key with an external wrapping key, and then storing a plaintext copy of the external wrapping key in the registry of the encrypted operating system volume. Because the external wrapping key is stored within the encrypted operating system volume, it is protected by BitLocker as well as by the Windows Server 2008 operating system itself. If the operating system enters recovery mode, the data volumes remain protected.

If you enable automatic unlock, turning off BitLocker has the same effect on data volumes as it does on the operating system volume:

  • If you decrypt the operating system volume, BitLocker will also decrypt the protected data volumes and remove all automatic unlock keys from the registry.

  • If you temporarily disable BitLocker, the operating system volume and data volumes will remain encrypted; however, the key protecting the operating system volume will be accessible until you turn BitLocker back on.

Using a scriptable WMI interface, a system administrator can enable or disable automatic unlocking for each server. To maintain a high level of protection for data volumes, you cannot enable automatic unlocking unless BitLocker is enabled for the operating system volume and the volume is encrypted.

Cluster configurations

BitLocker does not support cluster configurations.

Data volume recovery

The recovery of a data volume is similar to recovery for an operating system volume. A copy of the recovery key must be stored on other media prior to a failure (preferably at the time of setup). If the data volume is moved to a new server, or if the operating system cannot retrieve the external wrapping key to automatically unlock the data volume, then a user must insert the media containing the recovery key.

Recovery of data volumes is supported by the BitLocker control panel and the WMI provider.

Hardware, Firmware, and Software Requirements

To use BitLocker, a computer must satisfy certain requirements that are specified by the BitLocker Windows Vista system logo requirements.

  • For BitLocker to take advantage of the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable USB device such as a flash drive. For more information about using BitLocker on a non-TPM computer, see Startup key-only scenario (no TPM).

  • A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup, and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.

  • The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating-system environment. For more information about USB, see the USB Mass Storage Bulk-Only and the Mass Storage UFI Command specifications on the USB Web site (https://go.microsoft.com/fwlink/?LinkId=83120).

  • The hard disk must be partitioned with at least two volumes:

    • The operating system volume (or boot volume) contains the Windows Vista operating system and its support files; it must be formatted with the NTFS file system. BitLocker is enabled on this volume.

    • The system volume contains the files that are needed to load Windows after the BIOS has booted the platform. BitLocker is not enabled on this volume. For BitLocker to work, the system volume must not be encrypted, must differ from the operating system volume, and must be formatted with the NTFS file system. The system volume should be at least 1.5 gigabytes (GB).

BitLocker Architecture

BitLocker helps protect the operating system volume of the hard disk from unauthorized access while the computer is offline. To achieve this, BitLocker uses full-volume encryption and the security enhancements offered by the TPM. On computers that have a TPM, BitLocker also supports multifactor authentication.

BitLocker uses the TPM to perform system integrity checks on critical early boot components. The TPM collects and stores measurements from multiple early boot components and boot configuration data to create a system identifier for that computer, much like a fingerprint. If the early boot components are changed or tampered with, such as by changing the BIOS, changing the master boot record (MBR), or moving the hard disk to a different computer, the TPM prevents BitLocker from unlocking the encrypted volume and the computer enters recovery mode. If the TPM verifies system integrity, BitLocker unlocks the protected volume. The operating system then starts and system protection becomes the responsibility of the user and the operating system.

Figure 1 shows how the BitLocker-protected volume is encrypted with a full volume encryption key, which in turn is encrypted with a volume master key. Securing the volume master key is an indirect way of protecting data on the volume: the addition of the volume master key allows the system to be re-keyed easily when keys upstream in the trust chain are lost or compromised. This ability to re-key the system saves the expense of decrypting and encrypting the entire volume again.

Once BitLocker authenticates access to the protected operating system volume, a filter driver in the Windows Vista file system stack encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. When the computer hibernates, the hibernation file is saved encrypted to the protected volume. When the computer resumes from hibernation, the encrypted hibernation file is decrypted. After BitLocker encrypts the protected volume during setup, the impact on day-to-day system performance for encryption and decryption is typically minimal.

If you temporarily disable BitLocker (for example, to update the BIOS), the operating system volume remains encrypted, but the volume master key will be encrypted with a "clear key" stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker. When BitLocker is re-enabled, the unencrypted key is removed from the disk, the volume master key is keyed and encrypted again, and BitLocker protection resumes.
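The key hierarchy and the disabled-mode clear key described above can be modeled in a short program. This is an added example, not Microsoft code: the class and function names are hypothetical, the protector keys and sample data are constructed, and an HMAC-SHA256 construction stands in for the AES encryption that BitLocker uses.

```python
import hashlib
import hmac
import secrets


def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: a stand-in for AES, for illustration only.
    mac = lambda i: hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return b"".join(mac(i) for i in range((n + 31) // 32))[:n]


def wrap(key, plaintext):
    """Encrypt-then-MAC, so unwrapping with the wrong key raises."""
    nonce = secrets.token_bytes(16)
    stream = _stream(_sub(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unwrap(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted blob")
    stream = _stream(_sub(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class Volume:
    """On-disk state only: encrypted data plus wrapped keys."""
    def __init__(self, data, protectors):
        fvek = secrets.token_bytes(32)
        self.ciphertext = wrap(fvek, data)  # stands in for the encrypted sectors
        self.clear_key = None               # on disk only in disabled mode
        self._new_vmk(fvek, protectors)

    def _new_vmk(self, fvek, protectors):
        vmk = secrets.token_bytes(32)
        self.wrapped_fvek = wrap(vmk, fvek)
        self.wrapped_vmk = {n: wrap(k, vmk) for n, k in protectors.items()}

    def fvek(self, name, key):
        return unwrap(unwrap(key, self.wrapped_vmk[name]), self.wrapped_fvek)

    def read(self, name, key):
        return unwrap(self.fvek(name, key), self.ciphertext)

    def rekey(self, name, key, protectors):
        """Fresh VMK and protector set; FVEK and volume data stay as they are."""
        self._new_vmk(self.fvek(name, key), protectors)

    def disable(self, name, key):
        """Disabled mode: VMK also wrapped by a clear key kept in plaintext."""
        vmk = unwrap(key, self.wrapped_vmk[name])
        self.clear_key = secrets.token_bytes(32)
        self.wrapped_vmk["clear"] = wrap(self.clear_key, vmk)

    def enable(self, protectors):
        """Remove the clear key and wrap a fresh VMK under the protectors."""
        fvek = self.fvek("clear", self.clear_key)
        self.clear_key = None
        self._new_vmk(fvek, protectors)


def offline_read(vol):
    """What the disk alone yields: nothing, unless a clear key is stored on it."""
    return vol.read("clear", vol.clear_key) if vol.clear_key else None


def demo():
    data = b"constructed sample data"
    # Constructed keys; "tpm" stands for what the TPM unseals after validating boot components.
    tpm, old_rec, new_rec = (secrets.token_bytes(32) for _ in range(3))
    vol = Volume(data, {"tpm": tpm, "recovery": old_rec})
    sectors = vol.ciphertext
    out = {"locked_offline": offline_read(vol) is None}
    # Recovery key lost or compromised: re-key, authorised by the TPM protector.
    vol.rekey("tpm", tpm, {"tpm": tpm, "recovery": new_rec})
    out["sectors_unchanged"] = vol.ciphertext == sectors
    out["new_recovery_reads"] = vol.read("recovery", new_rec) == data
    try:
        vol.read("recovery", old_rec)
        out["old_recovery_rejected"] = False
    except ValueError:
        out["old_recovery_rejected"] = True
    vol.disable("tpm", tpm)  # for example, before a BIOS update
    out["exposed_while_disabled"] = offline_read(vol) == data
    vol.enable({"tpm": tpm, "recovery": new_rec})
    out["locked_after_enable"] = offline_read(vol) is None
    return out


if __name__ == "__main__":
    print(demo())
```

In this model the encrypted sectors are byte-for-byte identical before and after the re-key, and the disk alone yields the data only while the clear key is present.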

IT administrators can configure BitLocker locally through the BitLocker setup wizard, or both locally and remotely with the interfaces exposed by the Win32_EncryptableVolume WMI provider of the Windows Vista operating system. Interfaces include management functionality to begin, pause, and resume encryption of the volume and to configure how the volume is protected.

A management script (manage-bde.wsf), which is available with Windows Vista and Windows Server 2008, provides IT administrators with a simple command-line interface to manage and check BitLocker status. This script is written based on the available WMI providers, and can be modified to help build custom solutions for different enterprise administrative needs. For more information about the BitLocker Drive Encryption Provider, see https://go.microsoft.com/fwlink/?LinkId=80600.

Architectural diagram

Figure 2 shows the overall BitLocker architecture, including its various subcomponents. It displays the user mode and the kernel mode components of BitLocker, including the TPM, and the way they integrate with the different layers of the operating system.

Authentication modes in the boot sequence

BitLocker supports different authentication modes, depending on the computer's hardware capabilities and the desired level of security:

  • BitLocker with a TPM (no additional authentication factors)

  • BitLocker with a TPM and a PIN

  • BitLocker with a TPM and a USB startup key

  • BitLocker without a TPM (USB startup key required)

  • BitLocker with a TPM, a USB startup key, and a PIN

Each time Windows Vista starts up with BitLocker enabled, the boot code performs a sequence of steps based on the volume protections set. These steps can include system integrity checks and other authentication steps (PIN or USB startup key) that must be verified before the protected volume is unlocked.

For recovery purposes, BitLocker uses a recovery key (stored on a USB device) or a recovery password (numerical password), as shown in Figure 1. You create the recovery key or recovery password during BitLocker initialization. Inserting the recovery key or typing the recovery password enables an authorized user to regain access to the encrypted volume in the event of an attempted security breach or system failure.

BitLocker searches for keys in the following sequence:

  1. Clear key: System integrity verification has been disabled and the BitLocker volume master key is freely accessible. No authentication is necessary.

  2. Recovery key or startup key (if present): If a recovery key or startup key is present, BitLocker will use that key immediately and will not attempt other means of unlocking the volume.

  3. Authentication

    1. TPM: The TPM successfully validates early boot components to unseal the volume master key.

    2. TPM + startup key: The TPM successfully validates early boot components and a USB flash drive containing the correct startup key has been inserted.

    3. TPM + PIN: The TPM successfully validates early boot components and the user enters the correct PIN.

    4. TPM + PIN + startup key: The TPM successfully validates early boot components, the user enters the correct PIN, and a USB flash drive containing the correct startup key has been inserted.

  4. Recovery

    1. Recovery password: The user must enter the correct recovery password.

    2. Recovery key: If none of the above steps successfully unlocks the drive, the user is prompted to insert the USB flash drive that holds the recovery key, and then restart the computer.

Foreign volumes

Foreign volumes are operating system volumes that were BitLocker-enabled on another computer and have been transferred to a different Windows Vista computer. Transferring a foreign volume to another Windows Vista computer is a quick and straightforward procedure to recover BitLocker-protected data from a broken computer. The only authentication operation available on such a volume is recovery, which requires a recovery key or recovery password. For more information about recovery, see System Recovery.

BitLocker Life Cycle

There are four major stages in the BitLocker life cycle, as shown in Figure 3. Those stages include installation, initialization, daily use, and computer decommissioning or recycling.

  1. Installation: BitLocker is installed as part of Windows Vista or added as an option for Windows Server 2008.

  2. Initialization: BitLocker is initialized and enabled.

  3. Daily use: The computer is used in everyday scenarios. BitLocker provides a level of protection based on the authentication option selected during initialization.

  4. Computer decommissioning and recycling: A BitLocker-enabled computer needs to be decommissioned or recycled.

The following sections describe each of these stages. For a detailed architectural diagram, see the Architectural diagram.

Installation

For Windows Vista Enterprise and Windows Vista Ultimate, BitLocker is installed automatically as part of the operating system installation. However, BitLocker is not enabled until it is turned on using the BitLocker control panel.

Initialization

At any time after installation and initial operating system setup, the system administrator can use the Control Panel in Windows Vista to initialize BitLocker. There are two steps in the initialization process:

  1. On computers that have a TPM, initialize the TPM by using the TPM Initialization Wizard, the BitLocker control panel, or by running a script designed to initialize it. The TPM Initialization Wizard is accessible through the TPM Management Console Wizard, which is started from a link in the BitLocker control panel. Opening the BitLocker control panel will automatically start TPM initialization, if necessary. Remote initialization of the TPM is also supported. Although physical presence is generally required to initialize a computer's TPM, if a computer is shipped with the TPM already turned on, then physical presence is not required. The TPM services component of BitLocker includes a management API that allows scripting the initialization procedures — including setting an owner and creating the TPM administration password.

  2. Set up BitLocker. Access the BitLocker setup wizard from the Windows Vista Control Panel, which guides you through setup and presents advanced authentication options.

Warning

When a local administrator initializes BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive may be inaccessible and unrecoverable if there is a problem with the operating system volume.

BitLocker and TPM initialization must be performed by a member of the local Administrators group on the computer. A non-administrator user benefits from BitLocker data protection, but cannot enable or disable it.

For detailed information about configuring and deploying BitLocker on Windows Vista, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=53779).

Daily use

Once BitLocker has been initialized and the volume encrypted, a user encounters it only during authentication and occasional administrative tasks.

BitLocker supports four different authentication modes, depending on the computer's hardware capabilities and the desired level of security:

  • BitLocker with a TPM

  • BitLocker with a TPM and a PIN

  • BitLocker with a TPM and a USB startup key

  • BitLocker without a TPM (USB startup key required)

BitLocker-enabled computers that rely solely on a TPM for authentication, with no additional BitLocker authentication factors, can be used just like any other computer. Users start Windows and are prompted for their user name and password, which is a normal logon experience. Unless informed about BitLocker, users are likely unaware that their computers include an extra level of data protection.

If BitLocker is configured for enhanced security, the user is required to enter a PIN or insert a USB startup key in order to start Windows Vista. In this case, the normal startup flow or resume flow is modified to prompt for the additional authentication factor.

For detailed information about BitLocker authentication modes, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=53779).

TPM-only scenario

In this scenario, BitLocker is enabled on a computer that has a TPM, but no additional authentication factors have been enabled. The hard disk is partitioned with two volumes:

  1. The system volume

  2. The Windows Vista operating system volume

As shown in Figure 4, BitLocker encrypts the operating system volume with a full volume encryption key. This key is itself encrypted with the volume master key, which, in turn, is encrypted by the TPM.

This scenario can be enabled or disabled by the local administrator using the Security item in Control Panel in Windows Vista. Turning BitLocker off decrypts the volume and removes all keys. New keys are created once BitLocker is turned back on at a later time.

Warning

When a local administrator turns on BitLocker, the administrator should also create a recovery password or a recovery key. Without a recovery key or recovery password, all data on the encrypted drive might be inaccessible and unrecoverable if there is a problem with the operating system volume.

Enhanced authentication scenarios

These scenarios add authentication factors to the basic scenario described previously. As shown in Figure 5, using BitLocker on a computer that has a TPM offers two multifactor authentication options:

  • The TPM plus a PIN (system integrity check plus something the user knows)

  • The TPM plus a startup key stored on a USB flash drive (system integrity check plus something the user has)

The advantage of these scenarios is that not all key material is stored on the local computer.

PIN authentication

In this scenario, the administrator sets up a numeric PIN during BitLocker initialization. BitLocker hashes the PIN using SHA-256 and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, the user will be required to enter the PIN each time the computer starts up or resumes from hibernation.

Note

For server implementations, it might not be desirable to enable PIN authentication where startup speed is a factor or where human intervention in case of a restart is not possible.

Startup key authentication

In this scenario, the administrator creates a startup key during BitLocker initialization. The key is stored on any BIOS-enumerated storage device such as a pluggable USB flash drive, and the user must insert that device in the computer each time the computer starts up or resumes from hibernation. While the USB flash drive holding the startup key must be plugged into the computer from power up through startup, it should be removed after Windows is loaded.

Startup key-only scenario (no TPM)

In this scenario, the administrator enables BitLocker on a computer that does not contain a TPM. The computer user must insert the USB flash drive containing a startup key each time the computer starts or resumes from hibernation.

Note

The security profile of a system using a startup key-only scenario will be different from the security profile of a system using a TPM; the integrity of the early boot components will not be validated on the non-TPM system.

The startup key for a non-TPM computer must be created during BitLocker initialization, either through the BitLocker setup wizard or through scripting. BitLocker generates the startup key, the user inserts a USB flash drive, and the system stores the startup key on that device.

Using the BitLocker Control Panel item, the user can create a backup copy of the startup key. The startup key is saved unencrypted, in a “.bek” file as raw binary data. In the case of a lost startup key, the volume must be recovered by using the recovery key or the recovery password and a new startup key must be generated (this process will revoke the original startup key). All other volumes also using the lost startup key must go through a similar procedure, to ensure that the lost startup key is not used by an unauthorized user.

Administration

The administrator can manage BitLocker using the BitLocker control panel, accessible from the Security item in the Windows Vista Control Panel. A command-line management tool, manage-bde.wsf, is also available for IT administrators to script management tasks remotely.

For detailed information about configuring and deploying BitLocker on Windows Vista, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=53779).

Key management

Once the volume has been encrypted and protected with BitLocker, the Manage Keys page in the BitLocker control panel enables local and domain administrators to duplicate keys and reset the PIN.

BitLocker configuration and TPM management

The BitLocker control panel, accessible from the Security item in the Windows Vista Control Panel, displays BitLocker status and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. An administrator can also use the BitLocker control panel to access the TPM management MMC. For more information, see Initialization.

Computer updates and upgrades: disabling BitLocker protection

An administrator may want to temporarily disable BitLocker in certain scenarios, such as:

  • Restarting the computer for maintenance without requiring user input (for example, a PIN or startup key).

  • Updating the BIOS

  • Upgrading critical early boot components without triggering BitLocker recovery. For example:

    • Installing a different version of the operating system or another operating system, which might change the master boot record (MBR).

    • Repartitioning the disk, which might change the partition table.

    • Performing other system tasks that change the boot components validated by the TPM.

  • Upgrading the motherboard to replace or remove the TPM without triggering BitLocker recovery.

  • Turning off (disabling) or clearing the TPM without triggering BitLocker recovery.

  • Moving a BitLocker-protected disk volume to another computer without triggering BitLocker recovery.

These scenarios are collectively referred to as the computer upgrade scenario. BitLocker can be enabled or disabled through the BitLocker item in Control Panel in Windows.

The following steps are necessary to upgrade a BitLocker-enabled computer.

  1. Temporarily turn off BitLocker by placing it into disabled mode.

  2. Upgrade the system or the BIOS.

  3. Turn BitLocker back on.

Forcing BitLocker into disabled mode will keep the volume encrypted, but the volume master key will be encrypted with a symmetric key stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker, but ensures that subsequent computer startups succeed without further user input. When BitLocker is re-enabled, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the volume master key is keyed and encrypted again.

Moving the encrypted volume (that is, the physical disk) to another BitLocker-enabled computer does not require any additional steps because the key protecting the volume master key is stored unencrypted on the disk.

Warning

Exposing the volume master key even for a brief period is a security risk, because it is possible that an attacker might have accessed the volume master key and full volume encryption key when these keys were exposed by the clear key.

For detailed information about disabling BitLocker, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=53779).

Computer decommissioning and recycling

Many personal computers today are reused by people other than the computer's initial owner or user. In enterprise scenarios, computers may be redeployed to other departments, or they might leave the company as part of a standard computer hardware refresh cycle.

On unencrypted drives, data may remain readable even after the drive has been formatted. Enterprises often make use of multiple overwrites or physical destruction to reduce the risk of exposing data on decommissioned drives.

BitLocker can help create a simple, cost-effective decommissioning process. By leaving data encrypted by BitLocker and then removing the keys, an enterprise can permanently reduce the risk of exposing this data. It becomes nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys because this would require cracking 128-bit or 256-bit AES encryption.

Warning

Perform the procedures described in this section only if you do not want or need the data in the future. The data in the encrypted volume will not be recoverable.

An administrator can remove a volume’s BitLocker keys by formatting that volume from Windows Vista. The “format” command has been updated to support this operation. To format the operating system volume, you can open a command prompt using the recovery environment included in the Windows Vista installation DVD.

Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors. Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key protector. Given this requirement, you can decommission the drive by creating a new external key protector, not saving the created external key information, and then removing all other key protectors on the volume. For more information about writing scripts for BitLocker, see Win32_EncryptableVolume (https://go.microsoft.com/fwlink/?LinkId=85983).

Once the BitLocker keys have been removed from the volume, follow-up tasks are needed to complete the decommissioning process. For example: reset the TPM to its factory defaults by clearing the TPM, and discard saved recovery information for the volume such as printouts, files stored on USB devices, and information stored in Active Directory.
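The disabled mode described under the computer upgrade scenario and the key-protector removal described in this section can both be checked after the fact from the Win32_EncryptableVolume provider. The following read-only audit is an added example, not code from this document or from Microsoft; the helper name Get-BitLockerFinding and the wording of its findings are assumptions, and it expects an elevated Windows PowerShell session.

```powershell
# Added example (not Microsoft's code): read-only audit of BitLocker volume state.
# Run elevated in Windows PowerShell; nothing on the volume is modified.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType values as documented for Win32_EncryptableVolume.
$typeNames = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
                4 = 'TPM and PIN'; 5 = 'TPM and startup key' }

# Hypothetical helper: classify a volume from the provider's status codes.
function Get-BitLockerFinding {
    param([int]$ConversionStatus, [int]$ProtectionStatus, [int[]]$ProtectorTypes)
    # ConversionStatus 1 = fully encrypted; ProtectionStatus 0 = protection off.
    # Together they indicate disabled mode: the clear key is stored on the disk.
    if ($ConversionStatus -eq 1 -and $ProtectionStatus -eq 0) {
        return 'DISABLED MODE: encrypted, but clear key is on disk'
    }
    if ($ConversionStatus -ne 1) { return 'Not fully encrypted' }
    # After decommissioning, a single external key (type 2) should be all that is left.
    $others = @($ProtectorTypes | Where-Object { $_ -ne 2 })
    if ($ProtectorTypes.Count -eq 1 -and $others.Count -eq 0) {
        return 'Single external key only (decommissioned or startup-key-only)'
    }
    return 'Protected'
}

Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
    $vol  = $_
    $conv = [int]$vol.GetConversionStatus().ConversionStatus
    $prot = [int]$vol.GetProtectionStatus().ProtectionStatus
    # KeyProtectorType 0 requests the protectors of every type.
    $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @($ids | ForEach-Object { [int]$vol.GetKeyProtectorType($_).KeyProtectorType })
    $names = $types | ForEach-Object {
        if ($typeNames.ContainsKey($_)) { $typeNames[$_] } else { "Type $_" }
    }
    New-Object PSObject -Property @{
        Drive      = $vol.DriveLetter
        Finding    = Get-BitLockerFinding $conv $prot $types
        Protectors = $names -join ', '
    }
} | Format-Table Drive, Finding, Protectors -AutoSize
```

A volume reported in disabled mode after maintenance has finished should have BitLocker turned back on. The check sees only protectors stored on the volume, so recovery information kept in printouts, on USB devices, or in Active Directory still has to be discarded separately.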

System Recovery

A number of scenarios can trigger a recovery process, for example:

  • Moving the BitLocker-protected drive into a new computer.

  • Installing a new motherboard with a new TPM.

  • Turning off, disabling, or clearing the TPM.

  • Updating the BIOS.

  • Updating optional read-only memory (option ROM).

  • Upgrading critical early boot components that cause system integrity validation to fail.

  • Forgetting the PIN when PIN authentication has been enabled.

  • Losing the USB flash drive containing the startup key when startup key authentication has been enabled.

An administrator can also trigger recovery as an access control mechanism (for example, during computer redeployment). An administrator may decide to lock down an encrypted drive and require that users obtain BitLocker recovery information to unlock the drive.

If BitLocker enters recovery mode, the data in the encrypted volume can be recovered through a process that requires minimal setup. For detailed information, see Windows BitLocker Drive Encryption Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkID=53779).

Recovery setup

Using Group Policy, an IT administrator can choose what recovery methods to require, deny, or make optional for users who enable BitLocker. The recovery password can be stored in Active Directory Domain Services (AD DS), and the administrator can make this option mandatory, prohibited, or optional for each user of the computer. Additionally, the recovery data can be stored on a USB flash drive.

Recovery scenarios

In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password. The TPM is not involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.

Recovery password

The recovery password is a 48-digit, randomly-generated number that can be created during BitLocker setup. If the computer enters recovery mode, the user will be prompted to type this password using the function keys (F0 through F9). The recovery password can be managed and copied after BitLocker is enabled. Using the BitLocker control panel, the recovery password can be printed or saved to a file for future use.

A domain administrator can configure Group Policy to generate recovery passwords automatically and transparently back them up to AD DS as soon as BitLocker is enabled. The domain administrator can also choose to prevent BitLocker from encrypting a drive unless the computer is connected to the network and AD DS backup of the recovery password is successful.

Recovery key

The recovery key can be created and saved to a USB flash drive during BitLocker setup; it can also be managed and copied after BitLocker is enabled. If the computer enters recovery mode, the user will be prompted to insert the recovery key into the computer.