Back Up Your BitLocker Keys - Create a Security Policy
As you know from reading this blog on a regular basis, BitLocker is a volume encryption application included with Windows Vista and Windows Server 2008. With Windows Vista SP1, you'll be able to encrypt both the Windows boot volume and any data volume. Without SP1, Vista machines can only encrypt the Windows boot volume. Windows Server 2008 can use BitLocker to encrypt both the Windows boot volume and any data volumes.
A number of keys and passwords are used to help ensure the security of the BitLocker volume. The TPM chip used on BitLocker enabled machines enables the system to check the integrity of boot files and components to make sure they haven't been tampered with. You can use BitLocker using only a TPM without having to enter a PIN or USB key. However, for better security, you should use a TPM to insure the integrity of the boot components and a PIN or USB key to ensure that only authorized users are allowed to access the information on the encrypted volume.
When you use a TPM together with a log on PIN, the TPM will check the status of the boot components, and if the check shows no tampering, then you can enter a PIN that you created when you enabled BitLocker on the volume. The system will boot and access the encrypted volume after entering the correct PIN. For even greater security, instead of a PIN, you can require that the user plug in a USB key that contains the decryption key for the encrypted volumes.
When users enable BitLocker on their computers, they also have the option to to create recovery keys. These recovery keys can be used to access the system in the event that the USB or PIN is lost or otherwise not available. The recovery password is a 48 digit string that can be used to recover the BitLocker protected volume. You can also create a key package that is used together with the recovery password that will enable you to decrypt portions of a BitLocker protected volume if the disk is severely damaged. Other information that you can backup is the TPM owner password hash. When ownership of the TPM is taken a hash of the ownership password can be taken; this information can be used to reset ownership of the TPM.
As you can see, there is a lot of information you need to backup to make sure that users aren't locked out of their computers. Users should be instructed on how to create a recovery package using a USB key, and keep a copy of their recovery password in a safe place, but a place that is accessible in the event that they need to use it.
On an enterprise basis, you should create a policy for backing up this important information. This is a policy that I recommend:
- Always require backup of recovery passwords to AD DS.
- Always require backup of key package data to AD DS.
- Always require backup of TPM owner information to AD DS.
- Use recovery keys along with recovery passwords as a backup or alternate recovery method.
- If you are using TPM + PIN or USB startup keys, change them regularly.
- On TPM-enabled computers, use a BIOS administrator password to prohibit unauthorized access to TPM administrative functions.
- Educate users that they should not store key material such as USB startup keys with the system that such material unlocks.
- If you use recovery keys, store them in a central location for purposes of support and disaster recovery.
- Back up recovery material to secure offline storage for long-term recoverability.
Using such a policy, you won't get stuck with encrypted data that you will never be able to access again. Another recommendation is that you ensure that users always back up important data to a location off the BitLocker encrypted volume. This should be to an encrypted DVD, tape, or remote file share (encrypted or unencrypted) it doesn't matter.
For more information on enabling backup of key and password information to the AD, check out:
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)