BitLocker Enhancements in Windows Server 2012 and Windows 8 (Part 1) - SED Support and Network Unlock
BitLocker Drive Encryption has come a long way, baby, since its introduction in Windows Vista in 2006. Each iteration has offered improvements, and the version of BitLocker in Windows Server 2012 and Windows 8 client is a robust and full-featured option for protecting computers from attacks to which a system is vulnerable when the attacker has physical possession. This is particularly important for the mobile devices that have become the computing "weapon of choice" for many of today's on-the-go business users.
Here's the problem: If a laptop containing sensitive information and/or remote connections (such as VPN connections) to the corporate network is lost or stolen, an unauthorized person may be able to access the information on the drive even without knowing or cracking the user's logon password. This can be accomplished via a parallel installation attack, whereby the attacker boots into a different operating system instance. He might remove the hard drive from the system and put it into another computer that already has an OS installed, install another OS in a dual boot configuration, or use an OS that can be booted from an optical drive or USB drive.
To help protect against access to data by an unauthorized person who has obtained physical access to the computer, you can encrypt the data. By going further and encrypting the operating system files as well, you ensure that the unauthorized person won't be able to boot the system and gain access that way. File level encryption such as Microsoft's Encrypting File System (EFS) can be used to encrypt data but does not encrypt the OS files. Importantly, encrypting a data file with EFS doesn't encrypt the copies of that data that might be held in a hibernation file, a temporary file created by the application, or a page file when the data has been swapped out from memory. Data in these hidden locations can be recovered fairly easily by a savvy attacker.
The solution is to encrypt the entire drive or volume. There are a number of full volume encryption programs on the market, some of which have been around for a long time and which include some sophisticated capabilities, such as TrueCrypt, an open source solution for Windows, Linux and Mac OS X that lets you create fixed-size encrypted containers or create encrypted bootable partitions that are hidden.
The Microsoft solution
Microsoft's answer to full drive encryption is BitLocker. When it was initially released as part of Windows Vista, it could be used to encrypt only the partition on which the operating system was installed. Vista Service Pack 1 added the capability to encrypt other volumes on the computer's fixed hard drives. SP1 further improved BitLocker by adding an additional multifactor authentication method (TPM+USB+PIN).
Windows 7 took BitLocker to the next level, with a new feature called BitLocker To Go, which added the ability to use BitLocker encryption on removable drives, including USB flash drives, flash cards and USB hard drives. Windows 7 also made it easier to deploy BitLocker on a clean installation of Windows, as the OS installer automatically prepares the system volume for BitLocker encryption. As with Vista, BitLocker in Windows 7 is available only if you have the Enterprise or Ultimate edition. It was, unfortunately, omitted from Windows 7 Professional. BitLocker was also included in the server operating systems starting with Windows Server 2008.
With Windows 8 and Windows Server 2012, BitLocker has really come into its own. Microsoft added a number of important enhancements that make BitLocker easier to deploy and use in more circumstances than ever before. In addition, now that the number of Windows client editions has been reduced to three (Windows 8, Windows 8 Pro and Windows 8 RT), the Pro version includes BitLocker and BitLocker To Go.
New features: SED Support
In previous versions of BitLocker, the technology did not support the use of a hardware-encrypted hard drive as the boot drive. This has changed, and now you can use drives with built-in hardware encryption (often called self-encrypting drives or SEDs). A wide variety of drive types are supported, including IDE, ATA, SATA, eSATA, SAS, and SCSI, as well as IEEE 1394 and USB. Windows Server 2012 takes it a step further and supports BitLocker on Fibre Channel and iSCSI drives as well. You can also use BitLocker with hardware-based RAID arrays (but not software-based RAID).
New features: Network Unlock
Another new feature in the Windows 8 and Server 2012 version of BitLocker is network unlock. This feature is aimed at enterprise environments, specifically at systems that belong to a Windows domain. It automatically unlocks BitLocker-protected drives when the computer is rebooted if it is connected to the corporate network (this must be a wired connection, not a Wi-Fi or remote connection).
This avoids the problem of users forgetting their PINs or USB keys, when they're connected to the trusted network (the assumption being that if they are physically on premises with Ethernet plugged in, they are probably the authorized users). It also makes it easier to roll out patches and other updates to unattended desktops that are BitLocker-protected. Of course this is an optional configuration; for better security, organizations can still require that the PIN be entered (and/or USB key inserted) to access the protected drives even when on the corporate network.
Network unlock prerequisites
There are some prerequisites before you can implement network unlock. The BitLocker-protected system must be using UEFI firmware (not legacy BIOS) and it needs to have a DHCP driver in the firmware. The network must have a Windows Server 2012 server operating in the WDS (Windows Deployment Services) role and also a DHCP server that is separate from the WDS server (and separate from the domain controller). Group policy must be configured for network unlock, and the network unlock feature itself must be installed on the Windows Server 2012 server. You do this through Server Manager or with PowerShell; the feature name is BitLocker Network Unlock.
Network unlock uses public key cryptography and a network key that is stored on the system drive. The network key is stored together with a session key that uses 256-bit AES. The key is encrypted with a 2048-bit RSA public key.
How network unlock works
The client computer's boot manager detects the network unlock key protector. Key protectors are the means by which BitLocker keys are protected, such as a password or PIN, a key file, a smart card, certificate, etc. When the client detects this protector, it uses DHCP (hence the requirement for a DHCP driver in UEFI) to get an IPv4 address. Then it sends out a DHCP request with the encrypted network key and session key.
The server has to have a 2048 bit RSA key pair and the clients need to have the public key. The certificate is deployed through the Group Policy Editor on the domain controller. The WDS server decrypts the request with the RSA private key. Then it sends the network key back, encrypted with the session key (also using DHCP).
What happens if the WDS server isn't available or doesn't return the proper key? In that case, the user will be prompted to use the protector that it's configured to use when not on the corporate network (e.g., TPM + PIN). The user will be able to unlock the BitLocker-protected drive in the standard way.
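The exchange and fallback described above, modeled with .NET crypto classes from PowerShell as an added example (not code from Microsoft or from the original article). The OAEP padding, AES-CBC mode, message layout and function names are assumptions made for illustration; the real exchange is carried out by the boot manager over DHCP.

```powershell
# Added illustration, not Microsoft's wire format: OAEP padding, AES-CBC and the
# message layout are assumptions; the real exchange rides in DHCP messages.
$ErrorActionPreference = 'Stop'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count; $rng.GetBytes($b); return ,$b
}

# WDS server holds the 2048-bit RSA key pair; clients get only the public key.
$serverRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$clientRsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$clientRsa.ImportParameters($serverRsa.ExportParameters($false))

# Client side: constructed 256-bit network key plus a fresh AES-256 session key,
# both encrypted to the server's public key and sent as the request.
[byte[]]$networkKey = New-RandomBytes 32
[byte[]]$sessionKey = New-RandomBytes 32
[byte[]]$request = $clientRsa.Encrypt([byte[]]($networkKey + $sessionKey), $true)

function Get-ServerReply([byte[]]$Request) {
    # Server side: RSA-decrypt, split the keys, return the network key under AES.
    [byte[]]$plain = $serverRsa.Decrypt($Request, $true)
    [byte[]]$nk = $plain[0..31]
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]($plain[32..63])
    $ct = $aes.CreateEncryptor().TransformFinalBlock($nk, 0, $nk.Length)
    return @{ IV = $aes.IV; Ciphertext = $ct }
}

function Resolve-Unlock($Reply) {
    # Client side: no reply or a wrong key means falling back to the other protector.
    if ($null -eq $Reply) { return 'Fallback: TPM + PIN' }
    try {
        $aes = [System.Security.Cryptography.Aes]::Create()
        $aes.Key = $sessionKey; $aes.IV = $Reply.IV
        [byte[]]$got = $aes.CreateDecryptor().TransformFinalBlock(
            $Reply.Ciphertext, 0, $Reply.Ciphertext.Length)
    } catch { return 'Fallback: TPM + PIN' }
    if ([Convert]::ToBase64String($got) -eq [Convert]::ToBase64String($networkKey)) {
        return 'Unlocked via network'
    }
    return 'Fallback: TPM + PIN'
}

Resolve-Unlock (Get-ServerReply $request)     # server answered with the proper key
Resolve-Unlock $null                          # WDS server unavailable
$bad = Get-ServerReply $request; $bad.Ciphertext[0] = $bad.Ciphertext[0] -bxor 1
Resolve-Unlock $bad                           # altered reply: wrong key recovered
```

Only the holder of the RSA private key can read the session key, so a machine off the corporate network gets no usable reply and the client ends up at its configured fallback protector.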
Network unlock deployment, step by step
Here are the steps involved in setting up network unlock for a Windows domain:
- Install the WDS Server role via Server Manager or PowerShell. The command for PowerShell is Install-WindowsFeature WDS-Deployment
- In Services Management or via PowerShell, ensure that the WDS service is running. The PowerShell command is Get-Service WDSServer
- Through Server Manager or PowerShell, install the network unlock feature. The PowerShell command is Install-WindowsFeature BitLocker-NetworkUnlock
- Create a network unlock certificate using the Certificates Management console (certmgr.msc).
- Export the public key certificate to a .cer file.
- Export the private key to a .pfx file.
- Deploy the private key and certificate to the WDS server.
- Copy the .cer file to the domain controller and create a new Group Policy to enable the "Allow network unlock at startup" policy.
- Deploy the public certificate to the client computers via Group Policy.
- Set Group Policy to "Require additional authentication at startup" and select "Require Startup PIN with TPM."
- Create a certificate template for Network Unlock, which the Active Directory CA can use to create and issue the Network Unlock certificates. This is an involved process that we'll cover in a later article.
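The first three steps can be checked, and optionally applied, in one pass on the WDS server. This is an added example, not part of the original article: the feature and service names are the ones given in the steps, while the function name `Test-NetworkUnlockServer` and its `-Apply` switch are hypothetical names chosen for the illustration.

```powershell
# Added example, run in an elevated session on the Windows Server 2012 WDS host.
# Feature and service names come from the steps above; the function name and
# the -Apply switch are made up for this illustration.
function Test-NetworkUnlockServer {
    param([switch]$Apply)
    $report = [ordered]@{}
    foreach ($name in 'WDS-Deployment', 'BitLocker-NetworkUnlock') {
        $feature = Get-WindowsFeature -Name $name
        if (-not $feature) { $report[$name] = 'NotFound'; continue }
        if (-not $feature.Installed -and $Apply) {
            # Install only when asked to; otherwise the function just reports.
            $install = Install-WindowsFeature -Name $name
            if (-not $install.Success) { $report[$name] = 'InstallFailed'; continue }
            if ($install.RestartNeeded -ne 'No') {
                $report[$name] = 'InstalledRestartPending'; continue
            }
            $feature = Get-WindowsFeature -Name $name
        }
        $report[$name] = if ($feature.Installed) { 'Installed' } else { 'Missing' }
    }
    # Step 2: the WDS service has to be running, not merely installed.
    $svc = Get-Service -Name WDSServer -ErrorAction SilentlyContinue
    $report['WDSServer'] = if ($svc) { [string]$svc.Status } else { 'ServiceNotPresent' }
    $report['Ready'] = ($report['WDS-Deployment'] -eq 'Installed') -and
                       ($report['BitLocker-NetworkUnlock'] -eq 'Installed') -and
                       ($report['WDSServer'] -eq 'Running')
    New-Object psobject -Property $report
}

Test-NetworkUnlockServer            # report only
# Test-NetworkUnlockServer -Apply   # install whatever is missing, then report
```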
Note that you can impose even more security by requiring both a PIN and a startup USB key, but this option is not available through the GUI. You'll need to use the command-line utility Manage-bde, but first, you select "Require startup key and PIN with TPM" in the Group Policy. In Part 2, we'll discuss how to use Manage-bde to create the recovery key and startup key, and encrypt the drive.
There have been a number of improvements to BitLocker Drive Encryption in Windows 8 and Windows Server 2012. In Part 1 of this article, we looked at the new support for self-encrypting drives (SEDs) and the new Network Unlock feature that allows for automatic unlocking of BitLocker-protected drives when the computer is connected to the wired corporate network. In Part 2, we'll take a look at another enterprise-level new feature: support for BitLocker on cluster shared volumes.