I was talking to my wife, Deb Shinder (security MVP) about Vista security and asked her about a rumor regarding "back doors" in Vista's BitLocker whole volume encryption feature. She told me that this is only a reckless rumor that has no basis in fact. There are no back doors in Vista's BitLocker disk encryption feature. None, not any.
Well, that seems like good news to me. If I lose my laptop, I can rest assured that no scumbag is going to be able to access my email or the super secret PowerPoint presentations I create for large companies and governments. There is no back door and it doesn't matter that the bad guys have physical access to the disk.
How can this be a bad thing. For my own data, it's not a bad thing. But technology doesn't know who's a good guy and who's a bad guy. What if some terrorist had valuable information on his hard disk that could allow law enforcement to stop a major attack, but that information was protected by BitLocker? Law enforcement might see rumors on the Web that there was a back door and ask Microsoft for the keys. They'll be sad to find that there is no back door and that there's no way they'll be able to get the information they need without the cooperation of the criminal.
Does that mean that Microsoft should not release BitLocker? Of course not. There are already many disk encryption products on the market today that you can buy from third parties. Microsoft isn't doing anything new here, except that they're including it with some versions of the Vista operating system. I've heard some people in the law enforcement community say that MS should not release BitLocker to the general community.
Of course, I think they're wrong. However, keep in mind that if you don't provide law enforcement with your keys when asked, that may be just enough to give them probable cause to arrest you, even if you didn't do anything wrong. And if you're at a border, keep in mind that you don't have any Constitutional Rights (if you're a US citizen) against unreasonable Search and Seizure. No, it's not a Patriot Act thing -- it's always been that way.
If you want to know more about BitLocker, check out http://technet.microsoft.com/en-us/windowsvista/aa905065.aspx
BTW -- the RTM version of BitLocker allows you to only encrypt the Vista boot volume. When Vista SP1 is installed, you'll be able to encrypt any volume. When Windows Server 2008 is released, you'll be able to encrypt any volume using BitLocker.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP - Microsoft Firewalls (ISA)