Protecting Your Data with On-Disk Encryption
A common issue facing businesses and organizations today is a lost or stolen laptop or PC that contains sensitive data: without encryption, the disk can simply be moved to another machine and read. As a result, many companies are moving to on-disk encryption to protect their data. Windows Vista and Windows 7 (Ultimate and Enterprise editions) contain a feature called BitLocker which protects data by encrypting entire volumes.
BitLocker is a full-volume encryption feature built into Windows, not a separate program: it encrypts the whole volume with AES in CBC (cipher-block chaining) mode. On Vista and Windows 7 the default is a 128-bit key combined with Microsoft's optional "Elephant" diffuser; a 256-bit key, with or without the diffuser, can be selected through Group Policy before a volume is encrypted. BitLocker is only available on Windows Server 2008 and the Ultimate and Enterprise editions of Windows Vista and Windows 7. There are three different authentication modes that can be combined as building blocks to protect the key that unlocks the operating-system volume.
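The following PowerShell script is an added example, not code from the original article or from Microsoft. It goes slightly beyond the paragraph above: rather than just encrypting a buffer with AES-CBC, it shows the property of CBC that matters for disk encryption and that the Elephant diffuser was designed to counter. Flipping one bit in ciphertext block i scrambles plaintext block i and flips exactly the same bit in plaintext block i+1, with no key required. The 512-byte sector, the key and the per-sector IV derivation (encrypting the sector number under the volume key) are constructed for the demo; the IV scheme is an assumption for illustration, not a claim about BitLocker's exact construction.

```powershell
# Added example (not from the original article): AES-CBC malleability on a
# single disk sector. Uses the .NET AES implementation shipped with Windows.

$aes = [System.Security.Cryptography.Aes]::Create()
$aes.KeySize = 128
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::None
$aes.GenerateKey()

# Constructed plaintext sector: 32 blocks of 16 bytes with a known pattern.
$sector = New-Object byte[] 512
for ($i = 0; $i -lt 512; $i++) { $sector[$i] = [byte]($i % 256) }

# Per-sector IV (assumed scheme): encrypt the sector number under the same
# key so that every sector gets a distinct IV without storing one on disk.
$sectorNumber = [uint64]1234
$ivInput = New-Object byte[] 16
[BitConverter]::GetBytes($sectorNumber).CopyTo($ivInput, 0)
$ecb = [System.Security.Cryptography.Aes]::Create()
$ecb.Key     = $aes.Key
$ecb.Mode    = [System.Security.Cryptography.CipherMode]::ECB
$ecb.Padding = [System.Security.Cryptography.PaddingMode]::None
$aes.IV = $ecb.CreateEncryptor().TransformFinalBlock($ivInput, 0, 16)

$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($sector, 0, 512)

# An attacker with raw access to the encrypted disk (no key) flips bit 0 of
# byte 3 inside ciphertext block 5.
$tampered = [byte[]]$ciphertext.Clone()
$tampered[5 * 16 + 3] = $tampered[5 * 16 + 3] -bxor 0x01

$decrypted = $aes.CreateDecryptor().TransformFinalBlock($tampered, 0, 512)

# Report which plaintext blocks changed. Expect block 5 to be garbled (about
# 16 bytes differ) and block 6 to differ in exactly one byte, bit 0 of byte 3;
# the other 30 blocks decrypt correctly, so the tampering is hard to notice.
for ($b = 0; $b -lt 32; $b++) {
    $changed = 0
    for ($i = 0; $i -lt 16; $i++) {
        if ($decrypted[$b * 16 + $i] -ne $sector[$b * 16 + $i]) { $changed++ }
    }
    if ($changed -gt 0) { "block {0,2}: {1} byte(s) differ" -f $b, $changed }
}
```

The point for a practitioner: disk encryption gives confidentiality, not integrity. Plain CBC lets someone with write access to the encrypted volume make a controlled one-bit change in a chosen plaintext block at the cost of garbling the block before it, which is why Vista and Windows 7 offer the diffuser variants and why a TPM-measured boot chain still matters even when the whole volume is encrypted.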
Transparent Operation Mode
Transparent Operation Mode uses the Trusted Platform Module (TPM) chip on its own. The key that unlocks the volume is sealed by the TPM to measurements of the early boot code, and the TPM will only release it to the OS loader if those measurements match, that is, if the early boot files appear to be unmodified. No user interaction is needed at boot, which is what makes the mode transparent. A TPM alone protects against software-based attacks such as booting a tampered loader or moving the disk into another machine, but the computer is still vulnerable to hardware-based attacks, because the key is released into RAM every time the machine boots. An example of such an attack is a cold-boot attack, which relies on DRAM keeping its contents for seconds after power is removed: an attacker who gets hold of a machine that is running, sleeping, or has only just been switched off can cut the power, reboot into a small memory-dumping tool (or move the memory modules to another machine) and recover the key from RAM.
User Authentication Mode
User Authentication Mode, or PIN Mode, is when the user provides something to the pre-boot environment before the key is released. For BitLocker this is not a username and password but a PIN typed at the keyboard before Windows loads: 4 to 20 digits by default, with letters and symbols ("enhanced PINs") allowed on Windows 7 through Group Policy. The main problem when using a PIN is that the system is still vulnerable to a pre-OS attack: for example, a tampered boot loader that shows a fake PIN prompt, records what the user types and then reboots into the real one. Also, a PIN is great in theory, but to be effective it must be hard to guess, containing many different numbers and letters (the TPM's lockout logic slows down repeated wrong guesses at the pre-boot prompt, but it does nothing against a PIN that is watched or written down). The more complex (and therefore more secure) a PIN is, the less likely it is an end user will remember it. Some users have such difficulty remembering their PINs that they resort to writing them down on a sticky note on their monitor, under their keyboard or somewhere else on their desk. This may help them remember the PIN, but it defeats the purpose of having one in the first place.
Dongle Mode
Dongle Mode is where the user must insert a USB flash drive that contains a startup key (a small .bek file) into the computer in order to boot the protected OS; the boot loader reads the key from the drive before Windows starts. The main problems with using a dongle are loss of the device (without it, or a recovery key, the volume cannot be unlocked) and the fact that the system is still vulnerable to a pre-OS attack, since without a TPM nothing checks that the boot files are intact. This method is good against attacks on the hardware itself, because the key is never stored on the computer, but only as long as the dongle is not left plugged in: how many people do you think will actually remove the dongle after they finish using the system?
BitLocker supports the above authentication modes in the following combinations for the operating-system volume: TPM only, Dongle only (for machines without a TPM), TPM + PIN, TPM + Dongle and TPM + PIN + Dongle. TPM only is the least secure option, because the key is released with no user interaction, and TPM + PIN + Dongle is the most secure, because an attacker needs the machine, the PIN and the USB drive. You would think they would support a PIN-only or a Dongle + PIN authentication mode, but neither is offered for the OS volume in Vista or Windows 7. How hard do you think it is to insert a dongle versus trying to crack or brute-force a PIN? Regardless of which combination you choose, the smart thing to do is to use an authentication mode that requires two or more factors, and to keep a recovery password escrowed somewhere safe in case one of those factors is lost.
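The following script is an added example, not code from the original article or from Microsoft. It moves an operating-system volume from TPM only to TPM + PIN + Dongle with a recovery password kept alongside, using the manage-bde command-line tool that ships with Windows 7 (on Vista the equivalent is cscript manage-bde.wsf). Assumptions: an elevated PowerShell prompt on Windows 7 Ultimate or Enterprise, a TPM that is enabled and owned, the drive letters C: and E: (hypothetical), and the Group Policy "Require additional authentication at startup" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) configured to allow a PIN and a startup key with the TPM.

```powershell
# Added example (not from the original article): switch an OS volume from
# TPM-only to TPM + PIN + startup key and verify the result with manage-bde.
# Drive letters are assumed; E:\ must be a removable drive for the .bek file.

$osVolume   = 'C:'
$startupUsb = 'E:\'

# Current state: which protectors exist and which cipher the volume uses.
manage-bde -status $osVolume

# Add the recovery password first so the volume is never left without a way
# to unlock it; manage-bde prints the 48-digit password, escrow it off-machine.
manage-bde -protectors -add $osVolume -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "Adding the recovery password failed" }

# A volume can hold only one TPM-based protector, so drop TPM-only before
# adding the stronger combination.
manage-bde -protectors -delete $osVolume -type TPM

# TPM + PIN + startup key: manage-bde prompts for the PIN interactively and
# writes the startup key (.bek) to the removable drive.
manage-bde -protectors -add $osVolume -TPMAndPINAndStartupKey $startupUsb
if ($LASTEXITCODE -ne 0) { throw "Adding the TPM+PIN+startup key protector failed" }

# Turn encryption on if the volume is not encrypted yet (manage-bde reports an
# error if it already is, which is harmless here), then list the protectors.
manage-bde -on $osVolume
manage-bde -protectors -get $osVolume
```

Two checks worth making afterwards: the protector list from manage-bde -protectors -get should show exactly one TPM-based entry (TPM And PIN And Startup Key) plus the numerical recovery password, and the "Encryption Method" line from manage-bde -status shows the cipher actually in use. That cipher is fixed when encryption starts and is selected by the Group Policy "Choose drive encryption method and cipher strength"; changing it later means decrypting and re-encrypting the volume.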
If you are a business that needs to protect sensitive data, BitLocker is a Windows feature that you might want to look into. Remember that no security is perfect, but it is better to have one or more imperfect methods than none at all.