Presumably it will be enhanced in the future: allowing the encryption of other drives would be a good next step, for example.ĮDITED TO ADD (5/3): BitLocker is not a DRM system. It is also Microsoft’s first TPM application. It’s a feature that is turned off by default. Right now BitLocker is only in the Ultimate and Enterprise editions of Vista. It stops a particular attack against data. It allows people to stop worrying about their drives getting lost or stolen. It allows people to throw away or sell old drives without worry. But it does mitigate a specific but significant risk: the risk of attackers getting at data on drives directly. The problem is that it’s impossible to distinguish between a legitimate dual boot system and an attacker trying to use another OS-whether Linux or another instance of Vista-to get at the volume.īitLocker is not a panacea. You still won’t be able to share any files on your C drive between operating systems, but you will be able to share files on any other drive. After that, your dual boot system will work just fine, or so I’ve been told. But then you can use the recovery key to boot into Windows, then tell BitLocker to take the current configuration-with the dual boot code-as correct. If you have Vista running, then set up a dual boot system, Bitlocker will consider this sort of change to be an attack and refuse to run. So, does this destroy dual-boot systems? Not really. It’s shorter because it has to be typed in manually typing in 96 digits will piss off a lot of people-even if it is only for data recovery. The only place where a 128-bit key limit is hard-coded is the recovery key, which is 48 digits (including checksums). (My advice: stick with the default.) The key management system uses 256-bit keys wherever possible. Choices are 128-bit AES-CBC plus the diffuser, 256-bit AES-CBC plus the diffuser, 128-bit AES-CBC, and 256-bit AES-CBC. Administrators can select the disk encryption algorithm through group policy. The diffuser is designed to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC. And it only will work on some hardware: because BItLocker starts running before any device drivers are loaded, the BIOS must recognize USB drives in order for BitLocker to work.Įncryption particulars: The default data encryption algorithm is AES-128-CBC with an additional diffuser. You can get BitLocker to work in systems without a TPM, but it’s kludgy. ![]() There aren’t any back doors for the police, though. There are ways for an administrator to set group policy settings mandating this key. It is automatically generated by BitLocker, and it can be sent to some administrator or printed out and stored in some secure location. There is a recovery key: optional but strongly encouraged. But if you can force users to attach it to their keychains-remember that you only need the key to boot the computer, not to operate the computer-and convince them to go through the trouble of sticking it in their computer every time they boot, then you’ll get a higher level of security. People will keep their USB key in their computer bag with their laptop, so it won’t add much security. BitLocker doesn’t even let you get to a password screen to try.įor most people, basic mode is the best. Note that if you configure BitLocker with a USB key or a PIN, password guessing doesn’t work. ![]() This happens early in the boot process, when there’s still ASCII text on the screen. ![]() And finally, there’s a mode that uses a key stored in the TPM and a four-digit PIN that the user types into the computer. Then there’s a mode that uses a key stored in the TPM and a key stored on a USB drive. Here, the user has to insert the USB drive into the computer during boot. The BitLocker key can also be stored on a USB drive. The user does nothing differently, and notices nothing different. In the simplest mode, the TPM stores the key and the whole thing happens completely invisibly. In its basic mode, an attacker can still access the data on the drive by guessing the user’s password, but would not be able to get at the drive by booting the disk up using another operating system, or removing the drive and attaching it to another computer. Basically, it encrypts the C drive with a computer-generated key. BitLocker Drive Encryption is a new security feature in Windows Vista, designed to work with the Trusted Platform Module (TPM).
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |