All organizations face the threats of data loss and data leakage, and the pressures of protecting their customers' and employees' privacy. Data loss usually results from loss of physical control of the media that contains the information, whereas leakage typically results from inclusion of information in messaging or other documentation where that data should not be included.
Mitigating data leakage must be done at both the technical and social/personnel level, while mitigating the effect of data loss can be done effectively through technical mechanisms alone. This latter point is where we will focus this month's article. In this two-part tip, we'll explore
A primer on BitLocker To Go (BTG)
For anyone who utilizes Windows 7, BitLocker To Go offers an effective encryption mechanism to help mitigate the effects of data loss from either theft or physical loss of a removable USB device such as a thumb drive. While the loss of a drive that contains data may have other ramifications, such as notification requirements or other compliance penalties, you will have some level of assurance that the data on the device is safe (because it is encrypted).
BTG, simply, is BitLocker applied to removable media. The functionality for BitLocker and BTG are the same, and the terms will be used interchangeably in this tip. BTG performs full-volume encryption of removable storage, including USB thumb drives, for example. Unlike Windows Encrypting File System (EFS), which is a file-level encryption, BitLocker To Go encrypts the whole volume. The encryption is based on 128-bit or 256-bit AES encryption. BTG is compatible with NTFS and all FAT (FAT32, exFAT, etc.) file systems as well.
To enable the encryption of a USB thumb drive, use the BitLocker Drive Encryption Control Panel
or right-click on the drive in Windows Explorer and click "Turn on BitLocker."
Figure 1: Enabling BitLocker from Windows Explorer
Next BTG will prompt for an unlock mechanism (password, smart card or both). Your corporate policy will likely address which of these you have to use. If not, then you will probably use passwords. Make sure the password you use can't be easily guessed or cracked. Again, see your corporate password policy for requirements.
Figure 2: Choosing unlocking method
Then BTG requires you to store or print a "recovery key" for disaster recovery purposes.
Figure 3: Recovery key options
After you encrypt the drive, whenever you insert it into a Windows 7 (or Server 2008 R2) system, you'll be prompted to enter the password or insert the smart card. If you have password-protected the device, you will have an option to "remember the password on the computer," which will store the password in the local user credential store. I would not recommend using this setting, as I think having the user enter the password, just to remember it, is a positive step. Otherwise, you may be using the "recovery" option much more than you would like.
A couple more points on BTG in an enterprise or larger organization, which we will review in the second part of this tip series:
- You can use Group Policy to "force" BTG on removable devices for writing, or read-only actions.
- You can also use Active Directory to store recovery keys.
- The types of keys used by BitLocker To Go can be controlled with Group Policy.
- Furthermore, the policy can specify password length as well as complexity.
Note that the ability to enable BTG is available only in the Enterprise and Ultimate versions of Windows 7 and Server 2008 R2. Once BTG has been enabled, however, it is fully functional on any Windows 7 version or Server 2008 R2. It can be used in read-only mode with Server 2008, Vista and XP (SP2/SP3) as well, by utilizing the BitLocker To Go Reader, which is added to the encrypted device. You will be prompted to install the reader if you are on a XP or Vista system. While it should go without saying, the Reader still requires you to enter the correct password or have the smart card.
An unprotected portion of the drive
The keys used to encrypt the drive (the full volume encryption key and the volume master key) are stored in an unprotected section of the drive. They are both protected with the secret password or smart card. BTG requires access to the keys to decrypt the information on the disk, thus the need to have them in a place that BitLocker can get to.
How to use BitLocker To Go
There are two places to use BTG: on a standalone system or in an Active Directory (AD) domain. Using BTG on a standalone system is simple: you right-click the USB drive icon, enable BTG (as described earlier), and from then on, BitLocker To Go protects the drive and the data on it. In standalone mode, there are limited configuration options. You basically get what you get.
In the AD scenario, which will most likely occur in a larger organization, you will use Group Policy to enforce BitLocker policy settings. These settings are defined under the "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption" portion of the Group Policy. This portion of the policy controls all BitLocker functions, not just those for removable drives.
In our next tip, we will review your BitLocker Active Directory policy options.
About the author:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).
Send comments on this technical tip: firstname.lastname@example.org.
Join our SearchMidmarketSecurity.com
LinkedIn group, and share your expertise with your peers.
This was first published in August 2010