10 Things you don’t want to know about Bitlocker…
Nov 2015 Update – It seems bitlocker sans pre-boot has been trivially insecure for some time according to Synopsys hacker Ian Hakan, who found a simple way to change the Windows password and thus allow access to data even while Bitlocker was active.
So, with the forthcoming release of Windows 7, the ugly beast known as “Bitlocker” has reared its head again.
For those of you who were around during the original release of Bitlocker, or as it was known then “Secure Startup”, you’ll remember that it was meant to completely eliminate the necessity for third party security software. Yes, Bitlocker was going to secure our machines against all forms of attack and make sure we never lost data again.
Bitlocker was/is actually pretty good – it’s nicely integrated into Vista, it does its job well, and is really simple to operate. As it was designed to “protect the integrity of the operating system”, most who use it implemented it in “TPM Mode”, where no user involvement is required to boot the machine..
And that’s where problems started.
Hands up how many people have a TPM chip on their laptop?
Everyone I bet – it’s a ubiquitous piece of hardware nowadays. Ok, another show of hands please for those who’ve enabled, and taken ownership of the chip? “Taken ownership?” – yes, you remember going through the personalization phase of the chip, enabling it in the BIOS etc? Remember, all TPM’s are shipped disabled and deactivated.
What? You didn’t go through that yet? You didn’t do that before you deployed your laptops? Oh well, Bitlocker’s going to be a bit of a struggle for you isn’t it?
Fact 1. To use Bitlocker without adding additional authentication, you need an enabled, owned TPM1.2+ hardware chip.
Ok, For those of you who did go through this I congratulate your foresight. The only problem of course is:
Fact 2. Bitlocker with TPM-Only protection is vulnerable to Cold Boot, Firewire and BIOS Keyboard Buffer attacks.
Damn! Sorry to tell you this but there are some pretty simple attacks on your TPM-only machines – Do a google search for “Bitlocker Firewire” or “Bitlocker Cold Boot” or”BIOS keyboard” and you’ll find lots of research, and even a few tools which will unlock your nice “protected” machine and recover the data.
To make a machine secure, and by that I mean give you protection against having to disclose loss of personal information to all your customers if the machine goes missing, you need to use some form of pre-windows authentication (with or without TPM as well – it makes no difference). Microsoft themselves recommend this mode of operation.
For Bitlocker, turning on authentication gives you a couple of choices, you can set a pin for the machine, and also if you want, you can use a USB storage device (a memory stick, NOT a smart card) as a token. Yes, I did say a pin, and I certainly did not say “your Windows user ID and password” In fact I didn’t mention users at all. Bitlocker officially supports ONE login, so if more than one person uses a machine, you’re going to have to share that with everyone.
I feel some facts coming on…
Fact 3. Bitlocker is only secure if you use a pin or USBstick for authentication
Fact 4. There’s no link between your Windows credentials and Bitlocker Credentials
Fact 5. Bitlocker does not support the concept of more than one user
Even Microsoft’s official advice tells you to use a 6+char pin, plus TPM for authentication – no using it in TPM only mode now!
Ok, so now your lucky Bitlocker users have pc’s protected, maybe with a TPM, but certainly with some form of authentication which is shared between the owner of the machine, and probably you (as administrator), and the system guys etc. Hey – you probably have an excel spreadsheet with everyone’s pin’s written down?
I hope so, because when those users start forgetting their pins, who’s at the end of the phone? The good news is the pin never changes – there’s no forced change or lifetime.
What do you mean, that doesn’t fit with your password policy? Did I mention yet that the PIN can only be made from the Fn keys, not the normal letter keys unless you configure a special “Enhanced Pin” mode which does not work on non-USA keyboards? Did I mention there’s no complexity or content rules apart from Length?
Fact 6. Bitlocker PIN’s are usually FN key based. Bitlocker does not support non-US Keyboards
Hands up again all of you who’ve implemented PKI smart cards, or bought laptops with fingerprint sensors, or who have tokens such as ActivIdentity, CAC, PIV, eToken Keys, DataKey cards, SafeNet cards etc? You’d like to be able to use them for authentication to your PC’s wouldn’t you?
Fact 7. Bitlocker only supports USB STORAGE devices and PINs – no integration with any other token
And of course, you want users to be able to reset these credentials when they forget them without calling you, or your overworked, understaffed helpdesk? Sorry. No can do.
Fact 8. There’s no built in self-service pin recovery for Bitlocker users
There are Active Directory based methods, the GPO settings will let you store the (fixed) recovery key in your AD. I’m not sure how you feel about that getting propagated to every controller in your forest, but I’m sure you know and trust EVERY AD administrator in your organization who (now) have access to those keys. I mean, if someone was to dump out those keys and then quit, what would you do? It’s not as if the key ever expires. I guess you could write a program and then run it on every machine to recreate the keys, or write the recovery key down and give it to the user to hold on to?
Going back a bit, let’s review why we are going through this effort in the first place. I know the flippant answer is “because we were told to secure our machines”, but what does that mean? Most likely your company falls under one of the 250+ global laws defining and mandating the protection of peoples personal data, social security numbers, health information, credit card numbers etc. Regulations such as PCI, HIPPA, HITECH, SOX etc. You’re wanting to use Bitlocker to encrypt your machines because then, WHEN they get lost or stolen, you won’t have to pay fines, or tell everyone you lost their data, because to be honest, you didn’t did you? You lost the machine sure, but as the data was encrypted, no one can get access to it.
To use this “get out of jail” card you need to be able to prove a couple of things:
- That the data was indeed protected at time of loss
- That the protection method was appropriate given the type of data.
So, applying those tests, a rule appears.
Fact 9. You need extra software to PROVE Bitlocker was enabled and protecting the drive at time of theft to claim protection from PII laws
Personally, I know how to set GPO’s etc to mandate the use of Bitlocker, but I also know how easy it is for a user to turn it off. I don’t know of anything in Active Directory which gives me a definitive answer as to the state of protection of a given machine. There’s even a command line tool which can be run to completely (un)configure it. We need something that reports on the state of protection of a lost machine – just saying “well,. the policy says it should be encrypted” is not enough. Perhaps a reader can help out?
Ok, let’s finally take a look at implementing this solution. Now, you do have a 100% Vista Ultimate / Windows7 Enterprise environment don’t you? What? You still have some XP and Vista Business out there? Are you going to leave those machines unprotected, or are you planning to run a mix of third party software and Bitlocker?
Fact 10. Bitlocker only supports Windows7 Ultimate/Enterprise and Vista Ultimate.
It may come across that I’m not a great fan of Bitlocker – that’s far from the truth. I would use it (personally), and would recommend it to my friends etc. I see it as REALLY good for technical, trustworthy end users. But, that’s not the market it’s being promoted for is it? Nothing fills me with dread more than an enterprise product which requires yet another password, require specific hardware which is not enabled by default, presents a black screen with white text to users (urgh! So archaic), does not conform to our recognized password/pin lifetime policies, does not work on non-USA machines, and does not have audit-friendly output for the main purpose it serves, i.e. tell me if this stolen machine is a liabiltiy or not. Come on now – it’s 2009! Don’t we deserve better?
I actually like it because of the following 10 reasons:
- Only 1 of the 3 machines I use has a USA keyboard, so I can use FN mode Pins
- It never forces me to change my Pin
- I can turn it on and off whenever I like without my corporate IT people knowing.
- I get to use the TPM chip, even though it took me a whole day to work out how to enable it
- I can write fancy scripts to turn it on and off (I’m a closet programmer)
- I get a nice dos-like screen when I turn my machine on, just like 20 years ago
- Bitlocker is mostly controlled through a command line script (manage-bde)
- My local IT team can’t come and use my machine, or see what’s stored on it without me knowing
- I know that no one will be able to recover my data if I leave McAfee
- I just like things to be done the hard way