BitLocker To Go
Jeffa and I have been talking about it quite a bit recently, and there seems to be a lack of understanding of how it works, so I thought I would post this information.
There are even supporting GPO entries you can set that require all removable drives to be encrypted. More on these in another post.
So back to BTG.
BTG is very similar to BitLocker on the host's OS volume. It uses the same three-layer key hierarchy to protect the drive, so what you end up with is this:
- The volume data is encrypted with AES (128-bit by default in Windows 7; 256-bit if you set it by Group Policy) under the Full Volume Encryption Key (FVEK).
- The FVEK is never stored in the clear: it is wrapped with AES-256 under the Volume Master Key (VMK).
- The VMK is in turn wrapped by one or more key protectors. For BTG that is normally a user-chosen password (or a smart card), plus a recovery password or recovery key that wraps the same VMK a second time.
For more detail see the Bitlocker Architecture article.
Using BTG on a USB drive is really easy. Once you have inserted the drive and Windows has recognized it, open BitLocker Drive Encryption in Control Panel and select Turn On BitLocker next to the removable drive you want to encrypt.
When you first set it up, you are asked how you want to unlock the drive.
If you log on with a smart card, you can have the drive protected by the certificate on that card. If you do, you will need the smart card every time you want to access the external drive.
In this case I selected 'Use a password to unlock the drive'.
You are then presented with the usual BitLocker choice of where to save (or print) your recovery key.
Don't worry, it is smart enough not to let you save the recovery key on the drive you are trying to encrypt. Pick somewhere that does not travel with the drive.
Once you have chosen a suitable location, you can start the encryption process.
Encryption runs in the background, and you can remove the drive before it is complete, but the system tells you to pause the encryption first. If you don't, you risk a half-encrypted volume. Let's just say you've been warned.
Once encryption is complete, and you remove, then reinsert the drive you are presented with the password dialog to access the drive.
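The same Turn On BitLocker walk-through, driven from an elevated PowerShell prompt with manage-bde.exe (which ships with Windows 7 and later). This is an added example, not code from the original post or from Microsoft. It assumes the USB drive is mounted as E:, that D:\BitLockerRecovery is a folder on a fixed volume (never the drive being encrypted), and that manage-bde prints its status in English.

```powershell
$drive       = 'E:'                    # the removable drive to protect (assumed)
$recoveryDir = 'D:\BitLockerRecovery'  # on a fixed volume, never the drive being encrypted (assumed)
New-Item -ItemType Directory -Path $recoveryDir -Force | Out-Null

function Get-BtgStatusField([string]$Drive, [string]$Field) {
    # Returns the value of one "Field: value" line from manage-bde -status (English output assumed).
    $pattern = '{0}\s*:\s*(.+)$' -f [regex]::Escape($Field)
    $m = manage-bde -status $Drive | Select-String -Pattern $pattern | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value.Trim() }
    return $null
}

# Step 1: Turn On BitLocker. -pw prompts for the password protector, -rp adds a 48-digit
# numerical recovery password (shown once: record it), -rk writes a .BEK recovery key file
# into the folder. Both recovery protectors unwrap the same VMK that the password does.
manage-bde -on $drive -pw -rp -rk $recoveryDir

# Step 2: encryption continues in the background; poll until it reports 100%.
# If you must unplug the drive before then, pause first:  manage-bde -pause E:
# and pick it up again later with:                        manage-bde -resume E:
do {
    Start-Sleep -Seconds 15
    $pct = Get-BtgStatusField $drive 'Percentage Encrypted'
    if (-not $pct) { throw "Could not read BitLocker status for $drive; check the drive letter." }
    Write-Host "$drive encrypted: $pct"
} while ($pct -notmatch '^100')

# Step 3: confirm what is now protecting the drive. Expect a Password protector plus the
# Numerical Password and External Key protectors, each with an ID you can file next to
# the recovery material, and check which cipher is actually in use.
manage-bde -protectors -get $drive
Get-BtgStatusField $drive 'Encryption Method'
Get-BtgStatusField $drive 'Protection Status'
```

The protector listing in the last step is the part worth keeping: the protector IDs are what you later match against a saved recovery key file or recovery password when the user has forgotten the password.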
If you tick 'Automatically unlock on this computer from now on', Windows does not store your password. It adds an extra key protector (an external key) to the drive and keeps that key in the registry of the operating-system volume, which must itself be BitLocker-protected for the option to be available. The next time the drive is inserted on that machine, the stored key unlocks it without prompting, so anyone who can log on to that machine and read that part of the registry gets the drive too.
I would strongly suggest using the context menu on the drive and selecting Eject when you want to remove the drive from the machine. Technically you should be doing this with all your USB drives, but with a BitLocker-protected one you really need to get into the habit, since Eject flushes pending writes and locks the volume "just in case".
But what if you choose not to unlock the drive?
When you try to access it you get an access-denied error. If you try a 'dir' from an elevated command prompt, you will see that the volume is not even mounted as a file system (go ahead, try it).
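Checking the lock state, unlocking, and switching automatic unlock on and off from an elevated PowerShell prompt with manage-bde.exe (Windows 7 and later). This is an added example, not code from the original post or from Microsoft. It assumes the drive is E:, English manage-bde output, and that D:\BitLockerRecovery holds the .BEK file saved when the drive was set up; the 48-digit recovery password and protector ID are placeholders.

```powershell
$drive = 'E:'   # assumed drive letter

function Get-BtgLockStatus([string]$Drive) {
    # Pulls the "Lock Status: Locked/Unlocked" line out of manage-bde -status.
    $m = manage-bde -status $Drive | Select-String -Pattern 'Lock Status\s*:\s*(\w+)' | Select-Object -First 1
    if ($m) { return $m.Matches[0].Groups[1].Value }
    return 'Unknown'
}

# After reinserting the drive and cancelling the password dialog:
Get-BtgLockStatus $drive                                            # Locked
try   { Get-ChildItem "$drive\" -ErrorAction Stop | Out-Null; 'Readable' }
catch { "Not readable: $($_.Exception.Message)" }                   # access denied, as the post describes

# Unlock with the password (prompts for it)...
manage-bde -unlock $drive -pw
# ...or, if it is forgotten, with either recovery protector, which unwraps the same VMK:
#   manage-bde -unlock E: -rp <48-digit numerical recovery password>
#   manage-bde -unlock E: -rk D:\BitLockerRecovery\<protector id>.BEK
Get-BtgLockStatus $drive                                            # Unlocked

# "Automatically unlock on this computer from now on": adds an External Key protector to
# the drive and keeps that key on the OS volume, which must itself be BitLocker-protected.
# Your password is not what gets stored.
manage-bde -autounlock -enable $drive
manage-bde -protectors -get $drive                                  # External Key now listed alongside Password
manage-bde -status $drive | Select-String 'Automatic Unlock'        # Enabled

# Turn it off before lending or retiring the machine; -clearallkeys on the OS volume
# drops every stored auto-unlock key at once.
manage-bde -autounlock -disable $drive
# manage-bde -autounlock -clearallkeys C:

# Lock the drive again, which is what Eject also achieves, and confirm:
manage-bde -lock $drive -forcedismount
Get-BtgLockStatus $drive                                            # Locked
```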
Now if you turn on showing hidden and protected operating system files in Folder Options and look at a USB drive protected by BTG, you will notice some extra files on there.
These files hold the drive's BitLocker metadata, including the FVEK and the VMK, and you may also notice that they sit in the unprotected part of the drive. I'm sure some sensationalists out there are freaking out, just waiting to break a story on how you can use these keys to decrypt the drive, so BTG is broken. Well, get a grip, that's not the case: both keys are stored only in encrypted form.
As I said earlier, the FVEK is encrypted with the VMK, and the VMK is encrypted with the key protector, which is hopefully locked safely away in the noggin of the user.
There is not much point in trying to brute-force the wrapped keys to get at the data on the drive. They are protected with the same strength of AES as the drive data itself, so if you are that determined to brute-force something you may as well target the drive data directly. The realistic attack is not on AES at all but on the password: BitLocker stretches the password before using it to unwrap the VMK, but a short or guessable password can still be found by dictionary guessing, so choose a long passphrase.
Good luck with the AES route. There are about 1.2 x 10^77 possible 256-bit keys, and with today's computing power, assuming you have to search half the keyspace on average before you find the right key, it is going to take you something like 20,000,000,000,000,000,000 (20 quintillion) years. I plan on being dead by then, so if you get to my data in 20 quintillion years, have the time of your life.
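A runnable toy model of the three-layer key hierarchy described at the top of the post, and of why the wrapped FVEK and VMK in the drive's metadata are useless without the password. This is an added example, not BitLocker's own code or format: real BitLocker uses its own metadata layout, AES-CCM key wrapping and its own password stretching; here AES-256-CBC from .NET and PBKDF2 stand in for them, the sample "sector" is constructed, and the function names are my own.

```powershell
$ErrorActionPreference = 'Stop'

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf                      # leading comma keeps the byte[] from being unrolled
}

function Protect-Bytes([byte[]]$Key, [byte[]]$Plain) {
    # AES-256-CBC with a fresh IV; output is IV || ciphertext (PKCS7 padding is the .NET default).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    return ,([byte[]]($aes.IV + $ct))
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($Blob[0..15])
    return ,($aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16))
}

function Get-PasswordKey([string]$Password, [byte[]]$Salt) {
    # PBKDF2 stands in for BitLocker's own stretching. The iteration count sets the cost of
    # each guess; it is the password, not AES, that an attacker actually has to guess.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $Salt, 100000)
    return ,$kdf.GetBytes(32)
}

function Test-SameBytes([byte[]]$A, [byte[]]$B) {
    return [Convert]::ToBase64String($A) -eq [Convert]::ToBase64String($B)
}

# --- "Turn On BitLocker": generate the keys and write the wrapped copies to the drive ---
$sectorData = [System.Text.Encoding]::UTF8.GetBytes('constructed stand-in for a sector of client data')
$fvek = New-RandomBytes 32            # Full Volume Encryption Key: encrypts the data
$vmk  = New-RandomBytes 32            # Volume Master Key: wraps the FVEK
$salt = New-RandomBytes 16

$encData = Protect-Bytes $fvek $sectorData   # the encrypted volume contents
# Everything below is what lives in the drive's metadata, i.e. what the hidden files expose:
$encFvek        = Protect-Bytes $vmk $fvek                                                    # FVEK wrapped by VMK
$encVmk         = Protect-Bytes (Get-PasswordKey 'correct horse battery staple' $salt) $vmk   # password protector
$recoveryKey    = New-RandomBytes 32                                                          # the saved recovery key
$encVmkRecovery = Protect-Bytes $recoveryKey $vmk                                             # recovery protector: same VMK, different wrapper

# --- Unlock: password -> VMK -> FVEK -> data ---
function Unlock-Volume([string]$Password) {
    $vmkPlain  = Unprotect-Bytes (Get-PasswordKey $Password $salt) $encVmk
    $fvekPlain = Unprotect-Bytes $vmkPlain $encFvek
    return ,(Unprotect-Bytes $fvekPlain $encData)
}

"Right password recovers the data: " + (Test-SameBytes (Unlock-Volume 'correct horse battery staple') $sectorData)

$wrongWorked = $false
try { $wrongWorked = Test-SameBytes (Unlock-Volume 'password1') $sectorData } catch { }
"Wrong password recovers the data: $wrongWorked"

# --- Lost the password: the recovery key unwraps the same VMK, and a new password just
# re-wraps it. Neither the FVEK nor a single byte of the data needs re-encrypting.
$vmkFromRecovery = Unprotect-Bytes $recoveryKey $encVmkRecovery
$encVmk = Protect-Bytes (Get-PasswordKey 'a new and longer passphrase' $salt) $vmkFromRecovery
"New password recovers the data: " + (Test-SameBytes (Unlock-Volume 'a new and longer passphrase') $sectorData)
```

Two things the model makes visible that the prose only asserts: an attacker holding the metadata files gets only ciphertext, and every guess costs a full key derivation, so the strength of the whole stack collapses to the strength of the password; and a password change or recovery never touches the encrypted data, which is why it completes instantly on a full drive.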
BTG is a great way to protect all of those external drives you have. You can protect a USB drive for each client or account, or just keep your kids' pictures safe from prying eyes if you happen to drop your USB key in the parking lot.
No, you probably can't open it on the local Wal-Mart photo kiosk. But you can open it on any BitLocker To Go capable machine (Windows 7) provided you remember the password, and older systems such as Windows Vista or Windows Server 2008 can read it with the reader described next.
In fact, BTG places a BitLocker To Go Reader application on the USB drive. When you open the drive on a Vista machine it looks something like this:
You’ll notice that the drive has the Bitlocker icon on it. If you open it, you see the following:
You can see BitLockerToGo.exe there ready to serve you:
Once you run it you are asked for the password for the drive. If you enter it correctly, the BTG Reader starts and presents you with the following dialog.
Now you can browse your files, but the reader is read-only: to use a file you drag it to the local computer, and the reader decrypts it as it copies, so the file arrives on your system ready to use. You cannot edit or add files on the drive from the reader.
So give it a try. I personally use it on my external drives, especially those that contain my laptop backups and any client data I'm working on. I don't tend to lose drives, but if I ever did, I know that the data on them would be very safe.
Published Sunday, March 01, 2009 8:57 PM by RockyH