June 2007

Vista's BitLocker Drive Encryption

Lock down your data when you shut down your laptop

The special system volume brings up an important requirement for using BDE: Before or when you begin Vista installation, you must make sure your system has at least two volumes: one volume to install the Vista OS (the encrypted OS volume in Figure 1) and another volume (the system volume in Figure 1) to store the BDE integrity-protected boot files and FVEK. Microsoft recommends that you set aside at least 1.5GB of disk space for the special system volume. Also, you must mark the system volume as active and assign it the S drive letter. After Vista is installed, BDE isn't enabled by default, but you can enable it from the BitLocker Drive Encryption Control Panel applet. BDE supports state-of-the-art encryption and security technologies. It can use the Advanced Encryption Standard (AES) cipher and a 128-bit or 256-bit symmetric FVEK to encrypt the BDE-protected volume.

BDE can also optionally leverage a TPM to secure access to the FVEK and to verify the integrity of boot files. A TPM is a specialized security hardware module that's integrated with a computer's motherboard. It can provide tamper-proof security services to a computer and its users. These security services include protected storage for cryptographic keys, platform integrity verification, and strong device and user authentication.

A key TPM characteristic is that it can provide hardware-rooted security services. The problem with software-based security mechanisms is that malicious code can circumvent them by inserting itself in the protected system before the security mechanisms are operational. When a system uses TPM hardware for its security mechanisms, there is no practical way for malicious software to insert itself before the security mechanisms.

A TPM is built according to the specifications of the Trusted Computing Group (TCG), an industry consortium that defines specifications for trusted computing platforms and networking architectures. See http://www.rusted-computing.org for more information about the TCG and its specifications. An important detail is that BDE requires a TCG-compliant computer BIOS and a TPM that's architected according to the 1.2 version of the TCG specifications. New computer systems from leading hardware vendors such as IBM, HP, and Dell can support TPM 1.2.

BDE supports four authentication modes for unlocking the FVEK and deciding whether BDE will decrypt the OS volume and allow the OS to start:

TPM-only mode—The TPM protects the BDE FVEK, and no additional input is required from the user to start the OS.

USB token-only mode—The user must provide a valid USB token to unlock the FVEK and start the OS. This scenario is for users of machines without a TPM.

TPM/PIN mode—The TPM protects the BDE FVEK. The user must also provide a valid PIN to unlock the FVEK and start the OS. The PIN can be 4 to 20 digits long.

TPM/USB token mode—The TPM protects the BDE FVEK. The user must also provide a valid USB token to unlock the FVEK and start the OS.

BDE has no special requirements with regard to the use of USB tokens, so any Vista-compatible USB memory token will do. I recommend that you use the TPM/PIN or TPM/USB token BDE authentication modes because they leverage two authentication factors for better security. Also note that BDE can be used on computer systems that don't have a TPM installed: BDE can leverage a USB token to unlock the FVEK. An important side effect of BDE's TPM or USB token requirement is that currently you can't test BDE if you have Vista installed on a Microsoft Virtual PC or Virtual Server environment. VMware supports USB tokens, but at the time of writing it lacks TPM support.

If BDE authentication fails (if a system’s TPM is missing, changed, or corrupt; if the boot files have been modified; or if a user can’t provide the correct PIN or USB token), BDE enters recovery mode. In this case, the user needs a recovery key or password to regain access to the OS and the BDE-protected data stored on the system.
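The four authentication modes and the fall-back to recovery mode described above can be modelled as a set of independent key protectors that each wrap the same FVEK. The following is an added example written for this article, not Microsoft's code or anything from the original text: a FakeTPM class stands in for a TPM 1.2 (a storage root key that never leaves the chip, plus a PCR holding a measurement of the boot files), SHA-256/HMAC with XOR stands in for the real ciphers, and the boot files, PIN, USB key and 48-digit recovery password are all constructed sample values. It shows why editing a boot file or swapping the TPM rejects every TPM-based protector while the recovery password still opens the volume.

```python
"""Model of BitLocker Drive Encryption (BDE) key protectors.

Constructed, simplified example (not Microsoft's code): one FVEK encrypts the
volume; each protector independently wraps that FVEK; TPM-based protectors are
bound to a measurement of the boot files, so modifying a boot file or losing
the TPM sends the volume into recovery mode. SHA-256/HMAC + XOR stand in for
the real ciphers.
"""
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several byte strings."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(material: bytes, fvek: bytes) -> dict:
    """Wrap the FVEK under key material; the HMAC tag turns a wrong secret
    into a clean failure instead of silently yielding garbage."""
    wrapped = xor(fvek, h(b"kek", material))
    tag = hmac.new(h(b"mac", material), wrapped, "sha256").digest()
    return {"wrapped": wrapped, "tag": tag}


def unwrap(material: bytes, blob: dict) -> bytes:
    tag = hmac.new(h(b"mac", material), blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise PermissionError("protector rejected the supplied secret")
    return xor(blob["wrapped"], h(b"kek", material))


def validate_pin(pin: str) -> str:
    """BDE accepts PINs of 4 to 20 digits."""
    if not (pin.isdigit() and 4 <= len(pin) <= 20):
        raise ValueError("PIN must be 4 to 20 digits")
    return pin


class FakeTPM:
    """Hypothetical stand-in for a TPM 1.2: a storage root key (SRK) that
    never leaves the chip, and a PCR holding the boot-file measurement."""
    def __init__(self, boot_files: dict):
        self.srk = secrets.token_bytes(32)
        self.measure(boot_files)

    def measure(self, boot_files: dict) -> None:
        self.pcr = h(*(n.encode() + b"=" + d for n, d in sorted(boot_files.items())))

    def material(self, auth: bytes = b"") -> bytes:
        """Sealing key: depends on the chip, the boot measurement and any extra
        authorization (PIN or USB key). Changing any of them breaks unsealing."""
        return h(self.srk, self.pcr, auth)


class BdeVolume:
    """Ciphertext plus wrapped copies of its FVEK; the plaintext FVEK is not kept."""
    def __init__(self, plaintext: bytes, protectors: dict, key_bits: int = 256):
        assert key_bits in (128, 256)
        fvek = secrets.token_bytes(key_bits // 8)
        self.ciphertext = self._stream(fvek, plaintext)
        self.protectors = {name: wrap(m, fvek) for name, m in protectors.items()}

    @staticmethod
    def _stream(key: bytes, data: bytes) -> bytes:
        """Counter-mode keystream derived from the FVEK (toy stand-in for AES)."""
        out = bytearray()
        for i in range(0, len(data), 32):
            out += xor(data[i:i + 32], h(key, i.to_bytes(8, "big")))
        return bytes(out)

    def unlock(self, name: str, material: bytes) -> bytes:
        """Return the FVEK, or raise PermissionError (BDE enters recovery mode)."""
        return unwrap(material, self.protectors[name])

    def read(self, fvek: bytes) -> bytes:
        return self._stream(fvek, self.ciphertext)


def demo() -> dict:
    boot = {"bootmgr": b"constructed boot manager image", "BCD": b"constructed BCD"}
    tpm = FakeTPM(boot)
    pin = validate_pin("482913")                    # constructed PIN
    usb_key = secrets.token_bytes(32)               # constructed USB token key file
    recovery_pw = "".join(secrets.choice("0123456789") for _ in range(48))  # constructed
    secret = b"constructed volume contents: payroll.xlsx"
    vol = BdeVolume(secret, {
        "tpm_only": tpm.material(),
        "tpm_pin": tpm.material(pin.encode()),
        "usb_only": h(b"usb", usb_key),
        "tpm_usb": tpm.material(usb_key),
        "recovery": h(b"recovery", recovery_pw.encode()),
    })

    def attempt(name: str, material: bytes) -> bool:
        try:
            return vol.read(vol.unlock(name, material)) == secret
        except PermissionError:
            return False  # real BDE would now prompt for the recovery key/password

    r = {
        "tpm_only": attempt("tpm_only", tpm.material()),
        "tpm_pin_right": attempt("tpm_pin", tpm.material(pin.encode())),
        "tpm_pin_wrong": attempt("tpm_pin", tpm.material(b"000000")),
        "usb_only": attempt("usb_only", h(b"usb", usb_key)),
        "tpm_usb": attempt("tpm_usb", tpm.material(usb_key)),
    }
    # A modified boot file (or a replaced TPM) changes the measurement, so every
    # TPM-bound protector fails and only the recovery password still works.
    boot["bootmgr"] = b"modified boot manager image"
    tpm.measure(boot)
    r["tampered_tpm_only"] = attempt("tpm_only", tpm.material())
    r["tampered_tpm_pin"] = attempt("tpm_pin", tpm.material(pin.encode()))
    r["tampered_recovery"] = attempt("recovery", h(b"recovery", recovery_pw.encode()))
    return r


if __name__ == "__main__":
    print(demo())
```

The design point the model makes is that the protectors are independent: adding a USB or recovery protector never weakens the TPM protector, and the recovery password is the only protector that survives a boot-chain change, which is why it must be escrowed before the machine leaves the build bench.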

Managing BDE
BDE is a complex technology that requires a significant amount of planning if you want to deploy it properly in an enterprise. One sign of BDE's management complexity is the number of passwords and PINs involved in using and managing it. Some of them are optional, but there are still quite a few to look after. Below is a short list of the required ones and a couple of the optional ones:

The BIOS password—A BIOS password is required to enable the TPM in BIOS. On new computer systems, the TPM is typically disabled by default in BIOS.

The Windows administrator password—This isn't a BDE-specific password, but I included it on this list for completeness. You need to know an administrator password to manage and configure many of a Vista machine's settings, including BDE settings. In the Vista Control Panel, the BDE applet is marked with the User Account Control (UAC) shield icon (as Figure 2 shows) to indicate that Vista requires administrator-level credentials for initializing the TPM and for BDE-protecting a Windows volume.



 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing