Windows Vista Ultimate Edition and Windows Vista Enterprise Edition offer BitLocker Drive Encryption as a method to encrypt the contents of your hard drive. While working with BitLocker Drive Encryption I experienced a couple of imperfections and weaknesses.
The imperfections and weaknesses made me believe the current version of BitLocker can be seen as a Microsoft ‘version 1.0’ product. To me a typical ‘version 1.0’ product from Microsoft is the first incarnation of a thought to solve a specific problem or target a specific audience. There have been many Microsoft products that I call ‘version 1.0’ products. Windows NT Server 4.0, Terminal Server Edition, SharePoint Portal Server 2001 and the infamous Private Folder are among these products. What they have in common is they lack management features, offer poor performance, aren’t designed with security as a main focus. Usually I find they are complete rubbish and unsuitable for implementation in enterprise environments.
I think ‘version 1.0’ products are great in a way. It shows Microsoft’s dedication to a certain thought. Usually versions after the initial versions offer more performance, a newly designed interface and new features. It’s just too bad some customers lose their trust in the product or technology after they implement a ‘version 1.0’. These customers don’t tend to bother looking at next versions…
What’s wrong with BitLocker
I think BitLocker Drive Encryption is unsuitable for implementation within an enterprise environment. I’ve tried it and found the following imperfections of BitLocker Drive Encryption as an enterprise-ready tool for full-disk encryption:
BitLocker is only available in certain versions of Windows Vista
You can only use BitLocker Drive Encryption in Windows Vista Enterprise and Windows Vista Ultimate. Microsoft has stated it will only support Windows Vista Ultimate for five years. You can only buy Windows Vista Enterprise within certain licensing models and subscriptions.
If you want BitLocker you either need to migrate your computers before April, 10 2008 (to benefit from the maximum support period) or pay a load of money to receive Windows Vista Enterprise and all the other Software Assurance (SA) benefits. (which is fine if you’re planning on using all of them…)
You won’t find BitLocker Drive Encryption in Windows Vista Business Edition, Windows XP Professional or Windows XP Tablet PC Edition.
BitLocker requires certain hardware
In most documentation you’ll find BitLocker only works when you have a TPM 1.2 chip. Some people even consider this a hardware requirement while it’s not… or at least not really. You need a TPM chip if you want to use BitLocker in the TPM + PIN or TPM + Startup Key scenario. (I guess that’s why they call these scenarios that way…) You can also use BitLocker in the External Key scenario. This mode doesn’t require a TPM chip. It requires your computer to have a BIOS that recognizes external media (like an USB stick) and the external media itself. Some older computers don’t have a TPM chip or the right BIOS.
The BitLocker user interface isn’t graphical
BitLocker Drive Encryption requires user interaction when you implement it in one of the more secure modes. (TPM + PIN, TPM + Startup Key, External Key and Numerical Password) In these modes you are confronted with a text based user interface, instead of a graphical user interface when you startup the machine or wake it from it’s sleep. While a text-based user interface is fine for some, for others it isn’t… like women.
The BitLocker user interface isn’t Multi-Language
A Windows Vista Enterprise or Windows Vista Ultimate installation can be tailored to fit everyone’s language needs. The language of BitLocker’s user interface for interaction when you startup the machine or wake it from it’s sleep can’t be changed.
BitLocker Drive Encryption can’t be enforced remotely
At this moment there is no central management center or management console to centrally enforce, monitor and check BitLocker Drive Encryption. What you can do is use bde-manage.wsf, Active Directory, some group policies (specifically TPM.admx and VolumeEncryption.admx), some sample scripts (which you can find here) and the BitLocker Recovery Password Viewer tool in combination with a startup or login script to prepare the system for BitLocker Drive Encryption and actually rollout BitLocker Drive Encryption.
When the device is not connected to your network however you have no way of managing it. You can’t check whether the drive is still encrypted, whether someone tries to decrypt it or even help your user decrypt it in case of problems…
The Drive Encryption process can be paused indefinitely
Even if you manage to rollout an encryption policy to all PC’s in your enterprise there’s still a nasty little thingy that might come back and bite you in the behind. When a Windows Vista PC encrypts its hard drive the user receives a information balloon. Depending on the way you implemented it the user might be able to pause the encryption process indefinitely (the user is admin) or the user can fetch the password for an administrator-equivalent account from your script. Be aware!
Encrypting volumes other than the system volume isn’t supported
If you use manage-bde.wsf to implement BitLocker Drive Encryption you can actually instruct it to encrypt other volumes besides your system volume. (Note: your system volume first needs to be encrypted with BitLocker) Microsoft supports this for Windows Server Codename “Longhorn”, but not for Windows Vista.
BitLocker doesn’t interact with tokens or smart cards
You can’t use BitLocker with tokens or smart cards. You can use an USB device which unlocks after swiping your finger and store your Startup key on it. This doesn’t mean BitLocker isn’t two factor authentication. If you use BitLocker in a TPM + PIN scenario you have something you have (TPM chip) and something you know (PIN).
I believe Microsoft’s intent with BitLocker 1.0 is to create awareness for full disk encryption.
BitLocker is great if you use an administrator-equivalent account on a Windows Vista Ultimate machine and want to encrypt the data on it’s system volume. I don’t believe BitLocker 1.0 is enterprise-ready. I guess that’s why most large companies worldwide use encryption solutions from PointSec, Credant, Utimaco and SafeBoot.
I hope this information helps Microsoft make BitLocker version 2.0 enterprise-ready.
Windows Vista Security Primer
Windows BitLocker Drive Encryption Step-by-Step Guide
Windows BitLocker Drive Encryption Frequently Asked Questions
BitLocker Drive Encryption Technical Overview
BitLocker Drive Encryption Glossary
How Ultimate Is This?
Enterprise And Server: Use Of BitLocker™ Drive Encryption
A best practice guide on how to configure BitLocker (Part 1)
A best practice guide on how to configure BitLocker (Part 2)
BitLocker Drive Encryption: Hardware Enhanced Data Protection
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information
Tomek on BitLocker(ed)
Tomek on Schema extensions for Vista new features
Gartner’s “Magic Quadrant for Mobile Data Protection 2006”
AES-CBC + Elephant diffuser A Disk Encryption Algorithm for Windows Vista
Vista, how you have failed me
ActiveWin.com: A Look at BitLocker Drive Encryption
My Secure Vista Install
BitLocker and disk decommissioning
Related KnowledgeBase articles
How to encrypt data volumes in Windows Vista
BitLocker Drive Encryption (BDE) enables the PagefileOnOSVolume registry setting in Windows Vista
How to use the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool to view recovery passwords for Windows Vista
Error message when you try to start a Windows Vista-based computer that is configured to use BitLocker: “The PIN has been entered incorrectly too many times”
Error messages after you install the BitLocker Drive Encryption schema updates in a Windows Server 2003 domain