• No results found

BitLocker Network Unlock & BitLocker support for Encrypted Drives

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "BitLocker Network Unlock & BitLocker support for Encrypted Drives"

Copied!
12
0
0

Loading.... (view fulltext now)

Download now ( 12 Page )

Full text

(1)

presented by

BitLocker Network Unlock

&

BitLocker support for Encrypted Drives

UEFI Winter Plugfest – February 21-23, 2011

Presented by Narendra Acharya (Microsoft)

UEFI Plugfest – February 2012 www.uefi.org 1

(2)

Agenda

BitLocker Network Unlock

Windows Requirements for Network

Unlock

Validating Network Unlock

BitLocker & Encrypted Drives

Windows Requirements for Encrypted

Drives

Validating Encrypted Drives

(3)

BitLocker Network Unlock

(4)

BitLocker Network Unlock

Windows 7 BitLocker Unlock experience

– TPM + PIN key protector which provides a high level of protection

– Significant deployment problem for servers, which need to be serviced and restarted with no human interaction

– Power management calls for shutting down or hibernating machine in order to save electricity, especially at night

– Causes problems by preventing Wake-On-LAN

Windows 8 improves BitLocker Unlock experience

– No user prompting

– Uses Wired network, Windows Deployment Server (WDS) & DHCP

– BitLocker (at pre-boot) discovers its Network Unlock provider on WDS

– Retrieves a secret from WDS

– Automatically unlocks the OS volume using the secret & the TPM

(5)

Requirements for Network Unlock

Systems with wired LAN ports and TPMs must support BitLocker Network

Unlock

– Requires full DHCP support for wired LAN during pre-boot through a UEFI DHCP driver

– Includes support for EFI_DHCP4 and DHCP6 protocols defined in UEFI 2.3.1 • EFI_DHCP4_PROTOCOL

• EFI_DHCP4_SERVICE_BINDING_PROTOCOL

• EFI_DHCP6_PROTOCOL

• EFI_DHCP6_SERVICE_BINDING_PROTOCOL

If implemented for Server

– Support for both IPv4 and IPv6 required

System.Fundamentals.Firmware.UEFIBitLocker

UEFI Plugfest – February

(6)

Validating Network Unlock

• Download the ‘Network Key Protector Test Suite’ from Microsoft Connect & Refer Instructions

• Use 3 Machines & a regular Network Switch

• Setup DHCP server - Windows Server 2008 R2 or Windows 8 Server • Setup WDS Server - Windows 8 Server only

– Install WDS role and BitLocker Network Unlock feature

– Initialize WDS server – Type from Administrator CMD prompt: ‘wdsutil /Verbose /initialize-server /reminst:"c:\RemoteInstall" /standalone’

– Add Network Unlock private certificate: Run ‘server-applycert.cmd’

– Restart WDS Server: Run ‘net stop wdsserver’ & Run ‘net start wdsserver’

• Setup UEFI Client – Windows 8 Client

– Setup Group Policy: Run ‘client-gp-usepin.cmd’

– Add Network Unlock public key: Run ‘reg import RSA2048NKP_FVE_NKP.reg’

– Turn on BitLocker with TPM+PIN (1234) & Save the Recovery Password

– Verify ‘manage-bde –status’ output protector lists has “Network (Certificate based)”

– Restart the machine

• If OS boots directly to Windows Logon  Network Unlock works

(7)

BitLocker support for

Encrypted Drives

(8)

BitLocker & Encrypted Drives

Windows 7 BitLocker performance implications and storage support

– Overhead during encryption, run-time, startup, etc.

– Performance implications exacerbated on low-power PCs and Slates

– Hardware Encrypted Drives not supported on Windows 7

Windows 8 improves BitLocker performance and supports Encrypted

Drives

– Encrypted Drives offload processing to hardware

– Specialized hardware reduces power use and increases battery life

– Initial encryption time of volumes eliminated. Run time improved

– BitLocker manages keys

(9)

Requirements for Encrypted Drives

Systems with Encrypted Drive must support BitLocker

– Requires support for EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined in UEFI 2.3.1

• IEEE 1667 TCG Silo

• TCG OPAL v2.0

• Single User Mode

– Support Programmatic Tper Reset

System.Fundamentals.Firmware.UEFIEncryptedHDD

UEFI Plugfest – February

(10)

Validating Encrypted Drives

Correctly provision & partition using Windows 8 in-box tools like

Setup / Diskmgmt.msc / Diskpart.exe

Ensure TPM is enabled & activated (Use TPM.msc)

“Turn on BitLocker” on the OS volume & Ensure to select “Run

BitLocker system check” option on the final UI page

Restart the machine & Type the following from an Administrator

CMD prompt: ‘manage-bde -status’

You are done if it says ‘Encryption Method: Hardware

Encryption’

If error message specifying BitLocker can’t be enabled appears

after you login, then:

Capture the error information

Export the events from: Applications & Services

Logs

Microsoft

Windows

BitLocker-API

(11)

Questions?

Contact

BitLocker Network Unlock:

[email protected]

BitLocker & Encrypted Drives:

[email protected]

UEFI Plugfest – February

(12)

Thanks for attending the

UEFI Winter Plugfest 2012

For more information on

the Unified EFI Forum and

UEFI Specifications, visit

http://www.uefi.org

References

Download now ( PDF - 12 Page - 566.31 KB )

Related documents

Using BitLocker to encrypt a Windows 8 device

Step 18: Place a check in the "Run BitLocker system check" box and then click Continue to begin the encryption process. A message will appear that says a restart is required

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

default settings of PCRs allow for core root of trust measurements (CRTM) prior to the handing of the boot manager kernel to the Windows 7 kernel; this allows checking for root

Acceptable Encryption Usage for UTHSC

If you want the removable data drive to automatically unlock, you can specify that option after encryption has occurred by clicking Manage BitLocker from the BitLocker

BitLocker To Go USB Flash Drive encryption User Guide

• If you forget the password for the encrypted drive, the BitLocker recovery key which was either saved or printed when setting up encryption will enable you to unlock the drive

Encrypting with BitLocker for disk volumes under Windows 7

To encrypt the drive that Windows is installed on (the operating system drive), BitLocker stores its own encryption and decryption key in a hardware device that is separate from

E-Pollbook Flash Drive Guide for BitLocker

In order to save or open files from a drive encrypted with BitLocker, you must first unlock the drive by entering the encryption password.. Without the password or the Recovery

BitLocker to Go: Encryption for personal USB flash drives (Windows 7 and 8)

If you forget the password for your encrypted flash drive, you can use the BitLocker recovery key (which you saved to your H: drive when you set up encryption) to unlock the drive

Using Bitlocker to Encrypt your Flash Drive Information Technology Services July 27, 2012

When you insert the BitLocker To Go encrypted drive in a Windows XP or Vista system, you will see an AutoPlay dialog box that prompts you to install the BitLocker To Go Reader,