Hard Disk Encryption

General information

In Microsoft Windows, hard disks can be encrypted with the “BitLocker” software integrated into the operating system. Since the cumulative update of September 24, 2019, encryption is performed only in software within Windows; hardware-based encryption is no longer used because of repeatedly discovered weaknesses. *1

Please note the difference between a password, a PIN and an extended PIN.

  • Password: the term used when the user authenticates to the system without a TPM.
  • PIN / extended PIN: the term used when the user authenticates to the system with a TPM.

At Jade University, BitLocker is used without a TPM. Currently, BitLocker is offered only for systems that are not joined to the Active Directory, that is, primarily for mobile devices.

Preparations

  1. Back up your personal data or the whole system!
  2. Is the computer used by one person or by several?
    • Recommendation for a single user: unlock the drive with a password (see below)
    • Recommendation for several users: unlock the drive with a USB memory stick (see below)
  3. Assign a password to the local Windows account, if not already done
  4. Update the operating system to the latest version (Windows Update)
  5. Check the TPM status in the BIOS/UEFI and deactivate the TPM!
    • Open the BIOS/UEFI on Dell: F2
    • Open the BIOS/UEFI on HP: F10
    • Open the BIOS/UEFI on Lenovo: F1 or ESC (depending on the model)
  6. Adjust the local group policies for BitLocker (see below)
  7. Think up a password/PIN for BitLocker
  8. Have a USB stick ready for the recovery key (only a very small storage capacity is required)
    • If you authenticate via USB stick, a second USB stick is required.

Setup

Adjustment of local group policies

Procedure:

  1. Open the local group policies by entering gpedit.msc in the Windows search box. Then expand Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption and click on Operating System Drives.
  2. Under Operating System Drives, double-click “Require additional authentication at startup”.
  3. Enable the policy and make sure that “Allow BitLocker without a compatible TPM (…)” is checked. Accept the selection and confirm with “OK”.
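The following PowerShell function is an added example, not part of the HRZ page: it checks (and with -Apply writes) the local policy state that the gpedit steps above produce, and reports whether Windows sees a TPM. It assumes that the “Require additional authentication at startup” policy is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM (both 1), and that the Get-Tpm cmdlet is available. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the HRZ page): verify the "BitLocker without TPM" local policy.
# Assumption: the gpedit setting maps to the two DWORD values below.

function Test-BitLockerNoTpmPolicy {
    [CmdletBinding()]
    param(
        # Write the two values if they are missing (scripted equivalent of the gpedit steps)
        [switch]$Apply
    )

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $required  = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }
    $result    = [ordered]@{}

    if (-not (Test-Path $policyKey) -and $Apply) {
        New-Item -Path $policyKey -Force | Out-Null
    }

    foreach ($name in $required.Keys) {
        $current = $null
        if (Test-Path $policyKey) {
            $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($current -ne $required[$name] -and $Apply) {
            Set-ItemProperty -Path $policyKey -Name $name -Value $required[$name] -Type DWord
            $current = $required[$name]
        }
        $result[$name] = $current
    }

    # The page expects the TPM to be deactivated in BIOS/UEFI; Windows then reports TpmPresent = False.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $result['TpmPresent'] = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }

    $result['PolicyAllowsNoTpm'] = ($result['UseAdvancedStartup'] -eq 1 -and $result['EnableBDEWithNoTPM'] -eq 1)
    [pscustomobject]$result
}

Test-BitLockerNoTpmPolicy           # report only
# Test-BitLockerNoTpmPolicy -Apply  # write the values, then run: gpupdate /force
```

If PolicyAllowsNoTpm is False, the BitLocker wizard will refuse to continue on a machine without a TPM, which is the error users see when step 6 of the preparations was skipped.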

Encryption

Open the BitLocker administration by typing “Manage BitLocker” in the Windows search box. Activate BitLocker for the desired drive by clicking on “Turn on BitLocker”.

Note: If the system hard disk is encrypted, the previously defined password is requested during the startup process of the computer. If a hard disk or partition that serves only as data storage is encrypted, no password is requested at startup.

Define how the drive should be unlocked at startup

Choose here:

  • Insert a USB memory stick - for use by several people
  • Enter a password - for a single user

Create a password to unlock the drive

The password must be at least 8 characters long. Please also use numbers and special characters! Depending on the version of Windows 10, there are several ways to unlock the drive. The university computer centre (HRZ) supports only unlocking with a password. The password can either be entered manually or supplied via USB stick.

How to backup the recovery key

  • Option 1: Save to USB memory stick
    • However, use it only to back up the recovery key, not for other tasks
  • Option 2: Save to file (HRZ recommendation)
    • Save the recovery file in a location outside your PC (e.g. Z:\ drive)
  • Option 3: Print the recovery key
    • Printout on paper

The recovery key must never be stored on the encrypted device. Depending on the version and build of Windows 10, you may be offered to save the recovery key to a Microsoft account, which we advise against. In general, store the key on a medium that is not permanently accessible.

Notice to staff: Save the recovery file created under option 2 additionally in the directory X:\HRZ-Support\Disk encryption\Recovery keys. This enables HRZ PC-Technik to support you even if you cannot produce the recovery key. The specified directory has a so-called “mailbox function”, i.e. after saving, only HRZ colleagues can see this key.

Select how much space of the drive should be encrypted

Select the option “Encrypt entire drive” here

Select the encryption mode to be used

Select the option “New encryption mode” here

Do you want to encrypt the drive now?

Enable the “Run BitLocker System Check” option and follow the instructions. The computer must then be restarted for BitLocker drive encryption.
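The wizard steps from “Define how the drive should be unlocked” through “Do you want to encrypt the drive now?” can also be carried out with the BitLocker PowerShell module. The function below is an added example, not the HRZ procedure or Microsoft code: it enforces the page's password rule, adds a recovery password and saves it to a file outside the PC (placeholder path Z:\BitLocker, standing in for the recommended Z:\ drive), then encrypts the entire drive in XTS-AES mode with the hardware test enabled. It assumes the no-TPM policy from the previous section is in place, that the Enable-BitLocker, Add-BitLockerKeyProtector and Get-BitLockerVolume cmdlets are available, and that it runs elevated.

```powershell
# Added example (not from the HRZ page): enable BitLocker on the system drive without a TPM.
# Assumptions: no-TPM policy configured; $RecoveryKeyDir is outside the PC (placeholder Z:\BitLocker).

function Enable-HrzBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Password,
        # Recovery key destination; must never be on the encrypted device
        [string]$RecoveryKeyDir = 'Z:\BitLocker'
    )

    # Page rule: at least 8 characters, with numbers and special characters
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    if ($plain.Length -lt 8 -or $plain -notmatch '\d' -or $plain -notmatch '[^\w\s]') {
        throw 'Password must be at least 8 characters and contain a digit and a special character.'
    }
    $plain = $null

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    }

    # "How to backup the recovery key", option 2: add a 48-digit recovery password and save it to a file
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    if (-not (Test-Path $RecoveryKeyDir)) { New-Item -ItemType Directory -Path $RecoveryKeyDir | Out-Null }
    $file = Join-Path $RecoveryKeyDir ("BitLocker Recovery Key {0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
    @(
        'BitLocker Drive Encryption recovery key'
        "Identifier: $($recovery.KeyProtectorId)"
        "Recovery Key: $($recovery.RecoveryPassword)"
    ) | Set-Content -Path $file

    # "Enter a password", "Encrypt entire drive" (no -UsedSpaceOnly), "New encryption mode" (XTS-AES;
    # 256-bit chosen here), and "Run BitLocker system check" (no -SkipHardwareTest, so a restart follows)
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $Password

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
                      @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Usage: prompt for the password so it never lands in the command history
# Enable-HrzBitLocker -MountPoint 'C:' -Password (Read-Host -AsSecureString 'BitLocker password')
```

For the “several users” variant, replace the -PasswordProtector/-Password pair with -StartupKeyProtector -StartupKeyPath 'E:\' (E: being the USB stick); the recovery key file and the staff copy under X:\HRZ-Support are handled the same way in both cases.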

Options

Decryption of drives

To decrypt the drive, click on “More options” and then select “Enter recovery key”.

Note: If you have already entered the password to unlock the drive, or the drive is unlocked automatically, it is neither necessary nor possible to enter the recovery key when decrypting the drive afterwards*.

BitLocker can therefore be completely disabled by entering the password, without any additional identification. In this case, deactivation is the same as decryption.

* This applies to a user with administrator rights. Deactivation of BitLocker can be prevented by restricting the user to standard user rights.

Unlocking of drives

  • You can enable or disable the automatic unlocking of a drive. To do this, right-click on the drive and select “Manage BitLocker”.
  • Unlock a drive by double-clicking on it and entering the password (if it is not the system partition).
  • Automatic unlocking of the drive on certain computers: check the box “Automatically unlock on this PC” and confirm by entering the password.
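The unlocking options above, and the decryption behaviour described under “Decryption of drives”, map onto a few cmdlets of the BitLocker module. The script below is an added example, not code from the HRZ page: it lists the protection state of every volume (useful for checking that a drive is really protected and which protectors exist), unlocks a data drive with its password, and enables or disables “Automatically unlock on this PC”. It assumes the BitLocker module is available, that D: is a data volume (placeholder), and that it runs elevated.

```powershell
# Added example (not from the HRZ page): audit, unlock and auto-unlock BitLocker data drives.
# Assumption: D: is a BitLocker data volume (placeholder); elevated session.

function Get-HrzBitLockerStatus {
    # One line per volume: encryption state, lock state and configured protectors
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            VolumeStatus     = $_.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            ProtectionStatus = $_.ProtectionStatus    # On = protectors enforced; Off = none or suspended
            LockStatus       = $_.LockStatus
            Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
            AutoUnlock       = $_.AutoUnlockEnabled
        }
    }
}

function Unlock-HrzDataDrive {
    # "Unlock by double-clicking on the drive and entering the password" as a cmdlet call
    param(
        [string]$MountPoint = 'D:',
        [Parameter(Mandatory)][securestring]$Password
    )
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, LockStatus
}

function Set-HrzAutoUnlock {
    # "Automatically unlock on this PC": the data drive's key is stored on the OS drive,
    # so this is only safe (and only allowed by Windows) when the OS drive is BitLocker-protected
    param([string]$MountPoint = 'D:', [switch]$Disable)
    if ($Disable) {
        Disable-BitLockerAutoUnlock -MountPoint $MountPoint
    } else {
        $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
        if ($os.ProtectionStatus -ne 'On') {
            throw 'Enable BitLocker on the operating system drive before turning on auto-unlock.'
        }
        Enable-BitLockerAutoUnlock -MountPoint $MountPoint
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled
}

Get-HrzBitLockerStatus | Format-Table -AutoSize
# Unlock-HrzDataDrive -MountPoint 'D:' -Password (Read-Host -AsSecureString 'Drive password')
# Set-HrzAutoUnlock -MountPoint 'D:'            # turn auto-unlock on
# Set-HrzAutoUnlock -MountPoint 'D:' -Disable   # turn it off again
```

Decryption is the same one-liner in PowerShell as in the GUI, Disable-BitLocker -MountPoint 'C:', and like the GUI it needs nothing beyond administrator rights once the drive is unlocked, which is why the page recommends keeping everyday users as standard users.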

Save system startup keys on multiple USB memory sticks

Right-click on a BitLocker-protected drive to open the “Manage BitLocker” menu. Here you can duplicate the system startup key. Alternatively, you can copy the file. However, by default, this file is marked as a system file and is therefore hidden.

Information

Windows Security: BitLocker avoids hardware encryption in the future

“After serious security problems in the hardware encryption of data media have repeatedly been uncovered, Microsoft is now drawing a line under them: With the cumulative updates released on September 24, Windows' own hard disk encryption BitLocker ignores such functions by default. Instead, BitLocker will encrypt in software by default. In the past, BitLocker preferred to use existing hardware encryption features and only handled encryption itself when that was not possible. This change only affects newly encrypted drives; drives that have already been encrypted remain in their previous state.” (Heise Group, Jürgen Schmidt, September 30, 2019) *1

Attacks on Trusted Platform Modules from Intel and STMicroelectronics

“Once again, security researchers have demonstrated critical vulnerabilities in certified Trusted Platform Modules (TPMs). The TPM-Fail attack undermines the basic TPM concept. Firstly, such a TPM is supposed to protect cryptographic secrets particularly securely as an additional instance independent of the main processor and operating system. Secondly, such TPMs undergo extensive certification in special laboratories, which check them for weaknesses.” (Heise Group, Christof Windeck, November 14, 2019) *3

Author's note: Microsoft claims not to use the affected ECDSA algorithm, so BitLocker is not currently affected by any TPM vulnerability. By default, the TPM is disabled in the BIOS/UEFI of our pool and workstation PCs as well as mobile devices and is therefore not visible in the Device Manager. *10

Sources