Topics & Services
In Microsoft Windows, hard disks can be encrypted with “BitLocker”, which is integrated into the operating system. Since the cumulative update of September 24, 2019, BitLocker encrypts in software within Windows by default; hardware-side encryption was excluded because weaknesses in it had been discovered repeatedly. *1
Please note the difference between password, PIN and extended PIN.
At Jade University, BitLocker is used without a TPM. Currently, BitLocker is offered only for systems that are not joined to the Active Directory, that is, primarily for mobile devices.
Adjustment of local group policies
1. Open the local group policies by entering gpedit.msc in the Windows search box. Then expand Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption and click on Operating System Drives.
2. Under Operating System Drives, double-click “Request additional authentication at startup”.
3. Enable the option and make sure that “Allow BitLocker without a compatible TPM (…)” is checked. Accept the selection and confirm with “OK”.
4. Open the BitLocker administration by typing “Manage BitLocker” in the Windows search box. Activate BitLocker for the desired drive by clicking on “Activate BitLocker”.
Note: If the system hard disk is encrypted, the password defined earlier is requested every time the computer starts. If a hard disk or partition that serves only as data storage is encrypted, no password is requested at startup.
Define how the drive should be unlocked at startup
Create a password to unlock the drive
The password must be at least 8 characters long. Please also use numbers and special characters! Depending on the version of Windows 10, there are several ways to unlock the drive; the university computer centre supports only the password method. The password can either be entered manually or supplied via a USB stick.
How to back up the recovery key
The recovery key must never be stored on the encrypted device. Depending on the version and patch level of Windows 10, you may be offered the option of saving the recovery key to a Microsoft account, which we advise against. As a rule, store the key on a medium that is not connected to the device at all times.
Notice to staff: Additionally save the recovery file created under option 2 in the directory X:\HRZ-Support\Disk encryption\Recovery keys. This enables the PC-Technik of the HRZ to support you even if you cannot present the recovery key yourself. The specified directory has a so-called “mailbox function”: once a key has been saved there, only HRZ colleagues can read it.
Select how much space of the drive should be encrypted
Select the encryption mode to be used
Do you want to encrypt the drive now?
Enable the “Run BitLocker system check” option and follow the instructions. The computer must then be restarted for BitLocker drive encryption to begin.
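The following PowerShell script is an added example, not part of the HRZ instructions: it audits a Windows 10 client against the settings described above (policy allowing BitLocker without a TPM, password and recovery-password protectors, software rather than hardware encryption) and exports the recovery password only to a destination that is not itself a BitLocker-encrypted volume. The destination folder (e.g. 'E:\bitlocker' on a USB stick) is an assumption; the script must run in an elevated shell.

```powershell
#Requires -RunAsAdministrator
# Added example (not HRZ code): check the BitLocker-without-TPM setup described above
# and export the recovery password to media that is not BitLocker-encrypted.
function Test-BitLockerNoTpmPolicy {
    # gpedit writes the startup-authentication policy to these registry values.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyEnabled     = ($fve.UseAdvancedStartup -eq 1)
        AllowedWithoutTpm = ($fve.EnableBDEWithNoTPM -eq 1)
    }
}

function Test-OsDriveProtection {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        ProtectionOn         = ($vol.ProtectionStatus -eq 'On')
        # 'Hardware' means a self-encrypting drive does the work (the pre-September-2019 default).
        SoftwareEncryption   = ($vol.EncryptionMethod -notin 'None', 'Hardware')
        HasPasswordProtector = ($types -contains 'Password')
        HasRecoveryPassword  = ($types -contains 'RecoveryPassword')
        UsesTpm              = (@($types -match '^Tpm').Count -gt 0)
    }
}

function Export-RecoveryPassword {
    # $Destination is an existing folder, e.g. on a USB stick ('E:\bitlocker' is an assumed path).
    param([Parameter(Mandatory)][string]$Destination, [string]$MountPoint = $env:SystemDrive)
    $destRoot  = [System.IO.Path]::GetPathRoot((Resolve-Path -Path $Destination).Path).TrimEnd('\')
    $encrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
                 ForEach-Object { $_.MountPoint.TrimEnd('\') }
    if ($encrypted -contains $destRoot) {
        throw "Refusing to store the recovery key on BitLocker-encrypted volume $destRoot."
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) { throw "No recovery password protector on $MountPoint." }
    foreach ($p in $rp) {
        # Protector ID plus the 48-digit recovery password, the two values the wizard's file also holds.
        $file = Join-Path $Destination ("BitLocker Recovery Key {0}.txt" -f $p.KeyProtectorId.Trim('{}'))
        "Identifier: $($p.KeyProtectorId)`r`nRecovery Key: $($p.RecoveryPassword)" | Set-Content -Path $file
        $file
    }
}

Test-BitLockerNoTpmPolicy
Test-OsDriveProtection
```

Run `Export-RecoveryPassword -Destination 'E:\bitlocker'` after the audit; the call is refused if the target drive letter belongs to an encrypted volume.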
To decrypt the drive, click on “More options” and then select “Enter recovery key”.
Note: If you have already entered the password to unlock the drive, or the drive is unlocked automatically, it is neither necessary nor possible to enter the recovery key when decrypting the drive afterwards*.
BitLocker can therefore be completely disabled by entering the password, without any additional identification being required. In this case, deactivation is the same as decryption.
* This applies to a user with administrator rights. Deactivation of BitLocker can be prevented by restricting the rights of a standard user.
Right-click on a BitLocker-protected drive to open the “Manage BitLocker” menu. Here you can duplicate the system startup key. Alternatively, you can copy the key file directly; by default, however, this file is marked as a system file and is therefore hidden.
After serious security problems in the hardware encryption of data media have repeatedly been uncovered, Microsoft is now drawing a line under the matter: with the cumulative updates released on September 24, Windows' own hard disk encryption BitLocker ignores such functions by default. Instead, BitLocker will encrypt in software by default. In the past, BitLocker preferred to use existing hardware encryption features and only handled encryption itself when that was not possible. This change only affects newly encrypted drives; drives that have already been encrypted remain in their previous state. (Heise Group, Jürgen Schmidt, September 30, 2019) *1
Once again, security researchers have demonstrated critical vulnerabilities in certified Trusted Platform Modules (TPMs). The TPM-Fail attack chips away at the basic TPM concept. Firstly, such a TPM is supposed to protect cryptographic secrets particularly securely, as an additional instance independent of the main processor and operating system. Secondly, such TPMs undergo extensive certification in special laboratories, which check them for weaknesses. (Heise Group, Christof Windeck, November 14, 2019) *3
Author's note: Microsoft states that it does not use the affected ECDSA algorithm, so BitLocker is not currently affected by any TPM vulnerability. By default, the TPM is disabled in the BIOS/UEFI of our pool and workstation computers as well as our mobile devices, and it is therefore not visible in Device Manager. *10