In Microsoft Windows, hard disks can be encrypted using the “BitLocker” software integrated into the operating system. Since the cumulative update of September 24, 2019, BitLocker performs the encryption in software within Windows only, as hardware-based drive encryption has been excluded by default due to the vulnerabilities repeatedly found in it. *1
Please note the difference between password, PIN and extended PIN.
At Jade University, BitLocker is used without a TPM. Currently, BitLocker is only offered for systems that are not joined to the Active Directory, i.e. primarily for mobile devices.
Adjustment of local group policies
1. Open the local group policies by entering gpedit.msc in the Windows search box. Then expand Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption. Next, click on Operating System Drives.
2. Under Operating System Drives, double-click “Require additional authentication at startup” to open it.
3. Set the policy to Enabled and make sure that “Allow BitLocker without compatible TPM (…)” is checked. Accept the selection and confirm with “OK”.
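The three gpedit steps above write two values under the BitLocker policy key; the following added PowerShell script (not part of this HRZ page) applies them directly and checks that no TPM is visible, which is the situation the page assumes. It assumes administrator rights and the TrustedPlatformModule module that ships with Windows 10.

```powershell
# Added example, not from the HRZ page. Registry equivalent of the local policy
# "Require additional authentication at startup" with "Allow BitLocker without a
# compatible TPM" ticked. BitLocker reads these values directly; gpedit.msc will
# still display "Not configured" because Registry.pol is not updated here.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Required = @{
    UseAdvancedStartup = 1   # policy enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
}

function Set-NoTpmBitLockerPolicy {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Required.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $Required[$name] -Type DWord
    }
}

function Test-NoTpmBitLockerPolicy {
    # Returns $true only when both values are present with the expected data.
    $ok = $true
    foreach ($name in $Required.Keys) {
        $actual = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Required[$name]) {
            Write-Warning "$name is '$actual', expected $($Required[$name])"
            $ok = $false
        }
    }
    return $ok
}

function Test-TpmAbsent {
    # Get-Tpm fails or reports TpmPresent = $false when the TPM is disabled in UEFI,
    # which is the default on the university's devices according to the page.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    return (-not $tpm) -or (-not $tpm.TpmPresent)
}

Set-NoTpmBitLockerPolicy
if (Test-NoTpmBitLockerPolicy) { 'Policy matches gpedit steps 1 to 3.' }
if (Test-TpmAbsent) {
    'No TPM visible: a startup password (or USB startup key) will be required.'
} else {
    'A TPM is present: BitLocker will prefer it unless it is disabled in the UEFI.'
}
```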
Open the BitLocker administration by entering “Manage BitLocker” in the Windows search mask. Enable BitLocker for the desired drive by clicking on “Enable BitLocker”.
Note: Please note that if the system hard disk is encrypted, a previously set password will be requested during the computer startup process. If a hard disk or partition is encrypted that only functions as data storage, no password is requested here.
Specify how the drive is to be unlocked at startup.
Create a password to unlock the drive.
The password must be at least 8 characters long. Please also use digits and special characters. Depending on the version of Windows 10, different options may be offered for unlocking the drive. The university computer centre only offers unlocking with a password. The password can either be entered manually or supplied via a USB stick.
How should the recovery key be saved?
The recovery key must never be stored on the encrypted device. Depending on the version and release status of Windows 10, you may be offered the option of saving the recovery key to a Microsoft account, which we do not recommend. As a rule, the key should be saved on a medium that is not permanently connected or accessible.
Note to staff: In addition, save the recovery file created under option 2 in the directory X:\HRZ-Support\DiskEncryption\Recovery Key. This enables the PC-Technik of the HRZ to provide support even if you cannot present the recovery key. The specified directory has a so-called “mailbox function”, i.e. once the key has been stored there, only the HRZ colleagues can see it.
Select how much space of the drive should be encrypted.
Select encryption mode to use.
Do you want to encrypt the drive now?
Check the “Run BitLocker system check” option and follow the instructions. The computer must then be restarted for BitLocker drive encryption to begin.
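After the restart, the choices the wizard asked for (password protector, recovery key kept off the device, entire drive encrypted, software rather than hardware encryption) can be verified from PowerShell. This audit is an added example, not part of the HRZ page; it assumes administrator rights, the built-in BitLocker module, and that a wizard-written recovery file starts with “BitLocker Recovery Key” (assumed name pattern).

```powershell
# Added example, not from the HRZ page: audit every BitLocker volume against the
# rules in the text above. Requires administrator rights and the BitLocker module.
function Get-BitLockerAudit {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $keyFiles = @()
        if ($v.VolumeStatus -ne 'FullyDecrypted') {
            # A recovery file on the encrypted volume itself breaks the rule
            # "the recovery key must never be on the encrypted device".
            # The file name pattern is an assumption; depth is limited to keep it quick.
            $keyFiles = @(Get-ChildItem -Path "$($v.MountPoint)\" -Filter 'BitLocker Recovery Key*' `
                -File -Force -Recurse -Depth 4 -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            MountPoint           = $v.MountPoint
            VolumeType           = $v.VolumeType           # OperatingSystem or Data
            Status               = $v.VolumeStatus         # FullyEncrypted is the goal
            Percent              = $v.EncryptionPercentage # 100 once "encrypt entire drive" is done
            # Aes*/XtsAes* = software encryption; 'Hardware' would mean a self-encrypting
            # drive was used, which the September 2019 update no longer does by default.
            Method               = $v.EncryptionMethod
            HasPassword          = ($types -contains 'Password')
            HasRecoveryPassword  = ($types -contains 'RecoveryPassword')
            HasUsbStartupKey     = ($types -contains 'ExternalKey')   # .BEK file on a USB stick
            UsesTpm              = (@($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)
            RecoveryFileOnVolume = ($keyFiles.Count -gt 0)          # should be $false
        }
    }
}

# Flag anything that deviates from the setup described on this page.
$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize
foreach ($row in $audit) {
    if ($row.Status -eq 'FullyDecrypted') { continue }
    if ($row.UsesTpm)              { Write-Warning "$($row.MountPoint): TPM protector present, page expects password only." }
    if ($row.Method -eq 'Hardware'){ Write-Warning "$($row.MountPoint): hardware (SED) encryption in use." }
    if (-not $row.HasRecoveryPassword) { Write-Warning "$($row.MountPoint): no recovery password protector." }
    if ($row.RecoveryFileOnVolume) { Write-Warning "$($row.MountPoint): recovery key file stored on the encrypted volume!" }
}
```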
2. Enter the password and click on Continue.
3. Print the recovery key and save it on an external data storage device. This storage device should be used exclusively for keeping the recovery key. Please also note our custody option under drive “X” (see section: “How should the recovery key be saved?”).
4. Select “Encrypt entire drive”.
5. Select the compatible mode.
6. Confirm the process. Your external data medium is then encrypted.
To decrypt the drive you have to click on more options and then select “Enter recovery key”.
Info: If you have already entered the password to unlock the drive before or if the drive is unlocked automatically, entering the recovery key is not necessary or possible during a subsequent decryption*.
BitLocker can accordingly be completely deactivated by entering the password without the need for additional identification. Deactivation in this case is to be equated with decryption.
*refers to a user with administrator rights. BitLocker deactivation can be prevented by restricting the rights of a standard user.
Save system startup keys on multiple USB memory sticks
Right-click a BitLocker-protected drive to open the “Manage BitLocker” menu. Here the system startup key can be duplicated. Alternatively, the key file can also be copied; however, it is marked as a system file by default and is therefore hidden.
“After serious security problems were uncovered again and again in the hardware encryption of data media, Microsoft is now drawing a line: with the cumulative updates published on 24 September, the Windows-own hard disk encryption BitLocker ignores such functions by default. Instead, BitLocker will perform the encryption itself in software by default. Previously, BitLocker preferred to use existing hardware encryption features and only took care of the encryption itself when that was not possible. The change only affects newly encrypted drives; already encrypted ones remain in their previous state.” (Heise Group, Jürgen Schmidt, 30.09.2019) *1
“Once again, security researchers have identified serious vulnerabilities in certified Trusted Platform Modules (TPMs). The TPM-Fail attack calls the basic TPM concept into question. Firstly, such a TPM is supposed to protect cryptographic secrets particularly securely, as an additional instance independent of the main processor and operating system. Secondly, such TPMs go through elaborate certifications in special laboratories that test them for vulnerabilities.” (Heise Group, Christof Windeck, 11/14/2019) *3 Author's addition: According to its own information, Microsoft does not use the affected ECDSA algorithm, so BitLocker is not currently affected by any vulnerability on the part of the TPM. On our pool and workstation PCs as well as on the mobile devices, the TPM is disabled by default in the BIOS/UEFI and is therefore not visible in the Device Manager. *10