Hard disk encryption

General

In Microsoft Windows, hard disks can be encrypted using the “BitLocker” software integrated into the operating system. Since the cumulative update of September 24, 2019, BitLocker encrypts new drives in software only; the hardware-side (self-encrypting drive) path is no longer used because of the vulnerabilities repeatedly found in it. *1

Please note the difference between password, PIN and extended PIN.

  • Password: The term password is used when the user authenticates to the system without a TPM.
  • PIN: PIN / Extended PIN is used when the user authenticates to the system with a TPM.

At Jade University, BitLocker is used without the use of TPM. Currently, BitLocker is only offered for systems without connection to the Active Directory - i.e. primarily for mobile devices.

Preparations

  1. Back up your personal data or the whole system!
  2. Is the computer used by one or more persons?
    • Recommendation for single use: Unlock the drive with a password (see below).
    • Recommendation if used by more than one person: Unlock the drive with a USB memory stick (see below).
  3. Assign password for local Windows account, if not already done
  4. Update operating system to the latest version (Windows update)
  5. Check TPM status in BIOS/UEFI - Please deactivate! The illustrations are only intended as a guide. Depending on the model, the display in BIOS/UEFI may differ.
    • Open BIOS/UEFI on Dell: F2
    • Open BIOS/UEFI on HP: F10
    • Open BIOS/UEFI on Lenovo: F1, F2 or ESC (depending on model)
  6. Adjust local group policies for BitLocker (see below)
  7. Create a password for BitLocker
  8. Have USB stick ready for the decryption key (only very small storage capacity required)
    • If the drive is to be unlocked via USB stick, a second USB stick is required

Setup

Adjustment of local group policies

Procedure:

1. Open the local group policies by entering gpedit.msc in the Windows search box. Then expand Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption. Next, click on Operating System Drives.

2. Under Operating System Drives, double-click to open “Require additional authentication at startup”.

3. Set the policy to Enabled and make sure that “Allow BitLocker without a compatible TPM (…)” is checked. Now accept the selection and confirm with “OK”.
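The same policy can be set and verified from an elevated PowerShell session. The following is an added example, not part of the HRZ procedure: it writes the registry values that the “Require additional authentication at startup” policy itself stores under the FVE policy key (value 2 means “allowed”, value 1 for EnableBDEWithNoTPM means the no-TPM option is ticked), reads them back, and checks that no TPM is visible to Windows, as the preparation steps require. The function names are this example's own.

```powershell
# Added example (not the HRZ page's own code). Run from an elevated PowerShell.
# The key and value names are the ones the local policy writes; the checks are ours.

$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$Wanted = @{
    UseAdvancedStartup = 1   # policy state "Enabled"
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2   # 2 = allowed, 1 = required, 0 = not allowed
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

function Set-BitLockerNoTpmPolicy {
    # Creates the policy key if missing and writes every value as a DWORD.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    foreach ($name in $Wanted.Keys) {
        New-ItemProperty -Path $FvePolicy -Name $name -PropertyType DWord `
            -Value $Wanted[$name] -Force | Out-Null
    }
}

function Test-BitLockerNoTpmPolicy {
    # Returns $true only if every value matches; warns about each mismatch.
    $ok = $true
    foreach ($name in $Wanted.Keys) {
        $actual = (Get-ItemProperty -Path $FvePolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($actual -ne $Wanted[$name]) {
            Write-Warning "$name is '$actual', expected $($Wanted[$name])"
            $ok = $false
        }
    }
    return $ok
}

function Test-TpmDisabledInFirmware {
    # The HRZ procedure expects the TPM to be switched off in BIOS/UEFI, in which
    # case Windows reports no TPM at all (TpmPresent = False).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    return (-not $tpm) -or (-not $tpm.TpmPresent)
}

Set-BitLockerNoTpmPolicy
if (-not (Test-BitLockerNoTpmPolicy)) { throw 'BitLocker policy values were not applied' }
if (-not (Test-TpmDisabledInFirmware)) {
    Write-Warning 'A TPM is still visible to Windows; disable it in BIOS/UEFI before continuing'
}
```

Values written directly to the registry are applied by BitLocker but do not appear as “Enabled” in gpedit.msc, so if you prefer to see the setting in the editor, use the three steps above and run only Test-BitLockerNoTpmPolicy to confirm the result.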

Encryption

Open the BitLocker administration by entering “Manage BitLocker” in the Windows search mask. Enable BitLocker for the desired drive by clicking on “Enable BitLocker”.

Note: If the system hard disk is encrypted, the password set beforehand is requested during the computer startup process. If a hard disk or partition that only serves as data storage is encrypted, no password is requested at startup.

Specify how the drive is to be unlocked at startup.

Select here

  • Connect USB memory stick - for use with several people
  • Enter a password - for single-use

Create a password to unlock the drive.

The password must be at least 8 characters. Please also use digits and special characters! Depending on the Windows 10 version, different options may be offered to unlock the drive. The university computer centre (HRZ) only offers the use of a password. The password can either be entered manually or supplied via a USB stick.

How should the recovery key be saved?

  • Option 1: Save to USB memory stick.
    • However, use this only to back up the recovery key, not for other tasks.
  • Option 2: Save to file (HRZ recommendation).
    • Save the recovery file in a location outside your PC (e.g. drive Z:\).
  • Option 3: Print recovery key
    • Print on paper

The recovery key must never be stored on the encrypted device. Depending on the version and release status of Windows 10, you may be offered to save the recovery key to a Microsoft account, which we do not recommend. As a rule, save the key on a medium that is not permanently connected to the computer.

Note to staff: In addition, save the recovery file created under option 2 in the directory X:\HRZ-Support\DiskEncryption\Recovery Key. This enables the PC-Technik of the HRZ to provide support even if you cannot present the recovery key. The specified directory has a so-called “mailbox function”, i.e. after saving, only the colleagues of the HRZ can read this key.

Select how much space of the drive should be encrypted.

Select the option “Encrypt entire drive” here.

Select encryption mode to use.

Select the option “New Encryption Mode” here.

Do you want to encrypt the drive now?

Check the “Run BitLocker system scan” option and follow the instructions. The computer must then be restarted so that the BitLocker drive encryption can start.

Options

Encrypt external disks

  1. Enable BitLocker on the corresponding drive
  2. Enter the password and click on continue
  3. Print the recovery key and save it on an external data storage device. This data storage should be used exclusively for keeping the recovery key. Please also note the possibility of our custody function under drive “x” (see section: “How should the recovery key be saved?”)
  4. Please select “encrypt entire drive”.
  5. Please select the compatible mode.
  6. Confirm the process. Finally, your external data medium is encrypted
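The wizard steps for the system drive (“Encryption” section above) and for an external drive (this section) can also be driven from the BitLocker PowerShell cmdlets. The following is an added example and not the HRZ procedure: it assumes the no-TPM policy from the group-policy section is in place, and the drive letters, the USB path for the startup key and the directory for the recovery file are placeholders. The mapping used is “New encryption mode” = XtsAes256, “Compatible mode” = Aes256, “Encrypt entire drive” = no -UsedSpaceOnly, and “Run BitLocker system scan” = not passing -SkipHardwareTest (which is why a restart follows). The function names are this example's own.

```powershell
# Added example (not the HRZ page's own code). Elevated PowerShell required.

function Export-RecoveryPassword {
    # Adds a 48-digit recovery password protector and writes it to a file that
    # must live outside the encrypted device (e.g. Z:\ or the HRZ support directory).
    param([string]$MountPoint, [string]$OutDir)
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    $file = Join-Path $OutDir ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @("Identifier: $($rp.KeyProtectorId)", "Recovery Key: $($rp.RecoveryPassword)") | Set-Content -Path $file
    return $file
}

function Enable-OsDriveEncryption {
    # System drive: XTS-AES-256 ("New encryption mode"), whole drive, hardware test on.
    param([string]$MountPoint = 'C:', [string]$StartupKeyUsb, [securestring]$Password)
    if ($StartupKeyUsb) {
        # Recommendation for several users: unlock with a USB memory stick (.BEK written there).
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -StartupKeyProtector -StartupKeyPath $StartupKeyUsb
    } else {
        # Recommendation for a single user: unlock with a password.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -PasswordProtector -Password $Password
    }
}

function Enable-DataDriveEncryption {
    # External/data drive: AES-CBC-256 ("Compatible mode"), unlocked with a password.
    param([string]$MountPoint, [securestring]$Password)
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -PasswordProtector -Password $Password
}

function Test-SoftwareEncryption {
    # True if the volume uses a software method (AES or XTS-AES, not the drive's own
    # hardware encryption), has a recovery password on record and no TPM protector.
    param([string]$MountPoint)
    $v     = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($v.KeyProtector.KeyProtectorType)
    return ($v.EncryptionMethod -in 'Aes128','Aes256','XtsAes128','XtsAes256') -and
           ('RecoveryPassword' -in $types) -and ('Tpm' -notin $types)
}

# Usage with placeholder paths. The password is prompted, never stored in the script.
$pw = Read-Host -Prompt 'BitLocker password (min. 8 chars, with digits and special chars)' -AsSecureString
if ($pw.Length -lt 8) { throw 'Password must be at least 8 characters' }

Export-RecoveryPassword   -MountPoint 'C:' -OutDir 'Z:\'            # recovery key outside the PC
Enable-OsDriveEncryption  -MountPoint 'C:' -Password $pw              # or: -StartupKeyUsb 'E:\'
# Restart now; the system check runs and encryption begins. Afterwards:
Test-SoftwareEncryption   -MountPoint 'C:'

# External drive, e.g. F:, following the "Encrypt external disks" steps:
Export-RecoveryPassword   -MountPoint 'F:' -OutDir 'Z:\'
Enable-DataDriveEncryption -MountPoint 'F:' -Password $pw
Test-SoftwareEncryption   -MountPoint 'F:'
```

Test-SoftwareEncryption is the check worth keeping after the restart: it confirms that the drive was encrypted by BitLocker itself rather than by the disk's own hardware encryption, that a recovery password exists, and that no TPM protector slipped in.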

Decryption of drives

To decrypt the drive you have to click on more options and then select “Enter recovery key”.

Info: If you have already entered the password to unlock the drive before or if the drive is unlocked automatically, entering the recovery key is not necessary or possible during a subsequent decryption*.

Accordingly, BitLocker can be switched off completely by entering the password, without any further identification. In this case, deactivation is the same as decryption.

*refers to a user with administrator rights. BitLocker deactivation can be prevented by restricting the rights of a standard user.

Unlocking drives

  • You can enable or disable the automatic unlocking of a drive. To do this, right-click on the drive and open “Manage BitLocker”.
  • Unlock by double-clicking on the drive and entering the password (if it is not a system partition)
  • Automatic unlocking of the drive on certain computers. To do this, check “Automatically unlock on this PC” and confirm by entering the password.

Save system boot keys on multiple USB memory sticks

Right-click on a BitLocker-protected drive to open the “Manage BitLocker” menu. Here the system startup key can be duplicated. Alternatively, the file can also be copied. However, this is marked as a system file by default and is therefore hidden.

Information

“Windows security: BitLocker avoids hardware encryption in the future

After serious security problems were uncovered again and again in the hardware encryption of data media, Microsoft now draws a line: with the cumulative updates published on 24 September, the Windows-own hard disk encryption BitLocker ignores such functions by default. Instead, BitLocker will perform encryption by default in software. Previously, BitLocker preferred to use existing hardware encryption features and only took care of encryption itself when that was not possible. The change only affects newly encrypted drives; already encrypted ones remain in their previous state.” (Heise Group, Jürgen Schmidt, 30.09.2019) *1

“Attacks on Trusted Platform Modules from Intel and STMicroelectronics

Once again, security researchers have identified serious vulnerabilities in certified Trusted Platform Modules (TPMs). The attack TPM-Fail scratches at the basic TPM concept. Firstly, such a TPM is supposed to protect cryptographic secrets particularly securely, as an additional instance independent of the main processor and operating system. Secondly, such TPMs go through elaborate certifications in special laboratories that test them for vulnerabilities.” (Heise Group, Christof Windeck, 11/14/2019) *3

Author's addition: According to its own information, Microsoft does not use the affected ECDSA algorithm, so BitLocker is not currently affected by any vulnerability on the part of the TPM. The TPM is disabled by default in the BIOS/UEFI on our pool and workstation computers as well as on the mobile devices and is therefore not visible in the Device Manager. *10

Sources

en/sg/pc-tec/hdd-encryption.txt · Last modified: 2021/05/03 15:35 by vi1005