 | |
 Screenshot of the BitLocker Drive Encryption utility | |
| Other names | Device Encryption |
|---|---|
| Developer(s) | Microsoft |
| Initial release | January 30, 2007; 18 years ago (2007-01-30) |
| Operating system | Microsoft Windows |
| Type | Disk encryption software |
| Website | learn |
BitLocker is afull volume encryption feature included withMicrosoft Windows versions starting withWindows Vista. It is designed to protect data by providingencryption for entirevolumes. By default, it uses theAdvanced Encryption Standard (AES) algorithm incipher block chaining (CBC) or "xor–encrypt–xor (XEX)-based Tweaked codebook mode with ciphertext Stealing" (XTS) mode[1] with a 128-bit or 256-bitkey.[2][3] CBC is not used over the whole disk; it is applied to each individualsector.[3]
BitLocker originated as a part of Microsoft'sNext-Generation Secure Computing Base architecture in 2004 as a feature tentatively codenamed "Cornerstone"[4][5] and was designed to protect information on devices, particularly if a device was lost or stolen. Another feature, titled "Code Integrity Rooting", was designed to validate the integrity of Microsoft Windows boot and system files.[4] When used in conjunction with a compatibleTrusted Platform Module (TPM), BitLocker can validate the integrity of boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit access to a protected system.[6][7] BitLocker was briefly called Secure Startup before Windows Vista'srelease to manufacturing.[6]
BitLocker is available on:
| Developer(s) | Microsoft |
|---|---|
| Initial release | January 30, 2007; 18 years ago (2007-01-30) |
| Operating system | Microsoft Windows |
| Type | Command |
| License | Proprietarycommercial software |
| Website | manage-bde |
Initially, the graphical BitLocker interface in Windows Vista could only encrypt theoperating system volume.[13] Starting with Windows Vista with Service Pack 1 and Windows Server 2008, volumes other than the operating system volume could be encrypted using the graphical tool. Still, some aspects of the BitLocker (such as turning autolocking on or off) had to be managed through a command-line tool calledmanage-bde.wsf.[14]
The version of BitLocker included in Windows 7 and Windows Server 2008 Release 2 adds the ability to encrypt removable drives. OnWindows XP or Windows Vista, read-only access to these drives can be achieved through a program called BitLocker To Go Reader, ifFAT16,FAT32 orexFAT filesystems are used.[15] In addition, a new command-line tool calledmanage-bde replaced the oldmanage-bde.wsf.[16]
Starting with Windows Server 2012 and Windows 8, Microsoft has complemented BitLocker with the Microsoft Encrypted Hard Drive specification, which allows the cryptographic operations of BitLocker encryption to be offloaded to the storage device's hardware, for example,self-encrypting drives.[17][18] In addition, BitLocker can now be managed throughWindows PowerShell.[19] Finally, Windows 8 introducedWindows To Go in its Enterprise edition, which BitLocker can protect.[20]
Windows Mobile 6.5,Windows RT and core editions of Windows 8.1 includedevice encryption, a feature-limited version of BitLocker that encrypts the whole system.[21][22][23] Logging in with aMicrosoft account with administrative privileges automatically begins the encryption process. The recovery key is stored to either the Microsoft account orActive Directory (Active Directory requires Pro editions of Windows), allowing it to be retrieved from any computer. While device encryption is offered on all editions of Windows 8.1, unlike BitLocker, device encryption requires that the device meet theInstantGo (formerlyConnected Standby) specifications,[23] which requiressolid-state drives and a TPM 2.0 chip.[21][24]
Starting with Windows 10 1703, the requirements for device encryption have changed, requiring a TPM 1.2 or 2.0 module with PCR 7 support,UEFI Secure Boot, and that the device meets Modern Standby requirements or HSTI validation.[25]
Device encryption requirements were relaxed in Windows 11 24H2, with the Modern Standby, HSTI and Secure Boot compliance no longer required and the DMA interfaces blocklist removed.[26] And device encryption will be enabled by default by clean installation of Windows 11 24H2, calledauto device encryption.[27]
In September 2019 a new update was released (KB4516071[28]) changing the default setting for BitLocker when encrypting a self-encrypting drive. Now, the default is to use software encryption for newly encrypted drives. This is due to hardware encryption flaws and security concerns related to those issues.[29]
Three authentication mechanisms can be used as building blocks to implement BitLocker encryption:[30]
The following combinations of the above authentication mechanisms are supported, all with an optionalescrow recovery key:
BitLocker is alogical volume encryption system. (A volume spans part of ahard disk drive, the whole drive or more than one drive.) When enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS and boot sector), in order to prevent most offline physical attacks and boot sector malware.[38]
In order for BitLocker to encrypt the volume holding the operating system, at least twoNTFS-formatted volumes are required: one for the operating system (usually C:) and another with a minimum size of 100 MB, which remains unencrypted andboots the operating system.[38] (In case of Windows Vista andWindows Server 2008, however, the volume's minimum size is 1.5 GB and must have adrive letter.)[39] Unlike previous versions of Windows, Vista's "diskpart" command-line tool includes the ability to shrink the size of an NTFS volume so that this volume may be created from already allocated space. A tool called the BitLocker Drive Preparation Tool is also available from Microsoft that allows an existing volume on Windows Vista to be shrunk to make room for a new boot volume and for the necessarybootstrapping files to be transferred to it.[40]
Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk-encryption key protection mechanisms such as TPM, PIN orUSB key are configured.[41] The volume is then encrypted as a background task, something that may take a considerable amount of time with a large disk as every logical sector is read, encrypted and rewritten back to disk.[41] The keys are only protected after the whole volume has been encrypted when the volume is considered secure.[42] BitLocker uses a low-level device driver to encrypt and decrypt all file operations, making interaction with the encrypted volume transparent to applications running on the platform.[41]
Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the operating system is running. Protection of the files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS, therefore, offer protection against different classes of attacks.[43]
In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Services are hosted on a Windows version previous to Windows Server 2008).
BitLocker and other full disk encryption systems can be attacked by arogue boot manager. Once the malicious bootloader captures the secret, it can decrypt the Volume Master Key (VMK), which would then allow access to decrypt or modify any information on an encrypted hard disk. By configuring a TPM to protect the trusted boot pathway, including theBIOS andboot sector, BitLocker can mitigate this threat. (Note that some non-malicious changes to the boot path may cause aPlatform Configuration Register check to fail, and thereby generate a false warning.)[38]
The "Transparent operation mode" and "User authentication mode" of BitLocker use TPM hardware to detect whether there are unauthorized changes to the pre-boot environment, including theBIOS andMBR. If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow thebootup process to continue.[44] However, TPM alone is not enough:
All these attacks require physical access to the system and are thwarted by a secondary protector such as a USB flash drive or PIN code.
Although the AES encryption algorithm used in BitLocker is in thepublic domain, its implementation in BitLocker, as well as other components of the software, areproprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to anon-disclosure agreement.[49][50]
According to Microsoft sources,[51] BitLocker does not contain an intentionally built-inbackdoor, so there is no Microsoft-provided way forlaw enforcement to have guaranteed access to the data on a user's drive. In 2006, theUK Home Office expressed concern over the lack of a backdoor and tried entering into talks with Microsoft to get one introduced.[52] Microsoft developer and cryptographerNiels Ferguson denied the backdoor request and said, "over my dead body".[53] Microsoft engineers have said that United StatesFederal Bureau of Investigation agents also put pressure on them in numerous meetings to add a backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested that agents should look for thehard copy of theencryption key that the BitLocker program suggests that its users make.[54]
Niels Ferguson's position that "back doors are simply not acceptable"[53] is in accordance withKerckhoffs's principle. Stated by Netherlands-born cryptographerAuguste Kerckhoffs in the 19th century, the principle holds that acryptosystem should be secure, even if everything about the system, except the encryption key, is public knowledge.
Since 2020, BitLocker's method and data structure is public knowledge due to reverse engineering; the Linuxcryptsetup program is capable of reading and writing BitLocker-protected drives given the key.[55]
Starting with Windows 8 and Windows Server 2012, Microsoft removed the Elephant Diffuser from the BitLocker scheme for no declared reason.[56] Dan Rosendorf's research shows that removing the Elephant Diffuser had an "undeniably negative impact" on the security of BitLocker encryption against a targeted attack.[57] Microsoft later cited performance concerns, and noncompliance with theFederal Information Processing Standards (FIPS), to justify the diffuser's removal.[58] Starting with Windows 10 version 1511, however, Microsoft added a new FIPS-compliantXTS-AES encryption algorithm to BitLocker.[1] Starting with Windows 10 version 1803, Microsoft added a new feature called "Kernel Direct Memory access (DMA) Protection" to BitLocker, to protect againstDMA attacks viaThunderbolt 3 ports.[59][60] "Kernel Direct Memory access (DMA) Protection" only protects against attacks through Thunderbolt. Direct Memory Access is also possible throughPCI Express. In this type of attack an attacker would connect a maliciousPCI Express Device,[61] which can in turn write directly to the memory and bypass the Windows login. To protect again this type of attack, Microsoft introduced "Virtualization-based Security".[62][63]
In October 2017, it was reported that a flaw enabled private keys to be inferred frompublic keys, which could allow an attacker to bypass BitLocker encryption when an affected TPM chip is used.[64] The flaw is the Return of Coppersmith's Attack orROCA vulnerability which is in a code library developed byInfineon and had been in widespread use in security products such assmartcards and TPMs. Microsoft released an updated version of the firmware for Infineon TPM chips that fixes the flaw via Windows Update.[65]
