For Geeks @nd the not so Geeky

Data Encryption – Windows Decryption Methods Keys and Security

Data Encryption Methods – BitLocker

BitLocker was originally introduced in Vista as a new Windows data encryption or disk encryption method for portable PC’s and is now also available in the Ultimate and Enterprise editions of Windows7.

It uses the Tusted Platform Module (TPM) microchip which stores encryption keys and other cryptographic data when Windows boots to restrict data access as well as taking care of data security and privacy.

A decryption program or any decrypting software utilities are useles in trying to crack the encryption code provided by BitLocker in combination with TPM.

data encryptionData encryption keys can be stored on a USB flash drive or a user can be asked to provide a pin code before he or she can access the data on the hard drive which includes the OS and registry files.

Advanced Encryption Standard (AES) can use up to 256 bit encryption methods while BitLocker implements the AES 128 algorithm symmetric key protected by an asymmetric key encryption.

BitLocker uses asymmetric secure key encryption which basically means that a public key and private key are needed to decrypt the data making it very hard for an attacker to figure out the private key even when they are in the possession of the public key.

Data Encryption and Security

BitLocker protects against

  • Data recovery from a stolen computer unless you have the recovery password
  • Protects the boot environment against any unauthorized changes as long as the PC has a TPM chip

Does not protect against

  • Data access between different users on a network or locally on a running computer. For this kind of protection consider NTFS, EFS and share permissions

TPM compares a hash of the OS system configuration with a previous stored snapshot. When this data does not match because of a disk error, BIOS change or other changes the system will enter recovery mode. This means the drive will be locked until valid recovery credentials have been supplied to gain access to the encrypted data.

TPM is not required for using BitLocker data encryption and security. Likewise it is also worth noting that while many of the newer PC’s have a TPM chip it is often not activated in the BIOS.

  • TPM Only mode – Provides a normal logon experience as long as the integrity of the file system, boot environment or hardware has not changed. Least secure
  •  TPM and PIN – PIN complexity can be set in group policy
  • TPM and Startup Key – Uses a USB flash drive to provide the startup key and is the only option available for a PC without a TPM chip. For PC’s with a TPM chip boot environment protection is provided
  •  TPM and SmartCard Certificate
  • No TPM – BitLocker uses a startup key or smartcard to provide encryption, no boot environment security. Needs to be configured with the Allow BitLocker without a compatible TPM option via gpedit.msc

For PC’s equipped with a TPM chip BitLocker can be configured through Control Panel -> System and Security -> BitLocker Drive Encryption. Note that you will get an error when no TPM hardware is present or enabled and if you haven’t configured the use of BitLocker without  TPM through group policy.

Data Encryption Methods – BitLocker To Go

Windows encryption BitLocker To Go can encrypt data on USB flash drives and portable hard drives. This data can be read on Vista and XP computers by downloading a special reader from Microsoft and does not require the computer to have TPM hardware.

All editions of Windows7 can read and write data to BitLocker To Go devices, but only the Enterprise and Ultimate editions can be used to configure these devices and create a data encryption key.

Data Encryption Policy – Group Policy Settings

Operating System Drives

  • Require Additional Authentication at Startup – For PC’s without a TPM chip requiring a startup key and/or pin
  • Require Additional Authentication at Startup (Windows Server 2008 and Windows Vista) – Similar to above except that you can only use a PIN or a startup key and not both
  • Allow Enhanced PINs for Startup – Enables the use of complex PINs containing various characters, numbers and symbols
  • Configure Minimum PIN Length for Startup – From 4 to 20 digits
  • Choose How BitLocker Protected OS Drives Can be Recovered – enables the use of a data recovery agent
  • Configure TPM Platform Validation Profile – Let’s you specify the way the TPM hardware chip secures the BitLocker encryption key

Fixed Data Drive Policies

  • Configure Use of Smart Cards on Fixed Data Drives – Option to require the use of smart card
  • Deny Write Access to Fixed Drives not Protected by BitLocker
  • Allow Access to BitLocker Protected Fixed Data Drives From Earlier Versions of Windows – Allows for the unlocking and viewing of FAT or FAT32 partitions on computers running older version of Windows, up to XP SP2
  • Configure Use of Passwords for Fixed Data Drives – Password complexity, minimum length requirement can be set
  • Choose How BitLocker Protected Drives Can be Recovered – Similar to above system drive option

Data Encryption Keys – Data Recovery Agents

A DRA is a user account that uses smart card certificates and public keys for data recovery and can be added through the Add Data Recovery Agent in local group policy. Certificates can be found on the local computer or from the AD DS in a domain.

A DRA can be used organization wide in an AD DS environment meaning you only need a single account instead of a specific recovery password for each encrypted volume.
After having specified the DRA you need to provide the unique identifiers for your organization by accessing the BitLocker Drive Encryption node in group policy.
After that you will need to configure the following policies

  • Choose How BitLocker-Protected Operating System Drives Can Be Recovered
  • Choose How BitLocker-Protected Fixed Drives Can Be Recover
  • Choose How BitLocker-Protected Removable Drives Can Be Recovered

Manage-bde Data Encryption and Decryption Command Line Options


Data Encryption Methods – Encrypting File System (EFS)

  • Available in Win7 Pro, Ultimate and Enterprise editions
  • Can encrypt individual files and folders unlike BitLocker which encrypts a whole volume
  • On a USB flash drive user needs appropriate decryption certificate to read encrypted content
  • Uses 2 keys – Public key or certificate availavle to anyone used to encrypt data and a private key for the individual user used to decrypt data with the corresponding public key
  • As soon as a user encrypts data on a Win7 PC EFS creates a file encryption key (FEK)  unique to every file or folder.  The FEK is encrypted or decrypted again by any user needing access instead of the whole file or folder
  • Allows you to encrypt individual files to multiple users but not folders
  • User must logon to the computer once to create an EFS certificate by encrypting any file
  • A recovery agent must be created to recover all files that users encrypt. This certificate can and should also be exported to another computer in case the user profile becomes corrupted
  • By default the local administrator account is the recovery agent. In an AD DS domain the first domain administrator takes on ths role, additional recovery agents can be created via group policy

Data Compression and Encryption

  • No file can be compressed and e encrypted at the same time
  • Data compression or encryption require the NTFS file system

Cipher EFS Data Encryption and Decryption Command Line Options


Windows 7 Encryption –

Comments are closed.