BitLocker and BitLocker To Go are the full disk encryption features of the latest Windows operating systems, available in the Enterprise and Ultimate editions. They are designed for full-volume data protection, encrypting computing devices and data volumes so that mobile data within a computing environment is protected from offline attacks. This prevents an attacker from removing a hard disk from one computer and using it in another computer, or accessing it by booting from a DVD.
System Requirements and Various Modes of BitLocker
BitLocker can use various platforms to hold its encryption keys, one of them being the Trusted Platform Module (TPM). This gives it the ability to provide different levels of security for offline data volumes. In TPM mode, the only thing required to boot the computer is the TPM chip; the user will still be required to log on to Windows if that has been configured. Although this does not prevent an attack once the computer has started up, it protects against offline attacks. A PIN is used to protect the keys inside the TPM chip, and the user is required to enter this PIN to render the computer usable.
BitLocker Authentication Mechanisms
BitLocker encryption can be implemented using one of three mechanisms: transparent operation mode, user authentication mode and USB key mode.
Transparent operation mode uses the capabilities of TPM 1.2 hardware. In this mode the user powers up and logs on to Windows normally. The disk encryption key is sealed by the TPM chip and is only released to the operating system loader code if the preceding boot files appear unmodified. This is achieved by the pre-OS components of BitLocker through implementation of a static root of trust measurement. The disadvantage of this mode is that a powered-down machine can be booted by an attacker, making this mode vulnerable to cold boot attacks (Beave, 2009).
User authentication mode requires a pre-boot PIN for user authentication. Although the PIN provides immunity against the attack described above, it leaves the computer vulnerable to a bootkit attack.
In USB key mode, the startup key is stored on a USB device, and the user is required to insert this USB device into the computer before booting the protected OS. The BIOS of the protected machine must be able to read USB devices before the OS starts up. This mode is also vulnerable to a bootkit attack.
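The following PowerShell script is an added example, not code from the original article, that audits which of the three authentication modes each BitLocker volume on a machine is actually using, so an administrator can spot volumes left in TPM-only (transparent) mode, the configuration the text calls out as exposed to cold boot attacks. It assumes the BitLocker module that ships with Windows (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector) and the Get-Tpm cmdlet; the drive letter C: and the mode labels are assumptions for illustration.

```powershell
# Added example (not from the original article): map each volume's key
# protectors to the authentication mode described in the text.
# Assumes the Windows BitLocker PowerShell module and Get-Tpm are available.

function Get-BitLockerAuthMode {
    param([Parameter(Mandatory)] [string[]] $ProtectorTypes)

    # KeyProtectorType values as reported by Get-BitLockerVolume.
    # ExternalKey covers a startup key or recovery key stored as a .bek file.
    if ($ProtectorTypes -contains 'TpmPin' -or $ProtectorTypes -contains 'TpmPinStartupKey') {
        return 'User authentication mode (TPM + pre-boot PIN)'
    }
    if ($ProtectorTypes -contains 'TpmStartupKey' -or $ProtectorTypes -contains 'ExternalKey') {
        return 'USB key mode (startup key on removable device)'
    }
    if ($ProtectorTypes -contains 'Tpm') {
        return 'Transparent operation mode (TPM only; exposed to cold boot attack)'
    }
    return 'No pre-boot authentication protector'
}

function Get-BitLockerModeReport {
    # TpmPresent / TpmReady tell you whether a TPM-based mode is even possible.
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            AuthMode         = Get-BitLockerAuthMode -ProtectorTypes $types
            TpmReady         = $tpm.TpmReady
            # A recovery password should always exist alongside a PIN or USB key,
            # otherwise a forgotten PIN or lost stick means an unrecoverable drive.
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

# How each mode is enabled on the OS volume (reference only; run one of them
# deliberately, not all three):
#   Transparent:   Enable-BitLocker -MountPoint 'C:' -TpmProtector
#   User auth:     $pin = Read-Host -AsSecureString 'Pre-boot PIN'
#                  Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
#   USB key:       Enable-BitLocker -MountPoint 'C:' -TpmAndStartupKeyProtector -StartupKeyPath 'E:\'
#   Then always:   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector

Get-BitLockerModeReport | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since Get-BitLockerVolume only returns key protector details to administrators. The report does not change anything; the Enable-BitLocker lines are left as comments so that a reviewer can see how each mode in the text maps to a protector type without the script switching a machine's mode as a side effect.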
Data Encryption and the Purpose of Configuring Data Recovery Agents
BitLocker-protected drives can be decrypted using the smart card certificates and public keys available to data recovery agents. Before a data recovery agent can be configured, it must be added under Public Key Policies, which can be done in either the Local Group Policy Editor or the Group Policy Management Console. It is recommended that you also configure and enable the unique identifiers for your organization policy setting and associate the identifier with any new BitLocker-enabled data volume. Note that BitLocker can only update a data recovery agent if the identification field present on a data volume and the value configured on the computer are exactly alike (Beave, 2009).
Different Group Policy Settings that Can be Configured for BitLocker and BitLocker To Go
There are two tools for configuring the Group Policy settings for BitLocker: the Local Group Policy Editor and the Group Policy Management Console (GPMC). The settings are found under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. In most cases these settings are applied when BitLocker is initially turned on for a data volume. BitLocker cannot be turned off or modified unless the computer is in compliance with the existing Group Policy settings. Consequently, if a computer drive is not in compliance with the current Group Policy settings, no alteration or modification can be made to BitLocker's configuration of that drive, except for changes that bring the drive into compliance (Beave, 2009).
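The script below is an added example, not code from the original article, serving both the data recovery agent section and the Group Policy section above. It reads the identification field and DRA settings that the policies under BitLocker Drive Encryption write to the registry, parses the identification field BitLocker stamped on a volume, and reports whether the two match exactly, which is the precondition the text gives for a data recovery agent to be applied. It assumes the policy registry path HKLM:\SOFTWARE\Policies\Microsoft\FVE and the "Identification Field:" line of manage-bde -status output; the sample status text is constructed so the parser can be exercised on a machine without BitLocker.

```powershell
# Added example (not from the original article): check the identification-field
# match that the text says a data recovery agent (DRA) update depends on.
# Assumes the BitLocker policy registry location and manage-bde -status layout.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerIdPolicy {
    # Values written by "Provide the unique identifiers for your organization"
    # and the per-drive "Choose how ... drives can be recovered" DRA settings.
    if (-not (Test-Path $PolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        IdentificationField          = $p.IdentificationFieldString
        SecondaryIdentificationField = $p.SecondaryIdentificationField
        OSVolumeDraAllowed           = ($p.OSManageDRA -eq 1)
        DataVolumeDraAllowed         = ($p.FDVManageDRA -eq 1)
    }
}

function Get-VolumeIdentificationField {
    param([Parameter(Mandatory)] [string] $StatusText)
    # Parse the "Identification Field:" line from manage-bde -status output.
    foreach ($line in ($StatusText -split "`r?`n")) {
        if ($line -match '^\s*Identification Field:\s*(.+?)\s*$') {
            $value = $Matches[1]
            if ($value -eq 'None' -or $value -eq 'Unknown') { return $null }
            return $value
        }
    }
    return $null
}

function Test-DraApplies {
    param([string] $PolicyId, [string] $VolumeId)
    # The text's rule: the DRA only applies when both values are exactly alike,
    # so the comparison is case-sensitive (-ceq).
    if ([string]::IsNullOrEmpty($PolicyId)) { return 'No identification field configured in policy' }
    if ([string]::IsNullOrEmpty($VolumeId)) { return 'Volume has no identification field; set it with manage-bde -SetIdentifier <drive>' }
    if ($PolicyId -ceq $VolumeId) { return 'Match: DRA can be applied to this volume' }
    return "Mismatch: policy '$PolicyId' vs volume '$VolumeId'; DRA will not be applied"
}

# Constructed sample of manage-bde -status output, used when manage-bde is absent.
$SampleStatus = @"
Volume C: [OS]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: EXAMPLE-ORG-ID
    Key Protectors:
        TPM
        Numerical Password
"@

$policy = Get-BitLockerIdPolicy
$status = if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) {
    (manage-bde -status C:) -join "`n"
} else {
    $SampleStatus
}
$volumeId = Get-VolumeIdentificationField -StatusText $status
Test-DraApplies -PolicyId $policy.IdentificationField -VolumeId $volumeId
```

manage-bde prints localized labels on non-English systems, so the regular expression should be adjusted to the local "Identification Field" string there. When the policy key is absent (no Group Policy applied), the script reports that no identification field is configured, which is the same state in which BitLocker will not associate a DRA with the volume.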