
BitLocker

Posted in Technopedia, Application Security

BitLocker is a full disk encryption feature included with the Ultimate and Enterprise editions of Microsoft's Windows Vista and Windows 7 desktop operating systems, as well as the Windows Server 2008 and Windows Server 2008 R2 server platforms. It is designed to protect data by encrypting entire volumes. By default it uses the AES algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser, which adds disk-encryption-specific protection that AES alone does not provide.

BitLocker is available only in the Enterprise and Ultimate editions of Windows Vista and Windows 7. Users of other versions of Windows that don't include BitLocker can use a third-party encryption program to meet the need for full drive encryption (see Comparison of disk encryption software). In the RTM release of Windows Vista, only the operating system volume could be encrypted using the GUI; encrypting other volumes required the WMI-based scripts shipped with Windows Vista in the %Windir%\System32 folder. An example of how to use the WMI interface is the script manage-bde.wsf, which can be used to set up and manage BitLocker from the command line. With Windows Vista Service Pack 1 and Windows Server 2008, volumes other than the operating system volume can be BitLocker-protected using the graphical Control Panel applet as well.

The latest version of BitLocker, included in Windows 7 and Windows Server 2008 R2, adds the ability to encrypt removable drives.

BitLocker

BitLocker lets you encrypt the hard drive(s) on your Windows Vista Enterprise, Windows Vista Ultimate or Windows Server 2008 computer. BitLocker will not encrypt hard drives for Windows XP, Windows 2000 or Windows Server 2003; only Windows Vista and Server 2008 include BitLocker. BitLocker drives can be encrypted with 128-bit or 256-bit keys, which is plenty strong to protect your data in the event the computer is lost or stolen. BitLocker protects your hard drive from offline attack: the type of attack where a malicious user takes the hard drive out of your mobile machine and connects it to another machine to harvest your data. BitLocker also protects your data if a malicious user boots from an alternate operating system. With either attack method, the hard drive is encrypted, so someone who has physical access to the drive cannot read it. Now if you are a network admin and you need to harvest data from a hard drive when a machine fails, our tools include the functionality to prompt the admin for the recovery key so the hard drive can be accessed. We've done a good job at ensuring the data does not end up in the wrong hands, while making it easy for authorized users to access the data in the event of a failure.
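The WMI interface mentioned above (the same provider that manage-bde.wsf drives) and the recovery-key scenario for admins, as an added PowerShell audit that is not part of the original page or of Microsoft's tooling. The namespace, class, methods and return codes are the documented ones for Win32_EncryptableVolume; the script assumes an elevated PowerShell session on Vista SP1 / Server 2008 or later with BitLocker installed.

```powershell
# Added example, not code from the page or from Microsoft. Audits every
# BitLocker-capable volume through the WMI provider that manage-bde.wsf also uses.
# Assumes an elevated session on Vista SP1 / Server 2008 or later with BitLocker present.
$namespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Documented return values of the Win32_EncryptableVolume methods used below
$protectionNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$methodNames = @{
    0 = 'None'
    1 = 'AES-128 + Elephant diffuser'   # the Vista default described above
    2 = 'AES-256 + Elephant diffuser'
    3 = 'AES-128'
    4 = 'AES-256'
}

# Key protector type 3 = numerical password, i.e. the 48-digit recovery key an
# admin is prompted for when a machine fails. GetKeyProtectors returns $null
# when none exist, so filter empties out before counting.
function Get-RecoveryProtectorIds($volume) {
    @($volume.GetKeyProtectors(3).VolumeKeyProtectorID | Where-Object { $_ })
}

function Get-BitLockerAudit {
    Get-WmiObject -Namespace $namespace -Class Win32_EncryptableVolume | ForEach-Object {
        # Cast to [int]: WMI returns UInt32, which would miss the Int32 hashtable keys
        $status = [int]$_.GetProtectionStatus().ProtectionStatus
        $method = [int]$_.GetEncryptionMethod().EncryptionMethod
        $recoveryIds = Get-RecoveryProtectorIds $_

        # Findings a defender acts on: a volume exposed to the offline attack the
        # page describes, or one that is protected but cannot be recovered by an admin.
        $findings = @()
        if ($status -ne 1) { $findings += 'volume not protected' }
        if ($status -eq 1 -and $recoveryIds.Count -eq 0) { $findings += 'no recovery key protector' }

        New-Object PSObject -Property @{
            Drive        = $_.DriveLetter
            Protection   = $protectionNames[$status]
            Method       = $methodNames[$method]
            RecoveryKeys = $recoveryIds.Count
            Findings     = ($findings -join '; ')
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Protection, Method, RecoveryKeys, Findings -AutoSize
```

Volumes that report a method value outside the table (for example XTS modes on later Windows releases) show an empty Method column; extend the hashtable if you run this on newer systems.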

What does BitLocker do?

Again, BitLocker encrypts the hard drive(s) to protect the operating system from offline attacks. Server 2008, Windows Vista Enterprise, and Windows Vista Ultimate all include BitLocker functionality; Windows Vista Business Edition and the Home Editions do not. The RTM versions of Vista only allow BitLocker encryption of the C: drive. SP1 for Vista adds the ability to encrypt all of the hard drives belonging to the Vista machine, and Server 2008 can encrypt all of its attached hard drives as well. BitLocker might not make sense for your servers in the data center, but using BitLocker on servers in remote offices makes a lot of sense. How many remote offices have their servers in secure data centers? They don't! If you're lucky, your server sits in a locked closet; if you're unlucky, it sits under someone's desk. Deploying BitLocker to these machines makes perfect sense: if they are stolen, their data is encrypted and protected from the attacks they would otherwise be exposed to. Another piece that protects these remote servers is the Read-Only Domain Controller functionality. I won't go into it here, but it gives you fast logon for your remote users while ensuring that the full set of domain credentials is not stored on these remote office servers.

What does BitLocker not do?

BitLocker does not protect the computer's contents while the operating system is running. Again, BitLocker is built to defeat offline attacks; once the operating system is up and running, Windows Vista itself has to protect your data from unauthorized access. When Vista is up and running, unauthorized access can come in the form of:
  • A malicious user trying to log on to the local computer. Windows Vista can protect itself by enforcing a strict password policy with complexity requirements. If your data is important enough to encrypt, also require complex passwords and/or two-factor authentication. Two-factor authentication takes simple or easy-to-guess passwords out of the equation so that they are no longer a risk.
  • A malicious user connecting to the computer over the network to harvest data from the local computer. If the user has access to your physical network, they can try to connect to your machine over the network. Again, strict user permissions on the local machine and on your network as a whole will prevent malicious users from accessing your network.

