T 3.97 Violation of confidentiality in spite of BitLocker drive encryption under Windows Vista and higher

BitLocker Drive Encryption (BDE) is a program for encrypting partitions on storage media. BitLocker requires at least two partitions: an unencrypted system partition (usually S:\), which is not shown in Explorer, and the actual Windows partition (usually C:\), on which the operating system is installed.

BDE encrypts the Windows partition completely, with the exception of the boot sector and a section containing BitLocker metadata. Further partitions on internal hard drives, such as a data partition, can only be encrypted with BDE under Windows Vista with Service Pack 1 or later. From Windows 7 and Windows Server 2008 R2 on, BDE includes the BitLocker To Go function for encrypting removable and virtual storage media.

A user of Windows Vista without Service Pack 1 may incorrectly assume that BDE encrypts all data on the hard drive, including the data on an additional data partition. This can lead to a violation of the confidentiality of user data if, contrary to the user's assumption, that data is not stored in encrypted form.

BDE is completely transparent to users on a running Windows Vista system. During start-up, BDE unlocks the partitions once the correct credentials or biometric identification have been entered, and the data remains accessible in unencrypted form for the entire runtime of the IT system. During this time BDE provides no protection for the confidentiality of the data; in particular, BDE offers no protection against a violation of confidentiality by malicious code.

Administrative rights are required to configure BDE for local hard disks; for removable and virtual storage media, normal user rights are sufficient. A user or malicious program that holds the corresponding administrative or user rights can use them to deactivate BDE without authorisation, to add further keys of its own making, or to delete key material.

Deactivating BDE or adding a self-created key without authorisation results in the loss of the confidentiality of the data. Deleting the key material of the system partition results in the loss of availability of the entire system.

When the user or a program holds administrative rights, deactivation of BDE or unwanted deletion of key material can also result from incorrect operation of the manage-bde.wsf or manage-bde.exe maintenance tool supplied with the system.

There is also a risk of a violation of confidentiality despite the use of BitLocker Drive Encryption when unauthorised persons gain knowledge of the recovery key. The recovery key can be used to decrypt a partition encrypted by BDE. This applies even when a Trusted Platform Module (TPM) is used, because the recovery key is intended to permit decryption precisely in cases such as a defective TPM.

For maintenance, the BDE configuration tools allow the encryption of a hard drive partition to be temporarily suspended without decrypting the data. The data remains encrypted, but an unprotected start key (Clear Key) is stored in plain form on the drive, and the integrity check during start-up is deactivated. In this state the system can be started without authentication, including on other hardware, and allows unhindered access to the data. The data can be copied and the Clear Key can be read. An attacker could exploit this to extract unprotected key material in order to bypass the data encryption later.
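The three conditions this entry warns about (an unencrypted data partition, a suspended volume with a Clear Key on disk, and key protectors added or removed without authorisation) can be checked from an elevated PowerShell session. The following script is an added example, not part of the IT-Grundschutz catalogue; it assumes the BitLocker PowerShell module (Get-BitLockerVolume, available on Windows 8 / Server 2012 and later rather than the Vista/7 versions discussed above) and an assumed baseline in which every volume carries only TPM-based protectors plus one recovery password.

```powershell
# Added example. Assumed baseline: TPM-based protector(s) plus a RecoveryPassword,
# and nothing else. Adjust to the organisation's actual BitLocker policy.
$ExpectedProtectors = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'RecoveryPassword')

function Get-BdeFindings {
    # Run elevated: without administrative rights Get-BitLockerVolume returns incomplete data.
    param([object[]]$Volumes = (Get-BitLockerVolume))

    foreach ($v in $Volumes) {
        # Data partition not encrypted at all (the Vista-without-SP1 situation described above).
        if ($v.VolumeType -eq 'Data' -and $v.VolumeStatus -eq 'FullyDecrypted') {
            [pscustomobject]@{ MountPoint = $v.MountPoint; Finding = 'data volume is not encrypted' }
        }

        # Encrypted but protection suspended: a Clear Key is stored unprotected on the drive
        # and the start-up integrity check is off. Resume with Resume-BitLocker.
        if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off') {
            [pscustomobject]@{ MountPoint = $v.MountPoint; Finding = 'protection suspended (Clear Key on disk)' }
        }

        # Key protectors outside the baseline, e.g. an ExternalKey or Password added by someone
        # holding administrative rights. Review and remove with Remove-BitLockerKeyProtector.
        foreach ($kp in $v.KeyProtector) {
            if ($ExpectedProtectors -notcontains [string]$kp.KeyProtectorType) {
                [pscustomobject]@{
                    MountPoint = $v.MountPoint
                    Finding    = "unexpected key protector $($kp.KeyProtectorType) ($($kp.KeyProtectorId))"
                }
            }
        }

        # No recovery password at all: deleted key material puts availability at risk.
        $hasRecovery = $v.KeyProtector | Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' }
        if ($v.VolumeStatus -ne 'FullyDecrypted' -and -not $hasRecovery) {
            [pscustomobject]@{ MountPoint = $v.MountPoint; Finding = 'no recovery password protector present' }
        }
    }
}

$findings = Get-BdeFindings
if ($findings) { $findings | Format-Table -AutoSize } else { 'No BitLocker findings.' }
```

Any recovery key that may have become known to unauthorised persons should be treated as compromised and replaced rather than merely noted.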