T 3.98 Loss of BitLocker-encrypted data
BitLocker Drive Encryption (BDE) is a program for encrypting partitions on data carriers.
The administrator may configure different authentication methods, as well as combinations thereof, which BDE uses to decrypt the Windows partition during the start-up procedure of the operating system:
- TPM use without user authentication (requires a trusted platform module, TPM)
In this configuration, BDE starts without any interaction by the user; the user does not have to provide BDE with authentication data. The start-up procedure is only interrupted if access to the TPM is not possible (e.g. if the TPM is deactivated or defective).
- Authentication using a key on a USB stick
There is a risk that the user loses the USB stick or that the stick is defective. The result is that Windows does not resume the start-up procedure.
- Authentication using a PIN (requires the IT system to have a TPM chip)
There is a risk of the user forgetting the PIN. The operating system only continues the start-up procedure after entry of the correct PIN.
- Authentication using PIN and USB stick
If the TPM was configured for use by BitLocker, Windows may cancel the start-up procedure of the IT system for various reasons:
- in case of changes to the BIOS of the main board,
- in case of damage to the TPM,
- if the Master Boot Record (MBR) of the hard drive has been modified,
- if the early boot components of the operating system have been changed,
- if further files monitored by BitLocker have been modified.
Changes to the BIOS may be caused, for example, by a firmware update; files may be changed by software updates. In either case, the effect of the cancelled start-up procedure is that the user is unable to use the IT system. The data protected by BDE remains encrypted.
In the cases presented, a numerical recovery password or a recovery key is used as a safeguard. The key is stored in binary format, while the password can also be printed on a piece of paper. The digital storage locations supported for recovery passwords and recovery keys include Active Directory and files, which can be stored either locally or on external drives such as USB sticks.
However, when the recovery password is printed on paper or stored on a USB stick, there is a risk that unauthorised persons gain access to it, thereby causing a loss of confidentiality of the data encrypted by BitLocker.
Furthermore, there is also a risk of losing the recovery password or the recovery key. In this case, the user is no longer able to use the IT system, and the encrypted data remains encrypted permanently.
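The following PowerShell script is an added example and is not part of this catalogue entry. It addresses the two risks above from the administrator's side: it reports, for every BitLocker volume, which of the protector types listed earlier (TPM only, USB startup key, PIN) are in use and whether a numerical recovery password exists, and, where one is missing on a protected volume, it adds one and escrows it in Active Directory instead of leaving it on paper or a USB stick. It uses only cmdlets of the built-in BitLocker PowerShell module (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector). Assumptions: the script runs elevated on a domain-joined Windows host whose group policy permits backing up BitLocker recovery information to AD DS; the function names Get-BitLockerProtectorReport and Register-RecoveryPasswordProtector are chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the BSI catalogue entry.
# Assumption: domain-joined host, AD DS backup of recovery information allowed by policy.

function Get-BitLockerProtectorReport {
    # One row per BitLocker volume (OS drive, fixed data drives and currently
    # attached BitLocker To Go drives, which appear with VolumeType "Data").
    Get-BitLockerVolume | ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ', ')
            # TPM without user authentication: boots without interaction.
            UsesTpmOnly         = [bool]($types -contains 'Tpm')
            # Startup key on a USB stick (alone or combined with the TPM):
            # losing or damaging the stick stops the boot.
            UsesStartupKey      = [bool]($types -match 'ExternalKey|StartupKey')
            # PIN-based variants: a forgotten PIN stops the boot.
            UsesPin             = [bool]($types -match 'Pin')
            # Without this, a TPM validation failure or lost key cannot be recovered.
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

function Register-RecoveryPasswordProtector {
    param([Parameter(Mandatory)][string]$MountPoint)

    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rp) {
        # No numerical recovery password yet: create one (48 digits, generated by BitLocker).
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        # Escrow the recovery password in AD DS, the storage location that avoids
        # both the loss risk and the paper/USB confidentiality risk described above.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # Return the protector IDs that are now escrowed (the password itself is not echoed).
    return ($rp | ForEach-Object { $_.KeyProtectorId })
}

# Usage: report, then remediate every protected volume that has no recovery password.
Get-BitLockerProtectorReport | Format-Table -AutoSize

Get-BitLockerProtectorReport |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword } |
    ForEach-Object {
        $ids = Register-RecoveryPasswordProtector -MountPoint $_.MountPoint
        Write-Output ("{0}: recovery password protector(s) escrowed in AD: {1}" -f $_.MountPoint, ($ids -join ', '))
    }
```

The report deliberately never prints the recovery password itself; an administrator who needs it later retrieves it from the computer object in Active Directory. Volumes with ProtectionStatus "Off" are skipped by the remediation because adding protectors to a suspended or unencrypted volume does not change the risk picture until protection is turned on.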
As a consequence, access to data encrypted with EFS (Encrypting File System) may also be jeopardised if the EFS key is stored on a partition encrypted by BDE.
Under Windows 7 and Windows Server 2008 R2 and higher, users without administrator rights may use BitLocker To Go to encrypt critical data on internal and external drives. By default, users may authenticate with either a password of their choosing or a smart card. If BitLocker To Go is used and the creator of the encrypted data carrier forgets the password or refuses to provide it, the data on the medium is no longer available to the institution.