S 4.422 Use of BitLocker To Go in Windows 7 and higher

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Administrator, User

Using BitLocker To Go and the Windows 7 Enterprise and Ultimate versions, the users can encrypt partitions on removable data media such as USB sticks, external hard disk drives or Virtual Hard Drives (VHD). If an encrypted data medium is lost or stolen, the data stored on the data medium are protected, since decryption is only possible using a password, a smart card or the recovery information. Via the context menu of the respective drive symbol, BitLocker To Go is turned on using the "Activate BitLocker..." option. To accomplish this, no administrative user rights are required. The administration of encrypted removable data media takes place in the Control Panel under BitLocker Drive Encryption.

Before using BitLocker To Go, it is recommended to apply M 1.7 Crypto-concept. In addition to this, the security policies should be supplemented according to S 2.401 Handling mobile data media and devices and S 2.309 Security policies and rules for the use of mobile IT with regard to in which scenarios which groups of people must, may or must not use encryption. It should be noted that no individual files can be encrypted using BitLocker To Go, but only a partition of a data medium.

The greatest challenge is the careful handling of the cryptographic key material by the users (S 2.46 Appropriate key management). If it falls into the hands of unauthorised persons, the confidentiality of the data is no longer guaranteed. The protection requirements regarding the confidentiality and availability of the key must be considered to be at least as high as the protection requirements of the unencrypted data itself. As soon as several users use BitLocker To Go, a centrally controlled key management, for example using Active Directory, should be used.

BitLocker To Go is activated by default. If, however, the use of BitLocker To Go is not explicitly intended (see S 2.325 Planning the Windows XP, Windows Vista and Windows 7 security policies), it should be deactivated for each group policy, since otherwise threats as described in T 3.98 Loss of BitLocker-encrypted data and T 3.97 Violation of confidentiality in spite of BitLocker Drive Encryption might arise.

The settings for BitLocker To Go described below can be found in the following group policy:

Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Removable Data Media.

Key category

After calling the command "Activate BitLocker...", the user can assign an encryption password or insert a smart card with an encryption certificate. The public part of this certificate is stored on the mobile data medium in unencrypted form and might disclose information on the certificate infrastructure (PKI) used if the data medium is lost. If the protection requirements of the PKI with regard to confidentiality are high, consideration should be given to encrypting this data medium only using a password or to using separate certificates. If the protection requirements with regard to the confidentiality of the data to be encrypted are high, mere password authentication is not sufficient. Here, smart card systems with a separate multifactor authentication solution should be used.

The length of the encryption password must be defined according to S 2.11 Provisions governing the use of passwords. The Prompt for password complexity setting should also be set (requires S 4.48 Password protection under NT-based Windows systems).

Encryption level

If the protection requirements with regard to confidentiality of the data are very high, the encryption level of 128-bit AES with diffuser should be increased to 256-bit AES with diffuser (Select encryption method and encryption level for drive group policy). Thus, however, the encryption process requires a significantly higher processor capacity and might not be run in a stable manner on a slow computer.

Opening encrypted data media without BitLocker To Go

Encrypted data media can also be read using the Bitlockertogo.exe tool by Windows versions in Windows XP and higher without BitLocker provided that they have been formatted using the FAT file system. Write access to the medium is not possible. For alternative operating systems such as Mac OS or Linux, a program for reading data media encrypted using BitLocker To Go is not available.

Using a group policy, it can be defined that Bitlockertogo.exe is to be stored automatically in unencrypted form on each re-encrypted FAT data medium. The application does not support any access authorisations and smart card authentication and is thus generally unsuitable for internal use. In a security policy for the encrypted exchange of data with third parties, it should be defined who is authorised to transfer data and on which IT systems encrypted FAT data medium may be created.

Preventing unencrypted writing

Based on the crypto-concept, it must be decided if and for which IT systems writing to external unencrypted data media is prohibited by means of a group policy. The corresponding GPO is as follows: Deny write access to removable data media which are not protected by BitLocker. Using this setting, it can be ensured that data on external data media are always encrypted.

If this setting is used, exceptions must be configured in practice in most cases and made known to the users so that a rule-consistent and understandable encryption strategy can also be implemented in difficult applications.

The most common reasons for this are presentation devices which are to read a USB stick as well as the specific transfer of external data media to external bodies. It is possible to label several USB sticks clearly visible as "public" and to exclude them from being encrypted. Unencrypted data media should only be handed out and used by persons authorised to do so. More restrictive organisational safeguards, for example logging the handing out of USB sticks, must be taken into account depending on the protection requirements regarding the confidentially of the data. All required exceptions must be regulated in the security policy for the exchange of data or in the crypto-concept. On the technical level, the group policy mentioned above allows exceptions for certain data media which were assigned an ID beforehand. Precise instructions on how to configure the IDs can be directly found in the group policy. The users must be trained on how to handle encrypted and unencrypted data media.

Recovery of encrypted removable data media in emergencies

Recovery passwords and keys allow an administrator or user to recover encrypted data if the user has lost the encryption password or the smart card. For the first encryption of the data medium, the assistant generates a 48-digit random password for the recovery. It should be accepted and can be printed or stored as a text file. According to S 2.22 Escrow of passwords, precise instructions on how to proceed with the recovery passwords should be developed for the users. They must be treated as confidentially and carefully as the recovery password or the smart card.

According to S 4.86 Secure separation of roles and configuration with crypto modules, if and how recovery passwords and recovery keys are to be stored centrally and who may access them for recovery purposes must be regulated. In order to provide better protection for the confidentiality of the recovery information and to accelerate the recovery in emergencies, it is recommended that this information be automatically stored in the Active Directory without any user interaction. In any case, it must be ensured that the recovery passwords and keys are handled properly. For this purpose, the Define how removable data media protected by BitLocker can be recovered group policy is used. In addition to this, the steps, persons and resources required for the recovery must be precisely defined.

If the recovery password is selected manually or changed subsequently by the administrator, then trivial passwords must be avoided (according to S 2.11 Provisions governing the use of passwords). If the same recovery password is selected for different data media for reasons of efficiency, then it is even more important to avoid using trivial passwords.

If you suspect that a password, smart card or key were compromised, then the corresponding key must be set to a new value. This setting is made in connection with the recovery password or the recovery key.

Using the group policy, a 256-bit recovery key can be generated for each encrypted data medium. In this manner, the data medium can be accessed when the original authentication resources are no longer available. The recovery key cannot be printed and it is not possible to distribute it orally, for example over the telephone. This increases the protection of the confidentiality of the data, but delays data recovery in emergencies. These recovery keys can only be stored on an additional USB stick or in the Active Directory. On systems by means of which data with very high confidentiality requirements are encrypted, only recovery keys, but no recovery passwords should be allowed.

In addition to this, the administrator can install a data recovery agent (Group Policies Snap-in | Computer Configuration | Windows Settings | Security Settings | Public Key Policies | BitLocker). This is the public part of a universal recovery key; it is installed uniformly on all BitLocker clients. The appropriate private key can decrypt the encrypted data media and should not be in the possession of the administrator. In principle, data recovery agents require a particularly high protection against any misuse and it is very complicated to replace them if they are compromised. The data recovery agent is no replacement for recovery passwords or keys, but only additional protection against the loss of data for users who cannot participate in the central key management. The advantages of the data recovery agent must be weighed against its disadvantages before using a data recovery agent.

Destroying the key material

As soon as an encrypted data medium is disposed of or lost, all keys and passwords in connection with this data medium must be destroyed immediately. For centrally stored keys, the destruction should be recorded in a revision-proof manner provided that the encrypted data are still classified as confidential.

Training the users

Due to the easy operation and strong presence of the BitLocker To Go encryption function for the user, the human errors described in T 3.44 Carelessness in handling information often occur.

The users must be informed on how to store the recovery passwords and keys and which steps and contact partners apply to them if passwords, other keys and encrypted data media are lost.

In most cases, users using BitLocker To Go without a central key management are persons in a leading or sensitive position within the information system. They should be sensitised to the threats at regular intervals. This also includes training them on the rules regulating the creation and storage of data media and keys as well as on how to proceed if they are lost and disposed of.

Limits of the suitability of BitLocker To Go

The encryption using BitLocker To Go protects data on mobile or virtual data media only if they were lost or stolen. The protection is not effective as long as the data medium is connected to the system and when the user authentication has been completed successfully. BitLocker To Go does not provide protection against the unauthorised copying of data or smuggling in of malicious software (malware) during operation.

The encryption and authentication processes are inherently less prone to the manipulation of the operating system for portable media whose security mechanisms have already been directly integrated into the hardware. They are recommended for applications with particularly high protection requirements regarding confidentiality.

BitLocker tools

Review questions:

© Federal Office for Information Security. All rights reserved.