Drive encryption with Microsoft BitLocker



Similar documents
How to enable Disk Encryption on a laptop

How to Encrypt your Windows 7 SDS Machine with Bitlocker

Encrypting with BitLocker for disk volumes under Windows 7

In order to enable BitLocker, your hard drive must be partitioned in a particular manner.

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

Dell UPS Local Node Manager USER'S GUIDE EXTENSION FOR MICROSOFT VIRTUAL ARCHITECTURES Dellups.com

Do "standard tools" meet your needs when it comes to providing security for mobile PCs and data media?

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

Windows BitLocker Drive Encryption Step-by-Step Guide

ScoMIS Encryption Service

BitLocker/Active Directory Encryption Procedure Department: Information Security Office Version: 1.0 Last Revised: 09/26/2011

Cautions When Using BitLocker Drive Encryption on PRIMERGY

Introduction to BitLocker FVE

Disk Encryption. Aaron Howard IT Security Office

Windows 7 Hard Disk Recovery

Acer erecovery Management

Acer erecovery Management

Also you need the C-MOR ISO file. This file you will find following this link:

Yale Software Library

1. System Requirements

Managing Applications, Services, Folders, and Libraries

ScoMIS Encryption Service

Operating Instructions - Recovery, Backup and Troubleshooting Guide

Technical Note. Installing Micron SEDs in Windows 8 and 10. Introduction. TN-FD-28: Installing Micron SEDs in Windows 8 and 10.

Using BitLocker to encrypt a Windows 8 device

Full Disk Encryption Agent Reference

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

FAQ No Q: What should we know before we start Windows 10 upgrade?

Reborn Card NET. User s Manual

Disaster Recovery Guide

EMBASSY Remote Administration Server (ERAS) BitLocker Deployment Guide

McAfee Endpoint Encryption (SafeBoot) User Documentation

Operating Systems: Microsoft Windows XP, Windows Vista or Windows 7 RAM: 2GB

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

SafeGuard Enterprise User help. Product version: 7

SafeGuard Enterprise User help. Product version: 6.1

HP MediaSmart Server Software Upgrade from v.1 to v.3

Information Systems Services. SafeGuard Enterprise. enc. Device Encryption (DE) Installation V /11/2010

MICROSOFT BITLOCKER ADMINISTRATION AND MONITORING (MBAM)

Windows BitLocker TM Drive Encryption Design Guide

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 16 Fixing Windows Problems

SafeGuard Enterprise User help. Product version: 6 Document date: February 2012

Installing and Upgrading to Windows 7

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

SafeGuard Easy startup guide. Product version: 7

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Management of Hardware Passwords in Think PCs.

Hyper-V Installation Guide for Snare Server

Utimaco SafeGuard Easy Installation Instructions for Notre Dame installer v2.5

Windows Server 2008 R2 Essentials

Troubleshooting Sprint Mobile Broadband USB Modem by Novatel Wireless TM (Ovation TM U727)

A+ Guide to Software: Managing, Maintaining, and Troubleshooting, 5e. Chapter 3 Installing Windows

Alcatel-Lucent Extended Communication Server Active directory synchronization : installation and administration

EZblue BusinessServer The All - In - One Server For Your Home And Business

WatchGuard Mobile User VPN Guide

University of Rochester Sophos SafeGuard Encryption for Windows Support Guide

BitLocker Encryption for non-tpm laptops

Operating System Installation Guide

4 Backing Up and Restoring System Software

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

SAM 8.0 Backup and Restore Guide. SafeNet Integration Guide

Drive Vaccine PC Restore

Image Assistant. User Guide. Image Assistant. Laplink Software, Inc. User Guide. The ONLY Way to Restore an Old Image to a New PC!

TPM. (Trusted Platform Module) Installation Guide V for Windows Vista

Magaya Software Installation Guide

Windows 7, Enterprise Desktop Support Technician

HP MediaSmart Server Software Upgrade from v.2 to v.3

Table of Contents. Online backup Manager User s Guide

For Windows XP 64 bit

Hiva-network.com. Microsoft_70-680_v _Kat. Exam A

Installation Notes for Outpost Network Security (ONS) version 3.2

Selected Windows XP Troubleshooting Guide

SafeGuard Enterprise Web Helpdesk

"Charting the Course to Your Success!" MOC D Windows 7 Enterprise Desktop Support Technician Course Summary

Motion Computing Tablet PC

Using GIGABYTE Notebook for the First Time

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

Microsoft Windows Server 2008: Data Protection

DriveLock and Windows 7

Table of Contents. TPM Configuration Procedure Configuring the System BIOS... 2

SafeGuard Easy Administrator help. Product version: 6 Document date: February 2012

IBM Rapid Restore PC powered by Xpoint - v2.02 (build 6015a)

Lenovo Online Data Backup User Guide Version

Windows Server 2008 Essentials. Installation, Deployment and Management

To get started, you will need the following items Product Key Router with firewall capability Network cables

User s Guide

Windows 8 Backup, Restore & Recovery By John Allen

Rev 7 06-OCT Site Manager Installation Guide

Jetico Central Manager. Administrator Guide

Mobile Device Security and Encryption Standard and Guidelines

NovaBACKUP. Storage Server. NovaStor / May 2011

Step by step guide for installing highly available System Centre 2012 Virtual Machine Manager Management server:

Lepide Active Directory Self Service. Installation Guide. Lepide Active Directory Self Service Tool. Lepide Software Private Limited Page 1

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012

Wharf T&T Cloud Backup Service User & Installation Guide

Installation Instructions Release Version 15.0 January 30 th, 2011

Florida Atlantic University VPN Client Installation Guide

Transcription:

Drive encryption with Microsoft BitLocker 1 General informations... 2 1.1 What is BitLocker?... 2 1.2 For who is BitLocker?... 2 1.3 Possible authentication features... 2 1.4 Security features... 2 2 Configuration... 3 2.1 Prerequisites... 3 2.2 Policy Configuration... 3 2.3 Activate TPM... 4 2.4 Activate encryption to the system partition... 4 2.4.1 Configure authentication withtpm 1.2 and USB-key... 4 2.4.2 Configure authentification with TPM 1.2, TPM-PIN and USB-Key... 6 2.5 Encrypt additional data partitions... 7 2.6 Boot from encrypted system drive... 7 2.6.1 In the normal case (without TPM-Pin)... 7 2.6.2 In the normal case (with TPM-Pin)... 8 2.6.3 After loosing your key... 8 2.6.4 After changing hardware or settings in the operating system... 9 2.7 Decrypt drives... 11 2.7.1 In the normal case... 11 2.7.2 After lose the key... 11 2.7.3 With defect hardware... 11 2.8 Finding the recovery key... 12 3 Appendix... 13 3.1 Possible problems... 13 3.1.1 A drive could not be encrypted... 13 3.2 FAQ... 13 3.2.1 Can i copy the USB-key and give it to someone else?... 13 3.2.2 Can i use Smart-Cards instead a USB-key?... 13 3.2.3 Can I change the TPM-Pin?... 13 3.2.4 Is it needed that the encryption is finished before give it to the end-user?... 13 3.2.5 Can I use an alpha-numerical TPM-PIN?... 13 3.2.6 I can t see the register BitLocker Recovery in Active Directory... 13 3.2.7 Does BitLocker slow down my computers?... 13 3.3 Links... 13 Josh Burkard, 2011 Page 1 of 13

1 General informations 1.1 What is BitLocker? BitLocker is a drive encryption mechanism integrated in Windows. It is available in Vista and Windows 7, in the Ultimate and Enterprise editions. The mechanism encrypts single partitions. To encrypt the system-partition, there will be created a special boot partition with 100 MB size. The key used for encrypt and decrypt partitions can depending on configuration be calculated from TPM, TPM-PIN and / or USB-key. 1.2 For who is BitLocker? BitLocker could be used by private and commercial users. It s recommended to encrypt mobile devices, like notebooks or public computers. In every case, you have to ensure that the recovery key is stored on a safe place. 1.3 Possible authentication features To autheticate your users, you can use the following features and combinations: - TPM 1.2 - TPM 1.2 + TPM-PIN - USB-Key - TPM 1.2 + USB-Key - TPM 1.2 + TPM-PIN + USB-Key - TPM 1.2 + SmartCard (need a certificate infrastructure) 1.4 Security features To ensure, that you can access your datas in each case, there will be created a recovery key at the encryption initialization. The recovery key will be stored on an USB-Key, on a local or network drive or will be printed out. In an enterprise environment the recovery key can be stored to the computer object in active directory. Cause waking up your computer from sleep mode doesn t start your computer from disk but from memory, BitLocker doesn t ask again for authentication. To be absolute secure, you have to disable the sleep mode and allow only the hibernation mode. Josh Burkard, 2011 Page 2 of 13

2 Configuration 2.1 Prerequisites You have to ensure, that you met the following prerequisites: - Windows 7 Ultimate or Windows 7 Enterprise - (Vista Ultimate or Vista Enterprise) - Windows 2008 R2 (or Windows 2008) - Locale admin rights to your client computer - The encrypted disk have to be a basic disk (not a dynamic disk) - Your notebook must be powered by power supply and not by battery. It s recommended to use hardware with TPM 1.2. 2.2 Policy Configuration You have to define this settings in group policy: - Encryption of any partition should be possible only when the recovery key was stored in active directory. - TPM 1.2 and a USB-key should be used for authentication - Additional a TPM-Pin can be used for authentication. - Deactivate the sleep mode and activate the hybernation mode in your power plans. An example: Josh Burkard, 2011 Page 3 of 13

2.3 Activate TPM Open the Control Panel System and Security BitLocker Drive Encryption TPM Administration 2.4 Activate encryption to the system partition 2.4.1 Configure authentication withtpm 1.2 and USB-key Open the Control Panel System and Security BitLocker Drive Encryption Follow the wizzard. Maybee you have to prepare your drive for BitLocker: Josh Burkard, 2011 Page 4 of 13

After preparing your drive, you have to restart your computer. The wizzard continues automaticaly after the restart. Insert a USB-Key to your computer. Save the recovery key on a safe place. After this, click on Next. Josh Burkard, 2011 Page 5 of 13

Select Run BitLocker system check and click on Continue. Leave your USB-Key connected to your computer. After restarting your computer, Windows starts to encrypt your system drive. You can use your computer as normally during the encryption. 2.4.2 Configure authentification with TPM 1.2, TPM-PIN and USB-Key First you have to configure your system partition like described in point 2.4.1. Check that the encryption is successful finished. Run an command promt as Administrator. Run: manage-bde -protectors -add c: -rp -rk d: -tpsk -tp 1234 -tsk e: Where c: is the encrypted Drive, d: means the location of the recovery key and e: means the location to the USB-keys. Enter your numerical TPM-PIN instead of 1234. On some hardware you can use also an alphanumerical TPM-PIN. After successful creation of the TPM-Pin, there is an additional key-file on your USB-key. To prevent that your computer starts with the old key-file, move the old key-file from the USB-key to somewhere else. Josh Burkard, 2011 Page 6 of 13

2.5 Encrypt additional data partitions Open the Control Panel System and Security BitLocker Drive Encryption Click on Turn On BitLocker nearest to the desired drive. 2.6 Boot from encrypted system drive 2.6.1 In the normal case (without TPM-Pin) Connect your USB-key to your computer and power on your computer. Windows will start automatically. If you forgotten to connect your USB-key to your computer, this message appears: Connect your USB-key now and press ESC on your Keyboard. Windows will start automatically. Josh Burkard, 2011 Page 7 of 13

2.6.2 In the normal case (with TPM-Pin) Connect your USB-key to your computer and power on your computer as described in point 2.6.1. As soon as your USB-key was detected, BitLocker ask you for your TPM-Pin: 2.6.3 After loosing your key If you lose your key (USB-key or TPM-Pin) or it isn t available temporary, you can boot with the recovery key. Power on your computer without USB-key and wait for this message: Press the ENTER-key. This message will appears: Enter the recovery key and press the ENTER-key. Windows will boot normaly. To find the recovery key in active directory, follow point 0. To decrypt or disable the encryption follow point 2.7.1. Josh Burkard, 2011 Page 8 of 13

2.6.4 After changing hardware or settings in the operating system When you change your hardware configuration or make heavy changes on your system settings, it can happen that you receive this message: Press the ENTER-key: Enter your recovery key and press the ENTER-key. Windows will start automatically. To save your changes permanently, open the Control Panel System and Security BitLocker Drive Encryption: Suspend the BitLocker protection on your system drive. Josh Burkard, 2011 Page 9 of 13

Resume the BitLocker protection on your system drive immediately again: Josh Burkard, 2011 Page 10 of 13

2.7 Decrypt drives 2.7.1 In the normal case Open the Control Panel System and Security BitLocker Drive Encryption: Click to Turn Off BitLocker near the desired drive. 2.7.2 After lose the key Power your computer on as described in point 0. Now you can decrypt your drive as described in point 2.7.1. 2.7.3 With defect hardware When your hardware is defect, you will have to possibilities to recover your data s: Insert your harddisk in another computer and boot from this. You will need to recover as described in point 2.6.4. Otherwise you can connect your harddisk to another computer with Windows 7 Ultimate / Enterprise with an SATA/IDEtoUSB-connector. Windows will detect it automatically as a encrypted drive and starts an assistant to decrypt your drive. If you don t like the assistant or you want to leave the original drive encrypted, you can use this command: repair-bde D: Z: -rp 111111-111111-111111-111111-111111-111111-111111-111111 Where D: means the encrypted source-drive and Z: means a destination-drive. Instead the 111111 use the recovery key. You will find more help for recovery at: http://technet.microsoft.com/en-us/library/ee523219(ws.10).aspx Josh Burkard, 2011 Page 11 of 13

2.8 Finding the recovery key If you lose your key (USB-key or TPM-Pin), you will need the recovery key to boot or decrypt your drive. If you configured your group policies as described in point 2.2 before your computer was encrypted, then you will find the recovery key in active directory at the computer object: If your computer name unknown, you can search for the recovery key: Enter your Password ID, which will be shown by the recovery assistant or the boot screen: Josh Burkard, 2011 Page 12 of 13

3 Appendix 3.1 Possible problems 3.1.1 A drive could not be encrypted You couldn t encrypt your drive in this cases: - Your computer isn t connected to your domain. Connect it. - Some AntiVirus-, VPN- or FireWall- software s block the BitLocker encryption. Uninstall it and reinstall it after encryption. - The device doesn t support TPM 1.2. You can configure your group policy to allow BitLocker without TPM 1.2, but it s not recommended. - The USB-key isn t readable by BIOS or at boot level. Use another USB-key. 3.2 FAQ 3.2.1 Can i copy the USB-key and give it to someone else? Yes, this is possible. The key-file is in the root directory of your USB-key and aremarked as hidden system files. You must configure windows explorer to show this files. 3.2.2 Can i use Smart-Cards instead a USB-key? Yes, there are concepts to use Smart-Cards and BitLocker together. You will need a running certificate infrastructure. You will find mor infos at: http://technet.microsoft.com/en-us/library/dd875530(ws.10).aspx 3.2.3 Can I change the TPM-Pin? Yes, look at http://blogs.technet.com/b/ganand/archive/2008/04/26/you-will-not-get-the-option-toreset-pin-in-bitlocker-when-using-tpm-pin-startupkey-protectors-in-vista-sp1.aspx 3.2.4 Is it needed that the encryption is finished before give it to the end-user? No, the encryption can be suspended at a shutdown or reboot. At next reboot the encryption will resume automatically. The user has to authenticate anyway. 3.2.5 Can I use an alpha-numerical TPM-PIN? Yes, but this depends on hardware. If your hardware doesn t support an alpha-numerical TPM-PIN but you created one, you should recover as described in 0. 3.2.6 I can t see the register BitLocker Recovery in Active Directory To show the register BitLocker Recovery at the computer objects, you need to install the feature BitLocker Password Recovery Viewer, which is available after installing the Remote Server Administration Tools for Windows 7. You will find this at: http://www.microsoft.com/downloads/en/details.aspx?familyid=7d2f6ad7-656b-4313-a005-4e344e43997d&displaylang=en 3.2.7 Does BitLocker slow down my computers? Yes, but you can t feel it: http://technet.microsoft.com/en-us/library/ee449438(ws.10).aspx#bkmk_performance 3.3 Links http://technet.microsoft.com/en-us/library/dd875513(ws.10).aspx Josh Burkard, 2011 Page 13 of 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information