Everything you wanted to know about encryption and BitLocker!
Encryption is the process of transforming plaintext into ciphertext so that the data cannot be read by anyone who does not hold the key.
Symmetric Key Encryption
This type of encryption uses a single shared key for both:
- encrypting information
- decrypting information
Symmetric encryption is very fast, but managing the key is a challenge: if the key is lost or stolen, the data is lost or exposed. For that reason symmetric encryption is normally used in combination with asymmetric encryption.
Public Key Cryptography (Asymmetric Key Encryption)
Public-key cryptography uses two different keys, one for encryption and one for decryption of information:
- Public key for encryption
- Private key for decryption
Asymmetric key encryption is used for the following:
- Encrypting symmetric secret keys to protect them during an exchange over a network, or while they are used, stored, or cached by the operating system.
- Creating digital signatures to provide authentication and non-repudiation for online entities.
- Creating digital signatures to provide integrity for digital files and folders.
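The two uses just listed, wrapping a symmetric key with a public key and signing data with a private key, can be shown together with the .NET cryptography classes available from PowerShell. This is an added example, not code from the original article; it assumes Windows (it uses the CNG-backed RSACng class, which supports OAEP with SHA-256 on both Windows PowerShell 5.1 and PowerShell 7). All keys and the sample message are generated on the spot and nothing is written to disk.

```powershell
# Added example (not from the original article): hybrid encryption plus a
# digital signature. Assumes Windows (RSACng); keys and data are constructed here.
using namespace System.Security.Cryptography

$plaintext = [Text.Encoding]::UTF8.GetBytes('constructed sample message')

# 1. Symmetric part: one AES-256 key encrypts the bulk data (fast).
$aes = [Aes]::Create()
$aes.KeySize = 256
$aes.GenerateKey()
$aes.GenerateIV()
$ciphertext = $aes.CreateEncryptor().TransformFinalBlock($plaintext, 0, $plaintext.Length)

# 2. Asymmetric part: the recipient's public key wraps (encrypts) the AES key,
#    so only the holder of the matching private key can recover it.
$recipient = [RSACng]::new(2048)
$wrappedKey = $recipient.Encrypt($aes.Key, [RSAEncryptionPadding]::OaepSHA256)

# 3. The sender signs the ciphertext with its own private key, which gives the
#    receiver authentication, integrity and non-repudiation for the message.
$sender = [RSACng]::new(2048)
$signature = $sender.SignData($ciphertext, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)

# --- Receiving side: only public parameters of the sender are needed to verify ---
$senderPublic = [RSACng]::new()
$senderPublic.ImportParameters($sender.ExportParameters($false))
$valid = $senderPublic.VerifyData($ciphertext, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
if (-not $valid) { throw 'signature check failed; message rejected' }

# Tampering with even one byte of the ciphertext invalidates the signature.
$tampered = [byte[]]$ciphertext.Clone()
$tampered[0] = $tampered[0] -bxor 1
"Tampered copy verifies: $($senderPublic.VerifyData($tampered, $signature, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1))"

# Unwrap the AES key with the recipient's private key, then decrypt the bulk data.
# The IV is sent alongside the ciphertext; it does not need to be secret.
$aesKey = $recipient.Decrypt($wrappedKey, [RSAEncryptionPadding]::OaepSHA256)
$aes2 = [Aes]::Create()
$aes2.Key = $aesKey
$aes2.IV = $aes.IV
$recovered = $aes2.CreateDecryptor().TransformFinalBlock($ciphertext, 0, $ciphertext.Length)
"Recovered: $([Text.Encoding]::UTF8.GetString($recovered))"
```

The pattern is the one the list describes: the 32-byte AES key, not the message, is what the slow RSA operation protects, and the signature is checked before the ciphertext is trusted, so a modified message is rejected rather than decrypted.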
Encryption on Windows
Older versions of Windows offered options to encrypt individual files and folders. With the launch of BitLocker in Windows 7 Enterprise and upward, Microsoft gave users an excellent security option in the form of full-drive encryption. In an offline attack, i.e. if someone steals your hard drive and plugs it into their own PC, all the information on the drive is unreadable to them. If an intruder boots the PC from a Windows PE or Linux recovery disk, the entire drive still stays unreadable, because BitLocker watches the boot process and locks the drive if it detects an abnormal boot sequence. The limitation of this technology is that BitLocker needs a TPM, a chip on the computer's motherboard, to operate properly. BitLocker can also be installed on PCs without a TPM, but they then have to use a plug-in storage device to hold the start-up key.
Encrypted File System (EFS)
EFS transparently encrypts and decrypts files using a standard cryptographic algorithm.
It does not protect data while it is being transferred from one system to another.
Encryption and decryption occur at the file system level, not at the application level, so applications read and write the files as usual.
EFS uses a symmetric key for the file contents, and that key is itself encrypted with an asymmetric (public) key. The matching private key must be available for the file to be decrypted, and it is bound to the user's identity (user ID and password).
EFS keys can't be archived, and they are protected by the user's password.
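A short walk-through of the EFS behaviour described above, as an added example rather than code from the original article. It assumes a Windows edition with EFS (Pro or Enterprise; Home editions do not have it), an NTFS volume for the profile's temp folder, and an ordinary logged-on user; the scratch file and its contents are constructed for the demo and removed at the end.

```powershell
# Added example (not from the original article): EFS on a scratch file.
# Assumes Windows Pro/Enterprise, NTFS, and a logged-on user profile.
$path = Join-Path $env:TEMP 'efs-demo.txt'      # constructed scratch file
Set-Content -Path $path -Value 'constructed sample text' -NoNewline

# Encrypt: NTFS does this inside the file system driver, so no application
# change is needed. On first use Windows generates the user's EFS key pair.
[System.IO.File]::Encrypt($path)

# Transparent access: the same user reads the plaintext back unchanged...
$readBack = Get-Content -Path $path -Raw
"Read back: $readBack"

# ...while on disk the file carries the Encrypted attribute.
$attrs = (Get-Item $path).Attributes
"Encrypted attribute set: $($attrs.HasFlag([IO.FileAttributes]::Encrypted))"

# cipher /c lists the user certificate (and any recovery agents) able to
# decrypt this file: this is the binding to the user's identity.
cipher.exe /c $path

# A copy to a non-NTFS destination (FAT USB stick, share without EFS support)
# is written as plaintext, which is why EFS gives no protection in transit.
[System.IO.File]::Decrypt($path)
Remove-Item $path
```

Watch the `cipher /c` output: the thumbprint shown is the user's EFS certificate, and if that certificate and its private key are lost (profile deleted, password reset by an administrator), the file can no longer be opened even though it is still readable-looking on disk.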
BitLocker Drive Encryption
BitLocker is a data protection technology that locks your entire hard drive, operating system included, to protect your data from being stolen.
BitLocker To Go is the feature for encrypting portable storage devices.
It is installed as part of the operating system but has to be enabled separately.
A TPM (Trusted Platform Module) can be used with BitLocker to provide additional protection. The TPM is a hardware component, part of the motherboard, found in most new computer systems. It can create and store cryptographic keys on the chip itself instead of on the hard drive. The TPM also keeps an eye on the boot process and allows the drive to be unlocked only when it finds the expected boot sequence.
BitLocker can be installed on computers without a TPM, but they then have to be started with a USB start-up key. BitLocker can also require authentication before start-up: the PC will not boot until the user provides a personal identification number (PIN) or inserts a removable drive.
BitLocker Requirements
- BitLocker requires at least Windows 7 Enterprise or Ultimate edition.
- It requires a separate 100MB system partition, which is created automatically and has no drive letter assigned.
- It requires TPM 1.2, and the TPM sometimes has to be enabled in the BIOS first.
BitLocker Modes
- TPM only: no authentication is required to start the PC.
- TPM and PIN: a PIN is required to start the PC.
- TPM and USB: a USB drive is required to start the PC, as BitLocker stores the start-up key on it.
- TPM, USB key and PIN: the most secure BitLocker mode, as it requires both factors to start the PC.
- Without TPM, USB key only: used if the computer has no TPM chip. The computer can then be started only with the USB key.
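To see which of these modes a given machine actually runs in, the BitLocker and TrustedPlatformModule cmdlets that ship with Windows report the TPM state and the key protectors on the OS volume. The script below is an added example, not from the original article; it needs an elevated PowerShell prompt, and the table that maps protector types to the mode names in the list above is the author's own assumption about how they correspond.

```powershell
# Added example (not from the original article): report the BitLocker mode of
# this PC. Run elevated; the protector-type-to-mode mapping is an assumption.
$modeByProtector = @{
    'Tpm'              = 'TPM only (no authentication at start-up)'
    'TpmPin'           = 'TPM and PIN'
    'TpmStartupKey'    = 'TPM and USB start-up key'
    'TpmPinStartupKey' = 'TPM, USB key and PIN (strongest listed mode)'
}

# Is a TPM present and ready? Without one only the USB-key-only mode is possible.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# Status of the operating system volume (normally C:).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
"OS volume $($os.MountPoint): status=$($os.VolumeStatus) protection=$($os.ProtectionStatus) method=$($os.EncryptionMethod)"

$types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
"Key protectors: $($types -join ', ')"

$mode = $null
foreach ($t in $types) {
    if ($modeByProtector.ContainsKey($t)) { $mode = $modeByProtector[$t] }
}
# An ExternalKey protector on the OS volume with no TPM protector is the
# start-up key on a USB drive (assumption: the 'Without TPM' mode above).
if (-not $mode -and $types -contains 'ExternalKey') {
    $mode = 'Without TPM: USB start-up key only'
}
if ($mode) { "Pre-boot mode: $mode" } else { 'No pre-boot protector found; the volume is not protected at start-up.' }

# When the boot measurements change (firmware update, hardware swap) BitLocker
# locks the drive, and the recovery password is the way back in; warn if absent.
if ($types -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector on the OS volume; add and back one up before relying on this drive.'
}
```

On a machine with a TPM and no PIN the output will typically show the single `Tpm` protector plus a `RecoveryPassword`, which is the first mode in the list; adding a PIN changes the protector type to `TpmPin` rather than adding a second protector, so the script reports the last TPM-related type it finds.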