
To BitLocker or to Not BitLocker? – that’s a great question!

Thursday, November 19th, 2009

BitLocker, Microsoft’s disk encryption technology that comes with Windows 7 Ultimate, can throw the system admin into a boondoggle. Sure, it’s easy to just use what is “in the box” and call it a day. However, be prepared for a long…very long day in getting BitLocker deployed and managed.


Microsoft has traditionally added feature after feature to their products. But that doesn’t necessarily mean you have to use them (or, actually, should use them). Before we discuss BitLocker, think of the last time someone used the e-mail server that comes with Windows Server 2003 (yes, it really does come with a basic POP3 server). Ok, give up? That’s probably because most of the corporate world uses Microsoft Exchange. How about using Windows Servers as internet firewalls? Possible? Yes. Practical? No. Microsoft adds these features to help sell the core product. They can say “well, you don’t need a mail server. Server 2003 has one built-in”, even though we all know that the only purpose for it is to use it in some lab.


And here comes BitLocker. Yes, it can encrypt hard drives. Yes, it can encrypt USB flash drives. But before you pay the extra $19.99 per user for your corporate Windows 7 deployment first consider these limitations and facts about how BitLocker is deployed:


  • BIOS must be compatible with TPM version 1.2 and support USB device boot
  • Requires TPM chip
  • Requires TPM management snap-in configuration to save encryption key to a USB device
  • TPM PIN management (help desk must maintain a list of TPM PINs in case user forgets)
  • No complexity or content rules available for TPM PIN
  • No single sign-on (TPM PIN not related to AD auth info)
  • Admin rights needed to perform initial encryption
  • Requires management of TPM “owner passwords”
  • Requires you to maintain recovery keys that match the BitLocker keys created on each computer
  • Requires Active Directory Schema extensions to be installed on 2003 and 2008 servers (don’t you love “extending the schema”?)
  • Recovery options require a TPM PIN
  • No centralized reporting
  • Policies managed by GPOs (because they’re so easy to manage now)
  • No separation of duties – recovery codes stored in AD, propagated to all DCs.
  • No support for smart cards or tokens at pre-boot (cold boot and firewire-method HD attacks come to mind)
  • For USB encryption – recovery keys are not managed centrally – give user ability to “print out” recovery key or store it elsewhere in a file (no key management)
  • USB encryption -> USB drives encrypted with Windows 7 cannot be written to from non-Windows 7 machines
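Most of the items above can be verified on a test machine before you commit to a rollout. The following script is an added example, not code from the original post: it reports whether the TPM is present, enabled, activated and owned (and which spec version it is), which key protectors each volume actually has (a numerical recovery password is the one that has to be escrowed, and TPM+PIN is what puts a PIN in front of the user at pre-boot), and whether recovery information objects for this computer exist in Active Directory. It assumes an elevated PowerShell 2.0 or later prompt on Windows 7 or later, a domain-joined machine with read access to the msFVE-RecoveryInformation objects for the AD check, and the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows. The function names and the “Ready” thresholds are this example’s own choices; it never reads or prints a recovery password.

```powershell
# Added example (not from the original post): BitLocker pre-deployment readiness check.
# Assumes an elevated PowerShell 2.0+ session on Windows 7 or later.
$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'
$BdeNamespace = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Key protector type codes accepted by Win32_EncryptableVolume.GetKeyProtectors
$ProtectorTypes = @{
    1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword'; 4 = 'TPMAndPIN'
    5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey'; 7 = 'Certificate'; 8 = 'Passphrase'
}

function Get-TpmReadiness {
    # Reports TPM presence and state; the list above says a 1.2 TPM is required.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
            SpecVersion = $null; Ready = $false
        }
    }
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned
    # SpecVersion reads like "1.2, 2, 3" (or "2.0, 0, 1.16" on newer hardware)
    $version   = $tpm.SpecVersion
    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        SpecVersion = $version
        # "Ready" threshold is this example's own choice: enabled, activated, 1.2 or 2.0 chip
        Ready = ($enabled -and $activated -and ($version -match '^(1\.2|2\.0)'))
    }
}

function Get-BitLockerVolumeStatus {
    # One record per encryptable volume: protection state, encryption progress and
    # the protector types present. Protector IDs are listed, never the key material.
    $volumes = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    foreach ($vol in $volumes) {
        $conv = $vol.GetConversionStatus()
        $present = @()
        foreach ($code in $ProtectorTypes.Keys) {
            $ids = $vol.GetKeyProtectors($code).VolumeKeyProtectorID
            if (@($ids).Count -gt 0) { $present += $ProtectorTypes[$code] }
        }
        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            Protected           = ($vol.ProtectionStatus -eq 1)   # 0 = off, 1 = on, 2 = unknown
            EncryptionPercent   = $conv.EncryptionPercentage
            Protectors          = ($present -join ',')
            HasRecoveryPassword = ($present -contains 'RecoveryPassword')
            PreBootPinRequired  = (($present -contains 'TPMAndPIN') -or ($present -contains 'TPMAndPINAndStartupKey'))
        }
    }
}

function Test-RecoveryInfoEscrowed {
    # Confirms that msFVE-RecoveryInformation child objects exist under this computer's
    # AD object. Only counts them; the msFVE-RecoveryPassword attribute is never loaded.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $finder = New-Object System.DirectoryServices.DirectorySearcher
    $finder.Filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    $computer = $finder.FindOne()
    if (-not $computer) { return $null }   # not domain-joined, or computer object not found
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($computer.GetDirectoryEntry())
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter = '(objectClass=msFVE-RecoveryInformation)'
    [void]$searcher.PropertiesToLoad.Add('msFVE-VolumeGuid')
    [void]$searcher.PropertiesToLoad.Add('whenCreated')
    $found = $searcher.FindAll()
    New-Object PSObject -Property @{
        Computer = $ComputerName; EscrowedKeyCount = $found.Count; Escrowed = ($found.Count -gt 0)
    }
}

# Usage: run all three on each lab PC and compare against the list of requirements.
Get-TpmReadiness | Format-List
Get-BitLockerVolumeStatus | Format-Table Drive, Protected, EncryptionPercent, Protectors, HasRecoveryPassword, PreBootPinRequired -AutoSize
Test-RecoveryInfoEscrowed | Format-List
```

A volume that shows Protected = True but HasRecoveryPassword = False, or a computer for which Test-RecoveryInfoEscrowed reports Escrowed = False, is exactly the state the recovery-key items in the list above warn about: the drive is encrypted, but nobody holds a key the help desk can use. The AD query will return nothing unless the account running it can read the recovery objects, which by default only domain admins can, so run it from the account that would actually handle recovery requests.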


So after all the time you’ve spent just to get this far, you now have an encryption system that is Windows 7 specific. Are your legacy XP clients encrypted? No. The Macs in the marketing department? No. The Linux devices in development? No. Use a smart card or token at pre-boot? No. Can you write to USB drives encrypted with Win 7 on non-Win 7 machines? No. Is there separation of duties? Nope.


Before rolling out BitLocker, take into consideration not only the software limitations but also the time involved to learn the infrastructure needed to deploy it properly. Create a lab with several PCs and a server, do real-world testing, and see for yourself. BitLocker can be a great tool for personal use, or in a very small business (under 15 users). But beyond that…beware of the boondoggle.