Section 8.3. Encryption

BitLocker Drive Encryption

Encrypts entire drives so that data can't be read, even if your computer is stolen (available only with the Enterprise and Ultimate editions of Windows Vista).

To open

Control Panel [Security] BitLocker Drive Encryption

Description

BitLocker Drive Encryption, new to Windows Vista, is the best way to keep all of your files safe from others. It works even if you have a laptop and it's stolen. It's designed so that your laptop or PC won't even start up without your encryption key, so a thief will not even be able to boot your PC, much less read any of its files. BitLocker Drive Encryption encrypts all files on a drive, including those needed for startup and logon. By doing this, it ensures that a thief cannot start your system, log on to it, and then steal your encrypting password as a way to decrypt and read your files.

The EFS can encrypt individual files and folders, but it cannot encrypt an entire startup drive (Windows won't work if you encrypted the files needed for startup and logon).

BitLocker encrypts all new files you add to your protected drive. The files are encrypted only when they are stored on the drive you've encrypted. If you copy them to another drive or computer, they are automatically decrypted. Shared files are encrypted when they are stored on the encrypted drive, and any user who has access to BitLocker-protected shared files will be able to use them as she would normally.

To turn on BitLocker Drive Encryption, choose Control Panel [Security] BitLocker Drive Encryption (see Figure 8-20) and click Turn on BitLocker. Alternatively, you can choose Control Panel [Security] BitLocker Drive Encryption. Follow the wizard that appears for turning it on; the instructions are straightforward. Youll be prompted to save a startup key to a removable Universal Serial Bus (USB) device, unless you have the Trusted Platform Module (TPM) version 1.2 or higher. (See the next section, "BitLocker hardware requirements," for details.) From then on, you'll have to insert the USB device into your computer in order for it to start. In addition, you'll create a recovery key or password so that you can always unlock BitLocker, in case you have problems starting up your PC.

Make sure not to skip the step for creating a recovery key or passwordif you don't create one, you could lock up your PC so that you can't start it or recover any of your files.

Figure 8-20. Turning on BitLocker Drive Encryption

BitLocker hardware requirements

BitLocker has specialized hardware requirements, which means that you may not be able to use it. It stores its encryption and decryption key in a device separate from your hard disk. Because of this, you'll need one of the following in order to use BitLocker:

• A computer that has TPM version 1.2 or higher. (TPM is a microchip in some new computers that supports advanced security features.) If you have hardware with TPM 1.2 or higher, BitLocker Drive Encryption will store its key on the chip.

• A removable USB flash drive. In this case, BitLocker Drive Encryption will store its key on the removable drive. Keep in mind, though, that you'll need to have the removable drive attached to your computer in order to use BitLocker Drive Encryption.

  Although Microsoft mentions that you can use BitLocker if you have a USB flash drive, you do need to go through some steps to get this to work. See http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx for details.

  
  

Even if you have one of the two aforementioned devices, though, you may not be able to use BitLocker Drive Encryption. You'll also need to meet the following requirements:

• You must have at least two partitions on your hard diskone for the Windows Vista operating system (usually the C: drive), which BitLocker will encrypt, and another partition, which must remain unencrypted in order for your PC to start. This second partition needs to be both a primary partition and the active boot partition. If you have only one partition, you'll need to create a second one with these properties. As of this writing, the only way to do this is to perform a clean install of Vista and use "Repair Your Computer" to run diskpart.exe, then partition a small (at least 1.5 GB) primary and active partition that appears before your C: drive. Microsoft may release a tool in the future to repartition an existing drive.

• Your disk must be formatted with the NTFS filesystem. If it is formatted with FAT32, you can convert it to NTFS. See "FAT to NTFS Conversion Utility," in Chapter 11.

• You must have a BIOS that is compatible with the TPM and supports USB devices during computer startup. If you don't have one, you'll have to update the BIOS. If this is not the case, you will need to update the BIOS before using BitLocker.

Notes

• To find out whether your hardware supports TPM, check the BitLocker Drive Encryption page (shown in Figure 8-20). There should be a TPM administrator link in the left pane. If the link isn't there, you'll need a USB flash drive. However, in some instances, a BIOS problem may prevent the link from appearing, even if your hardware supports TPM. If you think your hardware supports TPM but don't see the link, check your documentation or the manufacturer's web site.

• If your PC doesn't support TPM but you have a USB flash drive, the BitLocker wizard will require that you create a startup key that will be stored on the drive.

• When your PC starts up and it's protected with BitLocker, BitLocker checks your hardware for potential security risksfor example, changes to startup files, BIOS changes, or disk errors. If this occurs, it will lock your drive. You'll need a BitLocker recovery key or password to unlock the drive. That's all the more reason to create a recovery key or password when you first turn on BitLocker.

See also

"Encrypting File System (EFS)" and "NTFS Encryption Utility," in this chapter, and "FAT to NTFS Conversion Utility," in Chapter 11

Certificate Manager: \windows\system32\certmgr.msc

Manages encryption and other certificates. See "Microsoft Management Console," in Chapter 10.

Encrypting File System (EFS)

Encrypt files and folders on NTFS drives (Business edition and higher only).

To open

Right-click a file or folder Properties General Advanced

Description

You use the Encrypting File System (EFS) to prevent unauthorized access to your data, and one of the features of the NTFS filesystem is its built-in support for automatic encryption of files and folders using "public key cryptography." NTFS encryption is invisible, and encrypted files are opened as easily as decrypted files. The difference is that other users, either those who access your computer remotely or those who also log in to your computer under a different user account, will not be able to open or read encrypted files on your system.

Right-click on any file or folder, select Properties, and then click the Advanced button. The "Encrypt contents to secure data" option (shown in Figure 8-21) is used to instruct Windows to encrypt the selected item. If a folder is selected, all of its contents will be encrypted (you'll be prompted about any subfolders); furthermore, any files added to that folder will be automatically encrypted as well.

Figure 8-21. Encrypting a file or folder

The names of encrypted files show up in Windows Explorer in green rather than in the default black. (Compressed files show up blue.)

Notes

• NTFS drives support both encryption and compression, but you cannot compress and encrypt a given file at the same time. If you attempt to encrypt a compressed file, Windows will first uncompress the file.

• When you move an encrypted file to a nonencrypted folder on an NTFS drive, the file will remain encrypted.

• If you encrypt some or all of the files on your drive and your hard disk crashes, or you encounter some other program that requires Windows to be reinstalled, you may not be able to access your previously encrypted files (assuming they're still intact). You can avoid this by using the /r parameter of the NTFS Encryption Utility to generate a "recovery agent key," a cryptographic key that you can use to unlock files in the event of an emergency. You should be able to use this key to subsequently gain access to your encrypted files when necessary. For more information, go to Start Help and Support and search for "cryptography." See "NTFS Encryption Utility," later in this chapter, for details.

• If you don't want encrypted files to show up in green, open Windows Explorer and choose Organize Folder Options View tab and uncheck the "Show encrypted or compressed NTFS files in color option.

See also

"NTFS Encryption Utility" and "BitLocker Drive Encryption"

NTFS Encryption Utility: \windows\system32\cipher.exe

View or configure the automatic file encryption on NTFS drives.

To open

Command Prompt cipher

Usage

 cipher [/e|/d|/c] [/b] [/s] [/a] [/f] [/q] [/h] [filename] cipher /k cipher /x [filename] cipher /r:efs_file cipher /w:dir cipher /u [/n] cipher /y cipher /adduser [/CERTHASH:hash | /CERTFILE:filename] cipher /removeuser /CERTHASH:hash cipher /rekey 

Description

The NTFS Encryption Utility is the command-line equivalent of encrypting files using Windows Explorer. (See the preceding section, "Encrypting File System (EFS)," for details.) However, it adds several powerful features not normally available through Explorer. It's also useful for automating the encryption or decryption of several files with the help of a batch file. The NTFS Encryption Utility takes the following options:

filename

Specifies a file, folder, or group of files (using wildcards) to compress or uncompress. Omit filename to act on the current directory.

/e

Encrypts the specified file(s). If a folder is specified for filename, the folder will be marked so that subsequent files added to it will be encrypted automatically. Include the /a parameter to encrypt files already in the folder and the /s parameter to act on subdirectories as well.

/d

Decrypts the specified file(s). If a folder is specified for filename, the folder will be marked so that subsequent files added to the folder will be decrypted automatically. Include the /a parameter to decrypt files already in the folder and the /s parameter to act on subdirectories as well.

/s

By default, if filename is a directory, the /e or /d option acts on the specified directory but not on any subdirectories. Include /s to include all subdirectories as well. Use the /a option to encrypt the files stored in these directories.

/a

Operates on files as well as folders. If folders and files are not both marked to be encrypted, it's possible for an encrypted file to become decrypted when it is modified if its parent folder is not encrypted.

/b

Aborts if an error occurs. Cipher normally continues to execute, even if it encounters errors.

/h

Includes files with hidden or system attributes set; otherwise, ignored by cipher.exe.

/k

Generates and displays a new file encryption key (certificate thumbprint) for the current user. You cannot use the /k option with any other options.

/r: efs_file

Generates an EFS recovery agent key and certificate, and then writes them to efs_file.pfx (containing the certificate and private key) and efs_file.cer (containing only the certificate). Because the /r option will automatically add the appropriate file extensions, all you need to specify are the path and file prefixes for efs_file. See "Notes," later in this section, for more information.

/w: dir

"Wipes" the drive containing the directory dir. When a file is deleted in Windows, only that file's entry in the filesystem table is deleted; the actual data contained in the file remains on the hard disk until it is overwritten with another file. Wiping a drive writes over all unused portions of the disk, possibly containing deleted files so that previously deleted data cannot be recovered. The /w option does not harm existing data, nor does it affect any files currently stored in the Recycle Bin. This is an extreme form of data security, and you should use it on a regular basis if security is a big concern.

/u

Updates all encrypted files on all local drives. Use /u to ensure that your file encryption key or recovery agent key is current. You cannot use the /u option with any other options, except for /n.

/n

Modifies /u so that encrypted files are only listed, not updated. Type cipher /u /n to list all the encrypted files on your system. You can use the /n option only in conjunction with /u.

/x

Backs up the EFS certificate and keys into a file. If efs_file is provided, the current user's certificate(s) used to encrypt the file will be backed up. If not, the user's current EFS certificate and keys will be backed up.

/y

Displays your current EFS certificate thumbnail.

/adduser

Adds a user to the specified encrypted file(s). If CERTHASH is provided, cipher will search for a certificate with the hash SHA1. If CERTFILE is provided, cipher will extract the certificate from the file.

/rekey

Updates the specified encrypted file(s) to use the configured EFS key.

/removeuser

Removes a user from the specified file(s). CERTHASH must be the SHA1 hash of the certificate.

If you run the NTFS Encryption Utility without any options, it will display the encryption settings for the current directory and all of its contents.

Notes

• If you encrypt some or all of the files on your drive and your hard disk crashes, or if you encounter some other program that requires Windows to be reinstalled, you may not be able to access your previously encrypted files (assuming they're still intact). You can avoid this by using the /r parameter to generate a "recovery agent key," a cryptographic key that you can use to unlock files in the event of an emergency. You should be able to use this key to subsequently gain access to your encrypted files when necessary. For more information, go to Start Help and Support and search for "cryptography."

• Although cipher.exe is available on the Home editions of Vista, it will return an error ("The request is not supported") if you try to encrypt a file with it.

See also

"BitLocker Drive Encryption"