BitLocker and AD, Together at Last

Around January 10, Microsoft released "Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information," a long-winded name for an executable file that's really a ZIP archive. This news is important because it's the final piece in the BitLocker puzzle.

BitLocker is the Windows Vista Enterprise and Vista Ultimate feature that lets you encrypt your entire C drive—an extremely useful feature for those of us who spend much of our lives walking around with laptops that contain important business and personal information. BitLocker uses an excellent encryption algorithm, the Advanced Encryption Standard (AES). You can use AES with either a 128-bit or 256-bit key. (I'd go with the 128-bit key, the default, unless you're walking around with the launch codes for the Peacekeepers on your laptop.) More important than the size of the encryption key, however, is the question of where it's stored—and where it's backed up. If the hardware that holds the key gets damaged, you no longer have access to your laptop, unless you've somehow backed up that key.

You can choose to store your BitLocker encryption key on a USB thumb drive, but that's only secure if you're meticulous about storing the thumb drive somewhere other than your laptop bag. I suspect that most people who use BitLocker will turn out to be owners of laptops equipped with a special chip called a Trusted Platform Module (TPM). Basically, it's a chip with a small amount of non-volatile memory that holds onto the BitLocker encryption/decryption key. Every time your system boots up, the TPM chip checks the measurements of the boot environment to ensure that it's sitting in the same, unmodified laptop as the day before and, if the TPM chip is satisfied, it coughs up the BitLocker key. Once Vista has that key, it can start decrypting sectors and your computer can boot up.

But what about when things go wrong? What if the TPM chip isn't feeling so well, or the USB thumb drive stops working? How do you get to your data? BitLocker gives you several ways to create a "back door" to your data. In the simplest method, you can just ask BitLocker to print out a 48-digit recovery key. Then, when you try to boot your BitLocker-encrypted laptop and the laptop can't get to the decryption key because of a failed TPM chip or a lost or damaged USB stick, BitLocker gives you the option to perform a recovery. One recovery option entails typing the 48-digit key, resulting in a successful system bootup. (Whenever I talk about this subject in my Vista class, someone always wryly suggests printing out the 48-digit key and taping it to the bottom of the laptop for the sake of convenience.) The 48-digit approach works, sure, but it's a pain in the neck, even in a small enterprise. Imagine having to maintain file cabinets full of BitLocker recovery keys for thousands or tens of thousands of computers in a large organization!

That's where Active Directory (AD) comes in. There's a Group Policy setting that you can enable for Vista that says, "If you want to use BitLocker to encrypt this computer's C drive, don't do it unless the computer's connected to AD, and store the BitLocker recovery keys in that computer's machine account in AD." It's a nice approach, and one that Microsoft has touted for the past year or so: Every BitLocker presentation I've ever seen has at least a few slides about BitLocker/AD integration.

There was, however, a fly in the ointment: Microsoft never actually released the programs necessary to make the integration possible. The company said it would deliver the programs by December 1, 2006, but that date came and went. That's why this new offering is such good news—more than five weeks late, but in this case, better late than never.

To make AD store BitLocker recovery keys, you must create some space in AD for those keys, which means modifying your AD schema. The recent download includes a file called BitLockerTPMSchemeExtension.ldf that performs this schema extension. The extension also relies on a feature that's new as of Windows Server 2003 Service Pack 1 (SP1)—confidential attributes—which lets AD store information in an object's attributes without making that information readable by every user in the enterprise.
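Once the schema has been extended and the Group Policy setting is in place, an administrator will want to confirm that the extension actually took, that the recovery password attribute is marked confidential, and that laptops are really backing up their keys. The following PowerShell script is an added example, not part of the column or of Microsoft's download; it assumes the ActiveDirectory module, read access to the schema and to the computer objects, and uses a placeholder OU (`OU=Laptops,DC=example,DC=com`) that you would replace with your own.

```powershell
# Added verification script (not from the original column). Assumes the
# ActiveDirectory PowerShell module; the class and attribute names are the
# ones the BitLocker schema extension creates. Recovery passwords themselves
# are deliberately never read or displayed here.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1. Is the schema extended? Look for the recovery-information class.
$class = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter "(lDAPDisplayName=msFVE-RecoveryInformation)"
if (-not $class) {
    Write-Warning "Schema not extended: msFVE-RecoveryInformation class is missing."
    return
}

# 2. Is the recovery password attribute confidential (searchFlags bit 128)?
#    Without this flag, anyone with generic read on the computer object
#    could read the 48-digit recovery password.
$attr = Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel `
    -LDAPFilter "(lDAPDisplayName=msFVE-RecoveryPassword)" -Properties searchFlags
$isConfidential = ($attr.searchFlags -band 128) -ne 0
"msFVE-RecoveryPassword marked confidential: $isConfidential"

# 3. Which computers actually have a recovery object backed up?
#    Recovery information is stored as a child object of the computer account,
#    so search one level below each computer's distinguished name.
# Placeholder OU: replace with the container that holds your laptops.
$laptopOU = "OU=Laptops,DC=example,DC=com"

Get-ADComputer -Filter * -SearchBase $laptopOU |
  ForEach-Object {
    $keys = @(Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter "(objectClass=msFVE-RecoveryInformation)" -Properties whenCreated)
    $newest = $keys | Sort-Object whenCreated | Select-Object -Last 1
    [pscustomobject]@{
        Computer     = $_.Name
        RecoveryKeys = $keys.Count      # 0 means no backup reached AD
        LastBackedUp = if ($newest) { $newest.whenCreated } else { $null }
    }
  } |
  Sort-Object RecoveryKeys, Computer |
  Format-Table -AutoSize
```

Computers that show zero recovery keys are the ones whose "back door" exists only on paper, or not at all, and are worth chasing before a TPM fails.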

If you're thinking about using BitLocker, I highly recommend that you get this download and read the accompanying Microsoft Word document. Then, it's time to start locking up those laptop hard disks!
