
BitLocker

About

Windows BitLocker Drive Encryption is a security feature that provides data protection for your computer by encrypting all data stored on the Windows operating system volume.

Enable BitLocker

  1. Verify that your machine meets the BitLocker hardware requirements.
  2. Back up your data before you encrypt your computer with BitLocker, using a backup tool such as CrashPlan.
  3. (Recommended for machines not in the Win Domain) Save your password using LastPass.
  4. (Optional) Encrypt an external drive. Not in the KB yet; refer to an external source.

FAQ

Do I need to encrypt my computer using BitLocker?

Currently, laptops and other portable storage devices (e.g. portable hard drives, USB memory sticks) that contain personal information requiring notification (PIRN) are required to be encrypted.

If you want to use BitLocker, check in first with your system administrator. Local IT policy may require additional safeguards to ensure that - should you leave MIT, be unavailable, or forget your password - someone from your business area can still access the important business files on the encrypted computer.

How does BitLocker protect my data?

How BitLocker works with operating system drives

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by:

  • Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap files and hibernation files.
  • Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.

BitLocker is integrated into Windows 7 and provides enterprises with enhanced data protection that is easy to manage and configure. For example, BitLocker can use an existing Active Directory Domain Services (AD DS) infrastructure to remotely store BitLocker recovery keys.

BitLocker offers no protection against malware (computer virus) infections. Users must maintain their operating system and practice good computing hygiene (applying patches and security updates, creating strong passwords, and staying away from dubious links and web sites).

BitLocker also does not encrypt email or attachments. Users must look to other tools for protecting data in transit, such as PGP Zip.

Is my computer protected when it is in sleep mode or when the screen saver is active?

Yes. BitLocker on operating system drives in its basic configuration (with a TPM but without advanced authentication) provides additional security for the hibernate mode. However, BitLocker provides greater security when it is configured to use an advanced authentication mode (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires BitLocker authentication. As a best practice, we recommend that sleep mode be disabled and that you use TPM+PIN for the authentication method.

If I change my Kerberos password, will my BitLocker password also change?

No, the two are not connected. Although you may have originally used your Kerberos password as your BitLocker password, if you change your Kerberos password later on, this does not also change your BitLocker password.

Can I share my password with Desktop Support?

You should not need to, and doing so may violate state laws that require you to protect personal information that is on your computer.

What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?

There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.

TPM owner password

Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.

Recovery password and recovery key

When you set up BitLocker, you must choose how access to BitLocker-protected drives can be recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot validate the boot components, the personal identification number (PIN) is forgotten, or the password is forgotten). In these situations, you must be able to supply either the recovery key or the recovery password to unlock the encrypted data on the drive. In Windows 7, the term "recovery key" is used generically to refer to both the recovery key file and the recovery password. When you supply the recovery information, you can use either of the following formats:

  • A recovery password consisting of 48 digits divided into eight groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard.
  • A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device.

PIN and enhanced PIN

For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the Configure minimum PIN length for startup Group Policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.

For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the Allow enhanced PINs for startup Group Policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.
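The following PowerShell script is an added example and is not part of this KB page or of Microsoft's documentation. It ties together the recommendations above: the TPM must be initialized before BitLocker is enabled, the OS drive should use TPM+PIN rather than TPM only, a 48-digit recovery password should exist and (on domain machines) be backed up to AD DS, and sleep should be replaced by hibernation. It reports the current state, and with -Apply it makes the changes using the built-in manage-bde and powercfg tools. The Win32_Tpm and Win32_EncryptableVolume WMI classes, the key-protector type codes, and the MinimumPIN / UseEnhancedPin policy value names are assumptions from my own knowledge of the platform, not values taken from this page.

```powershell
# Added example: audit the BitLocker configuration of the OS drive and, with
# -Apply, remediate it. Run from an elevated Windows PowerShell prompt.
# Protector type codes and policy value names are assumptions, not from the page.
[CmdletBinding()]
param(
    [string]$MountPoint = 'C:',
    [switch]$Apply          # without -Apply the script only reports
)

# Win32_EncryptableVolume.GetKeyProtectors() type codes (assumed from MS docs)
$ProtectorNames = @{
    1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'RecoveryPassword'; 4 = 'TPM+PIN'
    5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'; 7 = 'Certificate'; 8 = 'Passphrase'
}

function Get-TpmState {
    # Mirrors the "TPM owner password" section: the TPM must be enabled,
    # activated and owned before BitLocker can use it.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-EncryptableVolume([string]$Drive) {
    Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
}

function Get-VolumeProtectors([string]$Drive) {
    $vol = Get-EncryptableVolume $Drive
    if (-not $vol) { throw "No encryptable volume found for $Drive" }
    $status = $vol.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $present = @()
    foreach ($code in $ProtectorNames.Keys) {
        if ($vol.GetKeyProtectors($code).VolumeKeyProtectorID) { $present += $ProtectorNames[$code] }
    }
    [pscustomobject]@{ Drive = $Drive; ProtectionOn = ($status -eq 1); Protectors = $present }
}

function Get-PinPolicy {
    # "Configure minimum PIN length for startup" and "Allow enhanced PINs for
    # startup" are stored under the FVE policy key (value names assumed).
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MinimumPin  = if ($p -and $p.MinimumPIN) { $p.MinimumPIN } else { 4 }   # 4 is the default
        EnhancedPin = [bool]($p -and $p.UseEnhancedPin)
    }
}

$tpm = Get-TpmState
$vol = Get-VolumeProtectors $MountPoint
$pol = Get-PinPolicy
$tpm, $vol, $pol | Format-List

$findings = @()
if (-not $tpm -or -not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) { $findings += 'TPM is not initialized (no owner password set)' }
if ($vol.Protectors -notcontains 'TPM+PIN')          { $findings += 'OS drive does not require a PIN at startup' }
if ($vol.Protectors -notcontains 'RecoveryPassword') { $findings += 'no 48-digit recovery password protector' }
if (-not $pol.EnhancedPin)                            { $findings += 'enhanced PINs are not allowed by policy' }
if (-not $Apply) { Write-Output 'Findings:'; $findings; return }

# Remediation, in an order that never leaves the drive without a recovery path.
powercfg /hibernate on                    # make hibernate available ...
powercfg /change standby-timeout-ac 0     # ... and never auto-sleep on AC
powercfg /change standby-timeout-dc 0     # ... or on battery
if ($vol.Protectors -notcontains 'RecoveryPassword') { manage-bde -protectors -add $MountPoint -RecoveryPassword }
if ($vol.Protectors -notcontains 'TPM+PIN') {
    if ($vol.Protectors -contains 'TPM') { manage-bde -protectors -delete $MountPoint -type TPM }   # one TPM-based protector at a time
    manage-bde -protectors -add $MountPoint -TPMAndPIN                                             # prompts for the PIN
}
# Back up every recovery password to AD DS (domain-joined machines only).
foreach ($id in (Get-EncryptableVolume $MountPoint).GetKeyProtectors(3).VolumeKeyProtectorID) {
    manage-bde -protectors -adbackup $MountPoint -id $id
}
if (-not $vol.ProtectionOn) { manage-bde -on $MountPoint }
```

Save it as, for example, Audit-BitLocker.ps1 and run `.\Audit-BitLocker.ps1` to see the findings, then `.\Audit-BitLocker.ps1 -Apply` to remediate. The recovery password is added before the TPM-only protector is swapped for TPM+PIN so the drive is never left without a recovery path, and the AD DS backup step simply fails on a machine that is not in the Win Domain, which is the case the page covers by recommending LastPass instead. Get-WmiObject is a Windows PowerShell cmdlet; on PowerShell 7 replace it with Get-CimInstance and Invoke-CimMethod.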

See the MS Technet FAQ for help with additional questions not listed here.

Troubleshooting

How to...

Users in need of further assistance can contact the Help Desk at 617.253.1101, helpdesk@mit.edu, or by submitting a request online (http://ist.mit.edu/support).
