Whole Disk Encryption (WDE) is good security for your data

Whole Disk Encryption (WDE) is the technology to encrypt the entire drive of a computer to prevent unauthorized access to the data on the drive.

WDE is required for laptops used by many organizations such as government, health care, finance and business.

WDE is good for anyone who wishes to securely protect their data.

All Operating Systems and all drives can be encrypted with built in software or add on software.

This document is about encrypting the computer’s system drive so that a password is required to boot and access any data on the drive.  This document covers Windows (BitLocker and alternatives), Mac and Linux WDE.

Note that WDE adds an additional layer of security by encrypting the entire system disk, separate from your computer’s logon account (username and password).  You will have 2 passwords (also known as keys) to manage.  Depending on how WDE is installed, you may or may not be prompted for the WDE key at boot.

Windows

Microsoft calls their WDE solution BitLocker and it is available in some versions of Windows.  The Home versions do not have BitLocker.  BitLocker is available with the following versions of Windows:

  • Windows Vista Ultimate and Enterprise (not Business)
  • Windows 7 Ultimate and Enterprise (not Professional)
  • Windows 8.1 Pro and Enterprise
  • Windows 10 Pro and Enterprise

If you have a Home version of Windows or a version not listed above you are out of luck with BitLocker unless you want to upgrade to an available version that does have BitLocker.   Windows 7 and 8.1 Anytime Upgrades apparently are no longer available from Microsoft.  Windows 10 Home to Pro is available for 99USD (Click Start > Settings > Update & security > Activation > Go to store to see options).  Windows Pro full version or OEM can be found for 199USD or less.  Don’t buy cheap licenses from questionable sources.

Fortunately there are some non-Microsoft WDE solutions available discussed later.

BitLocker is designed for business class and enterprise computers with a Trusted Platform Module (TPM) and loaded with a Pro or Enterprise version of Windows that contains BitLocker.  Business class computers are built more durable, have a TPM and are more expensive than home computers and laptops.

The TPM is a hardware module that performs cryptography functions and interacts with the computer hardware and software to strengthen encryption.

If you are encrypting your business laptop, let your IT department help you.

BitLocker with a TPM is straightforward to install and invisible to the user.

There are workarounds for Windows computers without a TPM.

For the home or small business user you can enable BitLocker with or without a TPM.  BitLocker without a TPM requires a USB drive with the key file stored on it or typing in the lengthy key when the PC boots.

Here are my experiences with BitLocker without a TPM and with a USB drive:

The PC must recognize the USB drive in BIOS during the boot to work with BitLocker.  A wonky USB drive (i.e. partition issues) can prevent BitLocker from installing or working.  After a successful encryption with BitLocker, the booting PC will present you with a black screen saying “Remove disks or other media.  Press any key to restart”.  I found this message confusing.  Don’t remove your USB drive with the key file, just press Enter.

The USB drive can be removed after booting to free the USB port.  The USB drive with the key file must be plugged into a PC USB port, not a USB hub port.  There are reports that direct motherboard USB ports and not USB 3.0 ports are better so if you have issues, try a different USB port.

How to enable BitLocker with a USB drive

First you need to change two settings with the Local Group Policy Editor.  Click Start and type gpedit.msc in the search box.  In the Local Group Policy Editor snap-in, navigate the tree Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, then double click Require additional authentication at startup.  This will open a window; click Enabled, check the box Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive), then click Apply, then OK, and exit the Group Policy Editor.

Local Group Policy Editor – BitLocker require additional authentication at startup – screen

Next we will use the Manage BitLocker utility to encrypt the drive.  Click Start, type in BitLocker and click on Manage BitLocker.  Here you’ll see your C: drive.  Click the link Turn on BitLocker and follow the prompts.  See BitLocker resources below.

BitLocker Drive Encryption – manage BitLocker

The Run BitLocker system check always puts me in a loop so I uncheck that box when I see it.

BitLocker Windows 7 Ultimate in the process of encrypting the system drive.
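The same procedure (policy change, turn on BitLocker with a USB startup key, skip the system check) can be scripted with the BitLocker PowerShell module that ships with Windows 8.1 and 10 Pro/Enterprise (Windows 7 has only manage-bde).  The script below is an added example written for this post, not the author’s steps or Microsoft’s documentation.  It assumes the USB drive is mounted as E:\ and that PowerShell is run as administrator; the registry values it writes under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the “Require additional authentication at startup” policy sets when you click through gpedit.msc.

```powershell
# Added example: enable BitLocker on the system drive with a USB startup key plus a
# recovery password, using the BitLocker module (Windows 8.1/10 Pro or Enterprise).
# Run from an elevated PowerShell.  E:\ is an assumed drive letter for the USB stick.
#Requires -RunAsAdministrator
$SystemDrive = "C:"
$UsbDrive    = "E:\"   # assumption: the USB drive that will hold the startup key (.BEK file)

# 1. Policy: allow BitLocker without a compatible TPM.  These are the values that the
#    "Require additional authentication at startup" policy in gpedit.msc writes.
$Fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $Fve -Force | Out-Null
New-ItemProperty -Path $Fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Fve -Name EnableBDEWithNoTPM -Value 1 -PropertyType DWord -Force | Out-Null
foreach ($Name in "UseTPM", "UseTPMPIN", "UseTPMKey", "UseTPMKeyPIN") {
    # 2 = "Allow" for each TPM-based protector combination
    New-ItemProperty -Path $Fve -Name $Name -Value 2 -PropertyType DWord -Force | Out-Null
}

# 2. Report whether a TPM is present; with one present and ready you would normally
#    use -TpmProtector instead of a startup key.
$Tpm = Get-Tpm
if ($Tpm.TpmPresent -and $Tpm.TpmReady) {
    Write-Host "A ready TPM was found; a USB startup key is optional on this machine."
}

# 3. Add the 48-digit numerical recovery password first, so the drive can still be
#    unlocked if the USB drive is lost.
Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector | Out-Null

# 4. Turn on BitLocker with a startup key written to the USB drive.
#    -SkipHardwareTest is the scripted equivalent of unchecking "Run BitLocker system check".
#    Aes256 works on both 8.1 and 10; XtsAes256 needs Windows 10 1511 or later.
Enable-BitLocker -MountPoint $SystemDrive -StartupKeyProtector -StartupKeyPath $UsbDrive `
    -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null

# 5. Verify: the drive should now list a StartupKey and a RecoveryPassword protector,
#    and encryption progress should be climbing in the background.
$Vol = Get-BitLockerVolume -MountPoint $SystemDrive
$Vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
"{0} is {1}, {2}% encrypted" -f $Vol.MountPoint, $Vol.VolumeStatus, $Vol.EncryptionPercentage
```

Before rebooting, confirm the .BEK file actually exists on the USB drive and that the RecoveryPassword protector is listed; a missing startup key with no recovery password leaves the drive unbootable and unrecoverable.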

BitLocker resources

SecureDoc by winmagic.com is a WDE solution for all versions of Windows, does not require a TPM and is FIPS 140-2 certified. The standalone/unmanaged version is about 110USD.

There are free WDE solutions for Windows that do not require a TPM and are secure.

VeraCrypt is a fork of TrueCrypt.

TrueCrypt is still used even though support has been discontinued.  A recent independent audit of the code found it sound.

Mac

WDE is available on Mac computers with OS X Lion or later.  It is called FileVault.

https://support.apple.com/en-us/HT204837

Linux

WDE is available in modern Linux distributions and can be easily enabled during the installation of Linux on the computer.  It is called Linux Unified Key Setup (LUKS) and dm-crypt.

TrueCrypt is still used even though support has been discontinued.  A recent independent audit of the code found it sound.

DiskCryptor – full disk encryption only.  I have no experience with this product.

Don’t lose or forget your keys and passwords!

Forgetting or losing your passwords or keys can result in total loss of your data!  In an enterprise situation, your IT department can help recover passwords.  But in a standalone, unmanaged situation where you own your personal computer, losing passwords can be a disaster.  Encrypted data cannot be recovered without the key.  That is why it is encrypted.

Always backup your data before encrypting.

Always make copies of your WDE key.  The BitLocker recovery key is a 48-digit number.  It is stored in a file on the USB drive for easy unlocking during booting.  If you don’t have the USB drive you can manually type in the key to unlock during booting.

Make copies of the USB drive with the key file, make copies of the file, print the file and/or store it at your Microsoft account, whatever works for you.

A BitLocker key file. The identification ID identifies the computer this recovery key is for (useful if you have multiple computers protected by BitLocker).
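One way to make the copies the paragraph above recommends is to write the recovery password and its identifier to a text file that can be printed or kept on a second USB drive.  The script below is an added example, not part of the original post; it assumes BitLocker is already on for C: with a recovery password protector (as the Manage BitLocker wizard creates) and that E:\BitLockerBackup is a removable drive you have chosen for the copy.

```powershell
# Added example: copy each BitLocker recovery password for C: into its own text file,
# named by the protector Identifier (the "Identification ID" in the key file), and
# read the file back to confirm all 48 digits were written.  Run elevated.
#Requires -RunAsAdministrator
$SystemDrive = "C:"
$OutDir      = "E:\BitLockerBackup"   # assumption: a USB drive or other removable media

$Vol = Get-BitLockerVolume -MountPoint $SystemDrive
$Recovery = $Vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
if (-not $Recovery) {
    throw "No recovery password protector on $SystemDrive. Add one with: Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector"
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($Protector in $Recovery) {
    # The Identifier is what the blue recovery screen shows at boot, so a file per
    # identifier tells you which copy belongs to which computer/drive.
    $Id   = $Protector.KeyProtectorId -replace '[{}]', ''
    $File = Join-Path $OutDir "BitLocker Recovery Key $Id.txt"
    @(
        "BitLocker Drive Encryption recovery key (copy made $(Get-Date -Format s))",
        "Computer:      $env:COMPUTERNAME",
        "Drive:         $SystemDrive",
        "Identifier:    $($Protector.KeyProtectorId)",
        "Recovery Key:  $($Protector.RecoveryPassword)"
    ) | Set-Content -Path $File -Encoding ASCII

    # Verify the copy: the line must contain exactly 48 digits or the file is useless.
    $KeyLine = Get-Content -Path $File | Where-Object { $_ -like 'Recovery Key:*' }
    $Digits  = $KeyLine -replace '[^0-9]', ''
    if ($Digits.Length -ne 48) { throw "Copy at $File is incomplete (got $($Digits.Length) digits)." }
    Write-Host "Saved and verified $File"
}
```

Keep the printed or copied file somewhere other than the laptop bag: a recovery password stored next to the encrypted drive gives the encryption away to whoever takes the bag.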

Safeguards for keys.

Windows

Microsoft Enterprise networks and commercial WDE software for Windows Enterprises can be configured to store WDE passwords so the data can be accessed if the user forgets the password.

See the information in the section above “Don’t lose or forget your keys and passwords!”

When you are logged on to a Windows PC with BitLocker enabled, the key information can be displayed by the command (run as administrator) “manage-bde -protectors c: -get”

Demonstrating the command to reveal the ID and Password for WDE. This will unlock WDE but you still need your computer account credentials to log on.

Mac

Mac FileVault can be recovered with a password or recovery key.  Recovery can be configured with an iCloud account to assist with disk unlocking. https://support.apple.com/en-us/HT204837

Linux

VeraCrypt and TrueCrypt both require that you burn a rescue disk CD during system drive WDE which will help recover damaged boot loaders but you still must know your account password.

How secure is WDE?

Windows BitLocker is closed source software so we don’t know exactly how it works and if it has a back door.  There is a driver available that allows Linux to read a BitLocker drive and that makes me wonder about the security of BitLocker – if these people could reverse engineer or figure out the API for BitLocker, what else is known?  http://www.hsc.fr/ressources/outils/dislocker/

SecureDoc is closed source.

TrueCrypt is open source and has passed audit. http://www.pcworld.com/article/2905995/truecrypt-audit-shows-no-sign-of-nsa-backdoors-just-some-minor-glitches.html

VeraCrypt is open source.

Who knows what the NSA can do.

Notes

WDE programs can also encrypt other drives and USB drives.

FIPS 140-2 is a Federal Information Processing Standard that is used to approve and certify cryptographic modules including WDE.  Organizations may require that hardware and software is FIPS 140-2 certified.



2 Responses to Whole Disk Encryption (WDE) is good security for your data

  1. mani deep says:

    Having support for data-at-rest encryption is awesome, but I have to admit I’m a bit puzzled on how to get a viable backup strategy with encryption in place as xtrabackup won’t work with it enabled.
    Can someone advise on a good way to implement hot backups with encryption enabled?

  2. I am very appreciative of this website. Thank you so much for offering all of this information, it has been very helpful and I have been referring to it every day! I have created my own website, please visit my site.
