Chat Topic: BitLocker Feature Focus Chat
Date: Friday, April 28, 2006
Wendy [MSFT] (Moderator):
Welcome to today's chat with the BitLocker Team. Today's talk is on BitLocker. BitLocker Drive Encryption gives you stronger security on your Windows Vista systems, even when the system is in unauthorized hands or is running a different or exploiting OS. Secure Startup does this by preventing a thief who boots another OS or runs a software hacking tool from breaking Windows Vista file and system protections, or even from offline viewing of the files that make up the OS itself.
For those just joining us, today’s chat is about the Print Management Console Team. To post a question, please type your question, select the “Ask the experts” check box, and click “Send.” That way, we can track which questions we still need to answer.
At this time, I’ll let the experts introduce themselves.
Jamie [MS] (Expert):
Hi, my name is Jamie. I'm the senior software engineer for the BitLocker Drive Encryption feature's core functionality.
Wendy [MSFT] (Moderator):
Hi Everyone! My name is Wendy and I just recently joined the Longhorn/Windows Vista team. Previously I was part of the R2 and MSN 9.0 Beta Teams. My job is to see that you BTs get what you need to have the best beta experience ever and we’ve got some great things brewing! Looking forward to seeing lots of great questions from you!
bill [ms] (Expert):
Bill, User Experience PM for BitLocker. My responsibilities include UI and documentation. My goal is to make BitLocker as straightforward and useful as possible.
Wendy [MSFT] (Moderator):
We will try to answer as many questions as we can today. Participants should type their questions, select the "Ask the experts" check box, and click "Send." Those posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. (To confirm: if you selected the "Ask the experts" check box when you posted, you don't need to resubmit.)
bill [ms] (Expert):
Q: Can I encrypt an external USB drive?
A: No. BitLocker encrypts the OS volume.
Austin [MSFT] (Expert):
Hi, I'm Austin, a Director in the Windows Client group at Microsoft. I own product management for Windows Vista security and compliance features.
Austin [MSFT] (Expert):
Q: Can we get a quick overview of BitLocker as a starting item, please
A: BitLocker provides full volume encryption and helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows Vista file and system protections or performing offline viewing of the files stored on the protected drive. More details, including whitepapers, are at
http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx
bill [ms] (Expert):
Q: What sort of performance considerations are there when using BitLocker?
A: We are pulling together numbers. There are a number of variables, so our best answer at this point is about a 10% hit.
Jamie [MS] (Expert):
Q: Is there a limit on the amount of data that can be encrypted?
A: The only limit to how much can be encrypted is the limitation on how big an NTFS volume can be. I'm not sure offhand what that upper limit is.
Erik [MSFT] (Expert):
Hello! My name is Erik, and I'm a Lead Program Manager on the BitLocker Team. I manage development of BitLocker features, resources, and schedules.
Wendy [MSFT] (Moderator):
As a reminder, for those of you who may not be able to stay for the entire chat, we will have a transcript posted on Connect.
Austin [MSFT] (Expert):
Q: Will BitLocker be supported as a part of Vista or as an individual application?
A: BitLocker is part of the Enterprise and Ultimate versions of Windows Vista. It is not a standalone product.
bill [ms] (Expert):
Q: Our biggest concern with laptop encryption is how we unlock the laptop when the user forgets their key when they reach their destination. How does Bitlocker handle this?
A: Keys are valuable because they are secure. If a user loses their PIN, they can call in for their recovery password; this could be handled as a helpdesk phone call. PINs, like all PINs, should be personal and memorable to the user, as they will be using it each time they start the machine.
Jamie [MS] (Expert):
Q: In a no-boot scenario, such as hardware failure, will Bitlocker have recovery tools available to IT pros in Vista and, hopefully, downlevel OSes?
A: BitLocker provides a WMI interface to perform various administrative functions for management and recovery. A tool exists called "manage-bde.wsf" that uses this interface. A subset of functionality works on WinPE and the Windows DVD (recovery) to unlock a volume, disable the volume and decrypt a volume. A USB based key or recovery key is required for access to a volume via a recovery OS.
bill [ms] (Expert):
Q: I want to know the recovery methods available for BitLocker. Would you mind giving some intro on it? Thanks!
A: The recovery method is established when the volume is encrypted. It is the user's choice: recovery password and/or recovery password key (a machine-readable file stored on USB). These need to be presented in case of BitLocker recovery.
Wendy [MSFT] (Moderator):
For those just joining us, today’s chat is with the BitLocker Team. To post a question, please type your question, select the “Ask the experts” check box, and click “Send.”
Austin [MSFT] (Expert):
Q: This is not an explicit BitLocker question, but will Vista allow the use of the TPM part in versions other than Ultimate and Enterprise?
A: Yes, Vista includes a TPM v1.2 driver, and TPM-based services that virtualize access to the TPM, in all versions.
Jamie [MS] (Expert):
Q: How does BitLocker work with hot swapping RAID drives?
A: BitLocker works at the logical volume level (technically, above the volume management driver). As long as the hardware presents a logical volume to the OS that is handled by volume management, BitLocker should have no problems with it. Although at this time we have not tested hot-swapping RAID drives, I don't foresee an issue with this.
bill [ms] (Expert):
Q: I have been evaluating BitLocker for my organization, and the only way I can get Vista to authenticate the USB drive is by having the install DVD in the drive. This is on three different computers and three different USB flash drives. What am I missing?
A: BitLocker relies on the PCRs as part of its early authentication. If a machine has been started with a bootable DVD, the PCR values will be different if the DVD is not present at boot. We recommend that you create a BitLocker drive from a boot without a bootable CD/DVD present. Otherwise it will (as you have found) require that the CD/DVD always be present.
Austin [MSFT] (Expert):
Q: Can removable media (SD cards, flash drives, etc.) be encrypted with BitLocker?
A: No, however, you can use EFS to encrypt removable media in Windows Vista. The EFS keys will be stored on the BitLocker-protected volume.
bill [ms] (Expert):
Q: Which is the key that can be stored in a smartcard or USB, the TPM or the VMK key?
A: Startup or recovery password keys can be stored on the USB. Smartcards are not supported.
Jamie [MS] (Expert):
Q: Also, are there any fundamental differences between x86 and x64 versions of BitLocker?
A: There are no differences between these two architectures as far as BitLocker is concerned.
Austin [MSFT] (Expert):
Q: Which type of encryption method does BitLocker use? (AES, RSA, other?)
A: We use AES 128 or 256 encryption (you can select either one).
bill [ms] (Expert):
Q: If you can only encrypt the OS volume, what is the advantage? Don't most of us put the actual data we want to encrypt on a different volume?
A: The OS volume contains the system keys and user passwords.
Jamie [MS] (Expert):
Q: If a user should lose the ability to boot their BitLocker Encrypted system will there be any methods to recover their data?
A: See my earlier answer on recovery. The easiest way is to boot the Windows DVD; past the first dialog, there is an option you can click for recovery. When recovering an encrypted volume you will be prompted for recovery credentials (the password, or the USB thumb drive). You can also use the manage-bde.wsf script to unlock / disable / decrypt the volume given the recovery credentials. Without the recovery credentials, the volume cannot be unlocked or decrypted.
Wendy [MSFT] (Moderator):
Q: Is there any universal key for all drives in the world?
A: Yes and I have it... <g>
But in all seriousness, no there is not a universal key.
Erik [MSFT] (Expert):
Q: Will BitLocker allow a user to set time-expiring keys to allow temporary access to encrypted data?
A: BitLocker does not have a feature for creating keys that expire with time. It would require considerable effort to mitigate attacks against any time service in the pre-OS environment.
Wendy [MSFT] (Moderator):
For those just joining us, today’s chat is with the BitLocker Team. To post a question, please type your question, select the “Ask the experts” check box, and click “Send.”
bill [ms] (Expert):
Q: If the TPM chip fails, is all the data non-recoverable?
A: If you have the recovery password you can recover the data. If your motherboard dies, TPM or not, the hard disk can be moved to another computer and recovered with the recovery password.
bill [ms] (Expert):
Q: Are all settings controllable via GPO?
A: Yes, but that would need to be qualified with what ALL means.
Jamie [MS] (Expert):
Q: What do you guys say to the reports about BitLocker making dual booting difficult?
A: As with any file and disk encryption product, it is by design that an encrypted partition cannot normally be seen by any OS (Windows or otherwise) on another partition. I am sure that when technical information about the BitLocker data format is published, there will be a number of implementations written to allow access to the volume from other OSes given the recovery credentials, in the same manner other OSes can read Encrypted NTFS.
bill [ms] (Expert):
Q: Is Bitlocker limited to only encrypting the OS partition, or can it do all partitions?
A: OS partition only. BitLocker has utilities to unlock (through the recovery password) a foreign volume.
Austin [MSFT] (Expert):
Q: Please make sure that BitLocker always reminds users that if they lose the recovery key and the unlock code, that will mean that their data is irretrievably lost - already, too many EFS users complain that they can't get at their data.
A: Yes, we definitely want to make sure that users don't inadvertently turn on BitLocker and lose their data. In an enterprise, there is a policy setting to require recovery key escrow to Active Directory before the feature can be enabled. If the recovery key can't be written to AD, the drive won't be encrypted. In a consumer (Ultimate version) environment, we're working to get an online key escrow solution in place. Regardless, when you walk through the setup wizard, we require recovery key backup to either USB flash or another removable device, a folder or file share, or a printout. That key can be used to recover the drive if a user forgets their login password or needs to pull the hard drive out and put it in another machine.
bill [ms] (Expert):
Q: Can there be different sets of keys (i.e. one key for read access, one key for write access), etc.?
A: Keys are not read/write; they are used to open the volume.
Jamie [MS] (Expert):
Q: If I lose the key and password... what happens?
A: If all keys and passwords are lost, the volume is, by design, inaccessible. To provide any means around this would provide a means for someone to break into BitLocker and would make the functionality moot. It is important therefore to maintain (1) controlled backups of keys and (2) controlled backups of the data. In particular, backing up the data is important in case, for example, the laptop/computer is stolen.
Erik [MSFT] (Expert):
Q: Will bitlocker encryption be a problem if a given volume is backed up with the use of imaging software? And then the image is placed for recovery purposes?
A: It depends on how the backup software works. If the backup software accesses the disk from above the volume snapshot driver in the disk driver stack and the disk is unlocked, then the backup will be unencrypted. If the backup software calls into the disk driver stack at or below the volume manager driver, the backup will contain only encrypted data.
bill [ms] (Expert):
Q: Does BitLocker use the TPM?
A: Yes TPM 1.2 is used by BitLocker.
Austin [MSFT] (Expert):
Q: Will BitLocker be presented as an install option to average users or will it only be presented in laptop/enterprise situations? How will BitLocker be presented (that is, how likely is Grandma to install it)?
A: It will not be likely that Grandma will discover BitLocker and turn it on for fun. She'll need to be running the Ultimate version of Windows Vista, and then she'd need to go to control panel - bitlocker. Then she'd need to walk through the wizard to enable it. There is no active prompt for the user to turn on BitLocker, either during setup or first login.
bill [ms] (Expert):
Q: Is there a list of improvements between build 5365 and Vista Beta 2? If yes, which points are improved?
A: Yes, we will work on a list. Most people have downloaded it this week and found bugs we have now taken care of; not sure this will be posted as a list.
Jamie [MS] (Expert):
Q: Does BitLocker live above, or below, software-based RAID? What does this positioning allow / prevent?
A: BitLocker sits between the "Volume Snapshot" and "Volume Management" drivers. Software and hardware RAID sits (normally) below the "Volume Management" driver in the logical disk stack, and so such volumes are seen by BitLocker as a logical volume and can be used by BitLocker. Issues can occur if a filter driver that expects to see an NTFS volume sits below the BitLocker filter driver. Such filter drivers should be inserted either just above "Volume Snapshot" or just below "Volume Snapshot".
bill [ms] (Expert):
Q: Hi, is there any hardware list where I can find TPM-ready hardware?
A: Visit your favorite OEM's website.
Austin [MSFT] (Expert):
Q: Surely an online escrow service will have all the conspiracists crying out "we don't wanna MS having access to our data". How do you plan to appease them?
A: Any online escrow will be completely optional. It's just another way to archive keys along with USB flash, file share, printing it out, etc.
Jamie [MS] (Expert):
Q: How does this affect the use of boot CDs (like BartPE and ERD Commander), for example if the person needs to boot from a "clean CD" in order to remove viruses and other malware? (In the event that the person takes the computer to a repair shop.)
A: BitLocker scenarios that use the TPM must use a boot chain that boots from a TPM aware BIOS to a TPM aware MBR on a hard disk. At this time, booting off a CD using the TPM is not supported, but may be considered in a future version of the product.
Austin [MSFT] (Expert):
Q: Austin, then how will it be possible to implement BDE without the user going through the wizard? Many users are not that tech savvy. Is BDE scriptable in any way?
A: Yes, it will. We have full WMI support for BitLocker. Enabling the feature can be completely scripted.
Wendy [MSFT] (Moderator):
Before you leave the chat, don’t forget to let us know how we’re doing! To the right of your emoticon pull-down box is a “Chat Feedback” option. If you don’t feel the chat was helpful, please ensure that you provide verbose comments on why you didn’t feel it was helpful and what we can do to improve the experience for you!! If you would like to provide more feedback than the 1000 characters will allow, feel free to eMail us at LHBeta@microsoft.com
Erik [MSFT] (Expert):
Q: For the enterprise scenario, where would the recovery keys be stored? In AD?
A: We recommend that enterprises use AD to store their recovery passwords. But there are other methods to back up recovery data, such as USB keys, printouts, or file shares.
bill [ms] (Expert):
Q: What kinds of devices will be able to contain the key for the drive (smartcard, USB key, Active Directory, proprietary)?
A: Startup keys (keys set to be required at startup) will need to be on USB devices. Keys are files, so they can be stored and transported on any media. Recovery passwords can easily be stored to Active Directory.
Jamie [MS] (Expert):
Q: How would a mobo prevent the installation of an OS and BitLocker as well?
A: A PC motherboard by design does not prevent the installation of an OS. BitLocker does nothing to prevent an installation of an additional OS. A Motherboard with a TPM disabled will prevent BitLocker being enabled in TPM mode.
bill [ms] (Expert):
Q: Do you plan on creating an add-in for XP and/or 2000 so encrypted drives can be opened/modified from XP and/or 2000?
A: No. BitLocker is a Vista Ultimate/Professional-only feature.
Wendy [MSFT] (Moderator):
Q: Will my Q's be answered :)
A: We will try to answer as many questions as we can today. Our experts are typing as fast as they can!
Wendy [MSFT] (Moderator):
Today's first "Best Question" goes to Mark Sulmon for asking "Worst case scenario: a bug, backdoor or any other loophole allows a hacker or virus to enable BitLocker without your knowledge. Can you confirm there is NO way to access or recover any data for that customer (no back-up as usual ;-))" Congrats, Mark!!!!
bill [ms] (Expert):
Q: If a HD has more than 2 partitions, e.g. 3 or 4 partitions, can you still enable BDE?
A: Yes, but only the system volume will be encrypted.
bill [ms] (Expert):
Q: Can I take advantage of BitLocker without a TPM?
A: Yes, you will enable BitLocker with a required startup key (USB).
Jamie [MS] (Expert):
Q: Worst case scenario: a bug, backdoor or any other loophole allows a hacker or virus to enable BitLocker without your knowledge. Can you confirm there is NO way to access or recover any data for that customer (no back-up as usual ;-))
A: Should a virus or trojan gain administrator access, and with administrator access gain control of BitLocker, it could go ahead and encrypt the volume, rendering the data inaccessible. There is no mechanism that would allow recovery outside of doing a full restore. A virus or trojan could achieve the same effect without BitLocker on any OS if it gains administrator or root access. For this reason (along with hardware failure and theft) it is always very important to perform regular backups on a machine.
Erik [MSFT] (Expert):
Q: have you heard of any aftermarket TPM chips? Surely a PCI TPM chip or USB TPM chip is possible?
A: We have not. However, a Trusted Platform Module that does not adhere to the principle of one-to-one binding with the platform is not really following the TCG v1.2 specification. It's important to establish a strong physical binding with the platform to prevent tampering with or replacement of the TPM, which could potentially compromise security.
bill [ms] (Expert):
Q: Is it possible to tell Bitlocker I want to use a key I already have? For instance, to encrypt two harddrives with the same key so I don't have to remember two keys...
A: The PIN is the only "key" you will need to remember. You can assign the same PIN to multiple TPM machines.
Jamie [MS] (Expert):
Q: How does it interoperate with DB products that try to write directly to disk?
A: As long as that product accesses the disk at a logical volume level, which as far as I know they do, then BitLocker will be transparent to that product. If a product accesses the disk at a partition or physical level, it will read back encrypted data.
Austin [MSFT] (Expert):
Q: If I were recommending BitLocker to a corporate customer, what kind of scenario could I present which would best illustrate the need to use BitLocker?
A: Here's a good reason to use BitLocker: http://news.com.com/Aetna+says+laptop+with+member+data+stolen/2100-1029_3-6066078.html?tag=html.alert . There's a story like this almost every week in the news.
Wendy [MSFT] (Moderator):
We will need to wrap up this chat in about 20 minutes. Please post any other questions (select the “Ask the experts” check box) that you would like us to answer.
bill [ms] (Expert):
Q: Will BitLocker be made available for XP or other Windows-based systems to make use of? (Either through a purchase plan or as a download.)
A: BitLocker is only available for Vista Ultimate and Professional.
Erik [MSFT] (Expert):
Q: Does BitLocker work in a virtual machine?
A: BitLocker is not supported when running within a virtualized OS.
bill [ms] (Expert):
Q: Do you have a central way to manage PINs in AD? What enterprise IT management considerations have you incorporated?
A: Recovery keys only to Active Directory. If you forget your PIN, a recovery key will be needed to re-access your machine.
Jamie [MS] (Expert):
Q: You said in the earlier session that BitLocker uses the MBR, among other things, to establish trust. May I modify the partition table through Disk Management, perhaps by adding a primary partition, without causing BitLocker to invalidate my drive?
A: On a correctly configured BIOS, the boot code (first 0x1B8 bytes) is measured into PCR[4], and the partition table is measured into PCR[5]. By default, PCR[5] is ignored, and modifying the partition table is allowed. A domain administrator can opt to monitor PCR[5], in which case, modifying the partition table would cause BitLocker to enter into recovery mode on the next boot.
bill [ms] (Expert):
Q: Is a TPM chip required on the system for BitLocker to work?
A: A TPM is not required. A startup key is required on systems without a TPM.
Wendy [MSFT] (Moderator):
Second "Best Question" winner goes to Eli for asking "Is BitLocker done in such a way that there is a single point of failure on the HDD? (i.e. a few sectors of the HDD get damaged, causing the drive to be unrecoverable) Or can all non-damaged parts always be recoverable?" Woohooo! Congrats.
bill [ms] (Expert):
Q: can you clarify how Smartcards integrate with BitLocker?
A: Smartcards are not being supported by BitLocker at this time.
Erik [MSFT] (Expert):
Q: Please tell me you will do anything in your power to avoid having to include backdoors in BitLocker (backdoors are a bad idea in my opinion).
A: Microsoft has not and will never put backdoors into its products or the BitLocker feature.
bill [ms] (Expert):
Q: In the event the hard drive is moved/recovered with a recovery password, is there any limitation to actions on that drive (since it won't be the OS volume on the new machine), or can full decryptions be performed?
A: There are no limitations; you can decrypt the drive.
Wendy [MSFT] (Moderator):
Q: you guys need T-shirts: "unlock my bits" :P
A: You just cracked the whole team up. They LUV the idea! Way to rock!
Jamie [MS] (Expert):
Q: Is BitLocker done in such a way that there is a single point of failure on the HDD? (i.e. a few sectors of the HDD get damaged, causing the drive to be unrecoverable) Or can all non-damaged parts always be recoverable?
A: BitLocker has resilience to HDD corruption. BitLocker keeps 3 copies of the critical metadata spread through the disk. If any of the 3 copies becomes corrupted, BitLocker is self-repairing and will find new locations on the disk to keep the metadata. All 3 copies would have to be corrupted before critical data loss occurs. This of course can and should be mitigated by regular backups, which will also protect against loss of data via theft.
bill [ms] (Expert):
Q: Will there be a visual notification in the taskbar indicating BitLocker is enabled on the system?
A: No. You will need to look in the Security control panel to check the status.
Wendy [MSFT] (Moderator):
Since we have plenty of questions in the queue, I've blocked new questions.
Erik [MSFT] (Expert):
Q: will we be able to install a copy of windows with bitlocker pre-activated on the new installation?
A: If by pre-activated, you mean the volume is being encrypted as the installer is working, then the answer is no. The keys need to be generated at specific points in the process of enabling BitLocker, which cannot occur while the OS is being installed.
Austin [MSFT] (Expert):
Q: Is it possible to tell Bitlocker I want to use a key I already have? For instance, to encrypt two harddrives with the same key so I don't have to remember two keys... [this regarding computers without a TPM chip, so I can't use a PIN]
A: You can't use the same key for 2 different drives. However, you can store the keys for 2 different drives on the same USB flash device. Each key file has a unique GUID.
bill [ms] (Expert):
Q: Does BitLocker use different keys for each drive on a machine, or the same key for all drives per machine?
A: BitLocker protects the OS Volume only.
Wendy [MSFT] (Moderator):
Before you leave the chat, don’t forget to let us know how we’re doing! To the right of your emoticon pull-down box is a “Chat Feedback” option. If you don’t feel the chat was helpful, please ensure that you provide verbose comments on why you didn’t feel it was helpful and what we can do to improve the experience for you!! If you would like to provide more feedback than the 1000 characters will allow, feel free to eMail us at LHBeta@microsoft.com
bill [ms] (Expert):
Q: Are there any plans to ever support TPM 1.1? What is fundamentally different in TPM 1.2 that prevents it from being used in Vista? TPM 1.1 chips are in many laptops already and so far you can't really do anything with them - seems like such a waste. :)
A: BitLocker supports 1.2 only.
Jamie [MS] (Expert):
Q: How does BitLocker interface between the system BIOS and the Vista OS?
A: The System BIOS must expose an interface as described by the TCG PC Client Working Group. It exposes a new "INT 1A" function that provides the fundamental operations to measure code and to unseal secrets. BitLocker uses the BIOS interface to the TPM to perform each measurement step up to and including BOOTMGR. It then uses the BIOS interface to unseal the Volume Master Key. BOOTMGR onwards performs code and data validation, and will ultimately pass the VMK to the OS.
bill [ms] (Expert):
Q: Please expand on your answer to Q [17]. We've had the same issue. The install DVD was not present when encrypting, but the only way the key is read from the USB device is if a bootable CD/DVD is present during startup.
A: PCRs are used with the TPM. These values change if the computer has been booted with a bootable CD/DVD. If the PCRs change, BitLocker assumes there is some sort of attack.
Jamie [MS] (Expert):
Q: In computers with TPM, how many PINs can the chip store? There are many people who use several harddrives, so they'll encrypt more than two or three Vista installations...
A: The TPM does not store PINs and keys for individual volumes. What it does is create a "blob" of data that contains encrypted information about the PIN, the required PCRs, and the encrypted VMK. The same blob of data is stored on the encrypted volume (3 times). The blob is then provided back to the TPM along with the PIN. If the PIN and PCRs are correct, the VMK is returned to the caller. The critical part of this is the PCRs, which indicate what code has executed.
bill [ms] (Expert):
Q: When in a dual-boot environment, will BitLocked Vista partitions be accessible in Windows XP, or does it require an encryption key and possibly a software installation in XP?
A: The encrypted drive will not be available to the other OS. You will need Vista Ultimate or Professional to recover/unlock the BitLocker drive.
Jamie [MS] (Expert):
Q: Will BitLocker allow access to a drive that has become partially corrupted, i.e. bad sectors, damaged FAT table, etc.?
A: There are a number of emergency recovery options that can be applied to disk corruption. None ever replace full and regular backups. A corrupted MBR can be repaired independent of BitLocker. A BPB (BIOS Parameter Block) on a BitLocker volume can be repaired using a low-level disk editing tool. Three copies of the metadata exist, any of which can be made the primary block of metadata if corruption prevents BitLocker from determining what metadata to use. Any remaining corruption affects the file system itself, and many tools exist for emergency repair of a file system.
Wendy [MSFT] (Moderator):
As we have so many questions, the BitLocker team has agreed to stay for another 30 minutes to answer questions!!!!
Erik [MSFT] (Expert):
Q: I realise that a TPM is not required to use BitLocker, and you can have a startup key - however, are there features in BitLocker that DO require a TPM? Is there anything that you can't do without one?
A: There are no other features shipping in Windows Vista that take advantage of the TPM. However, Windows Vista will support the TPM through the inclusion of TPM Base Services (a software stack that allows applications to communicate with and share the TPM). TPM Base Services are included in all SKUs of Windows Vista. The ISV community will be able to take advantage of this support using a TCG Software Stack that has been ported to work with Windows Vista and TPM Base Services or by using our TPM WMI Provider.
bill [ms] (Expert):
Q: My laptop is not able to access a USB device this early in the boot process. Will we be able to save the key e.g. to a floppy disk in the future?
A: Only USB drives are being supported.
LeslieJ - Microsoft (Expert):
Q: Does BitLocker have special hardware requirements concerning hard disks? Or does any hard disk work with BitLocker?
A: BitLocker is hard drive agnostic - as long as the drive configuration meets the BitLocker requirements, it will be OK.
Jamie [MS] (Expert):
Q: Will bitlocker work with a jump drive? or does it have to be with a USB key?
A: The primary requirement is that small removable storage is used, and that the removable storage can be seen by the BIOS and the OS.
bill [ms] (Expert):
Q: My fellow beta tester Sean says that he got BitLocker to install even though he doesn't have a TPM... is this possible??
A: Yes. BitLocker can use a startup key.
Wendy [MSFT] (Moderator):
I have re-opened the Q&A portion; however, not all questions will be able to be answered, but we would definitely like to see your questions.
bill [ms] (Expert):
Q: Does BitLocker support the use of smartcards?
A: No
Austin [MSFT] (Expert):
Q: How does the USB based startup PIN play in an Enterprise environment when a booted machine needs to have services running (like AV, SMS agent, etc) even without a user present?
A: When using USB flash for key storage, the flash drive is only needed for a few seconds at boot time. You then get a message that the drive can be removed.
LeslieJ - Microsoft (Expert):
Q: Can an ISV leverage BitLocker through APIs, SDKs, etc.? We want our app to be able to encrypt its sensitive data, not necessarily the whole drive. Is this a BitLocker use case?
A: We are releasing a full SDK in WMI.
Jamie [MS] (Expert):
Q: Did I get this right: when I have the key, I can access an encrypted drive from Windows PE?
A: If you have the external key or recovery password, you can unlock, access, disable and decrypt the volume from Windows PE and the Windows DVD recovery environments.
Erik [MSFT] (Expert):
Unfortunately, I have to step out of the chat. It's been great answering your questions today! Thank you for all your interest in BitLocker Drive Encryption. See you in the newsgroups!
Austin [MSFT] (Expert):
Q: Is Bitlocker primarily a Microsoft product? Or is it a third party product developed for Windows Vista platforms?
A: The BitLocker Drive Encryption technology was developed internally at Microsoft and has been part of Windows Vista since Beta 1. It is not a product that was acquired from another company.
Jamie [MS] (Expert):
Q: Will BitLocker technology utilize crypt/decrypt hardware accelerators if present?
A: Not in this version of the product.
bill [ms] (Expert):
Q: Are we going to be able to copy our keys to other devices, in case one or more goes missing/gets damaged? Will Vista be able to read the other key and decrypt the drive? How does this affect portable drives?
A: There is "manage keys" functionality in BitLocker to create copies of keys and change PINs.
LeslieJ - Microsoft (Expert):
Q: How does one recover a key in situations where the user has lost their key stored on a USB drive and is backed up in AD. How does it work if the user is no longer employed and an admin needs to get to the encrypted data?
A: The user should contact the administrator who has permission to recover the password from AD. This would likely be over the phone. If the user is no longer employed, then the normal corporate policies would be enforceable. If the admin needs to get to the encrypted data, the admin can create (as a corporate policy) a separate key that will always be available only to the administrator.
Jamie [MS] (Expert):
Q: How do I recover if a laptop fails (spilling a Big Gulp Cola into the keyboard, for example) but the disk is dry and fully functional?
A: There are a number of options, most of which require attaching the hard disk to another computer or laptop. You would then use, for example, the manage-bde script or the BitLocker UI to disable or decrypt the volume. This will require a USB key or recovery password.
bill [ms] (Expert):
Q: Is there central management of recovery keys with BitLocker? Tell us about any ability to deploy, manage and recover centrally across hundreds of systems. Please also cover how we can audit which laptops have been unprotected.
A: Recovery keys can be saved to Active Directory.
Wendy [MSFT] (Moderator):
Q: Is BitLocker the final name for this feature?
A: Yes, POR is that this is the final name.
Austin [MSFT] (Expert):
Q: Do I need Longhorn AD preparation in order to back up BitLocker recovery keys in AD?
A: No, there will be an LDIF file available for the Windows 2003 SP1 AD to extend the schema to have the new attribute available.
bill [ms] (Expert):
A: The encryption would still be tied to the original TPM - recovery password could be used to access the image.
LeslieJ - Microsoft (Expert):
Q: Once the recovery key has been used, is there provision to re-key the system, so that the user can't re-use that recovery key later? Or do we have to decrypt / re-encrypt the whole system?
A: There would be no BitLocker requirement to re-key the system after a recovery has been used. If you want to change the volume master key, you simply disable and re-enable BitLocker. If you want to change the full volume encryption key, you'd have to fully decrypt and re-encrypt the volume.
Jamie [MS] (Expert):
Q: If I have a share on a bitlocker partition, can I still see that share from the network?
A: Yes, file sharing occurs at a higher level than BitLocker Drive Encryption, and the share can be shared. If file sharing is enabled, good file access security must be applied.
bill [ms] (Expert):
Q: If I make an image of my encrypted hard drive with Ghost or another imaging software and copy it to another hard drive/computer, what would happen? Would I be able to boot from it with the correct key, or is BitLocker attached to certain hardware?
A: The image can be moved to another computer but will need to be accessed with the recovery password.
Austin [MSFT] (Expert):
I have to run but it was great chatting with everyone. Thanks for all of the great questions! Austin
LeslieJ - Microsoft (Expert):
Q: In case the end user loses all references, will tech support be available 24x7 through Premier?
A: BitLocker is supported the same way that any Microsoft released product is supported. Microsoft does not keep any sort of master key or copy of individual keys, however. Our recommendation is that users make multiple copies of keys and store them in secure areas.
Jamie [MS] (Expert):
Q: Is BitLocker file-system dependent in any way? Will WinFS contain functionality for BitLocker, and will the performance hit be larger?
A: In the current version of BitLocker, the file system must be NTFS. We have not yet tested BitLocker with WinFS.
LeslieJ - Microsoft (Expert):
Q: If a person encrypts their system in a company setting, can the IT department break it, or are we stuck with losing the data?
A: In a corporate environment, we recommend that IT departments create 2 keys - 1 that belongs to the user and 1 that belongs to the IT department. We also recommend that the IT department own the recovery keys. In this case, the IT department has 2 possible recovery options: 1 is via the recovery key and 1 is via the IT department key.
bill [ms] (Expert):
Q: In case I lose all my credentials (for example, key and password), will MSFT be able to support the end user? And how? With a grace call or just PPI?
A: If you lose all your keys, the data is locked. Microsoft does not have any way of recovering your keys - no back doors.
bill [ms] (Expert):
Thanks all for your participation - the questions and your time testing the feature have been very valuable - see you in the chat room. Bill
Jamie [MS] (Expert):
Q: How did you test if BitLocker is really secure? Did you try to break into encrypted devices? :)
A: We have a team of penetration testers whose task is to keep us engineers honest by reviewing the source code and, with source code and design at hand, trying to break into the BitLocker security. Penetration testing generally (but not exclusively) concentrates on key management, as the encryption algorithm itself is the industry-standard AES (128 and 256).
LeslieJ - Microsoft (Expert):
Q: For users on a domain, will decryption be limited to domain administrators?
A: BitLocker automatically decrypts on-the-fly whenever the startup key and/or PIN is entered. In the event of a lost key, the IT administrator will likely be the owner of the recovery key, which the user will need in order to re-open the system.
LeslieJ - Microsoft (Expert):
Q: Can one use BitLocker on an information partition as well as the OS partition?
A: We are encrypting the OS volume.
Jamie [MS] (Expert):
Q: How long has BitLocker been developing? When did you decide that this functionality was going to be included in Windows?
A: The initial conception of BitLocker was over three years ago. It went through numerous design reviews and refinements. It was the desire from the start to put this into Vista.
Jamie [MS] (Expert):
Q: Will the recovery key escrow to AD feature require Longhorn server or will there be schema extensions that can be installed in Windows 2003 AD?
A: The key escrow requires Windows Server 2003 with SP1. The service pack is required for security.
Jamie [MS] (Expert):
Q: is there any key chain that can be tied to certificate services in Windows Server?
A: There is no such mechanism for this version of BitLocker.
LeslieJ - Microsoft (Expert):
Q: Austin: Could you please point me/us to documentation on how to have BDE scripted for deployment? If this is possible and if you know who Purna is, could you get her to pass this info to richard.si@shell.com?
A: Check on TechNet for BitLocker documentation as it's added.
Jamie [MS] (Expert):
Thanks very much everyone for all the interesting questions.
I look forward to talking with everyone in the news groups.
Bye!
LeslieJ - Microsoft (Expert):
Hey all! I'm Leslie (User Research & Usability Engineer) for the BitLocker team - thanks for the AWESOME chat. I really appreciate all the questions & comments. Watch for us in the newsgroups! Thanks for your time. Signing out now.
Wendy [MSFT] (Moderator):
Thank you for joining us today to talk about Longhorn / Windows Vista BitLocker Team. We will have the transcript posted shortly on Connect and the team has agreed to do more chats for you!
Before you leave the chat, don’t forget to let us know how we’re doing! To the right of your emoticon pull-down box is a “Chat Feedback” option. If you don’t feel the chat was helpful, please ensure that you provide verbose comments on why you didn’t feel it was helpful and what we can do to improve the experience for you! If you would like to provide more feedback than the 1000 characters will allow, feel free to email us at LHBeta@microsoft.com.