Wednesday, June 14, 2006
Session 2, Bitlocker Drive Encryption
Bitlocker Drive Encryption
Bitlocker for Vista will encrypt only the partition the OS resides on, so put all the data you want encrypted on that partition.
Bitlocker for Longhorn Server (the release that shipped as Windows Server 2008) will allow encryption of multiple partitions.
This gives pre-OS protection: if attackers get hold of your encrypted drive it won't boot (or decrypt) because they don't have the keys. The TPM only releases the key when the measured boot components match the ones recorded when Bitlocker was turned on, so a drive moved to another box or a tampered boot path won't unseal.
The keys are sealed by TPM 1.2 hardware on the motherboard; you can also put a startup key on a USB key, require a PIN to boot, protect the volume with a recovery password, or escrow the recovery information in AD.
Using Bitlocker does cause a performance hit (the session quoted roughly 10%).
Group policy support, scriptable (WMI) interface.
If you want to decommission the HD, just destroy the keys (crypto-erase); this is probably HIPAA compliant. The data is only really gone once every key protector is destroyed, including any recovery password escrowed in AD or printed out.
The boot files are not encrypted and have to reside on a different (unencrypted) partition than the OS files.
With Vista on a domain you can send commands from a server to a client to take ownership of the TPM on the client, turn on Bitlocker, and set a PIN.
You don't have to use a TPM (a USB startup key works instead) but it is recommended; without the TPM there is no boot-integrity check, only the key on the USB stick.
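The remote "take ownership, turn on, set a PIN" sequence above, driven through the WMI provider that the scriptable interface exposes. This is an added example, not code from the session or from Microsoft: the class and method names are the real Win32_Tpm and Win32_EncryptableVolume interfaces, while the computer name, drive letter, PIN and TPM owner passphrase are placeholders, and the encryption method code 1 (AES-128 with diffuser, the Vista default) is assumed.

```powershell
# Added example: enable BitLocker on a domain-joined Vista client from a
# management host over WMI. Hostname, PIN and owner passphrase are placeholders.
param(
    [string]$Computer   = "vista-client01",   # assumed hostname
    [string]$Drive      = "C:",               # OS volume
    [string]$Pin        = "123456",           # placeholder boot PIN
    [string]$TpmOwnerPw = "ChangeMe!"         # placeholder TPM owner passphrase
)

$tpmNs = "root\cimv2\Security\MicrosoftTpm"
$bdeNs = "root\cimv2\Security\MicrosoftVolumeEncryption"

# 1. Take ownership of the TPM if nobody has yet.
$tpm = Get-WmiObject -ComputerName $Computer -Namespace $tpmNs -Class Win32_Tpm
if (-not $tpm) {
    throw "No TPM reported on $Computer; a USB startup key would be needed instead"
}
if (-not $tpm.IsOwned().IsOwned) {
    # Win32_Tpm wants the derived owner-auth blob, not the raw passphrase.
    $auth = $tpm.ConvertToOwnerAuth($TpmOwnerPw).OwnerAuth
    $r = $tpm.TakeOwnership($auth)
    if ($r.ReturnValue -ne 0) {
        throw ("TakeOwnership failed: 0x{0:X8}" -f $r.ReturnValue)
    }
}

# 2. Find the OS volume on the client.
$vol = Get-WmiObject -ComputerName $Computer -Namespace $bdeNs -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $Drive }
if (-not $vol) { throw "Volume $Drive not found on $Computer" }

# 3. Boot-time protector: TPM + PIN. $null keeps the default PCR profile.
$r = $vol.ProtectKeyWithTPMAndPIN("TPM+PIN", $null, $Pin)
if ($r.ReturnValue -ne 0) {
    throw ("ProtectKeyWithTPMAndPIN failed: 0x{0:X8}" -f $r.ReturnValue)
}

# 4. Recovery protector: a randomly generated 48-digit numerical password,
#    escrowed to AD so a lost PIN does not mean a lost disk.
$r = $vol.ProtectKeyWithNumericalPassword("Recovery", $null)
if ($r.ReturnValue -ne 0) {
    throw ("ProtectKeyWithNumericalPassword failed: 0x{0:X8}" -f $r.ReturnValue)
}
$recoveryId = $r.VolumeKeyProtectorID
$r = $vol.BackupRecoveryInformationToActiveDirectory($recoveryId)
if ($r.ReturnValue -ne 0) {
    throw ("AD backup failed: 0x{0:X8}" -f $r.ReturnValue)
}

# 5. Start encrypting. 1 = AES-128 with diffuser (assumed Vista default).
$r = $vol.Encrypt(1)
if ($r.ReturnValue -ne 0) {
    throw ("Encrypt failed: 0x{0:X8}" -f $r.ReturnValue)
}

# 6. Report progress and protection state; ProtectionStatus 1 means the
#    protectors are armed, which is what the "won't boot without the key"
#    guarantee depends on.
$conv = $vol.GetConversionStatus()
$prot = $vol.GetProtectionStatus()
"{0} {1}: conversion status {2}, {3}% encrypted, protection status {4}" -f `
    $Computer, $Drive, $conv.ConversionStatus, $conv.EncryptionPercentage, $prot.ProtectionStatus
```

Run it from an account that is a local administrator on the client and has the AD rights to write the recovery information. Protection is only meaningful once step 6 reports protection status 1 and the conversion has finished; until then the volume is still readable without the protectors.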
http://blogs.msdn.com/si_team/default.aspx
or
bdeinfo @ microsoft . com