Programs - BitLocker: how to implement it in your organization

During these days I had the opportunity to implement BitLocker on the Windows 7 O.S. for a corporate company.

You must consider that, once encryption is enabled on a PC or laptop, the hard drive cannot be unlocked at boot unless you type the PIN or insert the USB startup/recovery key; and if the drive is moved to a different PC, it stays inaccessible without the recovery key.

A TPM (Trusted Platform Module) is a microchip embedded in a computer that is used to store encrypted information, such as encryption keys. Information stored in the TPM is thus better protected from external software attacks and from physical theft.

If your computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption key that protects the data; the key is released only after the TPM has verified the state of the computer. Full-volume encryption protects all the data on the volume, including the operating system itself, the Windows registry, temporary files and the hibernation file. Because the keys that decrypt the data stay locked in the TPM, an unauthorized user cannot read the data simply by removing the computer's hard drive and installing it in another computer.

You can also use BitLocker without a TPM. To do so, you must change the default behavior of the BitLocker Setup Wizard through Group Policy (the "Allow BitLocker without a compatible TPM" option of the "Require additional authentication at startup" setting), or configure BitLocker using a script. When BitLocker is used without a TPM, the key needed to unlock the volume is stored as a startup key on a USB flash drive, which must be presented at boot.

During the boot process, the TPM releases the key that unlocks the encrypted partition only after comparing hashes of important boot and operating-system configuration values with a snapshot taken earlier. In this way the integrity of the Windows boot process is verified: the key is not released if the TPM detects tampering with the Windows installation.

By default, the BitLocker Setup Wizard is configured to work with a TPM. An administrator can use Group Policy or a script to enable additional features and options.

To improve security, you can combine the TPM with a PIN entered by the user, with a startup key stored on a USB flash drive, or with both.

On computers that do not have a compatible TPM, BitLocker can still offer encryption, but without the additional security of locking the keys with the TPM. In this case the user must create a startup key, stored on a USB flash drive, that is presented at every boot.

A TPM is a microchip designed to provide basic security-related functions, mainly involving the use of encryption keys. The TPM is usually installed on the motherboard of a desktop or laptop computer and communicates with the rest of the system through a hardware bus.

A computer with a TPM can create cryptographic keys and encrypt them so that they can be decrypted only by that TPM. This process, often called key wrapping, helps protect the key from disclosure. Each TPM stores a master wrapping key, called the Storage Root Key (SRK). The private part of a key created in a TPM is never exposed to other components, software, processes or users.

A computer with a TPM can also create a key that is not only wrapped but also bound to specific hardware or software conditions. This process is known as sealing a key. When the sealed key is first created, the TPM records a snapshot of configuration values and file hashes. The sealed key is unsealed (released) only when the current system values match those in the snapshot. BitLocker uses sealed keys to detect attacks on the integrity of the Windows operating system.

When a TPM is used, the private parts of key pairs are kept separate from the memory controlled by the operating system. Because the TPM uses its own firmware and internal logic to process instructions, it does not rely on the operating system and is not exposed to vulnerabilities in external software.
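Before touching policy it is worth seeing what the TPM and BitLocker sections above actually look like on a machine. The following PowerShell is an added example, not code from the original post: it reads the TPM state and the key protectors of the OS volume through the WMI classes that Windows 7 exposes (Win32_Tpm and Win32_EncryptableVolume), so you can tell whether a volume is protected by a sealed TPM key, a TPM+PIN, or only a startup key. It assumes an elevated PowerShell 2.0 prompt and that the OS volume is C:.

```powershell
# Added example (not from the original post): inspect the TPM and the BitLocker
# state of the OS volume on Windows 7 through WMI.
# Assumptions: elevated PowerShell 2.0, OS volume is C:.

$tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Host "No TPM visible to Windows: check that it is enabled in the BIOS."
} else {
    # Each IsXxx() method returns an object whose IsXxx property carries the answer.
    $state = @($tpm.SpecVersion, $tpm.IsEnabled().IsEnabled,
               $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
    Write-Host ("TPM spec {0}: enabled={1} activated={2} owned={3}" -f $state)
}

$vol = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
if ($vol -eq $null) { throw "Win32_EncryptableVolume for C: not found (BitLocker not installed?)" }

# Protection status: 0 = unprotected, 1 = protected, 2 = unknown (e.g. volume locked).
# WMI returns UInt32 values, so cast to [int] before looking them up in the hashtables.
$statusNames = @{0 = "Unprotected"; 1 = "Protected"; 2 = "Unknown"}
$ps = [int]$vol.GetProtectionStatus().ProtectionStatus
$cs = $vol.GetConversionStatus()   # 0 = fully decrypted, 1 = fully encrypted, 2/3 = converting
Write-Host ("C: protection={0} conversion={1} encrypted={2}%" -f `
    $statusNames[$ps], $cs.ConversionStatus, $cs.EncryptionPercentage)

# Key protector types, as documented for Win32_EncryptableVolume.GetKeyProtectorType.
# Types 1, 4, 5 and 6 mean the volume master key is sealed to the TPM (the snapshot
# of boot measurements described above); type 2 alone means USB startup key only.
$typeNames = @{
    0 = "Unknown"; 1 = "TPM"; 2 = "External key (USB startup or recovery key)";
    3 = "Numerical password (48-digit recovery password)"; 4 = "TPM and PIN";
    5 = "TPM and startup key"; 6 = "TPM, PIN and startup key";
    7 = "Public key"; 8 = "Passphrase"
}
$ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = list every protector type
if (-not $ids) { Write-Host "C: has no key protectors (BitLocker is off)." }
foreach ($id in $ids) {
    $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    Write-Host ("  protector {0}: {1}" -f $id, $typeNames[$t])
}
```

A volume that reports "Protected" but lists only an external-key protector is the no-TPM case from the text: the data is encrypted, but nothing measures the boot chain, so the USB key alone unlocks it on any machine.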

Here are the steps I followed:

1. TPM enabled in the BIOS

2. Ran gpedit.msc (if you prefer, you can manage encryption with a domain GPO)

Here are some useful screenshots for enabling the PIN request (the setting is Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup).

If you do not remember the PIN, you need the USB recovery key that you created before the encryption process.
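The same procedure can be scripted instead of clicked through. The block below is an added example, not the post's own script: it follows the steps above on a Windows 7 machine (policy, TPM check, TPM+PIN protector, recovery password backed up to Active Directory with a file fallback, then encryption) through the Win32_EncryptableVolume WMI methods, and falls back to a USB startup key when no usable TPM is present, which is the no-TPM case described earlier. It assumes an elevated PowerShell 2.0 prompt, OS volume C:, the separate system partition the Windows 7 installer creates, and a domain whose AD schema has been prepared for BitLocker recovery objects as in the Microsoft articles below. The PIN, the share path and the USB drive letter are placeholders; the registry value names are the equivalents of the GPO settings as I know them and should be checked against the ADMX on your domain.

```powershell
# Added example (not from the original post): turn on BitLocker for the OS drive
# on Windows 7 with the Win32_EncryptableVolume WMI class.
# Assumptions: elevated PowerShell 2.0, OS volume C:, system partition present,
# domain-joined machine with AD prepared for BitLocker recovery information.
$pin         = "123456"                    # placeholder; digits, 4-20 characters on Windows 7
$recoveryDir = "\\fileserver\bitlocker$\"  # placeholder fallback store for recovery passwords
$usbPath     = "F:\"                       # placeholder USB drive for the no-TPM startup key

# 1. Policy. On a domain these come from the GPOs "Require additional authentication
#    at startup" and "Choose how BitLocker-protected operating system drives can be
#    recovered"; the registry writes below are the standalone-machine equivalents.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty $fve UseAdvancedStartup 1 -Type DWord    # setting enabled
Set-ItemProperty $fve EnableBDEWithNoTPM 1 -Type DWord    # allow startup key on USB without TPM
Set-ItemProperty $fve UseTPM    2 -Type DWord             # 0 = do not allow, 1 = require, 2 = allow
Set-ItemProperty $fve UseTPMPIN 1 -Type DWord             # require a PIN together with the TPM
Set-ItemProperty $fve UseTPMKey 2 -Type DWord
Set-ItemProperty $fve UseTPMKeyPIN 2 -Type DWord
Set-ItemProperty $fve OSRecovery 1 -Type DWord
Set-ItemProperty $fve OSRecoveryPassword 2 -Type DWord              # allow 48-digit recovery password
Set-ItemProperty $fve OSActiveDirectoryBackup 1 -Type DWord         # save recovery info to AD DS
Set-ItemProperty $fve OSRequireActiveDirectoryBackup 1 -Type DWord  # do not encrypt until it is saved

# 2. Is there a usable TPM? (Enable it in the BIOS first, as in step 1 of the post.)
$tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm
$haveTpm = ($tpm -ne $null) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated
if ($haveTpm -and -not $tpm.IsOwned().IsOwned) {
    throw "TPM is enabled but not initialized: take ownership in tpm.msc first"
}

$vol = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"

# 3. Primary protector: TPM+PIN when a TPM exists, otherwise a startup key written to USB.
if ($haveTpm) {
    $r = $vol.ProtectKeyWithTPMAndPIN("TPM and PIN", $null, $pin)  # $null = default PCR profile
} else {
    $r = $vol.ProtectKeyWithExternalKey("Startup key", $null)       # $null = let BitLocker generate it
    if ($r.ReturnValue -eq 0) { $vol.SaveExternalKeyToFile($r.VolumeKeyProtectorID, $usbPath) | Out-Null }
}
if ($r.ReturnValue -ne 0) { throw ("Adding the primary protector failed: 0x{0:X8}" -f $r.ReturnValue) }

# 4. Recovery password (48 digits): back it up to AD, or to a file if the AD write fails.
$rp = $vol.ProtectKeyWithNumericalPassword("Recovery password", $null)  # $null = generate
if ($rp.ReturnValue -ne 0) { throw ("Adding the recovery password failed: 0x{0:X8}" -f $rp.ReturnValue) }
$rpId = $rp.VolumeKeyProtectorID
$ad = $vol.BackupRecoveryInformationToActiveDirectory($rpId)
if ($ad.ReturnValue -ne 0) {
    $pw   = $vol.GetKeyProtectorNumericalPassword($rpId).NumericalPassword
    $file = Join-Path $recoveryDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $rpId.Trim("{}"))
    "Recovery password for $env:COMPUTERNAME C: (protector $rpId): $pw" | Out-File $file
    Write-Warning ("AD backup failed (0x{0:X8}); recovery password written to {1}" -f $ad.ReturnValue, $file)
}

# 5. Encrypt. Method 4 = AES-256; 3 = AES-128; 1/2 = AES-128/256 with the Windows 7 Elephant diffuser.
$e = $vol.Encrypt(4)
if ($e.ReturnValue -ne 0) { throw ("Encrypt failed: 0x{0:X8}" -f $e.ReturnValue) }
Write-Host "Conversion started in the background; the PIN (or USB key) is required from the next boot."
```

Note the order: the TPM+PIN protector and the recovery password are created before Encrypt is called, and with OSRequireActiveDirectoryBackup set the step 4 AD write must succeed or the file fallback must be kept somewhere you control, otherwise a forgotten PIN or a changed boot configuration leaves the machine with no way back in.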

Here are some useful articles that I followed during the implementation:

BitLocker Basic Deployment

Prepare your organization for BitLocker: Planning and Policies

[update 04/2015]

If you like, you can store the recovery key in AD by following these articles.

At the same time 

[update 2016.12.31]

You should be aware that TrueCrypt has no longer been maintained or updated since 2014.

Hacker - Truecrypt alternatives

Several security bugs have not been resolved.

You can review this article about some alternatives; I summarize them in this article too.

Here are the TrueCrypt alternatives (on my side I normally use options 2. and 7.):

  1. VeraCrypt: you can find a full list of the improvements and corrections that VeraCrypt made over TrueCrypt here. It is open source and free.
  2. BitLocker: no encrypted container capability and not open source.
  3. DiskCryptor: supports encryption of external devices including hard drives, USB drives, CDs and DVDs.
  4. CipherShed
  5. FileVault 2: Apple’s answer to BitLocker; no encrypted container capability and not open source.
  6. LUKS
  7. SafeHouse Explorer – 3.01 Portable