Encrypting Windows 7 data. How to encrypt an entire hard drive using VeraCrypt. Architecture of this technology
In recent years, on various forums, in letters and at meetings, users have increasingly been asking what the relatively new functionality of Windows Vista, Windows 7 and Windows Server 2008 / 2008 R2 called Windows BitLocker actually is (with the release of the latest operating systems this technology has gained some changes, and the variant for removable media is now called BitLocker To Go). The answer is that this component is “just” a built-in security feature of modern operating systems that reliably protects the operating system itself, the data stored on the user’s computer, and individual volumes and removable media, so that user data stays intact during serious attacks and even when hard drives are physically removed for offline data theft. Yet after hearing this, most users and novice system administrators tell me that such functionality will not be in demand at all and that using it will only complicate users’ lives. It is impossible to agree with such a statement, since data must be kept secure. You don’t hand the keys to your house or the code to your organization’s electronic lock to everyone you meet, do you?
Home users usually justify their reluctance to use this technology by the fact that there is no “vital” data on their computers and even if they are hacked, nothing bad will happen except that someone will look at their profiles on the Odnoklassniki social networks and "VKontakte". Owners of laptops and netbooks believe that if their equipment is stolen, then the last thing they need to worry about is missing data. System administrators in some companies claim that they do not have any secret projects and absolutely all company employees can be trusted, and they take home documentation and products of intellectual work only in order to complete work for which there was not enough working time. And their organization's computers are protected by antivirus software and firewall settings by default. Why do you need to protect external drives if they simply store music and video files? And it’s okay that devices such as flash drives can be circulated both within organizations and among all your friends.
But we cannot agree with any of the above reasons. During an attack, home users can not only copy their entire collection of music and video files, but also seize all passwords to bank accounts and credentials on visited sites using cookies or, God forbid, text files with logins and passwords that are not rarely placed on the desktop. There is also a high chance that all mail correspondence, etc. will be viewed. Stolen laptops may contain sensitive data, the theft of which could negatively impact your company's business, and being fired with a corresponding "promotion" on your resume could have an extremely negative impact on your career in the future. And finally, in our time, any organization contains secret data that it is not advisable to show to its competitors. And if at least one of your organization’s computers is successfully attacked, there is a huge chance that soon your entire fleet of computers will be infected, which will entail Herculean efforts to bring your organization’s computers to their original state. There may be ill-wishers even in your organization. Even if security checks your bags as you leave the building, they won't check every employee's external storage device. But they can contain a lot of data that your competitors shouldn’t find out about for a few more months.
For this reason, you simply need to secure your data in every valid way available. This is precisely what this component of modern Microsoft operating systems is designed for. BitLocker prevents unauthorized access to data even on lost or stolen computers, thereby improving the security of your operating system. To strengthen the protection of your data, Windows BitLocker uses a Trusted Platform Module (TPM). The term denotes both a specification that describes a cryptoprocessor in which cryptographic keys are stored to protect information and, as a generic name, implementations of that specification, for example in the form of a “TPM chip”, which guarantees the integrity of the components used even at the earliest stage of booting.
These technologies offer benefits for both home users and system administrators in organizations. For a home user, the main advantage of these technologies is ease of use, since for daily use of the BitLocker or BitLocker To Go functionality, protecting the computer and restoring it is completely transparent for the user. System administrators will certainly appreciate the ease of data protection management. To remotely manage BitLocker encryption, you can use the Active Directory Domain Services infrastructure, with advanced management through group policies and scripts.
It is these components of operating systems that will be discussed in this series of articles. You can already find quite a lot of useful information about these components and their functionality on the Internet, including wonderful video reports in which you can see live the principle of their operation. Therefore, in the articles of this series, I will try to consider in more detail most of the functionality for both home users and organizations so that you do not have to spend a long time looking for how to implement this or that scenario to apply certain actions.
Architecture of this technology
As you already know, while the operating system is running it can be protected with local security policies, antivirus software and firewalls, but the operating system volume on the hard drive itself can be protected with BitLocker encryption. To take full advantage of BitLocker encryption and system authentication, your computer must meet certain requirements, such as having a TPM version 1.2, which, when encryption is enabled, stores a specific system startup key inside the Trusted Platform Module itself. In addition to the TPM, the basic input/output system (BIOS) must comply with the Trusted Computing Group (TCG) specification, which establishes a chain of trust for the actions performed before the operating system boots and includes support for a static root of trust for measurement. Unfortunately, not all motherboards are equipped with a TPM, but even without this module the operating system lets you use this encryption technology if you have USB storage devices that support UFI commands and your hard drive is divided into two or more volumes. For example, one volume holds the operating system itself, for which encryption will be enabled, and the second, system volume, with a capacity of at least 1.5 GB, contains the files needed to start the operating system after the BIOS has initialized the platform. All your volumes must be formatted with the NTFS file system.
The BitLocker encryption architecture provides manageable and functional mechanisms in both kernel and user mode. At a high level, the main components of BitLocker include:
- Trusted Platform Module Driver (%SystemRoot%\System32\Drivers\Tpm.sys), the driver that accesses the TPM chip in kernel mode;
- Core TPM Services, which include the user-mode services that provide user-mode access to the TPM (%SystemRoot%\System32\tbssvc.dll), the WMI provider, and the MMC snap-in (%SystemRoot%\System32\Tpm.msc);
- Related BitLocker Code in Boot Manager (BootMgr), which authenticates access to the hard drive and also allows you to repair and unlock the bootloader;
- BitLocker Filter Driver (%SystemRoot%\System32\Drivers\Fvevol.sys), which encrypts and decrypts volumes on the fly in kernel mode;
- WMI BitLocker Provider and Script Management, which allow you to configure and manage BitLocker through scripts.
The following illustration shows the various components and services that make BitLocker encryption technology work correctly:
Fig. 1. BitLocker architecture
Encryption keys
BitLocker encrypts the contents of a volume using a full volume encryption key (FVEK) assigned to it when it was initially configured to use BitLocker, with a 128-bit or 256-bit AES key in the AES128-CBC or AES256-CBC mode, extended by Microsoft with so-called diffusers. The FVEK is encrypted using the volume master key (VMK) and is stored on the volume in an area specially reserved for metadata. Protecting the volume master key is an indirect way of protecting the volume data: adding the VMK layer allows the system to re-key easily after keys higher up in the chain have been lost or compromised, without re-encrypting the whole volume.
When you set up BitLocker encryption, you can use one of several methods to protect the VMK, depending on your hardware configuration. BitLocker supports five authentication modes, depending on your computer's hardware capabilities and the level of security you require. If your hardware supports Trusted Platform Module (TPM) technology, you can keep the VMK in the TPM only, in the TPM together with a USB device, or in the TPM with a PIN entered when the system boots. You can also combine the two previous methods. For platforms without a TPM, you can store the key on an external USB device.
It is worth noting that when an operating system with BitLocker encryption enabled boots, a sequence of actions is performed that depends on the set of volume protectors in use. These steps include system integrity checks as well as other authentication steps that must be completed before a protected volume can be unlocked. The following table summarizes the different methods you can use to protect a volume:
| Source | Security | User actions |
|---|---|---|
| TPM only | Protects against software attacks, but is vulnerable to hardware attacks | None |
| TPM + PIN | Adds protection against hardware attacks | The user must enter a PIN every time the OS starts |
| TPM + USB key | Full protection against hardware attacks, but vulnerable to loss of the USB key | |
| TPM + USB key + PIN | Maximum level of protection | Each time the OS starts, the user must enter a PIN code and use a USB key |
| USB key only | Minimum level of protection for computers not equipped with a TPM; there is also a risk of losing the key | The user must use the USB key every time the OS starts |

Table 1. VMK sources
The following illustration shows how to encrypt volumes:
Fig. 2. Methods for encrypting volumes using BitLocker technology
Before BitLocker grants access to the FVEK and decrypts the volume, you must provide the keys of an authorized user or computer. As stated above, if your computer has a TPM, you can use different authentication methods. The following subsections consider each of these methods in more detail.
Using TPM only
During the boot process the operating system uses the TPM to ensure that the hard drive is connected to the correct computer and that important system files have not been tampered with, and it blocks access to the hard drive if malware or a rootkit has compromised the integrity of the system. Once the computer has been validated, the TPM unlocks the VMK and your operating system starts without user interaction, as you can see in the following illustration.
Fig. 3. Authentication using TPM technology
Using TPM with a USB key
In addition to the physical security described in the previous subsection, in this case the TPM requires an external key that resides on a USB device. The user must insert a USB drive holding the external key, which authenticates the user together with the integrity of the computer. This protects your computer against theft both when it is powered on and when it resumes from hibernation. Unfortunately, this method does not protect a computer that is resumed from sleep mode. When using this method, to reduce the risk if your computer is stolen, store the external key separately from the computer. The following illustration shows the use of the TPM in conjunction with an external USB key:
Fig. 4. Authentication using TPM and USB key
Using TPM in conjunction with a PIN code
This method prevents the computer from starting until the user enters a personal identification number (PIN). It protects your computer in the event that it is stolen while switched off. Unfortunately, you should not use this method if the computer needs to start automatically without human intervention, as is usually the case with servers. When a PIN is requested, the computer's TPM hardware displays a prompt for a four-digit PIN, with a special delay between attempts that is set by the manufacturers of the motherboard and of the TPM itself. The following illustration shows this authentication method:
Fig. 5. TPM and PIN authentication
Using a combined method (TPM+PIN+USB key)
In Windows 7 and Windows Vista you can use a combined authentication method for the maximum level of protection for your computer. In this case, TPM hardware authentication is supplemented by entering a PIN code and by using an external key located on a USB drive. Together these provide the maximum level of BitLocker protection, which requires something the user “knows” and something the user “has”. To take over data located on a volume protected with BitLocker, an attacker would need to steal your computer, obtain the USB drive with your key, and also know the PIN code, which is almost impossible. The following illustration shows this authentication method:
Fig. 6. Authentication using TPM, USB key, and PIN code
Authentication with USB startup key only
In this case, the user provides the VMK on a disk, USB drive, or other external storage device to decrypt the FVEK and the BitLocker-encrypted volume on a computer that does not have a TPM. Using a startup key without a TPM lets you encrypt data without upgrading your hardware. This method is considered the most vulnerable, since boot integrity is not checked and, if the hard drive is moved to another computer, the data on the encrypted drive can still be accessed with the key.
Conclusion
BitLocker Drive Encryption is a security feature of modern Windows operating systems that helps protect the operating system and the data stored on your computers. In the ideal configuration, BitLocker uses a Trusted Platform Module (TPM), which verifies the integrity of the boot components and keeps the volume locked even while the operating system is not yet running. In this article of the series on data encryption, you learned about the architecture of this tool. In the following article, you will learn how to implement drive encryption using Windows BitLocker.
According to experts, laptop theft is one of the main problems in the field of information security (IS).
Unlike other information security threats, the nature of the “stolen laptop” or “stolen flash drive” problem is quite primitive. And if the cost of missing devices rarely exceeds several thousand US dollars, the value of the information stored on them is often measured in millions.
According to Dell and the Ponemon Institute, 637,000 laptops go missing every year at American airports alone. Just imagine how many flash drives go missing: they are much smaller, and accidentally dropping one is all too easy.
When a laptop belonging to a top manager of a large company goes missing, the damage from one such theft can amount to tens of millions of dollars.
How to protect yourself and your company?
We continue our series of articles about Windows domain security. In the first article in the series we talked about setting up a secure domain login, and in the second about setting up secure data transfer in an email client.
In this article we will talk about setting up encryption of information stored on your hard drive. You will understand how to make sure that no one but you can read the information stored on your computer.
Few people know that Windows has built-in tools that help you store information safely. Let's consider one of them.
Surely some of you have heard the word “BitLocker”. Let's figure out what it is.
What is BitLocker?
BitLocker (the exact name is BitLocker Drive Encryption) is a technology for encrypting the contents of computer drives developed by Microsoft. It first appeared in Windows Vista.
Using BitLocker, it was possible to encrypt hard drive volumes, but later, in Windows 7, a similar technology, BitLocker To Go, appeared, which is designed to encrypt removable drives and flash drives.
BitLocker is a standard component of Windows Professional and server versions of Windows, which means it is already available for most enterprise use cases. Otherwise, you will need to upgrade your Windows license to Professional.
How does BitLocker work?
This technology is based on full volume encryption performed using the AES (Advanced Encryption Standard) algorithm. Encryption keys must be stored securely, and BitLocker has several mechanisms for this.
The simplest, but at the same time the most insecure method is a password. The key is obtained from the password in the same way every time, and accordingly, if someone finds out your password, then the encryption key will become known.
To avoid storing the key in clear text, it can be encrypted either in a TPM (Trusted Platform Module) or on a cryptographic token or smart card that supports the RSA 2048 algorithm.
TPM is a chip designed to implement basic security-related functions, mainly using encryption keys.
The TPM module is usually installed on the computer motherboard, however, it is very difficult to purchase a computer with a built-in TPM module in Russia, since the import of devices without FSB notification into our country is prohibited.
Using a smart card or token to unlock a drive is one of the most secure ways to control who unlocked the drive and when. To unlock the drive in this case, you need both the smart card itself and its PIN code.
How BitLocker works:
- When BitLocker is activated, a master bit sequence is generated with a pseudo-random number generator. This is the volume encryption key, FVEK (full volume encryption key). It encrypts the contents of each sector. The FVEK must be kept strictly secret.
- FVEK is encrypted using the VMK key (volume master key). The FVEK key (encrypted with the VMK key) is stored on disk among the volume metadata. However, it should never end up on disk in decrypted form.
- VMK itself is also encrypted. The user chooses the encryption method.
- The VMK key is encrypted by default using the SRK (storage root key) key, which is stored on a cryptographic smart card or token. This happens in a similar way with TPM.
By the way, the system drive encryption key in BitLocker cannot be protected using a smart card or token. This is due to the fact that libraries from the vendor are used to access smart cards and tokens, and, of course, they are not available before loading the OS.
If there is no TPM, then BitLocker suggests saving the system partition key on a USB flash drive, which, of course, is not the best idea. If your system does not have a TPM, we do not recommend encrypting your system drives.
In general, encrypting the system drive is a bad idea. When configured correctly, all important data is stored separately from system data. This is at least more convenient from the point of view of backups. Plus, encrypting system files reduces the performance of the system as a whole, whereas an unencrypted system disk together with encrypted data files works without loss of speed.
- Encryption keys for other, non-system and removable, drives can be protected using a smart card or token, as well as a TPM.
If there is neither a TPM module nor a smart card, then instead of SRK, a key generated based on the password you entered is used to encrypt the VMK key.
When starting from an encrypted boot disk, the system queries all possible keystores - checking for the presence of a TPM, checking USB ports, or, if necessary, prompting the user (which is called recovery). Key store discovery allows Windows to decrypt the VMK key that decrypts the FVEK key that decrypts the data on the disk.
Each sector of the volume is encrypted separately, and part of the encryption key is determined by the number of that sector. As a result, two sectors containing the same unencrypted data will look different when encrypted, making it very difficult to determine encryption keys by writing and decrypting previously known data.
In addition to FVEK, VMK, and SRK, BitLocker uses another type of key that is created “just in case.” These are the recovery keys.
For emergencies (the user lost a token, forgot his PIN, etc.), BitLocker prompts you to create a recovery key in the last step. The system does not provide for refusal to create it.
How to enable data encryption on your hard drive?
Before you begin the process of encrypting volumes on your hard drive, it is important to note that this procedure will take some time. Its duration will depend on the amount of information on the hard drive.
If the computer turns off or goes into hibernation during encryption or decryption, these processes will resume where they stopped the next time you start Windows.
Even during the encryption process, the Windows system can be used, but it is unlikely to please you with its performance. As a result, after encryption, disk performance decreases by about 10%.
If BitLocker is available on your system, then when you right-click on the name of the drive that needs to be encrypted, the menu item that opens will display Turn on BitLocker.
On server versions of Windows you need to add the BitLocker Drive Encryption role first.
Let's start setting up encryption of a non-system volume and protect the encryption key using a cryptographic token.
We will use a token produced by the Aktiv company, specifically the Rutoken EDS PKI token.
I. Let's prepare Rutoken EDS PKI for work.
In most normally configured Windows systems, after the first connection to Rutoken EDS PKI, a special library for working with tokens produced by the Aktiv company - Aktiv Rutoken minidriver - is automatically downloaded and installed.
The installation process for such a library is as follows.
The presence of the Aktiv Rutoken minidriver library can be checked in Device Manager.
If the download and installation of the library did not happen for some reason, then you should install the Rutoken Drivers for Windows kit.
II. Let's encrypt the data on the disk using BitLocker.
Click on the disk name and select Turn on BitLocker.
As we said earlier, we will use a token to protect the disk encryption key.
It is important to understand that in order to use a token or smart card with BitLocker, it must contain RSA 2048 keys and a certificate.
If you use the Certificate Authority service in a Windows domain, the certificate template must include the “Disk Encryption” certificate purpose (more about setting up a Certificate Authority in our series of articles about Windows domain security).
If you do not have a domain, or you cannot change the certificate issuance policy, you can fall back to a self-signed certificate; how to issue a self-signed certificate for yourself is described separately.
Now let's check the corresponding box.
In the next step, we will select a method for saving the recovery key (we recommend choosing Print the recovery key).
The piece of paper with the recovery key printed must be stored in a safe place, preferably in a safe.
At the next stage, we will start the disk encryption process. Once this process is complete, you may need to reboot your system.
When encryption is enabled, the icon of the encrypted disk will change.
And now, when we try to open this drive, the system will ask you to insert a token and enter its PIN code.
Deployment and configuration of BitLocker and TPM can be automated by using the WMI tool or Windows PowerShell scripts. How the scenarios are implemented will depend on the environment. The commands for BitLocker in Windows PowerShell are described in this article.
How to recover BitLocker encrypted data if the token is lost?
If you want to open encrypted data in Windows
To do this, you will need the recovery key that we printed earlier. Just enter it in the appropriate field and the encrypted section will open.
If you want to open encrypted data on GNU/Linux and Mac OS X systems
To do this, you need the DisLocker utility and a recovery key.
The DisLocker utility operates in two modes:
- FILE - The entire partition encrypted by BitLocker is decrypted into a file.
- FUSE - only the block accessed by the system is decrypted.
For example, we will use the Linux operating system and the FUSE utility mode.
In the latest versions of common Linux distributions, the dislocker package is already included in the distribution, for example, in Ubuntu, starting from version 16.10.
If for some reason the dislocker package is not available, you need to download the utility and compile it yourself. Unpack the archive:

tar -xvjf dislocker.tar.gz
Let's open the INSTALL.TXT file and check which packages we need to install.
In our case, we need to install the libfuse-dev package:
sudo apt-get install libfuse-dev
Let's build the package. Go to the src folder and run make, then make install:

cd src/
make
make install
When everything has compiled (or you have installed the package), let's start setting up.
Let's go to the mnt folder and create two folders in it:
- Encrypted-partition - for an encrypted partition;
- Decrypted-partition - for a decrypted partition.
Let's find the encrypted partition and unlock it with the utility, exposing it in the Encrypted-partition folder. Note that dislocker expects the recovery password glued directly to the -p option (no space), and the FUSE mount point follows "--":

dislocker -r -V /dev/sda5 -precovery_key -- /mnt/Encrypted-partition

(instead of recovery_key, substitute your recovery key)
Let's display a list of files located in the Encrypted-partition folder:
ls Encrypted-partition/
Let's enter the command to mount the decrypted volume exposed in that folder:

mount -o loop Encrypted-partition/dislocker-file Decrypted-partition/

To view the decrypted partition, go to the Decrypted-partition folder.
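The unlock-and-mount procedure above, wrapped in a script as an added example (not part of the original article). It first checks that the recovery password is well formed, using the published structure of BitLocker recovery passwords (48 digits in eight groups of six, each group divisible by 11 and at most 720885), so a mistyped key is rejected before dislocker is even invoked. The device /dev/sda5 and the two directories under /mnt are the placeholders used above; dislocker and FUSE are assumed to be installed and the script is assumed to run as root.

```shell
#!/bin/sh
# Added example: validate a BitLocker recovery password, then unlock the
# volume with dislocker and mount the resulting virtual disk image.

# Returns 0 if $1 looks like a valid BitLocker recovery password:
#   - exactly eight groups of six digits separated by '-'
#   - each group is divisible by 11, and group/11 fits in 16 bits (< 65536)
# This catches a single mistyped digit, since it breaks the "divisible by 11"
# property of the affected group.
validate_recovery_password() {
    key=$1
    old_ifs=$IFS
    IFS='-'
    set -- $key            # split into groups on '-'
    IFS=$old_ifs
    [ "$#" -eq 8 ] || return 1
    for group in "$@"; do
        case "$group" in
            [0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) return 1 ;;
        esac
        # Strip leading zeros so $(( )) never interprets the group as octal.
        n=${group#"${group%%[!0]*}"}
        [ -n "$n" ] || n=0
        [ $((n % 11)) -eq 0 ] || return 1
        [ $((n / 11)) -lt 65536 ] || return 1
    done
    return 0
}

# Unlock $1 (block device) with recovery password $2, exposing the decrypted
# image in $3 via FUSE, then mount that image read-only on $4.
mount_bitlocker() {
    device=$1; key=$2; enc_dir=$3; dec_dir=$4
    if ! validate_recovery_password "$key"; then
        echo "recovery password is malformed (expected 8 groups of 6 digits)" >&2
        return 1
    fi
    # -r: read-only; the password is glued to -p; the mount point follows "--".
    dislocker -r -V "$device" -p"$key" -- "$enc_dir" || return 1
    # dislocker exposes the plaintext volume as a single file.
    mount -o ro,loop "$enc_dir/dislocker-file" "$dec_dir"
}

# Usage: ./bl-mount.sh /dev/sda5 XXXXXX-...-XXXXXX /mnt/Encrypted-partition /mnt/Decrypted-partition
if [ "$#" -eq 4 ]; then
    mount_bitlocker "$@"
fi
```

Run it with the four arguments shown in the usage comment; with any other argument count the script only defines the functions.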
Let's summarize
Enabling volume encryption with BitLocker is very easy. All this is done effortlessly and for free (provided you have a professional or server version of Windows, of course).
You can use a cryptographic token or smart card to protect the encryption key that encrypts the disk, which significantly increases the level of security.
Encryption adds another layer of security by ensuring that the file can only be read by its creator. If any other user - even one with administrator privileges - tries to open such a file, he will see either a meaningless set of characters or nothing at all. In other words, your encrypted data cannot be read unless you are logged into the system under your own account.
Encrypting files and folders in Windows 7 is a convenient way to protect sensitive data, but storing encrypted and unencrypted data on the same drive can lead to unpredictable results, as discussed in the File Encryption section. However, owners of Windows 7 Ultimate and Enterprise versions can solve this problem by taking advantage of the BitLocker Drive Encryption tool.
BitLocker treats all the data on a disk as one huge container and handles it as a virtual hard disk. In Windows Explorer, you work with BitLocker-encrypted files like any other data; Windows performs the encryption and decryption silently in the background. The big advantage of BitLocker is that it encrypts the Windows files and all system files, making it much more difficult for someone to crack your password and gain unauthorized access to the system. Additionally, when the entire drive is encrypted, there is no need to encrypt individual files.
To encrypt the drive, open the BitLocker Drive Encryption page in Control Panel. If you see a TPM was not found error, check to see if your computer has a BIOS update that supports TPM.
TPM, Trusted Platform Module, is a chip on the motherboard that stores the BitLocker encryption key. Thanks to it, the computer can boot from an encrypted drive. If the BIOS does not support TPM, then a regular USB drive can be used as such a chip.
With file encryption, you only mark the file as intended for encryption. Windows encrypts and decrypts files in the background while the file's creator writes or views them. However, in Windows 7 on-the-fly encryption can sometimes throw up surprises, and security is not an area where you can rely on chance.
File encryption
Encryption is a feature of the NTFS file system (discussed in the "Choose the Right File System" section) that is not available in any other file systems. This means that if you copy an encrypted file to, say, a memory card, USB drive, or CD, it will be impossible to decrypt it because the NTFS file system is not supported on these devices.
How to encrypt a file:
- Right-click on one or more files in Explorer and select Properties from the context menu.
- On the General tab, click Advanced.
- Select the Encrypt contents to secure data checkbox, click OK, then close the window by clicking OK again.
Launch the encryption tool on Windows by searching for "BitLocker" and selecting "Manage BitLocker." In the next window, you can enable encryption by clicking on “Enable BitLocker” next to the hard drive (if an error message appears, read the section “Using BitLocker without a TPM”).
You can now choose whether you want to use a USB flash drive or a password when unlocking an encrypted drive. Regardless of the option you choose, you will need to save or print the recovery key during the setup process. You'll need it if you forget your password or lose your flash drive.
Using BitLocker without TPM
Setting up BitLocker. BitLocker also works without a TPM chip, although this requires some configuration in the Local Group Policy Editor.
If your computer does not have a TPM (Trusted Platform Module) chip, you may need to make some adjustments to enable BitLocker. In the Windows search bar, type "Edit Group Policy" and open the "Local Group Policy Editor". In the left column of the editor, open “Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating System Drives”, and in the right column select the entry “Require additional authentication at startup”.
Then, in the middle column, click the "Edit policy setting" link. Select “Enabled” and check the box next to “Allow BitLocker without a compatible TPM” below. After clicking "Apply" and "OK", you can use BitLocker as described above.
An alternative in the form of VeraCrypt
To encrypt the system partition or entire hard drive using TrueCrypt's successor, VeraCrypt, select "Create Volume" from the VeraCrypt main menu, then select "Encrypt the system partition or entire system drive." To encrypt the entire hard drive along with the Windows partition, select “Encrypt the whole drive”, then follow the step-by-step setup instructions. Note: VeraCrypt creates a rescue disk in case you forget your password. So you will need a blank CD.
Once you've encrypted your drive, you will be asked for the PIM (Personal Iterations Multiplier) after your password when you boot up. If you did not set a PIM during setup, just press Enter.