BitLocker originated as a part of Microsoft's Next-Generation Secure Computing Base architecture in 2004 as a feature tentatively codenamed "Cornerstone"[4][5] and was designed to protect information on devices, particularly if a device was lost or stolen. Another feature, titled "Code Integrity Rooting", was designed to validate the integrity of Microsoft Windows boot and system files.[4] When used in conjunction with a compatible Trusted Platform Module (TPM), BitLocker can validate the integrity of boot and system files before decrypting a protected volume; an unsuccessful validation will prohibit access to a protected system.[6][7] BitLocker was briefly called Secure Startup before Windows Vista's release to manufacturing.[6]
Initially, the graphical BitLocker interface in Windows Vista could only encrypt the operating system volume.[13] Starting with Windows Vista with Service Pack 1 and Windows Server 2008, volumes other than the operating system volume could be encrypted using the graphical tool. Still, some aspects of BitLocker (such as turning autolocking on or off) had to be managed through a command-line tool called manage-bde.wsf.[14]
The version of BitLocker included in Windows 7 and Windows Server 2008 Release 2 adds the ability to encrypt removable drives. On Windows XP or Windows Vista, read-only access to these drives can be achieved through a program called BitLocker To Go Reader, if FAT16, FAT32 or exFAT filesystems are used.[15] In addition, a new command-line tool called manage-bde replaced the old manage-bde.wsf.[16]
Starting with Windows Server 2012 and Windows 8, Microsoft has complemented BitLocker with the Microsoft Encrypted Hard Drive specification, which allows the cryptographic operations of BitLocker encryption to be offloaded to the storage device's hardware, for example, self-encrypting drives.[17][18] In addition, BitLocker can now be managed through Windows PowerShell.[19] Finally, Windows 8 introduced Windows To Go in its Enterprise edition, which BitLocker can protect.[20]
Device encryption
Windows Mobile 6.5, Windows RT and core editions of Windows 8.1 include device encryption, a feature-limited version of BitLocker that encrypts the whole system.[21][22][23] Logging in with a Microsoft account with administrative privileges automatically begins the encryption process. The recovery key is stored to either the Microsoft account or Active Directory (Active Directory requires Pro editions of Windows), allowing it to be retrieved from any computer. While device encryption is offered on all editions of Windows 8.1, unlike BitLocker, device encryption requires that the device meet the InstantGo (formerly Connected Standby) specifications,[23] which require solid-state drives and a TPM 2.0 chip.[21][24]
Starting with Windows 10 1703, the requirements for device encryption have changed, requiring a TPM 1.2 or 2.0 module with PCR 7 support, UEFI Secure Boot, and that the device meets Modern Standby requirements or HSTI validation.[25]
Device encryption requirements were relaxed in Windows 11 24H2, with the Modern Standby or HSTI compliance no longer required and the DMA interfaces blocklist removed.[26]
In September 2019 a new update was released (KB4516071[27]) changing the default setting for BitLocker when encrypting a self-encrypting drive. Now, the default is to use software encryption for newly encrypted drives. This is due to hardware encryption flaws and security concerns related to those issues.[28]
Encryption modes
Three authentication mechanisms can be used as building blocks to implement BitLocker encryption:[29]
Transparent operation mode: This mode uses the capabilities of TPM 1.2 hardware to provide a transparent user experience—the user powers up and logs into Windows as usual. The key used for disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement—a methodology specified by the Trusted Computing Group (TCG). This mode is vulnerable to a cold boot attack, as it allows a powered-down machine to be booted by an attacker. It is also vulnerable to a sniffing attack, as the volume encryption key is transferred in plain text from the TPM to the CPU during a successful boot.
User authentication mode: This mode requires that the user provide some authentication to the pre-boot environment in the form of a pre-boot PIN or password.
USB Key Mode: The user must insert a USB device that contains a startup key into the computer to be able to boot the protected OS. Note that this mode requires that the BIOS on the protected machine supports the reading of USB devices in the pre-OS environment. BitLocker does not support smart cards for pre-boot authentication.[30]
The following combinations of the above authentication mechanisms are supported, all with an optional escrow recovery key:
BitLocker is a logical volume encryption system. (A volume spans part of a hard disk drive, the whole drive or more than one drive.) When enabled, TPM and BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS and boot sector), in order to prevent most offline physical attacks and boot sector malware.[37]
In order for BitLocker to encrypt the volume holding the operating system, at least two NTFS-formatted volumes are required: one for the operating system (usually C:) and another with a minimum size of 100 MB, which remains unencrypted and boots the operating system.[37] (In the case of Windows Vista and Windows Server 2008, however, the volume's minimum size is 1.5 GB and it must have a drive letter.)[38] Unlike previous versions of Windows, Vista's "diskpart" command-line tool includes the ability to shrink the size of an NTFS volume so that this volume may be created from already allocated space. A tool called the BitLocker Drive Preparation Tool is also available from Microsoft that allows an existing volume on Windows Vista to be shrunk to make room for a new boot volume and for the necessary bootstrapping files to be transferred to it.[39]
Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk-encryption key protection mechanisms such as TPM, PIN or USB key are configured.[40] The volume is then encrypted as a background task, something that may take a considerable amount of time with a large disk as every logical sector is read, encrypted and rewritten back to disk.[40] The keys are only protected once the whole volume has been encrypted, at which point the volume is considered secure.[41] BitLocker uses a low-level device driver to encrypt and decrypt all file operations, making interaction with the encrypted volume transparent to applications running on the platform.[40]
Encrypting File System (EFS) may be used in conjunction with BitLocker to provide protection once the operating system is running. Protection of the files from processes and users within the operating system can only be performed using encryption software that operates within Windows, such as EFS. BitLocker and EFS, therefore, offer protection against different classes of attacks.[42]
In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Services are hosted on a Windows version previous to Windows Server 2008).
BitLocker and other full disk encryption systems can be attacked by a rogue boot manager. Once the malicious bootloader captures the secret, it can decrypt the Volume Master Key (VMK), which would then allow access to decrypt or modify any information on an encrypted hard disk. By configuring a TPM to protect the trusted boot pathway, including the BIOS and boot sector, BitLocker can mitigate this threat. (Note that some non-malicious changes to the boot path may cause a Platform Configuration Register check to fail, and thereby generate a false warning.)[37]
Security concerns
TPM alone is not enough
The "Transparent operation mode" and "User authentication mode" of BitLocker use TPM hardware to detect whether there are unauthorized changes to the pre-boot environment, including the BIOS and MBR. If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key (VMK) and allow the bootup process to continue.[43] However, TPM alone is not enough:
In February 2008, a group of security researchers published details of a so-called "cold boot attack" that allows full disk encryption systems such as BitLocker to be compromised by booting the machine from removable media, such as a USB drive, into another operating system, then dumping the contents of pre-boot memory.[44] The attack relies on the fact that DRAM retains information for up to several minutes (or even longer, if cooled) after the power has been removed. The Bress/Menz device, described in US Patent 9,514,789, can accomplish this type of attack.[45] Similar full disk encryption mechanisms of other vendors and other operating systems, including Linux and Mac OS X, are vulnerable to the same attack. The authors recommend that computers be powered down when not in physical control of the owner (rather than be left in a sleep mode) and that the encryption software be configured to require a password to boot the machine.[44]
On 10 November 2015, Microsoft released a security update to mitigate a security vulnerability in BitLocker that allowed authentication to be bypassed by employing a malicious Kerberos key distribution center, if the attacker had physical access to the machine, the machine was part of a domain and had no PIN or USB flash drive protection.[46]
BitLocker still does not properly support TPM 2.0 security features which, as a result, can lead to a complete bypass of privacy protection when keys are transmitted over the Serial Peripheral Interface (SPI) bus on a motherboard.[47]
All these attacks require physical access to the system and are thwarted by a secondary protector such as a USB flash drive or PIN code.
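The transparent operation mode described above, and the reason the page gives for adding a PIN or startup key, can be seen in a small model of what the TPM does with the Volume Master Key. The following is an added example, not Microsoft's code and not BitLocker's real on-disk or TPM format: it reproduces the TCG-style PCR extend chain (PCR = H(old PCR || H(component))), seals a constructed VMK to the expected final PCR value with an optional PIN as a second factor, and then simulates three boots. The boot component names, `ToyTpm`, and the `provision`/`simulate_boot` helpers are assumptions made for this illustration.

```python
"""Toy model of a VMK sealed to boot measurements (constructed example).

Shows two things from the text: a key sealed to PCR values is released only when
the measured boot path is byte-for-byte unchanged, and a pre-boot PIN means the
TPM measurement alone is no longer sufficient to obtain the key.
"""
import hashlib
import hmac
import os

PCR_RESET = bytes(32)  # PCRs read as all zeros after power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TCG-style extend: new = H(old || H(component)). The order of extends matters,
    # so swapping two boot components yields a different final value.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_path(components) -> bytes:
    pcr = PCR_RESET
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


class ToyTpm:
    """Minimal stand-in for a TPM: a secret that never leaves the chip plus one PCR."""

    def __init__(self):
        self._storage_root = os.urandom(32)  # chip-bound secret, never exported
        self.pcr = PCR_RESET

    def _kek(self, nonce: bytes, pcr: bytes, auth: bytes) -> bytes:
        # Key-encryption key bound to (this chip, expected PCR, PIN/auth value).
        return hmac.new(self._storage_root, nonce + pcr + auth, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes, auth: bytes = b"") -> dict:
        assert len(secret) == 32, "toy pad covers exactly a 256-bit secret"
        nonce = os.urandom(16)  # fresh per seal so the derived pad is never reused
        kek = self._kek(nonce, expected_pcr, auth)
        ct = bytes(a ^ b for a, b in zip(secret, kek))
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        return {"nonce": nonce, "ct": ct, "tag": tag}

    def unseal(self, blob: dict, auth: bytes = b""):
        # Uses the *current* PCR, i.e. whatever was actually measured this boot.
        kek = self._kek(blob["nonce"], self.pcr, auth)
        expected_tag = hmac.new(kek, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, blob["tag"]):
            return None  # PCR mismatch or wrong PIN: the TPM refuses to release the key
        # On success the key is handed back in plaintext; this is the value the
        # page notes can be sniffed on the bus between TPM and CPU.
        return bytes(a ^ b for a, b in zip(blob["ct"], kek))


# Constructed boot paths; the strings only stand in for measured code/config.
GOOD_BOOT = [b"firmware v1", b"boot manager", b"bootmgfw.efi", b"winload.efi"]
TAMPERED_BOOT = [b"firmware v1", b"boot manager", b"modified loader", b"winload.efi"]


def provision(tpm: ToyTpm, boot_components, pin: bytes = b""):
    """Enable protection: seal a fresh VMK to the expected measurements (+ PIN)."""
    vmk = os.urandom(32)
    return vmk, tpm.seal(vmk, measure_boot_path(boot_components), pin)


def simulate_boot(tpm: ToyTpm, booted_components, blob: dict, pin: bytes = b""):
    """Power-on reset, measure what actually ran, then ask the TPM for the VMK."""
    tpm.pcr = PCR_RESET
    for c in booted_components:
        tpm.pcr = pcr_extend(tpm.pcr, c)
    return tpm.unseal(blob, pin)


def scenarios() -> dict:
    tpm = ToyTpm()
    vmk, blob = provision(tpm, GOOD_BOOT)            # TPM-only protector
    vmk_pin, blob_pin = provision(tpm, GOOD_BOOT, b"1234")  # TPM + PIN protector
    return {
        "tpm_only_clean_boot": simulate_boot(tpm, GOOD_BOOT, blob) == vmk,
        "tpm_only_tampered_boot": simulate_boot(tpm, TAMPERED_BOOT, blob) is None,
        "tpm_pin_clean_boot_wrong_pin": simulate_boot(tpm, GOOD_BOOT, blob_pin, b"0000") is None,
        "tpm_pin_clean_boot_right_pin": simulate_boot(tpm, GOOD_BOOT, blob_pin, b"1234") == vmk_pin,
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The first scenario is the point of the "TPM alone is not enough" heading: an unmodified boot path releases the VMK with no user interaction at all, which is exactly what a cold boot or bus-sniffing attacker waits for. The tampered path shows the integrity check doing its job, and the two PIN scenarios show why the page calls a PIN or startup key a secondary protector: the measurement can be correct and the key is still withheld.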
Upholding Kerckhoffs's principle
Although the AES encryption algorithm used in BitLocker is in the public domain, its implementation in BitLocker, as well as other components of the software, is proprietary; however, the code is available for scrutiny by Microsoft partners and enterprises, subject to a non-disclosure agreement.[48][49]
According to Microsoft sources,[50] BitLocker does not contain an intentionally built-in backdoor, so there is no Microsoft-provided way for law enforcement to have guaranteed access to the data on a user's drive. In 2006, the UK Home Office expressed concern over the lack of a backdoor and tried entering into talks with Microsoft to get one introduced.[51] Microsoft developer and cryptographer Niels Ferguson denied the backdoor request and said, "over my dead body".[52] Microsoft engineers have said that United States Federal Bureau of Investigation agents also put pressure on them in numerous meetings to add a backdoor, although no formal, written request was ever made; Microsoft engineers eventually suggested that agents should look for the hard copy of the encryption key that the BitLocker program suggests that its users make.[53]
Niels Ferguson's position that "back doors are simply not acceptable"[52] is in accordance with Kerckhoffs's principle. Stated by Netherlands-born cryptographer Auguste Kerckhoffs in the 19th century, the principle holds that a cryptosystem should be secure, even if everything about the system, except the encryption key, is public knowledge.
Since 2020, BitLocker's method and data structure is public knowledge due to reverse engineering; the Linux cryptsetup program is capable of reading and writing BitLocker-protected drives given the key.[54]
Other concerns
Starting with Windows 8 and Windows Server 2012, Microsoft removed the Elephant Diffuser from the BitLocker scheme for no declared reason.[55] Dan Rosendorf's research shows that removing the Elephant Diffuser had an "undeniably negative impact" on the security of BitLocker encryption against a targeted attack.[56] Microsoft later cited performance concerns, and noncompliance with the Federal Information Processing Standards (FIPS), to justify the diffuser's removal.[57] Starting with Windows 10 version 1511, however, Microsoft added a new FIPS-compliant XTS-AES encryption algorithm to BitLocker.[1] Starting with Windows 10 version 1803, Microsoft added a new feature called "Kernel Direct Memory access (DMA) Protection" to BitLocker, to protect against DMA attacks via Thunderbolt 3 ports.[58][59] "Kernel Direct Memory access (DMA) Protection" only protects against attacks through Thunderbolt. Direct Memory Access is also possible through PCI Express. In this type of attack an attacker would connect a malicious PCI Express device,[60] which can in turn write directly to memory and bypass the Windows login. To protect against this type of attack, Microsoft introduced "Virtualization-based Security".[61][62]
In October 2017, it was reported that a flaw enabled private keys to be inferred from public keys, which could allow an attacker to bypass BitLocker encryption when an affected TPM chip is used.[63] The flaw is the Return of Coppersmith's Attack or ROCA vulnerability which is in a code library developed by Infineon and had been in widespread use in security products such as smartcards and TPMs. Microsoft released an updated version of the firmware for Infineon TPM chips that fixes the flaw via Windows Update.[64]
"BitLocker Drive Encryption". Data Encryption Toolkit for Mobile PCs: Security Analysis. Microsoft. April 4, 2007. Archived from the original on October 23, 2007. Retrieved March 7, 2020.
Andrew, Bettany; Halsey, Mike (2013). Exam Ref 70-687: Configuring Windows 8 (1 ed.). Microsoft Press. p. 307. ISBN 978-0-7356-7392-2. OCLC 851209981.