Secret Way to encrypt full Windows Operating System PC

amit08255 By amit08255, 13th Apr 2014 | Follow this author | RSS Feed
Posted in Wikinut>Guides>Technology>Computer Software

In this article we will talk about how you can encrypt your complete windows operating system PC to protect if from attackers.

Secret Way to encrypt full Windows Operating System PC

With the introduction of Windows Server and Windows Vista came an additional security
feature, BitLocker Drive Encryption (BDE, or BitLocker), which protects the confidentiality
and integrity of the operating system volume during the boot sequence and while the
operating system is not loaded. Windows Server will also extend this capability to protect
data volumes as well. BDE was designed to mitigate offline attacks, such as removing
the physical drive from a lost or stolen laptop and accessing the data from an attacker-
controlled operating system.
BitLocker Confi gurations:----
As mentioned, BitLocker can be configured in a variety of ways. In this section we discuss
each, along with its strengths, weaknesses, and prerequisites. BitLocker can be configured
to operate in the following modes:
• BitLocker with a Trusted Platform Module (TPM)
• BitLocker with a TPM + Startup PIN
• BitLocker with a TPM + USB Token
• BitLocker without TPM
• BitLocker without TPM + USB
• BitLocker without TPM + Startup PIN

Depending on the desired configuration for BitLocker, your system must also satisfy
other hardware and software prerequisites. To determine whether your Windows Vista
computer meets these requirements, perform the following steps:
1. Click Start.
2. Click Control Panel.
3. Click Security.
4. Click BitLocker Drive Encryption.
At a high level, these configuration options represent different combinations of the
following:
• Systems with the TPM
• Systems without the TPM
• Systems using single-factor authentication
• Systems using two-factor authentication
Of these, the most secure configuration is a system that has a TPM and utilizes two-
factor authentication, and here’s why: The TPM provides BitLocker with the ability to
validate each component of the boot process. This ensures the platform is in a known
secure state before decrypting the volume. (We will touch more on this a bit later in the
section “BitLocker with TPM.”)
With most authentication systems, and barring implementation flaws, the degree of
difficulty to authenticate as another principal increases with the number of “factors”—
each factor introduces an additional test that must be passed by the entity attempting to
authenticate. Common authentication factors include the following:
• Something you have
• Something you know
• Something you are
Currently, BitLocker supports two of these: something you have (a USB or TPM), and
something you know (a PIN). In the next section, we take a deeper look at the desired
solution—BitLocker equipped with a TPM and an additional form of authentication,
such as a PIN or USB token.

BitLocker with TPM:---
The preferred BitLocker configuration leans heavily on a technology designed by the
Trusted Computing Group, called a Trusted Platform Module. A TPM is a microcontroller
that resides on the computer’s motherboard and is utilized primarily for protecting the
confidentiality of encryption keys and validating the integrity of early boot components,
such as the BIOS, Master Boot Record, and boot sector. BitLocker utilizes the TPM for
full-volume encryption by storing the root encryption key on the TPM hardware. By
moving the encryption key from the hard drive to a device that is resilient to software-
based attacks, the confidentiality of this key, and ultimately the volume, is ensured.
However, there are a couple caveats to this:
• The TPM is not designed to resist sophisticated hardware attacks.
• Once the operating system is booted, protection is out of the TPM’s hands.
In addition to storing the encryption key, BitLocker utilizes the TPM to collect and
store measurements of components involved with the boot process. These characteristics
act as a digital fingerprint of the system that is acquired when the system is known to be
in a secure state. This fingerprint will remain constant in the absence of any deliberate
modifications. Some legitimate instances, such as upgrading the BIOS, may cause this
fingerprint to change, and BitLocker has procedures for this. However, if an unplanned
modification to any of these characteristics occurs, they are considered unauthorized.
During subsequent boot processes, these characteristics are reacquired and compared to
the original set. If the fingerprints do not match, the system is considered untrustworthy
and the boot process is halted. If the fingerprints do match, the TPM decrypts the keys
used to encrypt the volume, and execution is passed to the operating system.
Because BitLocker relies on the TPM, we will spend some time discussing its finer
points, including the mechanisms that support the boot validation process and the
actions taken during the boot validation process.
The Role of the Trusted Platform Module
Before we jump into the details of the boot validation process, we will briefly discuss the
TPM capabilities that support it. The TPM provides BitLocker with the ability to encrypt
cryptographic keys in such a manner that they can be decrypted only by the TPM chip
that encrypted them. However, this must occur during recovery scenarios in which a
recovery key or recovery password will allow decryption. To achieve this, each TPM
contains an asymmetric key called the Storage Root Key (SRK), which is used to protect
the confidentiality of other keys. This process is commonly referred to as key “wrapping.”
Like other asymmetric key deployments, the private portion of the SRK is never shared.
Additionally, the private portion of the SRK is not at risk to software-based attacks
because the TPM maintains separation between it and memory accessible by the operating
system.
This wrapping process can be taken a step further, and this is one of the cornerstones
of BitLocker. The TPM can wrap a key in such a manner that it cannot be unwrapped
unless current platform characteristics are equivalent to those during the time the key
was created. This capability, called “sealing,” is utilized by BitLocker to create a Volume
Master Key (VMK), which protects the Full Volume Encryption Key (FVEK), which is
ultimately used to encrypt the operating system and data volumes. By utilizing a sealed
key, sensitive data cannot be decrypted outside the context of a Trusted Computing
Platform.

Determining Trustworthiness During the Boot Sequence:-----
Determining the trustworthiness of a platform in the absence of a trusted hardware
component is an extremely difficult task. This is because an attacker can reverse-engineer
and modify the very software components used to protect and validate the platform. The
TPM solves this problem by providing the platform with a trusted entity that can anchor
a chain of trust, which we will dig into now.
Upon initializing BitLocker, when the platform is in a known secure state, the TPM’s
Static Root of Trust Measurement (SRTM) mechanism is utilized to measure various
components of the platform and stores a digest of each measurement in a secure location
within the TPM, called Platform Configuration Registers (PCR). Upon boot, PCRs 0
through 15 are reset and execution is passed to a trusted portion of the TPM firmware
that comprises, in part, the Core Root of Trust Measurement (CRTM). This kickstarts a
series of validations and execution handoffs until the operating system is loaded. During
this process, each boot component is first validated before execution is passed, which
ensures the chain of trust is never broken.
The default TPM platform validation mechanism ensures the following platform
components have not been tampered with. Validation and execution is performed in this
order as well:
• Core Root of Trust Measurement (CRTM)
• BIOS
• Platform extensions
• Option ROM code
• Master Boot Record
• Boot sector
• Boot block
• Boot Manager
• OS Loader
• Operating system
At this point, the operating system is responsible for validating and ensuring the
integrity of the platform. In upcoming sections, we discuss features of Windows that
pick up where the secure boot process left off.

Visit here to know more.SHARE US YOUR REVIEWS.

moderator Steve Kinsman moderated this page.
If you have any complaints about this content, please let us know

Comments

Add a comment
Username
Can't login?
Password