BitLocker is that often forgotten full disk encryption (FDE) tool from Microsoft.
It lets you encrypt your entire hard drive (or any external device, with BitLocker To Go) and roam safely around the globe: whoever walks off with the machine gets ciphertext, not your data. It only protects data at rest, though; once the disk is unlocked and the machine is running, it is as exposed as any other.

The default setting on Windows Vista and 7 is AES with a 128 bit key plus the Elephant diffuser. Windows 8 dropped the diffuser (the default there is plain AES 128), and Windows 10 version 1511 and later default to XTS-AES 128.

There is a PowerShell BitLocker module (Get-BitLockerVolume, Enable-BitLocker and friends) on Windows 8 / Server 2012 (kernel 6.2) and later, and two command line tools, manage-bde and repair-bde, on every Windows that has BitLocker 🙂
And the Control Panel applet of course…

Most configuration is done using (Local) Group Policy, under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. Some of those settings, the encryption method and cipher strength first of all, are only read at the moment a volume gets encrypted, so changing them afterwards does nothing for a volume that is already encrypted…
So check out the options before encrypting everything!


To quickly check your current status (and which encryption method you’re using):

PS C:\Windows\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: []
[OS Volume]

    Size:                 237,96 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Numerical Password

Three lines are worth a second look. Encryption Method is the cipher that was chosen when the volume was encrypted (here AES 128 without diffuser, the Windows 8.x default), and no later policy change will alter it. Conversion Status: Used Space Only Encrypted means only the clusters in use were encrypted; whatever sat in free space beforehand (deleted files) is still there in the clear unless you pick full encryption. And Key Protectors lists every way the volume can be unlocked: if Numerical Password is the only entry, as above, there is no TPM protector, and the 48-digit recovery password is the only thing that will unlock the drive at boot.

Sidenote on this subject

AES 256 isn’t meaningfully safer than AES with a 128 bit key: brute-forcing either is out of reach, and the part of a BitLocker setup that actually gets attacked is the key protector (TPM, PIN, recovery password), not the block cipher. Pick 256 bit only when a policy (FIPS, your organization) requires it, and accept the performance cost that comes with it.

Choose the encryption strength

BitLocker supports two levels of cipher strength for BitLocker: 128-bit and 256-bit. Both use the Advanced Encryption Standard (AES) to perform encryption. Longer encryption keys provide an enhanced level of security and are less likely to be successfully attacked by the use of brute-force methods. However, longer keys can cause slower encryption and decryption of data. On some computers, using longer keys might result in noticeable performance degradation. You can use Group Policy to change the length of the encryption key used by BitLocker.

In addition, BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. By default, BitLocker uses AES encryption with 128-bit encryption keys and Diffuser. You can also select encryption without Diffuser by using Group Policy if your organization is Federal Information Processing Standard (FIPS) compliant.

It is recommended that most organizations use AES 128-bit with Diffuser. For organizations that are required to use 256-bit encryption, the AES 256-bit with Diffuser option can be enabled by using Group Policy. => howto

One caveat to the text above: the Diffuser options only exist on Vista and Windows 7. Windows 8 and 8.1 offer plain AES 128 or AES 256 (CBC, no diffuser), and Windows 10 version 1511 and later add XTS-AES 128 and 256, which took over the diffuser’s role of making targeted changes to the ciphertext hard. In every version the policy is called “Choose drive encryption method and cipher strength” and is only read when a volume gets encrypted: an already encrypted volume keeps its cipher until you decrypt and re-encrypt it.
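As a worked how-to for this section (an added example, not a script from the original post or from Microsoft): it sets the cipher-strength policy the way the Local Group Policy editor does, by writing the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE, reports what every volume actually uses so you catch volumes encrypted under an older setting, and, only when you pass -Encrypt, encrypts the OS volume with a recovery password plus a TPM protector. The target cipher, the OS volume letter and the parameter names are assumptions; the value names and numeric codes are those of the BitLocker policy template, and on a domain-joined machine a domain GPO will overwrite them at the next refresh.

```powershell
# Added example (not code from the original post): select the BitLocker cipher
# through the policy registry values that the Local Group Policy editor writes
# for "Choose drive encryption method and cipher strength", report what every
# volume actually uses, and only then encrypt the OS volume.
# Assumptions: elevated PowerShell on Windows 8 or later with the BitLocker
# module, a TPM, and no domain GPO that would overwrite these values on refresh.
#Requires -RunAsAdministrator
param(
    [ValidateSet('Aes128', 'Aes256', 'XtsAes128', 'XtsAes256')]
    [string]$Desired  = 'XtsAes256',   # assumed target; XTS needs Windows 10 1511+
    [string]$OsVolume = 'C:',          # assumed OS volume
    [switch]$Encrypt                   # without it the script only configures and reports
)

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Each Windows generation reads its own value name and code set:
#   Vista/7    EncryptionMethod                     1/2 = AES 128/256 with diffuser, 3/4 = without
#   8 and 8.1  EncryptionMethodNoDiffuser           3/4 = AES-CBC 128/256
#   10 1511+   EncryptionMethodWithXts{Os,Fdv,Rdv}  3/4 = AES-CBC 128/256, 6/7 = XTS-AES 128/256
# Older generations have no XTS, so they get the same key size in their own cipher,
# with the diffuser kept on Vista/7 (as the post recommends).
$xtsCode = @{ Aes128 = 3; Aes256 = 4; XtsAes128 = 6; XtsAes256 = 7 }[$Desired]
$cbcCode = @{ Aes128 = 3; Aes256 = 4; XtsAes128 = 3; XtsAes256 = 4 }[$Desired]
$w7Code  = @{ Aes128 = 1; Aes256 = 2; XtsAes128 = 1; XtsAes256 = 2 }[$Desired]

Set-ItemProperty -Path $fve -Name EncryptionMethod           -Value $w7Code  -Type DWord
Set-ItemProperty -Path $fve -Name EncryptionMethodNoDiffuser -Value $cbcCode -Type DWord
foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
    Set-ItemProperty -Path $fve -Name $name -Value $xtsCode -Type DWord
}

# The policy only governs volumes encrypted from now on: a volume that is already
# encrypted keeps its cipher until it is decrypted and re-encrypted, so check.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Type       = $_.VolumeType
        Method     = $_.EncryptionMethod
        Status     = $_.VolumeStatus
        Protection = $_.ProtectionStatus
        Protectors = (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', ')
        CipherOk   = if ($_.VolumeStatus -eq 'FullyDecrypted') { 'n/a' } else { "$($_.EncryptionMethod)" -eq $Desired }
    }
} | Format-Table -AutoSize

if ($Encrypt) {
    $os = Get-BitLockerVolume -MountPoint $OsVolume
    if ($os.VolumeStatus -ne 'FullyDecrypted') {
        throw "$OsVolume is $($os.VolumeStatus) with $($os.EncryptionMethod); decrypt it first to change the cipher."
    }
    # Recovery password first, then the TPM protector, so there is always a way in
    # if a TPM measurement fails on the next boot.
    # Full encryption, not -UsedSpaceOnly: used-space-only leaves whatever sat in
    # free clusters before (deleted files) readable from the raw disk.
    $vol = Enable-BitLocker -MountPoint $OsVolume -EncryptionMethod $Desired -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Recovery password for $OsVolume (write it down now): $($rp.RecoveryPassword)"
    Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmProtector | Out-Null
}
```

Run it once without -Encrypt to set the policy and read the table: a volume whose CipherOk column says False was encrypted under an older setting and has to be decrypted and re-encrypted to pick up the new one. On Windows 8.1 only Aes128 and Aes256 are accepted by -EncryptionMethod; the XTS names exist from Windows 10 version 1511.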


Sidenote on recovery key

Keep that key somewhere quickly accessible. Especially with Windows 8…
On your phone, a hardcopy in your wallet, a tattoo on your arm… anywhere except on the encrypted disk itself.

When Windows 8 detects that something went wrong while booting, it tries Automatic Repair.
But it can’t repair anything while the partition is locked, so you have to enter the recovery key first.
If you can’t unlock it and reboot, it just tries to repair again.
And you’re looping forever…

Damn Windows 8!
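A practical follow-up to this sidenote (an added example, not a script from the original post): it makes sure every encrypted volume has a recovery password protector (the “Numerical Password” in manage-bde’s status output), writes the 48-digit password to a file on a removable drive, and, on request, escrows it in Active Directory. The $OutDir path and the -BackupToAD switch are assumed names; it needs an elevated PowerShell on Windows 8 or later with the BitLocker module, and the AD backup only works on a domain-joined machine whose AD DS has the BitLocker recovery schema.

```powershell
# Added example (not code from the original post): make sure every encrypted
# BitLocker volume has a recovery password protector (manage-bde calls it
# "Numerical Password") and keep a copy of it off the encrypted disk.
# Assumptions: elevated PowerShell on Windows 8 or later with the BitLocker
# module; $OutDir points at a removable drive (assumed path); -BackupToAD
# needs a domain-joined machine with the BitLocker recovery schema in AD DS.
#Requires -RunAsAdministrator
param(
    [string]$OutDir = 'E:\bitlocker-recovery',   # assumed: a USB stick, never the encrypted disk
    [switch]$BackupToAD                          # also escrow the password in Active Directory
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($vol in (Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted')) {
    $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rps.Count -eq 0) {
        # No recovery password at all: a failed TPM measurement, a firmware update or
        # the Windows 8 repair loop would leave this volume unopenable, so add one.
        # (manage-bde equivalent: manage-bde -protectors -add <vol> -RecoveryPassword)
        $vol = Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector
        $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    foreach ($rp in $rps) {
        # The recovery screen shows the first 8 hex digits of the protector ID,
        # so name the file after them to find the right password quickly.
        $shortId = $rp.KeyProtectorId.Trim('{}').Substring(0, 8)
        $file    = Join-Path $OutDir ("{0}-{1}.txt" -f $vol.MountPoint.TrimEnd(':'), $shortId)
        @(
            "Volume:            $($vol.MountPoint) ($($vol.VolumeType))"
            "Protector ID:      $($rp.KeyProtectorId)"
            "Recovery password: $($rp.RecoveryPassword)"
        ) | Set-Content -Path $file
        if ($BackupToAD) {
            # manage-bde equivalent: manage-bde -protectors -adbackup <vol> -id <protector ID>
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
        Write-Host ("{0}: recovery password {1}... saved to {2}" -f $vol.MountPoint, $shortId, $file)
    }
}
```

The file name carries the short protector ID on purpose: when the blue recovery screen comes up, it shows that ID, so you can pick the right password from several without trying them all. Run the script again after any change to the protectors; it only adds a recovery password where none exists, so it is safe to repeat.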
