[Solved] PBA – Pre-Boot-Authentication for Windows BitLocker

Let me explain the importance of pre-boot-authentication (PBA) in client security:

I lock the door of my house whenever I leave for work. I lock all doors of my car when I reach my office. I unlock the office door when I enter. I even lock my drawer, just to secure the ten coffee capsules I bought last week.

But when I start my notebook, holding highly sensitive data and tons of customer references, my BitLocker encryption magically unlocks itself on power-on. That is what most Microsoft consultants recommend to enterprises.

Decryption must be an active user decision!

In my past security life, whenever I locked sensitive data I demanded a user authorization process to re-access it. This should be similar to unlocking a safe.

Referring to a current Microsoft article, "Protect BitLocker from pre-boot attacks" for Windows 10, Microsoft concedes the lack of adequate authentication options for native BitLocker implementations:

Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs.

As Microsoft BitLocker offers few sophisticated and user-convenient authentication methods (the BitLocker protectors), we added additional protectors in Secure Disk for BitLocker. These protectors include an Active Directory credential protector, a smart card protector, an X.509 protector, a modern smartphone app for authentication and multiple biometric options for user authentication.

PBA – Pre-Boot-Authentication for Microsoft Windows

Pre-Boot-Authentication (PBA) gives attackers fewer attack vectors, as cryptographic protection secures the full operating system before vulnerable services start.

Secure Disk for BitLocker is available as a standard edition offering password and Active Directory authentication. In its multi-factor edition we support all modern authentication methods, including PKI token, smart card, biometric / fingerprint authentication and smartphone app authentication via USB cable or Bluetooth. Request your evaluation today!

[Solved] Secure Erase on Disposal for BitLocker Encrypted Clients

Did you ever try to dispose of or resell a BitLocker encrypted client? You will need external erase / disposal tools, boot from a USB stick and invest a lot of time in clearing every single device that is about to leave.

But it could be so easy, as all data sectors are already strongly encrypted. You just need to dispose of all BitLocker protectors (the internal keys that grant access to the volume encryption key) at once.

Luckily, the command line tool manage-bde.exe can be used to delete protectors. Unfortunately, once you reach the last protector the tool resists and does not allow you to delete it. The reason is clear: if you do, your client will not boot any more... But that is exactly what we want!!!

Check the protectors on your Windows partition:

PS C:\> manage-bde -protectors -get C:

Delete the password protector from your Windows partition:

PS C:\> manage-bde -protectors -delete C: -type password

Add a password protector to your Windows partition. After the command you are prompted for a password:

PS C:\> manage-bde -protectors -add C: -password

For testing I recommend creating a virtual partition of a few GB and activating BitLocker on it to play with the manage-bde.exe command line tool.
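The lab setup recommended above, written out as an added PowerShell example (this is not code from the original post or from the Secure Disk product). It creates a small VHDX as the virtual partition, turns on BitLocker with a password protector, lists the protectors (the PowerShell view of `manage-bde -protectors -get`), adds a recovery password protector and then removes the password protector, so you can watch the protector list change without touching a real drive. It assumes an elevated PowerShell on Windows 10/11 with the built-in BitLocker module and the Hyper-V PowerShell module (for `New-VHD` / `Mount-VHD`); the path, size and test password are constructed lab values.

```powershell
# Added lab example, not part of the original post. Run elevated.
# Assumes: BitLocker module (ships with Windows) and the Hyper-V PowerShell
# module for New-VHD/Mount-VHD. Path, size and password are constructed values.
$vhdPath = 'C:\Lab\bitlocker-test.vhdx'
New-Item -ItemType Directory -Path (Split-Path $vhdPath) -Force | Out-Null

# 1. Create and mount a small dynamic VHDX, then partition and format it.
New-VHD -Path $vhdPath -SizeBytes 2GB -Dynamic | Out-Null
$disk = Mount-VHD -Path $vhdPath -PassThru | Get-Disk
$vol  = $disk | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'BLTEST' -Confirm:$false
$mp = "$($vol.DriveLetter):"

# 2. Turn on BitLocker for the data volume with a password protector only.
$pw = ConvertTo-SecureString 'Lab-Test-Password-1!' -AsPlainText -Force
Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pw | Out-Null

# Helper: show protector type and id, the same information as
# "manage-bde -protectors -get <volume>".
function Show-Protectors([string]$MountPoint) {
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId |
        Format-Table -AutoSize | Out-String | Write-Host
}
Show-Protectors $mp

# 3. Add a recovery password protector so a second key exists, then delete
#    the password protector by its id (manage-bde: -delete <vol> -type password).
Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
$pwProtector = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
    Where-Object KeyProtectorType -eq 'Password'
Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $pwProtector.KeyProtectorId | Out-Null
Show-Protectors $mp

# 4. Clean up: lock and detach the test volume. Delete the VHDX file when done.
Lock-BitLocker -MountPoint $mp -ForceDismount
Dismount-VHD -Path $vhdPath
```

On a data volume the password protector works out of the box; on the operating system volume it additionally depends on the BitLocker group policy settings for operating system drives, which is why a throwaway data volume is the safer place to experiment.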

Secure Erase for Microsoft BitLocker – Integrated Function in Secure Disk for BitLocker

To support enterprises and their client lifecycle management, Secure Disk for Enterprise includes a remote wipe function to securely erase all encryption keys on a Microsoft BitLocker encrypted client. Moreover, a centrally stored compliance report lets you identify wiped clients in case of an audit.

Secure Disk for BitLocker is a strong tool to fulfill EU GDPR requirements and gives great compliance possibilities to avoid data breach notifications.

[Solved] Challenge Response Helpdesk for Microsoft BitLocker

Secure Microsoft BitLocker operation requires user authentication during the pre-boot phase, typically referred to as pre-boot-authentication (PBA). Microsoft offers a very limited set of secure pre-boot-authentication methods, including TPM+PIN, password authentication and a cryptographic key stored in clear text on a USB stick (the startup key). But what if a user cannot log on and requires helpdesk support?

If a user forgets the TPM PIN or BitLocker password, or loses the USB stick with the startup key, a BitLocker recovery is required. In enterprises the domain admin needs to hand over the 48-digit BitLocker recovery key to the user to unlock the client and allow the TPM PIN or BitLocker password to be reset.

The BitLocker recovery key is obviously a dangerous master key for the client and allows unlimited access to the encrypted client. Therefore, the recovery key needs to be changed immediately after emergency usage by the user. If an active BitLocker recovery key is lost together with the client, the incident needs to be treated as a data breach.
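Rotating the recovery key right after an emergency unlock, as the paragraph above demands, is something native BitLocker can do from an elevated PowerShell. The following added example (not code from the original post or from Secure Disk) adds a fresh recovery password protector, escrows it to Active Directory first, and only then deletes the exposed one, so the client is never left without an escrowed recovery key. It assumes the built-in BitLocker module, a domain-joined client whose group policy permits AD DS backup of recovery information, and `C:` as the operating system volume; the function name `Reset-RecoveryPassword` is this example's own.

```powershell
# Added example, not part of the original post. Run elevated on the client.
# Assumes: BitLocker module, domain-joined client with AD DS key backup allowed
# by policy (only needed for -BackupToAD). Function name is this example's own.
function Reset-RecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        [switch]$BackupToAD
    )

    # Remember the protectors that were handed out (the exposed ones).
    $before = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    # 1. Create a new recovery password protector (a new 48-digit key).
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                       $_.KeyProtectorId -notin @($before.KeyProtectorId) }

    # 2. Escrow the new key centrally before the old one is removed, so a
    #    failed backup never leaves the client without a stored recovery key.
    if ($BackupToAD) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $new.KeyProtectorId | Out-Null
    }

    # 3. Only now delete the old, exposed recovery password protector(s).
    foreach ($old in $before) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $old.KeyProtectorId | Out-Null
    }

    # Return only the id of the active protector; the 48-digit password itself
    # stays in the escrow (AD DS) rather than being printed on screen.
    return $new.KeyProtectorId
}

# Usage: Reset-RecoveryPassword -MountPoint 'C:' -BackupToAD
```

Ordering is the whole point of the function: add, back up, then delete. If the backup step is skipped or fails, the old protector is still present and the client remains recoverable through the key that was already escrowed.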

Prevent Data Breaches with Intelligent BitLocker Helpdesk Methods

As the BitLocker recovery key is hard to handle and very sensitive if ever lost, Secure Disk for BitLocker offers a user-convenient challenge/response helpdesk method without the limitations of the BitLocker recovery key.

The Secure Disk for BitLocker response can be freely defined to allow a new password to be set, a new smart card to be learned, or a temporary boot without authentication for a number of boots or a defined time. Even the Windows domain password can be bypassed in case the user's Active Directory password is lost.

Request our helpdesk console manual for a full list of Secure Disk for BitLocker helpdesk options.

[Solved] Smartphone Authentication for Microsoft BitLocker

The lack of hardware-based multi-factor authentication for Microsoft BitLocker, such as smart cards, tokens or smartphone apps, is an ongoing discussion among security experts. As Microsoft consultants preach waiving BitLocker authentication completely and relying on Secure Boot and Windows domain authentication only, this security consideration is a no-go for compliance decision makers.

Why? Because once Windows has started automatically without encryption authentication, the BitLocker encryption key is already loaded into the computer's memory. An attacker can steal the BitLocker encryption key from memory, or use network services or external ports to break into the running Windows client.

Enable the multi-factor authentication 98% of all users prefer!

In the latest version of Secure Disk for BitLocker, our new smartphone app for Apple iOS and Android can be initialized once and then used for two-factor authentication and user self-service recovery.

For this, the smartphone is connected by USB cable or Bluetooth during the pre-boot phase. The client encryption key is securely sent to the linked Windows client on user prompt.

In case of smart card or PKI token authentication, the Secure Disk for BitLocker smartphone app can be used as a self-service recovery option if a smart card is forgotten or defective. This user self-service option is fully independent of the centralized IT helpdesk and of the complex Microsoft BitLocker recovery keys stored in Active Directory.

If enterprises consider multi-factor authentication for client encryption, our smartphone authentication app is definitely the most user-convenient way to strong authentication!

[Solved] Biometric Pre-Boot Support for Microsoft BitLocker

Biometric authentication is widely used on IT systems as an additional factor of user identification. There are multiple physiological identifiers available, like fingerprint readers, finger vein readers, hand vein readers, iris scanners, voice recognition, 2D or 3D face recognition and many more.

The usage of physiological identifiers for client user authentication is typically limited by the biometric readers available on client machines. Often only inexpensive readers are available, like simple fingerprint readers or 2D webcams.

Biometric Authentication as Windows option only?

Microsoft BitLocker, in the feature set delivered with Windows, does not offer biometric authentication in the BitLocker pre-boot phase. Microsoft encourages security decision makers to bypass BitLocker pre-boot-authentication and use Windows Hello with biometric user authentication for Windows logon.

This bypassing approach results in weak cryptographic protection of the BitLocker encryption and fully shifts security to the Windows authentication phase.

Why? Transparent BitLocker encryption (without Secure Disk for BitLocker) fully automatically loads the BitLocker volume decryption key and starts Windows. This requires an initialized TPM chip and Secure Boot to protect the boot process.

So the automated start of an encrypted Windows client gives attackers a wide range of attack vectors against the running Windows operating system.
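Whether a client is in exactly this transparent-unlock state (a TPM-only protector on the operating system volume, so the volume key is released with no user factor before Windows starts) can be checked from the Windows side. The following audit function is an added example, not code from the original post or from Secure Disk; it classifies the protectors on the OS volume into those that need a user action at boot and those that do not, and reports the TPM and Secure Boot state alongside. It assumes the BitLocker, TrustedPlatformModule and SecureBoot modules that ship with Windows 10/11 and an elevated session; the function name `Get-PreBootAuthStatus` and the finding texts are this example's own.

```powershell
# Added example, not part of the original post. Run elevated.
# Assumes: BitLocker, TrustedPlatformModule and SecureBoot modules (Windows 10/11).
# Function name and finding strings are this example's own.
function Get-PreBootAuthStatus {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })

    # Protector types that require something from the user at power-on
    # (PIN, startup key on USB, or a password) before the OS key is released.
    $userFactor    = 'TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'ExternalKey', 'Password'
    $hasUserFactor = [bool]($types | Where-Object { $_ -in $userFactor })
    # TPM-only: the key is released automatically once Secure Boot measurements match.
    $tpmOnly       = ($types -contains 'Tpm') -and -not $hasUserFactor

    $tpm = Get-Tpm
    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    if ($tpmOnly)           { $finding = 'TPM-only: OS key released automatically at power-on, no pre-boot user factor' }
    elseif ($hasUserFactor) { $finding = 'Pre-boot user factor present' }
    else                    { $finding = 'No TPM protector found: check protection status and protector list' }

    [pscustomobject]@{
        Volume            = $MountPoint
        ProtectionStatus  = "$($vol.ProtectionStatus)"
        Protectors        = ($types -join ', ')
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        SecureBoot        = $secureBoot
        PreBootUserFactor = $hasUserFactor
        Finding           = $finding
    }
}

# Usage: Get-PreBootAuthStatus | Format-List
```

The `RecoveryPassword` protector is deliberately not counted as a user factor: it exists for recovery, and a volume whose only protectors are `Tpm` and `RecoveryPassword` still boots to the Windows logon screen without any user interaction, which is the situation the text above describes.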

Biometric Pre-Boot-Authentication with Microsoft BitLocker

Using Secure Disk for BitLocker, security-aware users and enterprises can use biometric authentication as an additional factor to decrypt the Windows client.

As physiological identifiers do not deliver a reproducible cryptographic key, the biometric factor cannot be used on its own to decrypt the client machine. Therefore the biometric factor is typically used in addition to domain credentials, a PKI token or smart card certificate, or a key stored on a smartphone.

Secure Disk supports multiple Linux drivers for physiological user authentication. Use our contact form to receive a full list of available options.

[Solved] Usage of Active Directory Credentials for Microsoft BitLocker

Beginning with Windows 8, Microsoft BitLocker supports password authentication without any TPM requirement. To use the BitLocker password protector, TPM support needs to be disabled on the client machine. This gives great encryption possibilities for older clients without a modern TPM chipset. Using the password protector, Windows Server systems as well as virtual systems can be encrypted.

Authentication Limitations

Unfortunately, the password protector has multiple limitations, which we asked customers to summarize:

  1. Missing username in the authentication process: the password is a machine authentication and does not support multiple users.
  2. The password does not synchronize with any Active Directory password; therefore users need to memorize the BitLocker boot password in addition to their domain credentials for Windows logon.
  3. BitLocker does not support single sign-on after successful pre-boot-authentication.
  4. The pre-boot password is not stored centrally; therefore helpdesk support is not available for the password protector.
  5. In case of a lost or forgotten BitLocker password, users need to handle the 48-digit Microsoft recovery key to unlock the client.

Active Directory Credentials for Microsoft BitLocker

Enterprises complain about the missing domain credential authentication support in Microsoft BitLocker. This gap is closed by the BitLocker add-on Secure Disk for BitLocker, as the enhanced pre-boot system offers LAN and wireless network support for Active Directory authentication:

  • Domain users can conveniently unlock Microsoft BitLocker in a fully graphical pre-boot-authentication system using their well-known domain credentials.
  • Furthermore, the user-provided domain credentials are used for single sign-on to the Windows operating system.
  • Even if the Active Directory password is forgotten, domain administrators can set a new Active Directory password and allow an encryption user to unlock his client.
  • Active Directory authentication greatly reduces user helpdesk load and improves user acceptance of client encryption.

To see the advantages for enterprises, we offer a 30-day evaluation of Secure Disk for BitLocker free of charge. Use our Secure Disk for BitLocker download option to request the software.

[Solved] Multi-Factor & Strong Authentication for Microsoft BitLocker

Typical strong authentication factors are not supported by Microsoft's client encryption BitLocker. Enterprises need to stick to TPM+PIN authentication, password authentication or the quite unpopular USB stick authentication with a startup key (a clear-text key file).

But there are many strong authentication mechanisms already deployed in enterprises that can be a perfect match for user authentication. These include smart cards, PKI crypto tokens, OTP tokens, smartphone authentication and multiple biometric identification options.

The Microsoft BitLocker add-on Secure Disk for BitLocker adds multiple multi-factor authentication methods to Microsoft BitLocker encryption, including smart card authentication, PKI token authentication, biometric / fingerprint authentication, X.509 certificate support and smartphone app authentication, in addition to the password or TPM based authentication methods.

All authentication methods are true user-based identification methods and not machine authentication, as the Secure Disk for BitLocker pre-boot-authentication (PBA) supports multiple users per client.

Enhanced Multi-Factor BitLocker Protectors

This is a great enhancement to the BitLocker standard two-factor authentication methods TPM+PIN and USB stick, and allows enterprises maximum flexibility in their security policies.

Clients can be configured to support different multi-factor authentication methods simultaneously, e.g. users can authenticate with their preferred smart card or fingerprint plus Active Directory password, or with smartphone authentication.

In large enterprise networks multi-factor authentication is widely used for administrator or support accounts on client machines.

Browse the full feature list of Secure Disk for BitLocker to see all strong authentication options for your BitLocker deployment.