Most Wanted BitLocker Features
- Pre-Boot Authentication for Win 7 / 8.x / 10
- No TPM Required
- Multi-User Support
- Active Directory Credential Authentication
- Smart Card Authentication
- PKI-Token Authentication
- YubiKey 5 Support
- Biometric Support
- OTP App Authentication
- Smartphone Authentication
- Two-Factor Authentication
- Multi-Factor Authentication
- X.509
- Wake-on-LAN
- Network-Unlock Protector
- 802.1x Network Authentication for LAN and WLAN
- Central Policy Management
- Central Helpdesk - Online HelpDesk
- Challenge/Response HelpDesk
- Smartphone HelpDesk
- Secure Erase on Disposal
- Compliance Report
AES-NI Hardware Encryption
By using the CPU's built-in AES instructions, encryption performance can be increased dramatically. AES-NI provides optimized AES-128 and AES-256 operations for high-throughput disk encryption.
BitLocker fully supports CPU-based AES-NI encryption, so full disk encryption does not noticeably affect the PC's overall application performance.
Secure Disk for BitLocker fully relies on Microsoft BitLocker AES-NI encryption and supports all available encryption methods: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit (default) and XTS-AES 256-bit.
Using the BitLocker Password Protector, any Windows partition can be encrypted with an independent encryption password. The password is typically set by the user during BitLocker activation and follows the group policy settings.
Unfortunately, the BitLocker Password Protector password does not synchronize with Active Directory domain credentials. BitLocker users need to enter the BitLocker password in the pre-boot phase, and after Windows startup the domain password must be entered for Active Directory domain authentication.
Secure Disk for BitLocker offers a user-friendly solution by adding an Active Directory synchronizing password protector to its pre-boot authentication.
Transparent TPM Authentication
BitLocker in its standard configuration requires a Trusted Platform Module (TPM) to be available on all clients to hold the encryption key. In transparent mode the disk encryption key is loaded fully automatically without any user authentication.
As the encryption key is automatically loaded into the computer's memory, an attacker can retrieve the encryption key from a memory dump, the hibernation file, or with any exploit that searches RAM.
The German BSI (Federal Office for Information Security) defines state-of-the-art client encryption as AES-128 or AES-256 plus explicit user authentication using a strong password or a cryptographic key medium. Therefore, transparent TPM authentication of an encryption solution does not comply with state-of-the-art security.
Learn more from publicly available references:
TPM + PIN Authentication
Key operations of a Trusted Platform Module (TPM) can be protected by a TPM PIN, similar to a smart card PIN. BitLocker offers TPM+PIN as a client authentication method to enable disk encryption.
Unfortunately, the TPM can only be protected by a single PIN. Therefore, multiple users sharing a workstation / notebook / tablet need to share the TPM PIN if PIN authentication is enabled. Furthermore, Microsoft describes TPM PIN authentication as client authentication, not user authentication.
Secure Disk for BitLocker offers various convenient multi-factor user authentication methods, eliminating the need for TPM PIN client/machine authentication.
Active Directory Credential Authentication
BitLocker standard pre-boot authentication has no network connection to Active Directory. Therefore, Active Directory Credential Authentication is not supported by Microsoft BitLocker.
The unique Secure Disk for BitLocker Active Directory Protector uses the pre-boot authentication network stack to verify Active Directory credentials, or uses cached credentials in offline mode.
After successful user authentication the user can automatically be logged on to Windows - a single sign-on to the operating system.
OTP App Authentication
There are many One-Time-Password (OTP) apps available for Android and iOS mobile phones. Unfortunately, BitLocker does not support any of these OTP authenticator apps.
Beginning with version 7.1, Secure Disk for BitLocker offers native support for various HOTP apps including FreeOTP, LinOTP, Google Authenticator and many others.
OTP authentication is fully supported in offline mode, for both the Windows client and the smartphone using the OTP app. Single sign-on is supported after OTP authentication.
BitLocker does not support 802.1x network authentication for LAN or WLAN in its pre-boot environment; therefore "Network Unlock" does not work in 802.1x-authenticated LAN or WLAN environments.
For more information on Network Unlock see:
The Secure Disk for BitLocker feature "Friendly Network Mode" as well as our Active Directory Protector and Online Help Desk allow direct network connection to domain services. 802.1x network authentication for WLAN and LAN is implemented to offer all above features in secure network environments.
The BitLocker protection scheme allows multiple BitLocker protectors to be activated for a volume. These protectors are: (1) recovery password, (2) external [USB] key, (3) certificate*, (4) TPM, (5) TPM and [USB] startup key, (6) TPM and PIN, (7) TPM and [USB] startup key and PIN, (8) network unlock, (9) password.
BitLocker does not support username and password authentication; only a simple password is allowed. Therefore, multi-user scenarios that require multiple username and password combinations to be definable are not supported by native BitLocker encryption. Even IT administrators who do not know the user-defined password or PIN need to use the BitLocker recovery key to access an encrypted device.
Secure Disk for BitLocker replaces Pre-Boot-Authentication (PBA) with an advanced and network-enabled boot system, that offers user authentication for thousands of users, including Active Directory authentication and multi-factor authentication like smart cards, PKI/token and smartphone app. IT administrator accounts are centrally enrolled to all enterprise clients including their preferred authentication method.
*) only available for non-start volumes like D: or USB-drives
Typically, enterprises use Wake-on-LAN (WoL) or the new Wake-on-WLAN (WoWLAN) to activate workstations and mobile devices during night time to enforce anti-virus scanning or software upgrades.
If clients are not prepared with MBAM or scripts to temporarily disable BitLocker encryption, these wake-ups will end with hundreds or thousands of clients waiting for a user authentication instead of a successful boot that would allow planned maintenance services to run automatically.
Using Secure Disk for BitLocker you can enable "Friendly Network Mode", a network-based authentication where clients retrieve their authentication key from a central key server, provided the client itself is not compromised and is within its secure enterprise LAN.
Online Help Desk
Microsoft offers an online user self-help service with MBAM. To use it, the user needs access to a company-protected MBAM web service to retrieve his 48-hex-digit BitLocker recovery key. This can be challenging, as the computer he needs to access the VPN-protected MBAM service is stuck in the authentication process. Using a company-managed smartphone or a colleague's PC may be a solution to this dilemma.
To avoid dealing with complicated BitLocker recovery keys, Secure Disk for BitLocker offers an intuitive graphical online help desk, where network-connected clients can send their help desk request to a central console. After the help desk team has been informed, the help desk response is conveniently received over a secure network channel. The BitLocker recovery key is not required in any step of this process, so it does not need to be changed after use.
Offline Challenge/Response Help Desk
Users who are locked out of an encrypted device and have no network connection can use the integrated challenge/response help desk feature of Secure Disk for BitLocker.
The challenge can be transferred by telephone, email or SMS to the help desk agent. The response can allow the user to reset his authentication password, allow a defined number of unauthenticated boots, or disable authentication for a given time period. In addition to pre-boot services, the help desk response can bypass the Windows domain authentication using single sign-on techniques.
There are many more help desk options available in Secure Disk for Bitlocker. Contact us using our contact form to get a full list of options.
Microsoft BitLocker requires multiple tools for its management: group policies, scripts, MBAM or 3rd party BitLocker management tools.
Secure Disk for BitLocker is a one-stop solution for BitLocker management and compliance reporting. The graphical console provides all configuration options you need to deploy full-disk encryption in large-scale environments. Different configurations can be grouped for Active Directory groups or individual clients. The Secure Disk client connects regularly to the central management server to receive configuration updates and to send its client security logs.
Single Sign-On to the Windows Operating System
BitLocker does not offer single sign-on to the Windows operating system after successful pre-boot-authentication.
Secure BitLocker environments require user authentication in the client's pre-boot authentication phase, e.g. password, key, TPM PIN or, with 3rd party add-ons, advanced user authentication such as smart card logon, PKI/token, certificate or smartphone app.
One of the major features of Secure Disk for BitLocker is Windows single sign-on after any of the enforced user authentication methods.
Network Unlock - Network Friendly Mode
Network authentication is an authentication method where a boot key is automatically deployed to clients. Boot key deployment is only allowed within the company's security boundary and after an advanced integrity check of the client to avoid client manipulation.
Microsoft's "Network Unlock" feature supports LAN environments only; Secure Disk for BitLocker "Friendly Network Mode" offers support for 802.1x authentication and for both LAN and WLAN.
Typical environments to enable network authentication:
- Industrial workstations, industry 4.0
- Medical analytical systems
- Automated teller machine - ATM
- Desktop workstations within company's LAN and WLAN boundary
- Notebooks / tablets within company's LAN and WLAN boundary
All biometric authentication methods follow a similar approach: a biometric print (fingerprint, vein recognition, face recognition, iris scan, etc.) is taken from the user and computed into a mathematical template. The captured print is then compared to a previously recorded print in the same scheme. If the similarity of the two prints is greater than a defined threshold, e.g. 98%, the user is assumed to be authentic.
This biometric yes-or-no comparison does not produce a cryptographic key that can be used for encryption, because a biometric print is not an exactly reproducible function. Therefore, biometric support is less secure than other multi-factor authentication methods and typically needs to be combined with passwords that can deliver cryptographic keys.
Secure Disk for BitLocker offers biometric support, often by fingerprint readers, in combination with other user authentication factors.
Smart Card Support
The best cryptographic key protection is provided by a smart card's key storage. Private keys stored on a smart card are normally protected by a smart card PIN and protected from brute-force attacks, as smart cards lock themselves after a few wrong PIN entries.
BitLocker does support smart card authentication for BitLocker to Go and non-system volumes. Unfortunately, you cannot authenticate the Windows boot partition with BitLocker, as the BitLocker pre-boot system does not support X.509 and smart card authentication.
With Secure Disk for BitLocker in its multi-factor edition you get support for more than 60 current smart cards for pre-boot authentication. We support different types of X.509 certificates, including RSA keys and elliptic curve cryptography (ECC). Furthermore, the authenticated session to the smart card can be passed over to the Windows session and used for single sign-on with X.509 certificate authentication in Windows.
Ask for a list of all supported smart cards and readers using our contact form.
Instead of a smart card reader and smart card, many vendors offer USB-connected crypto-tokens. These devices have the same operating system and middleware as PKI smart cards, so the same authentication limitations apply to BitLocker users: you cannot authenticate a Windows boot partition with a PKI token such as Gemalto, Aladdin/SafeNet, Rainbow iKey, Marx, RSA SecurID, Vasco Digipass, Kobil mIDentity, Omnikey 6321 USB or Identive uTrust.
The PKI middleware implemented in Secure Disk for BitLocker supports more than 60 smart cards and PKI tokens with different smart card operating systems. An X.509 certificate on the PKI token is required for cryptographic authentication.
Ask for a list of all supported PKI-token using our contact form.
YubiKey 5 Support
The YubiKey offers superior security by combining hardware-based authentication and public key cryptography to effectively defend against phishing attacks and eliminate account takeovers. It offers multi-protocol support including FIDO2, Yubico OTP, OATH HOTP, U2F, PIV and OpenPGP. Users have the broadest options for strong authentication, including not only two-factor authentication but also single-factor passwordless login and multi-factor authentication in conjunction with user touch and PIN.
Secure Disk for BitLocker offers YubiKey support in two operating modes: (1) cryptographic challenge-response authentication using a pre-shared key, and (2) PKI authentication using a pre-installed X.509 certificate.
The Secure Disk authenticator app is available for Android and Apple iOS and offers cryptographic authentication for Secure Disk for BitLocker clients. The app is enrolled by the user by exchanging keys via QR codes. After initialisation, app authentication is performed in the pre-boot phase within seconds over a Bluetooth LE (Low Energy) connection.
The authenticator app is free of charge.
Secure Erase on Disposal
Once you use client encryption, disposing of clients sounds easy: you just need to delete all encryption keys of the BitLocker-protected client.
Unfortunately, Microsoft BitLocker does not offer a command, locally or from a central console, to wipe a BitLocker-encrypted client. You can trick BitLocker by deleting most of the existing protectors and setting a random number as a password protector to prevent further use, but this trick is still vulnerable to brute-force attacks.
Compliance Tip: Save Your Money on Hardware Wiping
A unique feature of Secure Disk for BitLocker is a central function to remote wipe managed clients. All encryption keys are deleted on the client within seconds, leaving a data-clean hardware that can be reinstalled or disposed. A compliance report of all disposed clients is available centrally.