Knowledge Base 2016

Built as a Pre-Boot-Authentication (PBA) system, Secure Disk for BitLocker is a small security operating system that is loaded prior the start of Windows​. ​The software offers additional features and full management ​of the underlaying ​Windows encryption​.

The BitLocker add-on eliminates all limitations of BitLocker: easy deployment, multi-user / multi-factor authentication, central management and comfortable helpdesk features.

​The software supports all type of platforms: notebooks, convertible, tablets and desktops.

​For smart card authentication a compatible smart card and reader ist required. The PKI-token authentication requires a free USB slot at the time of boot. Smartphone authentication requires a Bluetooth interface and connects on Bluetooth LE - low energy - preferred.

​Within the successful authentication (password, AD password, smart card, token, X.509 certificate, help-desk, network-friendly-mode, smartphone app) it decrypts the BitLocker key and securely starts the BitLocker ​protected Windows operating system.

Secure Disk for BitLocker client supports the following client operating systems:

• Windows 7
  
• Windows 8
  
• Windows 8.1
  
• Windows 10 including version 1709, Fall Creators Update
  

Additional requirements

• Secure Disk for BitLocker is an add-on for Microsoft BitLocker, all client requirements to run BitLocker must be met.
  
• Microsoft BitLocker start partition ​is required.
  
• ​The start partition and Windows partition need to be on the same physical disk.
• Secure Disk for BitLocker generates a new 1.5 GB partition for the pre-boot-system. The required re-partition process requires typically 10 GB free space on the Windows partition to be successful. Alternative an unpartitioned area of 1.5 GB can be used.
  

Secure Disk for BitLocker central management console supports the following ​operating systems:

• Windows 7
• Windows 8
• Windows 8.1
• Windows 10
• Windows Server 2008 R2
• Windows Server 2012
• Windows Server 2012 R2
• Windows Server 2016
  

Additional requirements

• Microsoft .NET Framework 4.6.1 or higher need to be installed.
  
• A new Microsoft SQL database is required. The sql user need to be assigned to role "db_owner" and scheme "dbo". Sorting should not be case-sensitive.
  

Within the installation process Secure Disk for BitLocker will adapt graphic drivers, disk interfaces, LAN and WLAN network adapters and other hardware devices to an optimal configuration set. Therefore, basically all modern desktops, convertible, tablets and notebooks are supported.

Enclosed a list of known devices supported:

​Our Linux based Pre-Boot-Authentication OS supports BIOS and UEFI. All multi-factor authenticators are supported in both ​firmware options.

​Our additional BitLocker protectors "Active Directory Authentication" and "Friendly Network Mode" require network connection to central services. In PBA phase WLAN and LAN connections are supported.

​For helpdesk operation an active network connection, allows Secure Disk for BitLocker Online Helpdesk to transfers the challenge and response over a secure channel to the central helpdesk administrator, completely eliminating complex digit sequences to be entered.

The management console should be installed on a Windows Server 2012 or Server 2016. It requires a Microsoft SQL database instance as configuration and key repository. SQL Express is supported for customers not running MS-SQL servers or clusters.

All sensitive information stored in the SQL database is encrypted.

​All configration and keys are stored on the MS-SQL database configured in the Secure Disk for BitLocker management console. Simply installing multiple installing multiple instances of the management service while connecting to a MS-SQL cluster offers a high available and fault tolerant management cluster.

​Sure, just press start:

Transparent BitLocker encryption (without Secure Disk for BitLocker) fully automatically loads the BitLocker volume decryption key and starts Windows. That requires an initialized TPM chip and secure boot for protection of the boot process.

But, automated start of an encrypted client system will give attackers a wide range of attack vectors to the running Windows operating system.

Refering to https://wccftech.com/microsoft-patches-50-security-windows-10/ on November 14th 2017 the Microsoft patch KB4048955 (OS Build 16299.64) and patch KB4048954 (OS Build 15063.726 and 15063.728) fixes 53 security vulnerabilities. Where 20 of these are rated critical, with 30 rated as important.

Microsoft TechNet defines a critical ​vulnerabilities as:

"A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email. Microsoft recommends that customers apply Critical updates immediately."

For a stolen encrypted client machine that means that an attacker just need to wait for a couple of weeks to have tons of documented and unpatched critical exploits on a client system to break-in!

This easily can be avoided by an cryptographic lock (a Pre-Boot-Authentication system - PBA) before starting the Windows OS.

Do not use transparent encryption with Microsoft BitLocker, as this may secure your data today (a ​fully patched client), but definitly not tomorrow (an unpatched client with critical vulnerabilities)!