Using BitLocker to Protect Your Data in Windows 8

BitLocker is a component of the Pro and Enterprise editions of Windows 8 and of Windows Server 2012 that protects the contents of a hard drive through encryption. It is also available in Enterprise versions of Windows Vista and 7.

It is viewed more as a business option than a consumer option, but consumers can acquire equivalent functionality through third-party software. BitLocker guards against the consequences of an employee’s notebook or desktop computer coming into the possession of an unauthorized person.

BitLocker prevents unauthorized access by:

  1. Encrypting the entire Windows operating system drive on the hard disk. BitLocker encrypts all user files and system files on the operating system drive, including the swap file and the hibernation file.
  2. Checking the integrity of early boot components and boot configuration data. On computers that have a Trusted Platform Module (TPM) version 1.2 or 2.0, BitLocker uses the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is still in the original computer.
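A practical way to verify that these protections are actually in place on a Windows 8 or Server 2012 machine is the BitLocker and TrustedPlatformModule PowerShell modules that ship with those releases. The script below is an added example written for this article, not code from the original page or from Microsoft; it assumes an elevated prompt and that both modules are available. It reports, per volume, whether protection is on, how far encryption has progressed, which key protectors are attached, and whether the TPM is ready, then warns about the two conditions an administrator most wants to catch: an operating system drive that is not protected, and a protected drive with no recovery password (a firmware update or boot change on a TPM-only drive would otherwise lock the data out).

```powershell
# Added example (not from the original article): audit BitLocker and TPM state.
# Requires the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012+)
# and an elevated PowerShell session.
function Get-BitLockerAuditReport {
    # TpmPresent / TpmReady tell you whether the TPM protector can be used at all
    $tpm = Get-Tpm

    foreach ($vol in Get-BitLockerVolume) {
        $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $vol.ProtectionStatus    # On or Off
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted
            PercentEncrypted = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            Protectors       = $types
            HasRecoveryPw    = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
            TpmPresent       = $tpm.TpmPresent
            TpmReady         = $tpm.TpmReady
        }
    }
}

$report = Get-BitLockerAuditReport
$report | Format-Table -AutoSize

# Condition 1: the OS drive is not protected (encryption off, paused, or never enabled)
$report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { Write-Warning "OS drive $($_.MountPoint) is not protected by BitLocker" }

# Condition 2: protected, but no recovery password to fall back on if the TPM
# measurements change or the disk is moved to another computer
$report | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPw } |
    ForEach-Object { Write-Warning "$($_.MountPoint) has no recovery password protector" }
```

Run it periodically or from a logon script and collect the warnings centrally; ProtectionStatus of Off on a volume that reports FullyEncrypted means the protectors have been suspended, which is worth investigating rather than just re-enabling.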

The following unlock methods (key protectors) can be assigned to BitLocker-protected drives:

  1. Automatic unlock. Fixed data drives can be set to automatically unlock on a computer whose operating system drive is encrypted. Removable data drives can be set to automatically unlock on a computer running Windows 8 after the password or smart card has been used once to unlock the drive. However, removable data drives must always have either a password or a smart card unlock method in addition to the automatic unlock method.
  2. Password. When users attempt to open a drive, they are prompted to enter their password before the drive is unlocked. This method can be used with the BitLocker To Go Reader on computers running Windows Vista or Windows XP to open BitLocker-protected drives as read-only.
  3. Smart card. When users attempt to open a drive, they are prompted to insert their smart card before the drive is unlocked.
  4. Active Directory account or group. A key can be assigned to an Active Directory user, group, or computer account; when those credentials are presented, the drive is unlocked.
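The four methods above map directly onto key protectors that the Windows 8 and Server 2012 BitLocker cmdlets can add. The script below is an added example written for this article, not code from the original page or from Microsoft. It assumes an elevated session, a domain-joined machine (for the recovery-password escrow), and placeholder values for the drive letters, the AD group name and the certificate thumbprint. Note that the cmdlets have no switch for a smart card (certificate) protector, so that one step uses manage-bde, which ships with the same releases.

```powershell
# Added example (not from the original article): configure the unlock methods
# described above. C:, D:, E:, the group name and the thumbprint are placeholders.

# Operating system drive: TPM protector, plus a numerical recovery password
# escrowed to Active Directory so a boot-integrity failure is recoverable.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# Method 2 then 1: fixed data drive with a password protector, then automatic
# unlock on this computer (only valid because C: above is BitLocker-protected).
$pwD = Read-Host -Prompt 'Password for D:' -AsSecureString
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -PasswordProtector -Password $pwD
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Removable drive (BitLocker To Go): a password or smart card is mandatory;
# auto-unlock may be layered on top afterwards.
$pwE = Read-Host -Prompt 'Password for E:' -AsSecureString
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod Aes128 -PasswordProtector -Password $pwE

# Method 3: smart card / certificate protector, added by certificate thumbprint.
manage-bde -protectors -add E: -certificate -ct '<CERTIFICATE-THUMBPRINT-PLACEHOLDER>'

# Method 4: Active Directory account or group (SID-based) protector.
Add-BitLockerKeyProtector -MountPoint 'E:' -AdAccountOrGroupProtector -AdAccountOrGroup 'CONTOSO\BitLockerAdmins'

# Confirm what ended up on each drive.
Get-BitLockerVolume | Select-Object MountPoint, ProtectionStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
```

Backup-BitLockerKeyProtector only succeeds when the computer is domain-joined and the domain schema and policy permit recovery-information storage; escrow the recovery password before encryption finishes so there is never a window with an unrecoverable drive.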

Windows Server 2012 adds a further BitLocker protector for operating system volumes called Network Unlock. Network Unlock allows managed desktops to be unlocked automatically at system reboot when they are connected to a trusted wired corporate network. The client hardware must, however, have a DHCP driver implemented in its UEFI firmware.

Security will continue to grow in importance, and BitLocker’s full-volume encryption is a practical way to protect an organization’s distributed data assets.
