This article will review some basic concepts, give some "how-to" recipes and experience, then will finish with some new VB code that can help out with older TPMs.
"'The time has come,' the Walrus said,
'To talk of many things:
Of shoes and ships and sealing wax,
Of cabbages and kings,
And why the sea is boiling hot,
And whether pigs have wings.'
'To talk of many things:
Of shoes and ships and sealing wax,
Of cabbages and kings,
And why the sea is boiling hot,
And whether pigs have wings.'
Lewis Carroll Alice in Wonderland
The basics
First let's review some basics.FDE - Full Disk Encryption
Bitlocker is Microsoft's version of full disk encryption. What is good about full disk encryption?
- FDE is usually transparent to the user. After some pre-boot initialization, you run as usual. Performance (unless very intensive disk activity is involved – eg major software install / upgrade) is normal.
- FDE protects "data at rest", i.e. when the laptop or PC is powered down.
What is not so good about FDE?
- FDE does not protect data while the PC is running. Anything running on the PC (or accessing the PC from the network) can access the data (subject to normal OS restrictions). If the PC sends the data across the network, the data is sent in the clear.
- If an encrypted disk has problems (and especially if this is the main PC boot disk!) then recovery can become complex. Typical offline recovery scenarios involve using a special WinPE boot disk with FDE drivers to decrypt the disk / effect repairs.
- The Wikipedia article on BL (see Wikipedia: BitLocker) points out that BL, like most software-based FDE solutions, is susceptible to side-channel attacks (e.g. Hardware key-logger, “cold boot” attack, acoustic cryptanalysis).
- Bitlocker (especially when used with the TPM) is a complex technology that unfortunately tends towards cryptic error messages. One of the ongoing challenges is trying to understand what is stopping everything from working this time.
File-Folder encryption
In contrast to FDE is file / folder encryption.3rd-party vendors such as McAfee and PGP, as well as open source software such as GNUPG can encrypt selected files or entire folders.
In this case, some level of user interaction is generally required (e.g. move the file to the special folder, activate the software, enter a symmetric encryption key passphrase).
What is good about file / folder encryption?
Once encrypted, then the data stays encrypted whether the PC is booted or not, whether the data is sent across the network as an email attachment, or if the data is copied to a network-based file share. The user must again intervene in some fashion to cause the data to be decrypted.What is not so good about file / folder encryption?
There are two basic difficulties with file / folder encryption:- It depends on the user "doing the right thing". Users can either tend to forget to protect critical / sensitive data or can find security cumbersome and then try to bypass controls / protection.
- There can be performance issues as well as usability concerns depending on a) the quantity of data, and b) the number of files to be encrypted.
TPM – Trusted Platform Module
From Wikipedia:Trusted Platform Module (TPM) is a secure crypto-processor embedded in the motherboard that can be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication. It can be used to verify that the system seeking the access is the expected system.
A limited number of full disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device.
Basic TPM functions
Here are some of the functions offered by the TPM chip (see Wikipedia - TPM article)- Secure generation of cryptographic keys
- Pseudo-random number generator
- "Remote attestation": A crypto hash representing PC hardware and software configuration
- Binding: Encryption using the TPM endorsement key which is an RSA key provided by the chip manufacturer during production
- Sealing: Encrypts data similar to binding but specifies a state that the TPM must be in for the data to be decrypted (i.e. unsealed)
- Enable / disable: "Enable" turns on the TPM function – think of a light switch. This value can be set repeatedly and persists across boot cycles. "Enable" can be set by the TPM owner's (cryptographically) authorized cmds (remotely) or by physical presence cmds.
- Clear: TPM values are reset and all key material is deleted.
- Take ownership: Someone (probably the PC administrator) takes control of the TPM function by installing a secret. A TPM is designed to have only 1 owner at a time.
- Activate / deactivate: This also turns off the TPM function but is a volatile TPM flag that can be set by anyone. The flag persists until the next boot cycle. When it is off, ownership of the TPM can be taken. "Activate" can also be set off through multiple boot cycles by physical presence cmds.
"A word from our sponsor" …
Here is what the Windows BitLocker Drive Encryption Design Guide has to say about TPMs:Physical presence interface
The Trusted Computing Group (TCG) TPM specification requires physical presence to perform some TPM administration functions, such as turning on and turning off the TPM. Physical presence means a person must physically interact with the system and the TPM interface in order to confirm or reject changes to TPM status. … The following are examples of TPM administrative tasks that require physical presence:
Activating the TPM
Clearing the existing owner information from the TPM without owner password
Deactivating the TPM
Temporarily disabling the TPM without the owner password
TPM states of existence
For each of the TPM states of existence, the TPM can transition into another state (for example, moving from disabled to enabled). The states are not exclusive.
Important
BitLocker cannot use the TPM until it is in the following state: enabled, activated, and owned. When the TPM is in this state and only when it is in this state, all operations are available.
The state of the TPM exists independent of the computer's operating system. Once the TPM is enabled, activated, and owned, the state of the TPM is preserved if the operating system is reinstalled.
Endorsement keys
For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM does not contain an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.
An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM.In practice, some of the older Dell laptops shipped with TPMs that did not have endorsement keys. Most, if not all, recent PCs do have endorsement keys.
The BL Design Guide claims that the BL setup will automatically generate an endorsement key if one does not exist. In my experience, this is not necessarily true. In any case, code is provided as part of this article to manually generate an endorsement key.
What is good about using TPM-based protection?
Whether / how the TPM is actually used depends on the OS, the encryption software, the BIOS configuration, as well as the configuration of the TPM itself.By building on the basic TPM functions, a software-based FDE such as BL can offer the following advantages:
- Since each TPM has a unique RSA key burned into it at manufacture (at least in theory!), the TPM can be used to authenticate the PC. If the HDD is removed from a particular PC and placed in another, the decryption process will fail.
- Depending how the TPM is configured, it can also be used to verify the integrity of the hardware and software configuration. That is, the TPM gives assurance that the hardware and software being booted have not been tampered with.
- The TPM also can be used to provide a reliable hardware-based source of entropy (i.e. randomness) for crypto function on the PC.
- During PC decommissioning, the contents of FDE-encrypted disks can be securely wiped by clearing the TPM and destroying the accompanying FDE recovery key material.
What is not so good about using TPM-based protection?
Here are some of the problems associated with use of TPMs:- Software maintenance becomes more complex since with BL the TPM by default will verify the hardware and software configuration. Applying regular maintenance can cause the TPM to refuse to give up its keys. The user then has to initiate recovery procedures to reinitialize the TPM.
In a corporate setting, the corresponding requirement is for maintenance to boot PCs (perhaps several times for a large install) and generally modify system software without requiring user intervention at some point in the process.
- A related problem can occur after BL initial install. The TPM can continually "detect" spurious hardware or software changes. Until this is corrected, BL recovery procedures have to be used continuously.
- The TPM is still vulnerable to a cold boot attack which targets the BL disk encryption keys in PC RAM memory.
The Wikipedia article linked to mentions that using a pre-boot PIN along with the TPM enables BL to have 2-factor authentication that helps mitigate the risk of this attack. Configuring Power Mgmt to shut down the PC instead of sleep / hibernate also helps mitigate this risk. Setting a BIOS boot password in addition to the BL PIN places yet another obstacle for the attacker to overcome.
- Some older TPMs were shipped without endorsement keys. They have to be set up before they can be used. At time of writing, this is notably the case with some of the older Dell laptops.
- If the TPM is physically damaged, then FDE recovery procedures have to be used to access the encrypted disk. Idem if the TPM is cleared by some hostile process.
Bitlocker in practice
Let's put the cart before the horse and first talk briefly about how BL actually works out in practice. Being a strong believer in the "eat your own dog food" principle, I have actually used BL on my personal PC for the past year.For purposes of this discussion, discussion of deployment in a corporate environment are out of scope. However the comments made here generally should translate to the corporate setting.
Direct from the trenches
Here are some probably subjective comments about BL use. YMMV.- For normal use, performance is transparent. Really truly. Unless you are installing that major software upgrade that is disk-intensive.
- I have seen some "flakiness" in the encrypted disk. An encrypted disk just seems to be less robust. Be prepared to use chkdsk regularly to keep things cleaned up. Possibly some of this was due to an unstable driver that caused some PC outages which in turn exacerbated the random hard disk corruption that resulted in more outages that …
- Idem for the BL-encrypted USB HDD partition that I use to offload user data. Sometimes the disk doesn't decrypt properly. Windows then asks me if I want to format the partition – No! – and then I have to dismount / remount the USB disk.
- Buy, implement, and use a reliable PC backup solution. The BL offline recovery procedures in particular should be considered as a secondary recourse only.
- In a 1-PC 1-user scenario, a good place for the TPM key as well as the BL recovery key is on a USB flash drive. With a default TPM configuration, be sure to keep the flash drive tool handy – you'll need it regularly. Since use of this flash drive bypasses all protection mechanisms, it obviously should not be stored with or near the laptop.
The hidden BL partition
BL system partition
BL needs an unencrypted hidden partition on the system drive to bootstrap itself for the initial boot.BL requires 2 partitions on the hard drive. The main system partition (usually c: ) is BL-encrypted. The other small (100MB) partition is the actual active partition. It is ordinary NTFS and contains the BL bootstrap code. Ordinarily this drive has no letter and is not visible when the OS is up and running.
Win7 will normally create the hidden partition automagically during install. If the disk has existing partitions, the Win7 installer will attempt to repartition the disk to insert the new partition.
Under certain circumstances, manual intervention is required to create the new partition. To help things out, MS provides the BL Drive Preparation Tool. (See MS Technet: Using the BL Drive Preparation Tool for Win 7 for more information.)
On Vista, user intervention was normally always required, so the accepted wisdom was to use diskpart to format the hard drive before installing anything.
Here is a screenshot showing the hidden partition on Win7:
BL To GO
Win7 introduced BitLocker To Go, which is BL protection on FAT-formatted USB flash and other drives.BL2Go is Win7-specific. To facilitate use of BL2G0-protected drives on XP and Vista, BL creates a new partition on the drive. This is the "discovery drive".
The new partition is hidden on Win7, but visible on XP / Vista. The BL2Go reader is placed on the "discovery drive" so that legacy OS users have a way to decrypt the BL-protected USB flash. The BL2Go reader can also be accessed as a separate download from MS Download Center.
Note that Group Policy controls whether BL creates the “discovery drive” or not. For more information see Technet: Unlocking Removable Drives on XP / Vista.
Pre-implementation advice
Before implementing BL in production:- BL can be a complicated technology to install the first time around. Before you start the install of a new, read about BL in order to understand the requirements. In general, it's best to try out FDE technology in a lab setting before actually deploying in production (even if just used on one PC). Be sure you understand clearly the various recovery scenarios, impact of PC maintenance, and so forth.
- If you are installing a new PC, finish all the rest of the installation before turning on BL. Why pay the performance penalty as well as risk possible instability before you have to?
- Just before turning on BL, do a chkdsk /F to clean the disk up. Then do a full defrag. This will increase disk performance, and help minimize future problems.
- The first time through, the FTE software has to encrypt the whole partition. Depending on the speed of the CPU, and the size of the partition, this is a time-consuming operation. A vanilla Win7 install (70GB data on c: system disk) took approximately 75 min with AES 128 Diffuser encryption on a Dell Latitude D630.
While this first-time encryption process is running, it is not clear to me how robust BL really is. The BL FAQ does say that BL is robust across sleep / hibernate / power outages. (See BL FAQ: What happens if the computer is turned off during encrypt / decrypt?) However in another place, Technet warns against removing removable disks while encrypting. (See Technet: Scenario 2: Turning On BL Encryption on a Data Drive.) I would play it safe by trying to avoid hibernate / sleep / power outages / etc during BL initial encryption.
BL does provide a function to pause / resume the encryption. This function is available through manage-bde and also via the normal BL GUI. Remember to pause the encryption before doing anything else to the computer while initial encryption is running.
BL – TPM : "The" magic recipe
Sigh. If only that were true! However Win7 is starting to smooth out some of the rough edges that were present in Vista. (For instance, more enterprise-wide management control is possible (including enterprise-wide recovery). Also the disk partitioning process has been made more automatic. Support for USB flash drives was added as well.)Actually, there are many ways to deploy BL - TPM. This section will walk through a one possible deployment scenario.
Initial requirements
Let's suppose that a fairly paranoid implementation is desired. The laptop is a recent Dell Latitude. After researching the possibilities, the decision is to lock down the PC as follows:- BIOS master password to lock down the BIOS against modifications.
- BIOS setup password to prevent unauthorized booting of the laptop.
- Pre-boot PIN to help protect BL against "cold-boot" attacks.
- TPM will be used to tie BL to this PC as well as verify general PC integrity at boot time.
- User control will be maintained throughout the BL install process.
Win7 – BL GUI
On Win7 at least, the BL GUI can automate the installation of BL on a system disk. See Technet: Scenario 1: Turning On BitLocker Drive Encryption on an Operating System Drive (Windows 7) for the details.The rest of this discussion assumes that more control is desired, and shows how to obtain the same result (or perhaps find out why the automated process doesn't want to work!).
BIOS
In the BIOS on the Dell laptop:- Enable the TPM.
- Clear the TPM. This will clear out all previous keys as well as deleting the previous owner. Note that any encrypted disks hanging around that depend on the old key material in the TPM will now be unreadable. Unless of course there is some backdoor offline recovery key or some other method that bypasses the TPM for emergency situations.
- Next Activate the TPM. The TPM will now be in "Activated" and "Enabled" states, and ready to be owned.
- Set a BIOS Admin Password and a BIOS Setup Password if this hasn't been done already.
- This completes what you do in the BIOS.
These actions can be also done in other ways (e.g. The manage-bde cmdline tool, the TPM GUI). But generally this still requires physical presence at the PC. IMHO it is easier + quicker to do it directly in the BIOS.
Management tools
For BL, the tool of choice is the command line. The error messages are more explicit when things aren't working properly.On Vista, a WSF script is provided. On Win7, this has become an executable.
Fire up an administrator cmd shell, then:
cscript manage-bde.wsf -h (Vista)
ormanage-bde –h (Win7)
To manage the TPM itself, probably the best choice is the TPM management GUI (tpm.msc).
Finally, since group policy is used to manage BL, gepedit.msc is needed sometimes to configure local computer GP.
tpm.msc – Initialize and take ownership of the TPM
Using tpm.msc to manage the TPM is described in detail in Technet: Win TPM Mgmt Step-by-Step Guide.Have the TPM GUI create a random TPM owner password. Save this password on a removable USB flash drive. The corresponding file will have a ".tpm" suffix. This is actually a text file in XML format.
After saving the ".tpm" file, on the bottom of the dialog box where you won't think to look, there will be an "initialize" button. Click this to actually take ownership of the TPM.
In Win7, tpm.msc has a new function "Reset TPM Lockout". The TPM can decide that it is being attacked and go into lockout mode. This function resets the TPM to normal operation. Just remember you get only one chance to reset the TPM. After that, you have to either shut down / restart the PC, or possibly clear the lockout mode by just waiting long enough. (See Technet: Changes in TPM Mgmt.)
Using manage-bde to manage the TPM
manage-bde can also be used to manage some of the TPM functions.manage-bde - tpm already enabled / activated
Once the TPM is enabled / activated, if you do happen to run manage-bde to try to turn on the TPM, this is the message you get:manage-bde - enable / activate the tpm
But if the TPM is not on for some reason, then you will see this:After rebooting, the BIOS will prompt you with a screen to confirm that you actually do want to modify the TPM status. Select "yes" and continue the PC boot sequence. This is the "physical presence" sequence that was referred to above.
manage-bde – taking ownership of the TPM
Although the TPM MSC GUI is preferable, manage-bde can be used to take ownership. This takes quite a while to execute and gives the following result on Vista:
C:\Windows\system32>cscript manage-bde.wsf -tpm -o xxxmypwdxxx
Microsoft (R) Windows Script Host Version 5.
Copyright (C) Microsoft Corporation. All rights reserved.
The TPM is now owned and ready for use.
Type "manage-bde -on -?" for information on enabling BitLocker.
A script to create the TPM endorsement key pair
It was mentioned above that some of the older Latitude D630's shipped with a TPM that had no endorsement key set by the vendor.In this case, before using the TPM, this key pair has to be set in the TPM.
When you try to take ownership, if you get the following cryptic error message (at least on Vista), then this is the problem.
C:\Windows\system32>cscript manage-bde.wsf -tpm -takeownership xxxsomepwdxxx
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
ERROR: An error occurred while taking ownership of the TPM. (code 0x80280023)
Microsoft provides a general WMI script to install BL. This script will test for the presence of an endorsement key pair, and will create one if needed.
Since the above script is quite general and complex, I wrote a simple VB script that just generates a key pair in the TPM by using the WMI API methods.
C:\Users\asdfgs\Documents\temp>cscript tpm_gen_key_pair.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Tpm Endorsement Key pair created successfully.
C:\Users\asdfgs\Documents\temp>cscript tpm_gen_key_pair.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
Call failed : 80280008
Notice that I ran the script twice. The first time there is quite a pause, and then the script claims success.
The second time the cryptic error message (which is documented here ) says that the endorsement key is already generated.
The actual script is here: tpm_gen_key_pair.vbs
A script to determine TPM status precisely
All of this led me to try to find how to determine the precise status of the TPM.Here is a VB script that uses the WMI interface to query the TPM status: tpm-verify.vbs
Run this script from an administrative cmd prompt.
Cd to the directory where this script is located, then execute the script.
Here is a sample output for a TPM chip where nothing is right:
C:\Users\asdfgs\Documents\temp>cscript tpm-verify.vbs
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.
TPM Is Disabled
TPM Is Not Activated
TPM Is Not Owned
Owner can clear the TPM
TPM does not seem to have an endorsement key pair. Note that TPM must 1st be ena
bled / activated to check this. Need a key pair to use the TPM.
Owner cannot be installed on this TPM
A TPM physical presence operation can clear the TPM.
This computer does not support a dedicated hardware path to signal physical pres
ence.
The Storage Root Key (SRK) authorization value must be reset to be able to be us
ed with Windows Vista
Tpm Status script finished.
And here is a TPM chip that is ready to go:
This script has been tested and works on Win7.
Win7: Configure local group policy
On Win7, to obtain the protection we are aiming for, the local group policy has to be configured.Run Gepdit.msc.
Then: Local Computer Policy /Computer Configuration /Administrative Templates /Windows Components /BitLocker Drive Encryption
Set "Choose how users can recover BL protected drives" to "Enabled" Keep the default values ("require recovery key", and "require recovery password")
Next, BL Drive Encryption /Operating System Drives. Set "Require additional authentication at startup" to "enabled". Keep the defaults that allow various types of authentication at startup.
While you are in here, notice the "Configure TPM Platform validation profile" This setting fine-tunes what the TPM will actually check at system boot.
Encrypt the c: system partition
Now let's quickly walk through the actual encryption of the c: Windows partition on Win7.manage-bde will be used for more control / better error messages.
A recovery key will be generated for those rainy days when BL doesn't want to open up the drive / boot the system. This is a file that will be saved to the same USB flash where the TPM file is.
We will also generate a recovery password that can be entered manually during the boot process.
Either one of the recovery key or the recovery password will bypass all normal protection mechanisms so that the BL disk can be accessed.
You should take a screenshot of the recovery password and store it away in a safe place. manage-bde can also list the recovery password if needed (see below).
2-factor authentication is set for pre-boot authentication. The user enters a PIN manually ("what I know") and the TPM is accessed to obtain credentials / verify integrity ("what I have"). When the 2-factor authentication is satisfied, BL will open the c: partition for normal boot.
(Note that in the screenshot, the cmd specified does not ask for a recovery password - i.e. "-rp". I actually added this protector to the disk after the encryption. This shows the flexibility that is possible with the cmdline mode.)
Leave the USB key in the computer and reboot. BL will do a hardware test to ensure that everything is working before proceeding to do the actual encryption.
Enter the PIN you specified at the prompt. Don't forget that you have to use the PF keys, and not the ordinary keyboard number keys.Once the system is rebooted, check the status (i.e.manage-bde -status c:) Normally BL will have started the encryption.
Reboot, sit back, and enjoy your shiny new encrypted system disk
Remove the USB flash drive with the BL and TPM recovery material and reboot.If all goes well, you should see the pre-boot BL prompt asking for the BL PIN. Enter the PIN remembering to use the function keys for numbers.
Enter the PIN and watch the system boot to normal operation.
Well almost …
It is possible that you might want to encrypt a data partition on the same system.This is quite similar to the foregoing. Normally the system partition is encrypted first. Then the data partitions are encrypted.
The commands to encrypt partition g: and have it automatically unlock on system startup would be something like:
manage-bde -on g: -rp -rk "z:\" –SkipHardwareTest
manage-bde -autounlock -enable g:
The dreaded "recovery key needed" message
It is almost certain that you will eventually see something like the following:Windows BitLocker Drive Encryption Information
The system boot information has changed since BitLocker was enabled.
You must supply a BitLocker recovery password to start this system.
Confirm that the boot changes to this system are authorized.
If the changes to the boot system are trusted, then disable and re-enable BitLocker. This will reset BitLocker to use the new boot information.
Otherwise, restore the system boot information.
ENTER=Continue ESC=Recovery
This can happen after Windows Update installs software and changes the system software configuration enough to make the TPM unhappy.
Insert the USB flash drive with the BL recovery key. Reboot the PC with the USB flash inserted. BL will read the recovery key, reset the TPM and things should go back to normal after that.
If you are unlucky like me, then you might start seeing the "recovery key" message at every boot regardless of what you do.
The BL FAQ has a long list of things that could cause this. (See BL FAQ: What causes BL to start into recovery mode when attempting to boot the OS?) Some of the more usual gotchas:
Things that change the hardware configuration that the TPM sees:
- Adding or removing hardware. For example, inserting a new card in the computer, including some PCMIA wireless cards.
- Docking or undocking a portable computer.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated.
- Pressing the F8 or F10 key during the boot process.
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Failing to boot from a network drive before booting from the hard drive.
- Failing the TPM self test
- Having a BIOS or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer.
When the TPM starts thinking that the hardware config has been tampered with, it sometimes refuses to be "reset" (ie by the user so that it now accepts the new config as valid).
I have found that the following sequence seems to work (at least some of the time):
- Disable BL (eg manage-bde -protectors -disable c:)
- As admin, use tpm.msc to manage the tpm. Turn the tpm off. This requires the tpm password or password file.
- Then turn the TPM back on again.
- Then enable BL.
6 comments:
Hello , if my laptop shows "me is in recovery state" after flashing the wrong bios..is there anything to be done??
Let's say we implement Group Policy to enable TPM and PIN and, upon boot, the computer prompts for the PIN.
Is there any way to get the TPM PIN listed in Active Directory in the event the end-user forgets it? Or is it easier just to have a protected spreadsheet listing the PIN code per user?
Thanks in advance,
Joe
very good! this is exciting and you have surly listed some amazing technical ideas. really proud of you and your efforts. wish you the very best of luck for your future blogs and your life in general.
Nice Blog Post !
Nice Blog Post !
Windows 7 is though now outdated but still it was one of the user friendly windows. It was easy for a young kid even to handle and work with. But of course developments should be done to everything and IT field is growing so rapidly that we can not rely on old versions any more.
Post a Comment