Data leaks and ransomware infections are common threats nowadays. You can mitigate them by using data encryption technologies. If no one can read your data, you do not need to worry about it being stolen.
That is why it is becoming more and more popular to encrypt system drives. In this article, we are going to explain how to do this using BitLocker and its main open-source alternative, VeraCrypt.
Using BitLocker in Windows Environment
BitLocker can encrypt any disk partition (including the system drive) and make it unreadable for untrusted users after PC shutdown or reboot. To decrypt the partitions, you need to provide an encryption password by one of several supported methods: Entering a PIN or password or using the USB key. BitLocker will then unlock your files. You can enable full disk encryption from the Windows control panel once BitLocker is installed.
When BitLocker is installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. But if configuring BitLocker after an update of the previous Windows version, you need to partition the drive onto a minimum of two volumes.
BitLocker also supports the Trusted Platform Module (a hardware chip installed on the motherboard) that helps ensure that the computer has not been infected and data has not been changed when the system was offline. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM.
If you use BitLocker as a corporate data protection tool, consider enabling the Network Unlock feature. PCs connected to an Active Directory domain with BitLocker enabled can be automatically unlocked when the machine is still connected to the corporate network. This convenient feature helps when users forget their passwords or USB key sticks, or in case the system was rebooted after an unattended updates installation.
Group Policy Objects (GPO) allow you to centralize customized workstations and server settings at the enterprise network. Its settings are stored in the Windows registry, and you need the GPO template for any applications being configured. Of course, Microsoft-integrated BitLocker settings are in the GPO, thus allowing you to control drive encryption tasks and the settings applied.
These settings are available in Local Group Policy Editor, under the section Administrative Templates > Windows Components > BitLocker Drive Encryption.
GPO contains a lot of settings, so we will highlight only those that are likely to be of major interest to MSPs:
- Enable and allow network unlock at startup.
- Ability to choose additional startup authentication.
- Configure password settings and requirements. You can also configure passwords using a policy for removable drives.
- Control access and usage of removable drives not protected by BitLocker.
- Change hardware-based encryption settings for local drives.
BitLocker Password Recovery
BitLocker password recovery allows you to store keys information in the Active Directory Domain Services, thus simplifying management in corporate environments. But there are additional ways to recover a lost password.
Most BitLocker configurations require a user to enter a PIN or password to unlock the drive, but it is a typical scenario for a user to forget his or her password and ask a system administrator to help with drive unlocking. Microsoft allows a few disk unlocking techniques in these cases:
- BitLocker Recovery Password Viewer: This tool is bundled with the Remote Server Administration Tools (RSAT) and lets you view BitLocker passwords stored in Active Directory (AD). But remember that you need to pre-configure clients’ BitLocker installations to store such passwords in AD. Home users can store their passwords online in the Microsoft Account cloud service.
- Using a locally stored recovery password. Users can print, or save elsewhere, a BitLocker recovery password after full disk encryption configuration. In case a user forgets the password or cannot unlock the drive normally, either way, he/she can type in a previously saved recovery password.
- The Data Recovery Agent user role can unlock BitLocker drives within an organization.
You should also remember one peculiarity when unlocking the drive with the help of a Data Recovery Agent user: If you need to unlock the system drive, it is necessary to mount it as a regular volume on another PC first and unlock it from there.
Since BitLocker runs only on Windows Pro and Enterprise editions, you have to choose a third-party solution to protect sensitive data on a PC or laptop.
One of the available Open Source full disk encryption software is Veracrypt, a free and cross-platform data encryption tool that lets you do virtually all of the same things as BitLocker. Veracrypt is an ancestor of the well-known TrueCrypt, but improved and updated. This new tool supports AES, TwoFish, and Serpent encryption and allows you to create hidden volumes and protect system drives.
Though VeraCrypt is powerful, it is also a bit more complicated: You will need to dive into its configuration details for proper installation, but its everyday usage is simple enough to make it a full-featured replacement for BitLocker, at least for home users. However, enterprise administrators will be sad to learn that there are no corporate-level management tools for VeraCrypt.
From a security perspective, VeraCrypt supports more encryption methods, stronger keys, etc. than BitLocker. But in general, the protection level is high enough for both solutions that there is no discernible difference.
Using MSP360 Backup and VeraCrypt might result in inconsistencies with the backup process. See below for situations where this might pose a problem, and the steps to take to avoid it.
Use cases that reportedly work for VeraCrypt
- Encrypted file container, standard VeraCrypt volume > file backup, do not use block-level (do not force VSS)
Encrypted file container, encrypted file container > backup file, containing the encrypted volume, use block-level (force VSS)
Encrypt a non/system partition/drive, standard VeraCrypt volume > IBB of the source device (VSS used by default)
Encrypt a non/system partition/drive, standard VeraCrypt volume > file backup of the mounted encrypted volume, do not use block-level (do not force VSS)
Encrypt a non/system partition/drive, standard VeraCrypt volume > file backup of the mounted encrypted volume, use block-level (force VSS)
Encrypt a non/system partition/drive, hidden VeraCrypt volume > file backup of the mounted encrypted volume, do not use block-level (do not force VSS)
Test your configuration prior to using it in production.
If you are running a Mac, then you already have system-level FileVault software supporting full disk encryption. It provides 128 bit AES encryption for a whole drive and is available on almost all Mac computers running OS X 10.3 or newer. The encryption process is easy and similar to turning on BitLocker. Apple also included a command-line tool allowing enterprise administrators to recover keys, manage user account configurations, unlock the disks and manage the devices.
We will discuss these encryption tools in more detail in a future post.