BitLocker Disk Encryption
BitLocker Disk Encryption (BDE) is a Microsoft Full Volume Encryption solution first included with the Enterprise and Ultimate editions of Windows Vista. It is also present in Windows 7 along with a system for encrypting removable storage media devices, like USB, which is called BitLocker To Go.
Volumes encrypted with BitLocker will have a different signature than the standard NTFS header. Instead, they have in their volume header (first sector): 2D 46 56 45 2D 46 53 2D or, in ASCII, -FVE-FS-.
Volumes encrypted with BitLocker To Go will have a hybrid encrypted volume, meaning that part of the volume is unencrypted and contains applications to unlock the volume and the other part of the volume is encypted. These volumes can be identifier by the BitLocker GUID/UUID: 4967d63b-2e29-4ad8-8399-f6a339e3d00.
The actual data on the encrypted volume is protected with either 128-bit or 256-bit AES and optionally diffused using an algorithm called Elephant. The key used to do the encryption, the Full Volume Encryption Key (FVEK) and/or TWEAK key, is stored in the BitLocker metadata on the protected volume. The FVEK and/or TWEAK keys are encrypted using another key, namely the Volume Master Key (VMK). Several copies of the VMK are also stored in the metadata. Each copy of the VMK is encrypted using another key, also know as key-protector keys. Several key-protectors are:
- TPM (Trusted Platform Module)
- recovery password
- start-up key
- clear key; this key-protector provides no protection
- user password
BitLocker has support for partial encrypted volumes.
- NVbit : Accessing Bitlocker volumes from linux, 2008
- Jesse D. Kornblum, Implementing BitLocker for Forensic Analysis, Digital Investigation, 2009
- Wikipedia entry on BitLocker
- Microsoft's Step by Step Guide
- Microsoft Technical Overview
- Microsoft FAQ
- Microsoft Description of the Encryption Algorithm
- Cold Boot Attacks, Full Disk Encryption, and BitLocker
- Project to read BitLocker encrypted volumes