Disk Organization for Data Safety

RAID arrays are no longer exotic. Most late-model desktop computers have provision for RAID 0 or RAID 1 arrays, and many systems have four or more SATA host adapters, making RAID 0+1 arrays possible. Which are the safest types of RAID arrays in common use?
RAID 5 provides maximum safety. With RAID 5, which requires three or more hard disks in a single array, you can rebuild the contents of the array even if one drive fails. RAID 5 sets aside space on each drive for the information needed to rebuild the array in case of drive failure. However, RAID 5 is not yet implemented in desktop computers’ onboard host adapters. You must purchase a RAID 5 host adapter and compatible SATA or SCSI hard disks.
RAID 0+1 combines data striping (for performance) and mirroring (for safety). It requires four drives and is supported on many recent desktop computers. It provides a high level of data safety against failures and is inexpensive to implement with SATA or ATA/IDE (PATA) drives.
RAID 1 mirrors the contents of one drive to a second hard disk. It is supported on many desktop systems that are up to several years old, through either a motherboard RAID host adapter chip or the motherboard’s integrated chipset. It is inexpensive to implement with SATA or IDE drives.
RAID 0 stripes data across two drives to improve read/write performance. If either drive fails, the array is wiped out. Thus, RAID 0 actually has no redundancy. It should be used only on drives that do not contain data you cannot afford to lose.
BitLocker Disk Encryption

With the widely reported loss or theft of laptops containing sensitive personal and financial information in the last year, hundreds of thousands of people have been forced to change credit card information and worry about identity theft. Thus, the time is ripe for a new approach to protecting hard disk contents from unauthorized use: BitLocker.
BitLocker, available on the Enterprise and Ultimate editions, encrypts the entire system hard disk. Originally known as Secure Startup, BitLocker stops unauthorized access, even if the hard disk is moved to a different computer.
It’s been known that a thief can get around BitLocker’s protection by stealing your computer while it’s suspended (sleeping) or powered up, because the encryption key is still held in memory. To truly protect your computer, you must completely shut it down when you finish using it (or at least invoke hibernation), and don’t let it out of your sight for at least 10 minutes after shutdown. This time frame is especially important because Princeton University researchers have discovered that memory chips can be frozen with “canned air,” preserving their contents for retrieval even after the system has been turned off.
Following these procedures is especially important with laptops because the default action when you close the lid or click the little power button on the Start menu is “suspend.” You must instead click the options arrow and select Shut Down. When you power up the computer, it should display the black BitLocker protection screen. If it goes directly to Windows, your computer was not protected!
For greater protection, you can use the Power Options applet in the Control Panel (available directly in Small Icons or Large Icons view) to change the default actions for closing the lid or pushing the power button to Shut Down. You should also use file encryption to further protect any sensitive files on your hard drive.
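The same change can be scripted and verified. The following PowerShell is an added example, not part of the original text; it assumes powercfg's built-in aliases (SCHEME_CURRENT, SUB_BUTTONS, LIDACTION, PBUTTONACTION) and the index value 3 for Shut Down, and it must be run from an elevated prompt.

```powershell
# Added example (not from the original text): make closing the lid and pressing
# the power button shut the computer down rather than suspend it, on both AC
# and battery power, then read the settings back to confirm.
# powercfg aliases used: SUB_BUTTONS = "Power buttons and lid" group,
# LIDACTION / PBUTTONACTION = its two settings. Index values: 0 = Do nothing,
# 1 = Sleep, 2 = Hibernate, 3 = Shut down. Run from an elevated prompt.

$ActionNames = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }

function Set-ButtonAction {
    param(
        [ValidateSet('LIDACTION', 'PBUTTONACTION')][string]$Setting,
        [ValidateRange(0, 3)][int]$Action
    )
    # Apply to the active power scheme for both plugged-in (AC) and battery (DC).
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $Setting $Action
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $Setting $Action
}

function Get-SettingIndex {
    param([string[]]$Lines, [string]$Label)
    # powercfg /query prints e.g. "Current AC Power Setting Index: 0x00000003".
    foreach ($line in $Lines) {
        if ($line -match "$Label\s*0x([0-9A-Fa-f]+)") {
            return [Convert]::ToInt32($Matches[1], 16)
        }
    }
}

function Get-ButtonAction {
    param([ValidateSet('LIDACTION', 'PBUTTONACTION')][string]$Setting)
    $out = powercfg /query SCHEME_CURRENT SUB_BUTTONS $Setting
    $ac = Get-SettingIndex $out 'Current AC Power Setting Index:'
    $dc = Get-SettingIndex $out 'Current DC Power Setting Index:'
    '{0}: plugged in = {1}, on battery = {2}' -f $Setting, $ActionNames[$ac], $ActionNames[$dc]
}

# Shut down (3) on lid close and power button; use 2 here if you prefer hibernation.
Set-ButtonAction -Setting LIDACTION     -Action 3
Set-ButtonAction -Setting PBUTTONACTION -Action 3
powercfg /setactive SCHEME_CURRENT       # re-activate the scheme so the change is live

Get-ButtonAction LIDACTION
Get-ButtonAction PBUTTONACTION
```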
BitLocker System Requirements

BitLocker in Windows Vista requires that your hard disk have a second partition of at least 1.5GB that is used for the BitLocker encryption tools. You must also have a way to provide credentials that let the system recognize you as the authorized user: either a Trusted Platform Module (TPM) microchip and BIOS or, for systems that lack onboard TPM 1.2 support, a USB flash memory drive.
Customers that didn’t deploy Windows Vista with the required two-partition configuration found that enabling BitLocker was entirely too cumbersome. Windows 7 automatically creates the necessary disk partitions during installation and now includes the ability to right-click a drive to enable BitLocker protection. BitLocker also adds a Data Recovery Agent (DRA) for all protected volumes, allowing IT administrators to dictate that all such volumes are appropriately encrypted.
If you are unable to use BitLocker, check the following:

1. Is the hard disk properly partitioned? The hard disk must have a 1.5GB primary partition and a separate system partition for Windows (it can be any size above the minimum requirements for Windows 7). You cannot enable BitLocker on a system with a single hard disk partition.
2. If the system has a TPM chip, is the feature enabled in the system BIOS? If it is enabled and BitLocker still cannot be turned on, check with the system or motherboard vendor for a BIOS upgrade.
3. If the system does not have a TPM chip, follow the procedure described later for enabling BitLocker without a TPM in the Group Policy Object Editor.
4. If you get the error message “BitLocker could not be enabled. The system firmware failed to enable clearing of system memory on reboot” after restarting your system during the BitLocker setup process, BitLocker has determined that your system does not clear memory during the reboot process. Hackers could analyze the contents of memory for the BitLocker encryption key and use it to bypass BitLocker encryption. To enable your system to run BitLocker, contact your system vendor for a BIOS upgrade that includes the option to clear system memory on reboot. If this option is not available, you cannot run BitLocker on the system.
BitLocker To Go

Windows 7 introduces a subset of the BitLocker Drive Encryption technology with BitLocker To Go, which extends BitLocker Drive Encryption to USB storage devices. Designated USB drives can be passphrase-protected with controllable length and complexity, and IT administrators can set user policies to apply BitLocker To Go protection on removable drives before they are made usable.
Microsoft permits Windows XP SP3, Windows Vista SP1, and Windows Vista SP2 users to read BitLocker To Go devices using the passphrase. Plugging a BitLocker To Go encrypted USB storage device into Windows 2000 or Windows XP SP2 computers shows an inaccessible unformatted volume.
To encrypt your removable USB media with BitLocker To Go, follow these steps:

1. Open the System and Security category in Control Panel and click BitLocker Drive Encryption.
2. Locate the desired drive entry and click Turn On BitLocker.
3. Choose either a password or a smart card to unlock the drive. For simplicity, we recommend using a reasonably long passphrase: something memorable (to you) but not easily guessable (to others). Enter it twice and click Next.
4. Determine where to store the recovery key. You’re given the option of saving it to a file (recommended) or printing the key (not recommended). We suggest you save the key to a file that will be kept on a storage volume separate from both the USB drive and the computer itself. Save the key and then click Next.
5. The last dialog box gives you a final option to cancel out of this process. Click Start Encrypting and wait for the process to finish, which takes longer for large storage volumes.
Once the USB storage volume is encrypted, you can unlock and use it with the passphrase you entered earlier. Every time the USB drive is inserted, the BitLocker Drive Encryption password dialog box appears. Should you forget the passphrase, BitLocker To Go’s recovery key method enables you to access the storage volume. Remember not to leave this recovery key accessible to anyone but yourself, because otherwise the passphrase is ineffective in safeguarding your protected files and data.
Enabling the TPM

The easiest way to use BitLocker is to use your computer’s TPM microchip (if it has one). To determine whether your system supports TPM 1.2 and to learn how to enable this feature in the system BIOS, see your system’s documentation. Many 2006 and newer laptops have onboard TPM 1.2, but older laptops (and most desktops) don’t support it.
After you enable TPM in the system BIOS, use the TPM Management Console (tpm.msc) to turn on TPM support in Windows (use the Turn On the TPM Security Hardware dialog box) and set up a TPM password (use the Create the TPM Owner Password dialog box). A TPM password is saved as computer_name.tpm. Thus, if your computer is named WildThing, the password is stored as WildThing.tpm.

Tip

Be sure to print your TPM password using the Print option and save it to a location you can access later, such as a CD or DVD.
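Before running the wizard, you can check the hardware prerequisites from the troubleshooting list in the System Requirements section and from this section (a TPM that Windows can see, is enabled, activated and owned, and more than one partition on the boot disk). The following PowerShell script is an added example, not part of the original text; it assumes the Win32_Tpm and Win32_DiskPartition WMI classes and an elevated prompt.

```powershell
# Added example (not from the original text): report whether this machine
# meets the BitLocker hardware prerequisites: a TPM that Windows can see,
# which is enabled, activated and owned (version 1.2 or later), and a boot
# disk with more than one partition. Uses the Win32_Tpm WMI class (Windows
# Vista and later, namespace root\CIMV2\Security\MicrosoftTpm) and
# Win32_DiskPartition. Run from an elevated prompt; the TPM methods need it.

function Get-TpmReadiness {
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # Nothing visible to Windows: no TPM fitted, or it is disabled in the BIOS.
        return New-Object PSObject -Property @{
            Present = $false; SpecVersion = 'n/a'
            Enabled = $false; Activated = $false; Owned = $false
        }
    }
    New-Object PSObject -Property @{
        Present     = $true
        # SpecVersion reads like "1.2, 2, 3"; the first field is the TPM version.
        SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-BootDiskPartitionCount {
    # Locate the partition Windows booted from, then count partitions on that disk.
    $boot = Get-WmiObject -Class Win32_DiskPartition -Filter 'BootPartition = TRUE' |
            Select-Object -First 1
    if (-not $boot) { return 0 }
    @(Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex = $($boot.DiskIndex)").Count
}

$tpm = Get-TpmReadiness
$tpm | Format-List Present, SpecVersion, Enabled, Activated, Owned
$partitions = Get-BootDiskPartitionCount
"Partitions on the boot disk: $partitions (BitLocker needs the separate 1.5GB partition)"

if (-not $tpm.Present) {
    'No TPM visible: enable it in the BIOS, or allow BitLocker without a TPM through Group Policy.'
} elseif (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) {
    'TPM present but not fully set up: use tpm.msc to turn it on and take ownership.'
}
```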
If your system doesn’t support TPM, you can still use BitLocker. However, to use BitLocker without a TPM, you must use a USB flash memory drive to store your credentials, and it must be plugged into the system to permit the system to boot. You must also enable BitLocker Drive Encryption without a TPM in the Group Policy Object Editor:

1. Click Start, All Programs, Accessories, Run.
2. Type gpedit.msc and click OK to open the Group Policy Object Editor. Click Continue or provide Administrator-level credentials (if prompted by UAC) to continue.
3. Open Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives, Require Additional Authentication at Startup.
4. Select Enabled. Under Options, verify that the option Allow BitLocker Without a Compatible TPM is checked (see Figure 1).
5. Click Apply, then OK.
6. Close the Group Policy Object Editor.
Encrypting the Drive with BitLocker

To start the encryption process, open the BitLocker Drive Encryption applet in the Control Panel (via either the System and Security category or the BitLocker Drive Encryption entry in Small Icons or Large Icons view) and select Turn on BitLocker next to the appropriate drive entry (if there are several). The BitLocker Drive Encryption Wizard walks you through setting up the necessary drive layout. It starts by establishing space on an existing drive partition or in unallocated space. There are really only two steps: drive preparation and drive encryption. Upon reboot, the system drive goes through a lengthy encryption process that takes longer for larger drives than for smaller-capacity volumes.
If your system has a TPM, you can choose either to use the TPM chip along with your logon password to access an encrypted BitLocker volume or to assign a PIN that is used along with the TPM. If your system does not have a TPM, you must use a Startup USB key, so make sure you have a USB flash drive available for BitLocker key storage. The BitLocker Drive Encryption Wizard provides three options for TPM-enabled systems and a single option for those without: Require a Startup Key at Every Startup. This is where your Startup USB drive comes into play. You’ll also be asked where to store the recovery key, which can also go to the flash drive. Finally, a BitLocker system check ensures that everything is functioning properly, which requires a restart with the drive key plugged in.
When you create the BitLocker volume, you must create a recovery key password, in case BitLocker enters a locked state. If you lose the password, you can be locked out of your data; be sure to save the password to an accessible location and print it for safekeeping. Note that this is not the same as the TPM management password discussed in the previous section.
If you choose to store the recovery key password on a USB drive or in a folder, it is stored in a plain text file. The name of the file matches the administrative password ID: four hex digits, followed by three groups of two hex digits, followed by six hex digits:

aabbccdd-ee-ff-gg-001122334455.txt
The password recovery key file contains the name of the disk volume, the drive letter, and the date of encryption, as well as the password itself, which is stored as eight groups of six digits each:

000000-111111-222222-333333-444444-555555-666666-777777
Recovery keys can be stored on Active Directory servers for systems that are members of a domain.
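An added example, not part of the original text: a PowerShell check that pulls the recovery password out of a saved key file and validates it before you rely on it. It uses a property of BitLocker recovery passwords that the text does not mention: every six-digit group is divisible by 11 and less than 720896, so a single mistyped digit is caught. The sample file contents are constructed.

```powershell
# Added example (not from the original text): validate a recovery password's
# format and pull it out of a saved recovery key file. Besides the eight
# groups of six digits described above, BitLocker recovery passwords carry a
# built-in check: every six-digit group is divisible by 11 and is less than
# 720896 (11 * 65536), so a single mistyped digit is detected before use.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    # Exactly eight hyphen-separated groups of six digits.
    if ($Password -notmatch '^\d{6}(-\d{6}){7}$') { return $false }

    foreach ($group in ($Password -split '-')) {
        $value = [int]$group
        if (($value % 11) -ne 0 -or $value -ge 720896) { return $false }
    }
    return $true
}

function Get-RecoveryPasswordFromText {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Return the first token with the recovery password shape, or $null.
    foreach ($line in $Lines) {
        if ($line -match '\b\d{6}(-\d{6}){7}\b') { return $Matches[0] }
    }
    return $null
}

# Constructed sample in the style of a saved recovery key file; the volume,
# date and password are made up for this example, not taken from any system.
$sampleFile = @(
    'BitLocker Drive Encryption Recovery Key',
    'Volume: Windows (C:)',
    'Encrypted: 6/15/2010',
    'Recovery Password:',
    '502458-135795-597531-108636-720885-330000-654324-000011'
)

$password = Get-RecoveryPasswordFromText -Lines $sampleFile
"Found $password, valid: $(Test-BitLockerRecoveryPassword -Password $password)"

# Two ways a transcription slip shows up: a group of 720896 is divisible by 11
# but outside the allowed range, and a five-digit group fails the shape test.
Test-BitLockerRecoveryPassword '720896-135795-597531-108636-720885-330000-654324-000011'
Test-BitLockerRecoveryPassword '502458-22222-597531-108636-720885-330000-654324-000011'
```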
After you store and print the recovery key password, BitLocker performs a system check to ensure that the recovery and encryption keys can be read before it begins the encryption process. If you use a USB device to enable BitLocker, insert it when prompted. After the system check is performed successfully, BitLocker restarts your system and encrypts your system drive. During the encryption process, an icon appears in the notification area; hover your mouse over the icon or double-click it to see encryption progress. You can pause encryption if necessary, and you can use your computer normally while encryption progresses. When you start your system, you must provide the appropriate credentials (entering the PIN when prompted, or inserting the USB flash drive before starting the system or when prompted). Otherwise, the system will not boot.
In Windows 7, after BitLocker encrypts the system volume and you restart your system, you can encrypt any other volumes on the system drive. To encrypt additional volumes, open the BitLocker Drive Encryption tool in Control Panel and turn the encryption status from Off to On for the other drives you want to encrypt.
BitLocker Drive Encryption Recovery

If you do not provide the appropriate credentials when you attempt to boot a BitLocker-encrypted volume, you are prompted to press the Enter key to open the Windows BitLocker Drive Encryption Password Entry dialog box. The drive label, system drive letter, BitLocker encryption date, and key filename are provided so you can locate the correct recovery key password.
Instead of using the normal 1–9 keys on the keyboard, use F1–F9 for digits 1–9 and F10 for 0. If you use the normal number keys, the password will not work. As soon as you correctly enter the recovery key password, the system starts normally.
How BitLocker Protects Your Information

During normal use, a BitLocker-encrypted volume appears as a normal drive using the NTFS file system, and you can use EFS or disk compression on individual files and folders as with any normal NTFS volume.
Note

Backups made of a BitLocker-encrypted drive with Windows system image or other backup utilities are not encrypted. Keep them in a safe place. Once data is transferred from a BitLocker-encrypted drive to any other nonencrypted storage media, it is no longer encrypted.
However, if you attempt to bypass BitLocker security by booting the system from a Windows DVD and using the Recovery Environment, BitLocker Drive Encryption Recovery will prompt you to provide the password from removable media or by entering it. When you provide the password, you can access the volume for repair or data-recovery processes.

If you cancel the recovery process, the Recovery Environment will continue, but you will not be able to access the drive without providing the recovery password.

If you attempt to access the drive from the Recovery Console command prompt, you will see this message: “This volume is locked by BitLocker Drive Encryption. Return to the control panel to unlock volume.”

If you connect a BitLocker-encrypted volume to another computer running Windows and attempt to access its contents, the volume shows up as a drive letter in Windows Explorer with a size of 0MB, no disk label, and no file system.
Note

By default, BitLocker’s AES encryption method uses a 128-bit key together with the Diffuser algorithm, which protects against ciphertext-manipulation attacks while providing excellent performance. Through the Group Policy Object Editor, you can select other options: 128-bit without Diffuser, 256-bit with Diffuser, and 256-bit without Diffuser. To select another option, open Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Configure Encryption Method. Click the Enabled radio button and select the desired encryption method. Click Apply, then OK.
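To confirm that the Group Policy settings described earlier (Allow BitLocker Without a Compatible TPM) and in this note (Configure Encryption Method) have actually applied before you run the wizard, the following PowerShell reads them back from the registry. It is an added example, not part of the original text; the key path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names UseAdvancedStartup, EnableBDEWithNoTPM and EncryptionMethod are the ones the BitLocker policy templates write.

```powershell
# Added example (not from the original text): read back the BitLocker policy
# settings from the registry key that Group Policy writes them to, so you can
# confirm that "Allow BitLocker Without a Compatible TPM" and "Configure
# Encryption Method" have applied. Value names (UseAdvancedStartup,
# EnableBDEWithNoTPM, EncryptionMethod) are those used by the BitLocker policy
# templates under HKLM\SOFTWARE\Policies\Microsoft\FVE. Read-only; no admin needed.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# EncryptionMethod DWORD -> the choices offered in the Group Policy Object Editor.
$EncryptionMethodNames = @{
    1 = 'AES 128-bit with Diffuser'
    2 = 'AES 256-bit with Diffuser'
    3 = 'AES 128-bit without Diffuser'
    4 = 'AES 256-bit without Diffuser'
}

function Get-FvePolicyValue {
    param([string]$Name)
    $key = Get-Item -Path $FvePolicyKey -ErrorAction SilentlyContinue
    if (-not $key) { return $null }   # key missing: no BitLocker policy has been applied
    $key.GetValue($Name)              # $null when this particular value is not configured
}

function Get-BitLockerPolicySummary {
    $advanced = Get-FvePolicyValue 'UseAdvancedStartup'   # Require Additional Authentication at Startup
    $noTpm    = Get-FvePolicyValue 'EnableBDEWithNoTPM'   # Allow BitLocker Without a Compatible TPM
    $method   = Get-FvePolicyValue 'EncryptionMethod'     # Configure Encryption Method

    if ($method -ne $null -and $EncryptionMethodNames.ContainsKey([int]$method)) {
        $methodName = $EncryptionMethodNames[[int]$method]
    } else {
        # Not configured (or an unrecognised value): BitLocker falls back to its default.
        $methodName = $EncryptionMethodNames[1] + ' (default, policy not configured)'
    }

    New-Object PSObject -Property @{
        PolicyKeyPresent        = (Test-Path $FvePolicyKey)
        AdditionalAuthAtStartup = ($advanced -eq 1)
        # The checkbox only counts when the parent policy is Enabled.
        AllowedWithoutTpm       = ($advanced -eq 1 -and $noTpm -eq 1)
        EncryptionMethod        = $methodName
    }
}

Get-BitLockerPolicySummary |
    Format-List PolicyKeyPresent, AdditionalAuthAtStartup, AllowedWithoutTpm, EncryptionMethod
```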
If you connect a BitLocker-encrypted volume to another computer running Windows XP or other operating systems, the file system is listed as RAW (unformatted). Third-party data-recovery programs are unable to determine the file system or other information about the drive. The drive can be formatted, but its contents cannot be accessed.
BitLocker prevents access to the drive by unauthorized Windows systems and prevents other OSs from detecting the file system. BitLocker does this by encrypting the drive with a full volume encryption key using AES encryption, and then encrypting that key with a volume master key, also using AES encryption. The volume master key is unlocked when you provide the proper credentials at boot time, and it, in turn, unlocks the full volume encryption key that is used by a file system driver to decrypt the volume. In recovery mode, the recovery password (eight groups of six digits) unlocks the volume.
Differences Between BitLocker and EFS Encryption

Although EFS encryption is familiar to many Windows users from previous experience with Windows 2000, Windows XP, and Windows Vista, it may be useful to review the differences:
In the initial version of Windows Vista, BitLocker secures the entire system volume, but not other volumes (drive letters) on a system, while EFS encryption can be used on any volume formatted with NTFS. However, Windows Vista SP1’s version of BitLocker can secure additional volumes on the system drive at the user’s option.

BitLocker uses a TPM chip or a USB flash memory drive to provide credentials, while EFS uses a personal certificate stored as part of the OS to provide credentials.

Neither EFS nor BitLocker encryption protects files once they have been copied to another drive. However, when EFS files are transferred via a file migration program, they retain their encryption attributes, and the original user’s EFS certificate must be exported from the source system and imported to the target system to enable encrypted files to be opened on the target system.
Note

Use the Windows command-line utility robocopy.exe with the /EFSRAW option to migrate EFS-encrypted files from Windows to another system.
EFS encryption is retained when files are backed up, but BitLocker volume encryption is not retained on a backup of a BitLocker volume.
Tip

Although Previous Versions can be a lifesaver, it’s no replacement for making backup copies of important files or saving different versions of a file in progress. The last available previous version might be days or weeks old in some cases, so you might need to reconstruct changes you made to the current version. In such cases, you may want to use the Open or Copy option, rather than the Restore option, with the most recent previous version. If you use a drive other than the system drive for data, be sure to enable restore points (System Protection) on that drive if you want shadow copies. A drive without restore points cannot provide shadow copies; in such cases, only backup copies (if they exist) will be available as previous versions. System Restore uses up to 15% of each NTFS drive of at least 1GB in size for restore points. On systems with limited disk space, Windows 7 removes older restore points, which can also cause shadow copies to be lost. If you upgrade to Windows 7 on a system with limited disk space, all existing restore points will be removed and replaced with a single restore point.
EFS encryption can be used by Windows editions that do not support BitLocker, and on systems that are not compatible with BitLocker.

BitLocker encryption cannot protect files on systems in Sleep or Hibernate mode, although EFS encryption can protect files on systems in these modes provided that the user has configured the system to request a strong password when waking up the system.

As you can see, BitLocker and EFS are complementary security features. You can use EFS to protect files on removable hard disks that are not secured with BitLocker, and you can use BitLocker to prevent anyone from using a stolen laptop or desktop computer.