Protect Your SMB with BitLocker


In an earlier post, Surviving a Stolen Laptop, I suggested enabling BitLocker encryption in order to protect data. While the technology is hardly new, I thought this an area worth looking into, given the dismal security track record of SMBs.


Why is data encryption relevant to your SMB?


It is a simple matter for a thief to access unprotected data on a hard disk. Regardless of password protection, swapping the disk drive into another workstation or an external hard disk enclosure will typically allow unauthorized persons to access and copy any data on the disk. Even worse, files that were previously deleted can often be retrieved this way with data recovery software.


Yet the proliferation of laptops today means that a proportionately greater number of these devices will eventually wind up lost or stolen. Legal repercussions aside, the bad publicity can be especially severe for a small or medium-sized business. Clearly, data encryption is no longer a luxury that belongs to the domain of enterprise companies.


Fortunately, whole disk encryption technologies such as BitLocker will prevent the above scenarios from happening.


How does BitLocker work?


Data encryption can be performed either in hardware or software. Leaving hardware encryption aside for now, the software data encryption options found in the Windows operating system are the Encrypting File System (EFS) and BitLocker. EFS works at the file level, while BitLocker operates on the whole disk; we will be looking at the latter here, also known as whole disk encryption.


BitLocker protects all the files stored on the drive that Windows is installed on by encrypting the entire system drive. On computers with a microchip called the Trusted Platform Module (TPM), the decryption key is stored in the chip and released only after the chip verifies that the system has not been tampered with. Swapping the disk drive into another system will not work, since that system does not have the decryption key.


On systems without TPM support, the decryption key can be stored on a USB flash drive, which is used as a physical security token. Obviously, the USB flash drive should not be placed in the same bag as the laptop.


The beauty with BitLocker is that once authenticated, decryption occurs transparently and all software applications continue to work as normal.


Requirements for BitLocker


Ironically, the greatest barrier to BitLocker is not hardware-related but licensing. BitLocker can only be found in Windows Vista Enterprise and Windows Vista Ultimate. Since the Enterprise edition of Vista is sold only to volume licensing customers, most SMBs that want to implement BitLocker will probably have to get Vista Ultimate. The price premium is the reason SMBs are unlikely to have implemented BitLocker yet.


Another requirement is a system with a TPM; alternatively, a USB flash drive can be used as the physical key.
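The TPM-or-flash-drive decision described in the "How does BitLocker work?" section and restated in the requirements above can be scripted. The following is an added example, not code from the original post or from Microsoft. It assumes the BitLocker and TrustedPlatformModule PowerShell cmdlets, which ship with Windows 8 / Windows Server 2012 and later rather than the Vista release discussed here (on Vista the equivalent tool is manage-bde). The drive letter E:\ for the startup key and the \\fileserver\BitLockerRecovery share for the recovery password backup are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Audits the OS drive and enables
# BitLocker with the protector the post describes: the TPM when one is present and
# ready, otherwise a startup key on a USB flash drive.
# Assumption: the BitLocker and TrustedPlatformModule cmdlets used here ship with
# Windows 8 / Server 2012 and later, not the Vista release the post discusses.
param(
    # Assumed drive letter of the removable flash drive that will hold the startup key
    [string]$StartupKeyPath = 'E:\',
    # Assumed placeholder share, off the laptop, where the recovery password is backed up
    [string]$RecoveryBackupDir = '\\fileserver\BitLockerRecovery'
)

$osDrive = $env:SystemDrive   # normally C:

function Test-TpmReady {
    # True only when a TPM is present and in a state BitLocker can use.
    if (-not (Get-Command Get-Tpm -ErrorAction SilentlyContinue)) { return $false }
    $tpm = Get-Tpm
    return [bool]($tpm.TpmPresent -and $tpm.TpmReady)
}

function Get-OsDriveProtection {
    # Summarises the volume's BitLocker state and which key protectors it has.
    $vol = Get-BitLockerVolume -MountPoint $osDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus      # On or Off
        VolumeStatus     = $vol.VolumeStatus          # FullyDecrypted, EncryptionInProgress, FullyEncrypted
        PercentEncrypted = $vol.EncryptionPercentage
        Protectors       = ($vol.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', '
    }
}

$state = Get-OsDriveProtection
if ($state.ProtectionStatus -eq 'On') {
    Write-Output "BitLocker already protects $($state.MountPoint) with: $($state.Protectors)"
    return
}

# 1. A recovery password comes first, so a TPM fault or a lost flash drive cannot
#    lock the owner out. Back it up somewhere other than the laptop or the flash drive.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryBackupDir -Force | Out-Null
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Export-Csv -NoTypeInformation -Path (Join-Path $RecoveryBackupDir "$env:COMPUTERNAME-recovery.csv")

# 2. Choose the unlock method the hardware supports.
if (Test-TpmReady) {
    # Key sealed in the TPM; released only if the measured boot state matches.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -TpmProtector
} else {
    # No usable TPM: key stored on the flash drive, which must be inserted at boot.
    # Requires the group policy "Allow BitLocker without a compatible TPM" to be enabled.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 `
        -StartupKeyProtector -StartupKeyPath $StartupKeyPath
}

# 3. Report the resulting state; encryption proceeds in the background after the restart.
Get-OsDriveProtection | Format-List
```

Run it from an elevated PowerShell session. Because the script does not pass -SkipHardwareTest, Enable-BitLocker schedules a hardware test that confirms the TPM or the flash drive can actually release the key at boot, and encryption begins after the next restart. The recovery password CSV must not travel with the laptop or the startup key, which is why the backup location is a separate network share rather than the same USB drive.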


I shall be talking more about the various authentication options for BitLocker as well as my own experiences enabling it in my next blog.