
Thread: High security with BitLocker

  1. #1
    Join Date
    Jul 2010
    Posts
    118

    High security with BitLocker

    Step 1

Disk partitioning:

    The first thing we must do is create two partitions on the hard drive: one of 1.5 GB, which is the system partition, will not be encrypted and will hold the pre-boot files and settings; the other will host the encrypted operating system. If you already have Windows Vista installed, go to Disk Management and create the partition if you have free space, or split the operating system partition in two. Set the partition as active, reboot from the Vista DVD and, after selecting language and keyboard, choose Repair your computer. Then choose the partition that contains the operating system and, in the menu that appears, select Startup Repair. You can also use the BitLocker Drive Preparation Tool, which makes this partitioning process easier.

If Vista is not yet installed, from the last menu select Command Prompt and type the following commands, pressing Enter after each one:

        diskpart
        select disk 0
        clean
        create partition primary
        assign letter=c   (or whichever letter we want)
        shrink minimum=1500
        create partition primary
        active
        assign letter=e   (or another we want)
        exit
        format c: /y /q /fs:NTFS
        format e: /y /q /fs:NTFS
        exit

    Then we go back to the start page and choose Install Now to install Vista, loading it on volume C. You can also use the BitLocker wizard for partitioning and get help there; it is at Control Panel / BitLocker Drive Encryption.

    Step 2

Initialize the TPM:

    Before initializing the TPM chip, we activate it directly in the PC's BIOS (it is recommended to have the BIOS password protected) or through the BIOS configuration tools supplied by the manufacturer (recommended). Once that is done, go to Run, type tpm.msc and, under Actions, choose Initialize TPM (again, the TPM manufacturer's tools can be used instead). The wizard that launches asks us to create the TPM owner password; if the TPM is not activated, it gives us the option to activate the TPM security hardware. But if we do not have TPM-compatible hardware, we cannot continue in the wizard. We will have to restart the computer and follow the instructions in the BIOS to activate the TPM; in addition, it will show a confirmation prompt to make sure it is not a virus that is manipulating the TPM.

After activating it, we assign the owner password that is used to manage (disable or clear) the TPM and to access it. So we start the TPM initialization wizard again if we rebooted, or go to Create the TPM owner password if we have not done that yet. Then select Create the password automatically (recommended), keep the password in a secure location using Save the password (the Save TPM owner password dialog box), and the file will be stored with a name of the form computer_name.tpm. It is highly advisable to save the file to removable media and to print a copy of the password on paper. Finally, click Initialize and wait a little until the process completes.
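As an added example (not part of the original post), the same partition layout written out as a diskpart script for diskpart /s, followed by a TPM readiness check from PowerShell. It assumes Windows 8 / Server 2012 or later, where the Get-Tpm and Initialize-Tpm cmdlets exist; on Vista the equivalent is the tpm.msc wizard described above. The script path under $env:TEMP is an assumption.

```powershell
# Added example, not from the original post. Requires Windows 8 / Server 2012 or later
# for the TrustedPlatformModule cmdlets; run from an elevated PowerShell.
#Requires -RunAsAdministrator

# --- Part A: the diskpart sequence from Step 1, written to a script file ---
# 'diskpart /s <file>' replays these lines non-interactively. 'clean' wipes disk 0,
# so the script is only written here; run it deliberately after reviewing it.
$diskpartScript = @"
select disk 0
clean
create partition primary
assign letter=C
shrink minimum=1500
create partition primary
active
assign letter=E
exit
"@
$scriptPath = Join-Path $env:TEMP 'bitlocker-layout.txt'   # assumed location
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
Write-Host "diskpart script written to $scriptPath; run 'diskpart /s $scriptPath' only on a disk you intend to wipe."

# --- Part B: TPM readiness before running tpm.msc / turning on BitLocker ---
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw 'No TPM detected: enable it in firmware (ideally behind a firmware password) and reboot.'
}
if (-not $tpm.TpmReady) {
    # Takes ownership of the TPM; the firmware may show a physical-presence prompt at the next boot,
    # which is the confirmation the post mentions.
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
}
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned
```

If Initialize-Tpm reports that a restart is pending, reboot and accept the firmware prompt before continuing; TpmReady must be True before BitLocker can seal a key to the TPM.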

  2. #2

    Re: High security with BitLocker

    Step 3

Configure advanced features:

    Before activating encryption, you have to make some changes in the computer's group policy to access all of BitLocker's features. Again, go to the command line and type gpedit.msc. In the console, go to Computer Configuration / Administrative Templates / Windows Components / BitLocker Drive Encryption and enable the following policies: Control Panel Setup: Configure recovery options and Control Panel Setup: Enable advanced startup options. To refresh the policies on the computer, go back to Run, type cmd and, in the console, run gpupdate /force, confirming that no error is reported.

    Step 4

Enable BitLocker encryption:

    Log on as Administrator and, in Control Panel / Security, choose BitLocker Drive Encryption (when the User Account Control prompt appears, click Continue); there, select Turn On BitLocker. For TPM-only mode, choose Use BitLocker without additional keys, then follow the instructions to create the recovery password and specify how to store it: on a USB drive, in a folder, or display it or print it. Before starting the encryption, we are asked whether we want to run a hardware check of the disk to avoid errors in areas that may contain encryption keys. Finally, on Encrypt the selected disk volume, choose Encrypt. The encryption process takes about a minute per 1 GB.

For the startup PIN mode, on the Turn On BitLocker screen choose Require a PIN at every startup and enter the PIN we consider appropriate in the PIN field (we can change it as often as we want); the other steps are the same as just seen. For the Require a USB startup key at every startup mode, on the Turn On BitLocker screen choose to save a startup key on a USB drive, insert the USB device and click Save; the other steps are the same as we saw earlier. Obviously, it is possible to encrypt the other volumes we have on the computer; however, before doing so, the operating system volume must be encrypted first.

    Step 5

Use advanced options:

    There is a command-line script that allows us to take further actions on BitLocker beyond those offered in the user interface. To use it, go to Programs / Accessories, right-click Command Prompt and select Run as administrator. In the console, run cd \windows\system32. The script lives here; run it with the appropriate options. With this script we can change, delete and add as many authentication methods as we like, enable and disable BitLocker, encrypt and decrypt volumes, and manage recovery keys.
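Steps 3 and 4 as a script, added here as an example that is not part of the original post: the local policy values behind "Require additional authentication at startup" are written directly under HKLM\SOFTWARE\Policies\Microsoft\FVE, then a recovery password and a TPM+PIN protector are added and encryption is turned on with the BitLocker PowerShell module (Windows 8 / Server 2012 and later; the manage-bde.exe equivalents are in the comments). Assumptions: the registry value names are the Windows 7-and-later ones (Vista's "Enable advanced startup options" policy referred to above maps to the same key), the backup directory E:\bitlocker-recovery is an assumed removable-media path, and XtsAes256 needs Windows 10 1511 or later (use Aes256 on older builds).

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

# --- Step 3 equivalent: policy values for "Require additional authentication at startup" ---
# Each Use* value: 0 = do not allow, 1 = require, 2 = allow. Allowing all four modes mirrors
# the post's "advanced startup options"; UseTPM=0 plus UseTPMPIN=1 would make TPM+PIN mandatory.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Type DWord -Value 0   # a TPM is mandatory
Set-ItemProperty -Path $fve -Name 'UseTPM'             -Type DWord -Value 2   # TPM only
Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Type DWord -Value 2   # TPM + PIN
Set-ItemProperty -Path $fve -Name 'UseTPMKey'          -Type DWord -Value 2   # TPM + USB startup key
Set-ItemProperty -Path $fve -Name 'UseTPMKeyPIN'       -Type DWord -Value 2   # TPM + PIN + startup key
gpupdate /force | Out-Null

# --- Step 4 equivalent: protectors first, then encryption ---
$vol       = 'C:'
$backupDir = 'E:\bitlocker-recovery'                       # assumed removable media
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Recovery password (48 digits) before anything else, so a forgotten PIN never locks us out.
#    manage-bde -protectors -add C: -RecoveryPassword
$rp = Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector
$rpProtector = $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$rpProtector.RecoveryPassword |
    Out-File -FilePath (Join-Path $backupDir "$($env:COMPUTERNAME)-recovery.txt")

# 2. TPM+PIN protector and start encryption. Without -SkipHardwareTest, Windows runs the
#    hardware check the post mentions and begins encrypting after the next reboot.
#    manage-bde -protectors -add C: -TPMAndPIN   ;   manage-bde -on C:
$pin = Read-Host -Prompt 'Enter the startup PIN' -AsSecureString
Enable-BitLocker -MountPoint $vol -TpmAndPinProtector -Pin $pin -EncryptionMethod XtsAes256

# 3. Verify (manage-bde -status C:). ProtectionStatus is On only once encryption has completed.
Get-BitLockerVolume -MountPoint $vol |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod
```

Adding the recovery password before the TPM+PIN protector is deliberate: once Enable-BitLocker has run, the only things that unlock the volume are the TPM measurements plus the PIN, so the recovery password file (or the printed copy) is the only way back in if the PIN is forgotten or the PCRs change.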

  3. #3

    Re: High security with BitLocker

    Step 6

Recover an encrypted drive:

    If we make any of the following changes to the computer, the system integrity check fails, which prevents the TPM from releasing the BitLocker key, and the disk goes into recovery mode. These are the actions we refer to: moving the encrypted hard drive to another computer, installing a new motherboard with a new TPM chip, disabling or clearing the TPM, updating the BIOS, forgetting the PIN, losing the authentication key, changing the MBR when installing another operating system, creating new partitions or modifying partitions on the hard drive, or making changes to the boot sector, boot manager, pre-boot components or pre-boot configuration. It also includes kernel debugging of the system, updating the firmware of the computer or the TPM, and running applications that update non-Microsoft boot components. That said, updates from Windows Update do not put the disk into recovery mode.

You can avoid this behavior by disabling BitLocker before each change; however, we must distinguish between disabling and decrypting. The latter option decrypts the operating system volume and cancels the protection BitLocker offers; it is ideal for changing the operating system version. When disabling, on the other hand, the volume remains encrypted, but the VMK (Volume Master Key) is encrypted with a key stored in clear text on the volume itself. This way you can even move the hard drive to another computer, avoiding decrypting and re-encrypting the volume over and over. When BitLocker is re-enabled, the VMK is re-encrypted with the SRK (Storage Root Key) according to the new configuration and the clear-text key is deleted.

If we did not disable BitLocker, once we start the computer our system will be in recovery mode and the BitLocker Drive Encryption Recovery Console will first ask us to insert the USB key containing the recovery key. If we do not have it, it asks for the recovery password. At this point, it is important to note that the digits must be entered using the function keys, since these are characters present in all pre-boot environments of the operating system and in all languages.

    Step 7

Remove the BitLocker configuration:

    From here the computer will boot normally and we can disable or remove the protection, or reconfigure BitLocker to create the startup key. To do this, go to Control Panel, BitLocker Drive Encryption, and choose Turn Off BitLocker. Here we have the choice between Disable BitLocker Drive Encryption and Decrypt the volume. If we choose this second alternative, from the tpm.msc console we can clear the TPM and then disable it in the BIOS, leaving the computer without any security feature activated.

    Step 8

Conclusion:

    With all this, you are ready to make your computer more secure. It is a good option, especially on laptops, which are more exposed to loss and carelessness. However, it can also be deployed on desktops and servers. Another advantage is that we can now recycle our old computers without dealing with the tedious task of deleting all the information from the disks, especially considering that it had to be done with a secure format (about 10 passes per sector erase) so that it could not be retrieved by recovery utilities.

For system administrators, those with Active Directory can manage and store the recovery keys and the hash of the TPM owner password of their users. It is also possible to use the recovery key reading and lookup tool, BitLocker Recovery Password Viewer for Active Directory, to view and locate recovery keys, and the BitLocker Repair Tool to decrypt data from a damaged disk. With all this, it will be easier to create images with BitLocker enabled for deployment.
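The disable-versus-decrypt distinction from Step 6 and the Active Directory escrow from Step 8, as an added PowerShell example that is not part of the original post. It assumes Windows 8 / Server 2012 or later (Suspend-BitLocker, Resume-BitLocker, Backup-BitLockerKeyProtector, Clear-Tpm); the AD step additionally assumes a domain-joined machine whose schema holds BitLocker recovery objects. The helper name Suspend-ForMaintenance is hypothetical; manage-bde.exe equivalents are in the comments.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
#Requires -RunAsAdministrator
$vol = 'C:'

function Suspend-ForMaintenance {
    # Hypothetical helper implementing "disable" in the post's sense: the volume stays
    # FullyEncrypted, but the VMK is wrapped with a clear key on disk, so a changed boot
    # measurement (BIOS/TPM firmware, boot manager, non-Microsoft boot components) does not
    # force recovery. -RebootCount makes Windows re-seal the VMK under the TPM by itself after
    # that many restarts, so the machine does not stay unprotected if Resume-BitLocker is forgotten.
    param([int]$RebootCount = 1)
    $state = Get-BitLockerVolume -MountPoint $vol
    if ($state.ProtectionStatus -ne 'On') {
        throw "$vol is not protected (status $($state.ProtectionStatus)); nothing to suspend"
    }
    # manage-bde -protectors -disable C: -RebootCount 1
    Suspend-BitLocker -MountPoint $vol -RebootCount $RebootCount | Out-Null
    $state = Get-BitLockerVolume -MountPoint $vol
    # While suspended: VolumeStatus=FullyEncrypted, ProtectionStatus=Off
    '{0}: VolumeStatus={1} ProtectionStatus={2}' -f $vol, $state.VolumeStatus, $state.ProtectionStatus
}

Suspend-ForMaintenance -RebootCount 1
# ... apply the firmware/TPM update or boot-loader change listed in Step 6 here, then reboot ...
# If the change needed no reboot, re-seal immediately instead of waiting for the counter:
# Resume-BitLocker -MountPoint $vol                 # manage-bde -protectors -enable C:

# --- Step 8: escrow every recovery password in AD DS so it can be found with the
#     BitLocker Recovery Password Viewer (manage-bde -protectors -adbackup C: -id <GUID>) ---
$recovery = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $p.KeyProtectorId | Out-Null
    'escrowed recovery password protector {0}' -f $p.KeyProtectorId
}

# --- Step 7, full removal rather than suspension: decrypt first, only then clear the TPM ---
# Disable-BitLocker -MountPoint $vol                # manage-bde -off C:   (wait for VolumeStatus=FullyDecrypted)
# Clear-Tpm                                         # tpm.msc -> Clear TPM, then disable it in firmware
```

The order in the last two comments matters: clearing the TPM while the volume is still encrypted and sealed to it is exactly the "disable or clear the TPM" case from Step 6, and the next boot lands in recovery.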
