Losing a mobile device, or having it stolen, can have serious consequences for a private individual or for a company. If an attacker has physical access to a device whose disks are not encrypted, compromise is close to guaranteed: the disk can simply be read from another machine, or the login password bypassed, without ever defeating the operating system. In these scenarios the only reliable way to keep the data confidential is disk encryption.
With disk encryption the device's disks are encrypted so that the data is accessible only with the correct password, PIN or key material (the exact method depends on the software and hardware used). The downside is that if the password, PIN or encryption keys are lost, the data cannot be recovered, so recovery keys must be backed up somewhere safe before they are needed.
In this blog series we look at two popular disk encryption products for Windows: BitLocker and VeraCrypt.
BitLocker is a widely used disk encryption feature that has shipped with Windows since Windows Vista. In Windows Vista and Windows 7 it required the Enterprise or Ultimate edition. Windows 8 and 8.1 include BitLocker in the Pro and Enterprise editions, and Windows 10 extends it to the Education edition as well. In this blog series we focus on BitLocker in Windows 10.
On Windows 10 BitLocker encrypts with XTS-AES using a 128-bit key by default. It also supports XTS-AES 256-bit, AES-CBC 128-bit and AES-CBC 256-bit. The cipher and the other BitLocker settings are configured through Group Policy (a GPO in an Active Directory environment, or the Local Group Policy Editor on a stand-alone machine). Note that the cipher is fixed at the moment a volume is encrypted: changing the policy afterwards only affects volumes encrypted from then on, and an existing volume keeps its cipher until it is decrypted and encrypted again.
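As an added example (not part of the original post), the following PowerShell shows where the cipher policy lives and how to compare it with what volumes actually use. It reads the registry values that the "Choose drive encryption method and cipher strength" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, lists the encryption method of each volume with Get-BitLockerVolume, and raises the OS-drive policy to XTS-AES 256. The function names are ours; the cmdlets, value names and numeric codes are the ones Windows 10 uses.

```powershell
# Added example: audit the BitLocker cipher policy against the cipher in use.
# Run in an elevated PowerShell on Windows 10 (BitLocker feature installed).

# Values of the "Choose drive encryption method and cipher strength" policy, as
# defined in VolumeEncryption.admx and written under the FVE policy key.
$CipherNames = @{
    3 = 'AES-CBC 128'
    4 = 'AES-CBC 256'
    6 = 'XTS-AES 128'   # Windows 10 default when the policy is not configured
    7 = 'XTS-AES 256'
}
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# One policy value per drive class: OS drives, fixed data drives, removable drives.
$PolicyValues = [ordered]@{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    FixedData       = 'EncryptionMethodWithXtsFdv'
    RemovableData   = 'EncryptionMethodWithXtsRdv'
}

function Get-BitLockerCipherPolicy {
    # Report the cipher that Group Policy mandates for each drive class.
    foreach ($entry in $PolicyValues.GetEnumerator()) {
        $raw = (Get-ItemProperty -Path $PolicyKey -Name $entry.Value -ErrorAction SilentlyContinue).($entry.Value)
        if ($null -eq $raw) {
            $cipher = 'Not configured (default: XTS-AES 128)'
        } elseif ($CipherNames.ContainsKey([int]$raw)) {
            $cipher = $CipherNames[[int]$raw]
        } else {
            $cipher = "Unrecognised value $raw"
        }
        [pscustomobject]@{ DriveClass = $entry.Key; PolicyValue = $entry.Value; Cipher = $cipher }
    }
}

function Get-BitLockerCipherInUse {
    # The cipher is fixed when a volume is encrypted, so this is what actually protects the data
    # today, regardless of what the policy currently says.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            EncryptionMethod = $_.EncryptionMethod   # XtsAes128, XtsAes256, Aes128, Aes256, None, ...
        }
    }
}

function Set-BitLockerOsCipherPolicy {
    # Raise the OS-drive policy (default XTS-AES 256) on a stand-alone machine. In a domain,
    # set the same policy in a GPO instead of writing the registry directly. Volumes that are
    # already encrypted keep their current cipher until they are decrypted and re-encrypted.
    param([ValidateSet(3, 4, 6, 7)][int]$Value = 7)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyValues.OperatingSystem -Value $Value -Type DWord
}

Get-BitLockerCipherPolicy | Format-Table -AutoSize
Get-BitLockerCipherInUse  | Format-Table -AutoSize
```

Compare the two tables: a volume that shows Aes128 while the policy says XTS-AES 256 was encrypted under an older setting and will not change on its own.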
BitLocker use cases
BitLocker can be used in two basic ways. The most convenient for the user is Transparent Operation Mode. Here the key that unlocks the drive is sealed to the computer's TPM 1.2+ (Trusted Platform Module) chip, and the TPM releases it at boot without any user input, as long as the measured boot components have not changed. Transparent Operation Mode is vulnerable to a cold boot attack: because the disk unlocks without a password, an attacker can power the machine on, let it boot to the logon screen, and then extract the key from RAM, for example by resetting the machine and booting a minimal operating system from USB that dumps memory before its contents decay (DMA-capable ports such as FireWire or Thunderbolt give the same access while the machine is running). The attack requires physical access to the computer.
The second way is to require a PIN, password, USB flash drive or smart card at boot. These factors can be combined with the TPM for an extra layer of security; requiring a PIN stops the unattended boot that the cold boot attack relies on, although a machine left in sleep still holds the key in RAM. According to Microsoft's documentation the following combinations are supported:
- TPM (Transparent Operation Mode – No user interaction)
- TPM + PIN Code
- TPM + PIN Code + USB Flash Drive or Smart Card
- TPM + USB Flash Drive or Smart Card
- USB Flash Drive or Smart Card
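As an added example (not from the original post), this PowerShell classifies each BitLocker volume by the boot-time authentication its key protectors imply, flags volumes that rely on the TPM alone, and converts the OS drive from TPM-only to TPM + PIN. The helper names are ours; the code uses the Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector and Enable-BitLocker cmdlets that ship with Windows 10, and the protector type names those cmdlets report.

```powershell
# Added example: audit BitLocker pre-boot authentication and move the OS drive
# from Transparent Operation Mode (TPM only) to TPM + PIN. Elevated PowerShell, Windows 10.

function Get-BitLockerAuthMode {
    # Map the key protectors on each volume to one of the modes listed above.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if     ($types -contains 'TpmPinStartupKey') { $mode = 'TPM + PIN + startup key' }
        elseif ($types -contains 'TpmPin')           { $mode = 'TPM + PIN' }
        elseif ($types -contains 'TpmStartupKey')    { $mode = 'TPM + startup key' }
        elseif ($types -contains 'Tpm')              { $mode = 'TPM only (transparent; key recoverable from RAM)' }
        elseif ($types -contains 'ExternalKey' -or $types -contains 'Password') { $mode = 'Startup key or password, no TPM' }
        else                                         { $mode = 'No boot-time protector' }
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            AuthMode         = $mode
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Set-BitLockerTpmAndPin {
    # Convert an OS volume to TPM + PIN. Order matters: make sure a recovery password exists
    # before touching the TPM protector, because once it is removed the new TPM+PIN protector
    # (or the recovery password) is the only way to unlock the drive.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # A startup PIN is refused unless the "Require additional authentication at startup" policy
    # allows it (UseAdvancedStartup / UseTPMPIN under HKLM:\SOFTWARE\Policies\Microsoft\FVE).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve.UseAdvancedStartup -ne 1) {
        throw 'Enable "Require additional authentication at startup" (allow TPM startup PIN) first.'
    }

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if (-not ($types -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Not yet encrypted: start encryption with TPM+PIN and XTS-AES 256 from the beginning.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest
        return
    }

    # A volume may carry only one TPM-based protector, so drop the TPM-only one and add TPM+PIN.
    foreach ($kp in ($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' })) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
}

Get-BitLockerAuthMode | Format-Table -AutoSize
# To convert the system drive:
# Set-BitLockerTpmAndPin -Pin (Read-Host -Prompt 'Startup PIN' -AsSecureString)
```

Print or escrow the recovery password (Get-BitLockerVolume shows it under KeyProtector) before rebooting: if the PIN is forgotten or the TPM measurements change after a firmware update, it is the only remaining way in.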
How BitLocker functions
During Windows installation the computer's disk is divided into at least two partitions. First there is a small partition of roughly 500 MB that holds the boot loader, the software responsible for loading the main operating system. Next to it is the main C: drive, which contains Windows, Program Files and the user's data.
When the drive is encrypted, the data itself is encrypted with a Full Volume Encryption Key (FVEK), and that key is in turn encrypted with the Volume Master Key (VMK). The VMK is never stored in the clear: a copy is sealed to the TPM if the computer has one (optionally combined with a PIN or startup key), and a further copy is wrapped by every other configured protector (password, startup key on USB, recovery password). These wrapped copies live in the BitLocker metadata, which is kept in several locations on the volume.
At boot the boot loader is loaded from the unencrypted partition. It detects the encrypted volume and obtains the VMK either from the TPM or from the volume's metadata, prompting the user for the PIN, password, USB startup key or smart card if one is configured. When the TPM is not used, a key derived from the password (or read from the USB drive) decrypts the wrapped VMK stored on the disk, and the VMK then decrypts the FVEK.
VeraCrypt is free, open-source disk encryption software for Windows, Linux and Mac OS X, maintained by the French security company IDRIX. It is based on the discontinued TrueCrypt. VeraCrypt supports almost the same features as BitLocker (except TPM support) and adds some interesting ones of its own.
VeraCrypt is an excellent choice if you run an older operating system (Windows 2003, XP, Vista) or the Home edition of a newer Windows (Windows 7 and later), none of which ship BitLocker. By default VeraCrypt uses AES in XTS mode, but it offers a range of other algorithms (AES, Serpent, Twofish, Camellia, and cascades of two or three of these).
VeraCrypt Modes and Operation
VeraCrypt can encrypt the whole system drive (everything except the VeraCrypt boot loader itself, which must remain readable) or only the Windows partition, as BitLocker does. Unlike BitLocker, VeraCrypt cannot use a TPM as key storage.
VeraCrypt support following modes of disk encryption:
- Windows Partition Encryption
- Hard Disk Encryption
- Hidden Operating System
Windows Partition Encryption works much like BitLocker drive encryption. Hard Disk Encryption encrypts the entire disk, including the Windows boot partition.
Hidden Operating System is an interesting feature because it provides plausible deniability. Under torture, extortion or legal compulsion the user can hand over the password that unlocks only a decoy ("clean") operating system containing no sensitive data, while the real system lives in a hidden volume inside a second, outer encrypted partition, where it is indistinguishable from free space filled with random data. The deniability only holds if the decoy system is actually used, so that it looks like a genuine day-to-day installation, and nothing on it betrays the existence of the hidden one.