BitLocker makes use of a hardware chip called a Trusted Platform Module or TPM. When you turn on the computer, BitLocker communicates with the TPM to make sure the Operating System hasn't been tampered with. If everything is ok, BitLocker then sends a key to the software on your hard drive, allowing it to boot.
From Wikipedia:
Operation
Contrary to the official name, BitLocker Drive Encryption is a logical volume encryption system. A volume may or may not be an entire drive, and can span one or more physical drives. Also, when enabled, TPM/BitLocker can ensure the integrity of the trusted boot path (e.g. BIOS, boot sector, etc.), in order to prevent most offline physical attacks, boot sector malware, etc.
In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: one for the operating system (usually C:) and another with a minimum size of 100MB from which the operating system boots. BitLocker requires the boot volume to remain unencrypted—on Windows Vista this volume must be assigned a drive letter, while on Windows 7 it does not. Unlike previous versions of Windows, Vista's "diskpart" command-line tool includes the ability to shrink the size of an NTFS volume so that the system volume for BitLocker can be created from already-allocated space. A tool called the "BitLocker Drive Preparation Tool" is also available from Microsoft that allows an existing volume on Windows Vista to be shrunk to make room for a new boot volume, and for the necessary bootstrapping files to be transferred to it;[12] Windows 7 creates the secondary boot volume by default, even if BitLocker is not used initially.
Once an alternate boot partition has been created, the TPM module needs to be initialized (assuming that this feature is being used), after which the required disk encryption key protection mechanisms such as TPM, PIN or USB key are configured. The volume is then encrypted as a background task, something that can take a considerable amount of time with a large disk as every logical sector is read, encrypted and rewritten back to disk. Only once the whole volume has been encrypted are the keys protected, and the volume considered secure. BitLocker uses a low-level device driver to encrypt and decrypt all file operations, making interaction with the encrypted volume transparent to applications running on the platform.
Encrypting File System may be used in conjunction with BitLocker to provide protection once the operating system kernel is running. Protection of the files from processes/users within the operating system can only be performed using encryption software that operates within Windows, such as Encrypting File System. BitLocker and Encrypting File System therefore offer protection against different classes of attacks.[13]
In Active Directory environments, BitLocker supports optional key escrow to Active Directory, although a schema update may be required for this to work (i.e. if the Active Directory Domain Services are hosted on a Windows version previous to Windows Server 2008).
Other systems like BitLocker can have their recovery key/password entry process spoofed by another boot manager or OS install. Once the spoofed software has captured the secret, it could be used to decrypt the VMK, which would then allow access to decrypt or modify any information on the user's BitLocker-encrypted hard disk. By configuring a TPM to protect the trusted boot pathway, including the BIOS and boot sector, this threat can be removed.
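The mechanism behind the TPM check above (the OS "hasn't been tampered with", and a spoofed boot manager cannot obtain the VMK) is that the VMK is sealed to measurements of the boot path, so a changed boot component changes the PCR value and the TPM refuses to release the key. The Python model below is an added example, not BitLocker's or any TPM's real code: the single PCR, the component names, the SRK and the HMAC/XOR wrapping are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PCR_ZERO = bytes(32)  # a TPM PCR starts at all zeros at power-on


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component)).
    Order matters and nothing can be un-extended, so any change anywhere
    in the boot path yields a different final value."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components) -> bytes:
    """Measure firmware, boot sector, boot manager, ... into one PCR value."""
    pcr = PCR_ZERO
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def seal(vmk: bytes, expected_pcr: bytes, srk: bytes) -> dict:
    """Seal a 32-byte VMK to a PCR value (simplified model). The wrapping key
    is derived from the TPM-internal secret and the policy PCR; the tag lets
    unseal() detect that a different PCR was presented."""
    assert len(vmk) == 32
    wrap = hmac.new(srk, b"wrap" + expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(vmk, wrap))
    tag = hmac.new(srk, b"tag" + expected_pcr + blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes, srk: bytes):
    """Release the VMK only if the boot path measured now matches the one it
    was sealed to; None models the TPM refusing and BitLocker entering recovery."""
    tag = hmac.new(srk, b"tag" + current_pcr + sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None
    wrap = hmac.new(srk, b"wrap" + current_pcr, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


def demo(srk: bytes = None, vmk: bytes = None):
    """Constructed boot chains: the trusted one unseals, a spoofed boot sector does not."""
    srk = srk or os.urandom(32)  # models the TPM's non-exportable storage root key
    vmk = vmk or os.urandom(32)
    trusted = [b"firmware v1", b"boot sector", b"bootmgr"]
    spoofed = [b"firmware v1", b"spoofed boot sector", b"bootmgr"]
    sealed = seal(vmk, measure_boot_chain(trusted), srk)
    released = unseal(sealed, measure_boot_chain(trusted), srk) == vmk
    refused = unseal(sealed, measure_boot_chain(spoofed), srk) is None
    return released, refused
```

Calling `demo()` returns `(True, True)`: the unmodified chain releases the VMK and the chain with a swapped boot sector is refused, which is exactly the recovery-prompt behaviour a defender sees after a firmware or boot-loader change.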