MSP360 For IT PROs
Articles about cloud backup, cloud storage and more

Full Disk Encryption: Approaches and Solutions for MSPs

Full Disk Encryption: Approaches and Solutions for MSPs

Data leaks and ransomware infections are common threats nowadays, which you can avoid by using data encryption technologies. If no one can read your data, you do not need to be too afraid of its theft.

That is why it is becoming more popular to encrypt system drives. In this article, we are going to overview the BitLocker tool and a few of its alternatives.

Using BitLocker in Windows Environment

BitLocker encrypts any disk partition (including system drive) and makes it unreadable for untrusted users after PC shutdown or reboot. Then you need to provide an encryption password by one of the available ways - PIN, password, USB key - and BitLocker will unlock your files. You can enable full disk encryption by simply calling corresponding features from the Windows control panel.

Note: when installed on a new computer, Windows will automatically create the partitions that are required for BitLocker. But if configuring BitLocker after an update of the previous Windows version, you need to partition the drive onto, at least, two volumes.

BitLocker also supports Trusted Platform Module (hardware chip installed on the motherboard) allowing you to ensure that the computer has not been infected or data has not been changed when the system was offline. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without TPM.

If you will use BitLocker as a corporate data protection tool, consider enabling the Network Unlock feature. Active Directory domain-connected PCs with BitLocker enabled can be automatically unlocked when the machine still connected to the corporate network. This convenient feature helps when users forget their passwords or USB key sticks, or in case the system was rebooted after unattended updates installation.

Since a lot of configuration options exist for BitLocker, you can configure almost anything using domain Group Policies.

BitLocker Group Policy

Group Policy Objects (GPO) allow you to centralize customized workstations and server settings at the enterprise network. It sets any parameter using Windows registry, and you need the GPO template for any applications being configured. Of course, Microsoft integrated BitLocker settings are in the GPO, thus allowing you to control drive encryption tasks and settings applied.

These settings are available in Local Group Policy Editor, under the section Administrative Templates > Windows Components > BitLocker Drive Encryption.

GPO contains a lot of settings, so we will highlight only a few interesting corporate preferences for BitLocker:

  • Enable and allow network unlock at startup.
  • Ability to choose additional startup authentication.
  • Configure password settings and requirements. You can also configure passwords using a policy for removable drives.
  • Control access and usage of removable drives not being protected by BitLocker.
  • Change hardware-based encryption settings for local drives.

BitLocker password recovery also allows you to store keys information in the Active Directory Domain Services, thus simplifying its management in corporate environments. But there are more ways to recover a lost password.

BitLocker Password Recovery

Most of BitLocker configurations require a user to enter a PIN or password to unlock the drive, but it is a typical scenario when a user forgets his or her password and asks a system administrator to help with drive unlocking. Microsoft allows a few disk unlocking ways in case you can’t unlock it normally, including cases when TPM chip blocks normal booting:

  • BitLocker Recovery Password Viewer - the tool is bundled with the Remote Server Administration Tools (RSAT) and lets you view BitLocker passwords stored in the Active Directory (AD). But remember that you need to pre-configure clients’ BitLocker to store such passwords in AD. Home users can store their passwords online in the Microsoft Account cloud service.
  • Using a locally stored recovery password. Users can print, or save elsewhere, a BitLocker recovery password after full disk encryption configuration. In case a user forgets the password or cannot unlock the drive normally, either way, he/she can type-in a previously saved recovery password.
  • Data Recovery Agent user role can unlock BitLocker drives in an organization.

You should also remember one peculiarity when unlocking the drive with help of a Data Recovery Agent user: in case you need to unlock the system drive, it is necessary to mount it as a regular volume on another PC.

BitLocker Alternatives

Since BitLocker runs only on Windows Pro and Enterprise editions, you have to choose a third-party solution to protect your sensitive data on a laptop. Even if you are home-user, it is a worst scenario to have a laptop with work documents, private files, and financial info stolen.

One of the available Open Source full disk encryption software is Veracrypt - a free and cross-platform data encryption tool allowing almost anything that you expect from BitLocker. Veracrypt is an ancestor of the well-known TrueCrypt, but improved and updated. This new tool supports AES, TwoFish, and Serpent encryption and allows you to create hidden volumes and protect system drives.

Though VeraCrypt is powerful, it is also a bit more complicated: you will need to dive into its configuration details for proper installation, but its everyday usage is simple enough to be a full-featured replacement for BitLocker, at least for home users. Enterprise administrators will be sad to see that there are no corporate-level management tools for VeraCrypt.

From a security perspective, VeraCrypt supports more encryption methods, stronger keys, etc. But in general, the protection level is high enough for both solutions, so you probably can’t see the difference.

NOTE: Using CloudBerry Backup and VeraCrypt might result in inconsistencies with the backup process. We have checked several use-cases, check them below

Use-cases that reportedly work

  • Encrypted file container, standard VeraCrypt volume > file backup, do not use block-level (do not force VSS)
  • Encrypted file container, encrypted file container > backup file, containing the encrypted volume, use block-level (force VSS)
  • Encrypt a non/system partition/drive, standard VeraCrypt volume > IBB of the source device (VSS used by default)
  • Encrypt a non/system partition/drive, standard VeraCrypt volume > file backup of the mounted encrypted volume, do not use block-level (do not force VSS)
  • Encrypt a non/system partition/drive, standard VeraCrypt volume > file backup of the mounted encrypted volume, use block-level (force VSS)
  • Encrypt a non/system partition/drive, hidden VeraCrypt volume > file backup of the mounted encrypted volume, do not use block-level (do not force VSS)

Test your use-case prior to using it in production

If you are running Mac, then you already have system-level FileVault software supporting full disk encryption. It provides 128 bit AES encryption for a whole drive, and is available on almost all Mac computers running OS X 10.3 or newer. The encryption process is easy and similar to turning on BitLocker. Apple also included a command-line tool allowing enterprise administrators to recover keys, manage user account configurations, unlock the disks, and the ability to manage the devices.

We will cover these encryption tools in more detail in our next posts.