Configure file and disk encryption Flashcards
TPM
Trusted platform module
Cryptographic coprocessor chip, specified by the Trusted Computing Group, built into PC hardware; BitLocker uses it to protect and release the volume encryption key.
Bitlocker is available in what editions of Windows desktop
Windows Vista / 7 Ultimate
Windows Vista / 7 Enterprise
Windows Pro 8
Windows Enterprise 8
First server version to have bitlocker
Server 2008
FDE
Full Disk Encryption
Bitlocker
Software-based full-volume encryption feature built into Windows; protects data at rest on OS, fixed data and removable drives.
Bitlocker is available in what editions of Server 2012
All of them
BitLocker To Go
BitLocker for removable drives: the data on a USB drive is encrypted.
The BitLocker To Go Reader (bitlockertogo.exe) is placed on the drive so older Windows versions can read the data after the password is entered.
Five BitLocker implementations (startup authentication modes)
TPM, USB (startup key), TPM+USB, TPM+PIN, TPM+PIN+USB
Note that this means BitLocker does not need a TPM chip to hold the key: a startup key on a USB drive can be used instead (requires the Group Policy setting "Allow BitLocker without a compatible TPM").
TPM chip does what for BitLocker
Pre-boot integrity measurement: the TPM seals the volume key to measurements of the early boot components (firmware, boot manager, boot configuration).
Confirms that the boot environment has not been tampered with; if the measurements change, the key is not released and the drive goes into recovery.
Keeps the key inside the TPM, so the drive cannot be read while the PC is off by moving the disk to another machine or booting another OS.
USB startup key instead of TPM for BitLocker
You must always have the USB drive plugged in to boot.
The USB startup key (.bek file) takes the place of the TPM as the holder of the key.
One downside: there is no boot-integrity check, so you cannot detect tampering with the boot environment (a modified boot loader could capture the key once the drive is unlocked). The encryption itself still protects the disk contents while the PC is off.
Recovery key / recovery password
Optional (but strongly recommended) protector used when the normal protector is unavailable: TPM failure or replacement, lost USB startup key, forgotten PIN, or a boot-environment change that trips the TPM check.
For emergencies.
Can be a 48-digit recovery password, a recovery key file (.bek) saved to USB, a printout, or escrowed to AD DS (backup enforced via Group Policy).
BitLocker requirements to use a TPM
TPM 1.2 or 2.0
TCG-compliant BIOS or UEFI firmware
Firmware support for reading USB mass storage devices at boot (needed for startup keys and recovery keys)
A separate, unencrypted system partition holding the boot files; the OS volume that gets encrypted is a second partition.
EFS
Encrypting File System
File-level encryption: users right-click a file or folder, open Properties > Advanced, and tick "Encrypt contents to secure data".
Add-BitLockerKeyProtector
Adds a key protector for a BitLocker volume.
Backup-BitLockerKeyProtector
Saves a key protector for a BitLocker volume in AD DS.
Clear-BitLockerAutoUnlock
Removes BitLocker automatic unlocking keys.
Disable-BitLocker
Disables BitLocker encryption for a volume.
Disable-BitLockerAutoUnlock
Disables automatic unlocking for a BitLocker volume.
Enable-BitLocker
Enables encryption for a BitLocker volume.
Enable-BitLockerAutoUnlock
Enables automatic unlocking for a BitLocker volume.
Get-BitLockerVolume
Gets information about volumes that BitLocker can protect.
Lock-BitLocker
Prevents access to encrypted data on a BitLocker volume.
Remove-BitLockerKeyProtector
Removes a key protector for a BitLocker volume.
Resume-BitLocker
Restores Bitlocker encryption for the specified volume.
Suspend-BitLocker
Suspends Bitlocker encryption for the specified volume.
Unlock-BitLocker
Restores access to data on a BitLocker volume.
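The cmdlets above in a typical sequence, as an added example that is not part of the original flashcards: protect the OS volume with TPM+PIN, add a recovery password before turning encryption on, and escrow it to AD DS. It assumes the machine has a ready TPM, Group Policy permits a TPM+PIN startup (the "Require additional authentication at startup" setting) and the AD DS backup policy is in place; the drive letter and prompt text are the example's own.

```powershell
# Added example (not from the original flashcards): protect the OS volume with
# TPM+PIN, add a recovery password, and escrow it to AD DS.
# Assumes: a ready TPM, Group Policy allowing TPM+PIN at startup, and a
# domain-joined machine with the BitLocker AD DS schema present.
# Run from an elevated PowerShell prompt.

$MountPoint = 'C:'

# 1. Check the TPM first; Enable-BitLocker with a TPM protector fails otherwise.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; run Initialize-Tpm, or use a USB startup key instead."
}

# 2. Show the current state. ProtectionStatus stays Off until encryption is enabled.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# 3. Add the recovery password BEFORE turning encryption on, so a recovery path
#    exists even if the TPM+PIN step fails later.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 4. Escrow the recovery password to the computer object in AD DS.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 5. Turn on encryption with a TPM+PIN protector. The PIN must be a SecureString;
#    Read-Host keeps it out of the script and the command history.
$pin = Read-Host -AsSecureString -Prompt 'Enter the BitLocker startup PIN'
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $pin

# 6. Confirm which protectors ended up on the volume (expect TpmPin and RecoveryPassword).
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Enable-BitLocker accepts only one protector per call, which is why the recovery password is added with Add-BitLockerKeyProtector first; Backup-BitLockerKeyProtector needs the protector's ID, not the password itself, and only RecoveryPassword protectors can be escrowed this way.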
BitLocker implementation: TPM
Use just the TPM chip, which holds the encryption key and releases it only if the measured boot components are unchanged; the PC boots with no user interaction.
BitLocker implementation: USB
A USB startup key (.bek) takes the place of the TPM. Supplies the key but gives no boot-integrity (tamper) check.
BitLocker implementation: TPM+USB
TPM does what the TPM does (key protection, tamper detection) AND a USB startup key must be present just to boot the PC.
BitLocker implementation: TPM+PIN
TPM does what the TPM does (key protection, tamper detection) AND a PIN must be entered pre-boot just to boot the PC.
BitLocker implementation: TPM+PIN+USB
TPM does what the TPM does (key protection, tamper detection) AND both a PIN and the USB startup key are required to boot the PC.
What version first lets you store the recovery key in your Microsoft account (formerly Windows Live ID / .NET Passport)?
Windows 8
This means the recovery key is stored in the cloud, tied to the user's Microsoft account.
What are the hard disk requirements for BitLocker?
You need at least two partitions (one disk with two partitions is enough; two disks also work).
The system partition (boot manager and boot files) stays unencrypted, because the firmware must be able to read it before the key is available.
The OS volume (Windows and your data) is the one that is encrypted.
BitLocker Network Unlock
A feature that lets TPM+PIN-protected PCs on the corporate wired network start (including reboots and resuming from hibernation) without anyone typing the PIN; the Network Unlock server supplies the unlock key over the network. Off the corporate network the PIN is still required.
Bitlocker Network Unlock is available as of
Windows 8
Server 2012
BitLocker Network Unlock requires clients to have what drivers
UEFI firmware with a DHCP (network boot) driver; legacy BIOS clients are not supported.
What server requirements are there for BitLocker Network Unlock?
The Network Unlock feature must be installed on Windows Server 2012
It must be on a server with the Windows Deployment Services (WDS) role installed
There must be a separate DHCP server (not on the WDS server)
You must have a properly configured public/private key pair (the Network Unlock certificate, deployed to clients)
You must select clients via Group Policy
UEFI
Unified Extensible Firmware Interface
Next-generation replacement for the BIOS
manage-bde: status
Provides information about all drives on the computer, whether or not they are BitLocker-protected.
manage-bde: on
Encrypts the drive and turns on BitLocker.
manage-bde: off
Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
manage-bde: pause
Pauses encryption or decryption.
manage-bde: resume
Resumes encryption or decryption.
manage-bde: lock
Prevents access to BitLocker-protected data.
manage-bde: unlock
Allows access to BitLocker-protected data with a recovery password or a recovery key.
manage-bde: autounlock
Manages automatic unlocking of data drives.
manage-bde: protectors
Manages protection methods for the encryption key.
manage-bde: tpm
Configures the computer's Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or Windows Server 2012. To manage the TPM on these computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
manage-bde: setidentifier
Sets the drive identifier field on the drive to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
manage-bde: forcerecovery
Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive. When the computer restarts, only a recovery password or recovery key can be used to unlock the drive.
manage-bde: changepassword
Modifies the password for a data drive.
manage-bde: changepin
Modifies the PIN for an operating system drive.
manage-bde: changekey
Modifies the startup key for an operating system drive.
manage-bde: keypackage
Generates a key package for a drive.
manage-bde: upgrade
Upgrades the BitLocker version.
manage-bde: WipeFreeSpace
Wipes the free space on a drive.
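The manage-bde switches above applied to a removable data drive (BitLocker To Go), as an added example that is not part of the original flashcards. The drive letter E: is a hypothetical choice and the prompt is assumed to be elevated; manage-bde.exe is the built-in tool, and it prompts for passwords interactively so none are embedded here.

```powershell
# Added example (not from the original flashcards): protect a removable data
# drive with manage-bde using a password plus a recovery password, escrow the
# recovery password, auto-unlock the drive on this PC, then lock and unlock it.
# Assumes the removable drive is E: (hypothetical) and an elevated prompt.

$drive = 'E:'

# Inventory: which drives exist and whether they are BitLocker-protected.
manage-bde -status

# Add a recovery password first so there is always a way back in.
manage-bde -protectors -add $drive -RecoveryPassword

# Add the password protector and turn encryption on; manage-bde prompts for the
# password, so it never lands in the command history.
manage-bde -on $drive -Password -UsedSpaceOnly

# List all protectors. The 48-digit recovery password is printed here; record it
# in your escrow location before leaving the machine.
manage-bde -protectors -get $drive

# Pull the recovery-password protector ID out of the listing and escrow it to AD DS.
$id = (manage-bde -protectors -get $drive -Type RecoveryPassword |
       Select-String -Pattern 'ID:\s*(\{[0-9A-F-]+\})').Matches[0].Groups[1].Value
manage-bde -protectors -adbackup $drive -id $id

# Auto-unlock on this PC only (allowed only when the OS drive is itself
# BitLocker-protected, since the auto-unlock key is stored on it).
manage-bde -autounlock -enable $drive

# Lock the drive explicitly before handing it to someone else, then unlock it
# again with the password.
manage-bde -lock $drive -ForceDismount
manage-bde -unlock $drive -Password
```

-forcerecovery is deliberately left out of the sequence: on an OS drive it deletes the TPM-based protectors, so the next boot can only be unlocked with the recovery password or key, which is exactly why the recovery password is added and escrowed first.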
EFS
Older alternative to BitLocker (file-level encryption, not full-volume)
Encrypting File System
EFS encryption (standalone machine) is based on
A per-user EFS certificate whose private key is protected by DPAPI, which is derived from the local user's password.
An administrator resetting the password (as opposed to the user changing it) breaks the DPAPI protection of that private key, so the encrypted files become unreadable unless the key was backed up.
EFS encryption for domains is based on
Two or more certificates/keys.
1st: the user's EFS certificate; the file encryption key is wrapped with the user's public key.
2nd: the domain Data Recovery Agent (DRA) certificate, set by Group Policy; the file key is also wrapped with the DRA's public key.
This enables admins to recover data if the user's key is lost.
best practices for EFS
keep multiple recovery agents
encrypt folders, not files
export the user and recovery-agent certificates with their private keys (e.g. to a password-protected .pfx) so there is an offline backup
Why should you encrypt folders, not files, for EFS
If you encrypt just the file and not the folder containing it, applications such as Word create a working copy (the ~filename.doc temp file) in the same folder when the file is opened; that copy is cleartext. Encrypting the folder sets the encryption attribute on it, so every new file created inside, temp copies included, is encrypted automatically.
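The EFS best practices above carried out with cipher.exe, as an added example that is not part of the original flashcards. The folder and file names are hypothetical; the folder step runs as the user who owns the data, and the recovery-agent step runs as the administrator who will hold the recovery key.

```powershell
# Added example (not from the original flashcards): apply the EFS best practices
# with cipher.exe, the built-in EFS command-line tool. Paths are hypothetical.

# 1. Encrypt the FOLDER, not individual files. /S: recurses; new files created in
#    the folder later (including Word's ~temp copies) are encrypted automatically.
cipher /E /S:"$env:USERPROFILE\Documents\Confidential"

# Encrypting a single file leaves the folder unmarked, so later temp copies in it
# stay cleartext. Shown for contrast only:
# cipher /E "$env:USERPROFILE\Documents\Confidential\report.docx"

# 2. Back up the user's EFS certificate and private key to a password-protected
#    .pfx (cipher prompts for the password). Store it off the machine: without it
#    an admin password reset makes the files unreadable.
cipher /X:"$env:USERPROFILE\efs-backup"

# 3. (Admin, once per domain) create a Data Recovery Agent certificate and key.
#    Produces recovery-agent.cer, to import under Computer Configuration > Windows
#    Settings > Security Settings > Public Key Policies > Encrypting File System,
#    and recovery-agent.pfx, which must be kept offline.
cipher /R:"C:\RecoveryAgent\recovery-agent"

# 4. After the DRA policy has applied, touch existing encrypted files so the new
#    recovery agent's key is added to each file's recovery field.
cipher /U

# 5. Verify without changing anything: /U /N only lists encrypted files.
cipher /U /N

# 6. Plaintext remnants of files that were encrypted in place may still sit in
#    free space; overwrite it.
cipher /W:"$env:SystemDrive\"
```

Step 4 matters because EFS wraps the file key with the recovery agent's public key at encryption time: files encrypted before the DRA existed have no recovery field until they are touched.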