BitLocker
In a previous employment life I talked to Steve Lamb about some work he was doing to gather people's experiences of BitLocker, but as my then employer had a somewhat less liberal view on ownership of out-of-hours work like this than my rather more enlightened current employer, nothing ever came of the discussion until now.
Having got my new work laptop, a Lenovo X61s with a built-in TPM and XP installed, I set about putting Vista Enterprise SP1 and Server 2008 onto it for various projects.
For the most part on automatic pilot, I took ownership of the TPM, saved the resulting TPM password file in various locations and encrypted the C: drive, again backing up the recovery file in various locations. Nothing unusual. Next I installed the December release of Server 2008, as I wanted to use Hyper-V for testing and demonstrations, and since I was installing the relevant wireless network awareness feature I also installed the BitLocker feature and encrypted the C: drive (a different volume, of course, as Vista and Server 2008 are a lot smarter than previous Microsoft operating systems about allocating volume drive letters).
It was only a couple of days later that it dawned on me that, with all the fuss last year about BitLocker breaking dual- or multiple-boot systems, especially those with a non-Microsoft operating system installed (which it does not, if done right), many people will have been scared off using BitLocker. A number of Microsoft and non-Microsoft people have posted ways to save a GRUB boot sector and use the Vista boot loader to start Linux just fine. In addition, if you stop the TPM while you make changes to the boot system and start it again afterwards, as will be required when installing Vista SP1, new measurements of the boot files will be taken and all will be just fine. Anyway, if you follow the wizard and save appropriate copies of the TPM and volume recovery files you will be able to use the recovery console and access your system just fine.
Don't be scared of BitLocker; understand it and you can realise a significant boost to the security of your systems and data. I do not have Linux on this machine at the moment, but I have built machines before with an XP partition, two Linux partitions (/ and /swap) and a Vista partition, in that order. Put the XP partition on first: XP assigns the C: drive to itself and, as it will not be encrypted, it provides the later BitLocker install with a location with the necessary 1.5GB of free space for the boot files, which must be unencrypted but are still measured (TPM parlance for validity-checked at each boot). Install your Linux of choice and use dd to save its boot sector to the XP partition. Install Vista, which will overwrite the Linux boot sector; then add the saved Linux boot sector as an option using bcdedit, take ownership of the TPM and encrypt the Vista C: drive.
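The bcdedit half of that walkthrough, as an added example that is not part of the original post: it registers a boot sector saved with dd as a chain-load entry in the Vista boot menu and sanity-checks the file first. Assumptions (not from the post): an elevated PowerShell on the Vista install, the XP volume is C: and stays unencrypted, and the Linux boot sector was copied there as C:\linux.bin (a constructed file name; the dd command in the comment, with /dev/sda3 as the Linux root partition and /mnt/xp as the mounted XP volume, is likewise illustrative).

```powershell
# Added example, not from the original post: registers a saved Linux boot
# sector with the Vista boot loader, the "bcdedit" step of the walkthrough.
# Assumptions: elevated PowerShell on the Vista install; the XP volume is C:
# and stays unencrypted; the Linux boot sector was saved there earlier as
# C:\linux.bin (a constructed file name) with a command like this, run from
# Linux, where /dev/sda3 is the Linux root partition and the XP volume is
# mounted at /mnt/xp:
#   dd if=/dev/sda3 of=/mnt/xp/linux.bin bs=512 count=1

param(
    [string]$BootVolume     = 'C:',
    [string]$BootSectorFile = '\linux.bin',   # path relative to the root of $BootVolume
    [string]$EntryName      = 'Linux',
    [int]$TimeoutSeconds    = 10
)

function Test-BootSectorFile {
    # A real boot sector is exactly one 512-byte sector ending in the 0x55AA signature;
    # refuse anything else so a bad dd does not leave an unbootable menu entry.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "boot sector file $Path not found" }
    $sector = [System.IO.File]::ReadAllBytes($Path)
    if ($sector.Length -ne 512 -or $sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) {
        throw "$Path is not a 512-byte boot sector with the 0x55AA signature"
    }
}

function Add-BootSectorEntry {
    param([string]$Description, [string]$Volume, [string]$File, [int]$Timeout)

    # bcdedit replies "The entry {GUID} was successfully created."; pull the GUID out.
    $created = bcdedit /create /d $Description /application bootsector
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /create failed: $created" }
    $id = [regex]::Match(($created -join ' '), '\{[0-9a-fA-F-]+\}').Value
    if (-not $id) { throw "could not find the new entry id in: $created" }

    # Chain-load the saved sector from the unencrypted volume; that volume stays
    # readable after the Vista volume is encrypted, so the entry keeps working.
    bcdedit /set $id device "partition=$Volume" | Out-Null
    bcdedit /set $id path $File | Out-Null
    bcdedit /displayorder $id /addlast | Out-Null   # append to the boot menu
    bcdedit /timeout $Timeout | Out-Null            # give yourself time to pick it
    return $id
}

Test-BootSectorFile -Path (Join-Path $BootVolume $BootSectorFile)
$entry = Add-BootSectorEntry -Description $EntryName -Volume $BootVolume -File $BootSectorFile -Timeout $TimeoutSeconds
bcdedit /enum $entry   # show the finished entry for a visual check before rebooting
```

Run it in the order the walkthrough gives, before taking ownership of the TPM and encrypting, so the first measurement the TPM records already includes the final boot configuration; the saved sector lives on the unencrypted XP volume, which is exactly why that volume has to stay unencrypted.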
As noted above, you can install multiple copies of Vista or Server 2008 and encrypt the volumes independently; each will have a separate volume recovery file, and you will have a single TPM recovery file.
One thing for those of you building machines in a corporate environment and wanting to use BitLocker (which, unless you have nothing that could compromise you, your clients or your staff, you would be mad, in my humble opinion, not to) is that if you script BitLocker from the command line before you join the machine to Active Directory Domain Services, the recovery keys are not stored in the directory. The machine must be domain joined before starting BitLocker for it to automatically save to Domain Services, and you must have extended the schema appropriately as well.
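A scripted enable with the pre-flight checks that point implies, as an added example that is not part of the original post (it also covers the "take ownership of the TPM and encrypt" step of the multi-boot walkthrough). It refuses to turn BitLocker on unless the machine is already domain joined, the AD DS backup policy is applied and the TPM is usable, then turns on the volume with a TPM protector, a numerical recovery password (the protector the directory escrows) and a recovery key file on removable media. Assumptions: an elevated PowerShell on Windows 7 or later, where manage-bde.exe exists; on Vista and Server 2008 the same switches are assumed to be passed to cscript manage-bde.wsf. The registry value names are those I know the AD backup policy to write (ActiveDirectoryBackup / RequireActiveDirectoryBackup under the Vista policy, OSActiveDirectoryBackup / OSRequireActiveDirectoryBackup under the Windows 7 operating-system-drive policy) and are stated as assumptions; the owner password and recovery key path are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell on
# Windows 7 or later (manage-bde.exe present); on Vista/Server 2008 the same
# switches go to "cscript manage-bde.wsf" (assumed). The registry value names
# below are assumptions about what the AD DS backup policy writes.
# $RecoveryKeyPath and $TpmOwnerPassword are constructed placeholders.

param(
    [string]$Volume           = 'C:',
    [string]$RecoveryKeyPath  = 'E:\',                      # removable drive for the .bek file
    [string]$TpmOwnerPassword = 'CHANGE-ME-owner-password'  # placeholder, never ship this
)

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Test-BitLockerPrerequisites {
    # Returns the list of reasons NOT to enable BitLocker yet; empty means go ahead.
    $problems = @()

    # 1. Keys are only escrowed to AD DS if the machine is already a domain member.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $problems += "machine is not domain joined (workgroup '$($cs.Workgroup)')"
    }

    # 2. Without the backup policy applied, the protector is never written to the directory.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $backupOn  = $fve -and ($fve.ActiveDirectoryBackup -eq 1 -or $fve.OSActiveDirectoryBackup -eq 1)
    $backupReq = $fve -and ($fve.RequireActiveDirectoryBackup -eq 1 -or $fve.OSRequireActiveDirectoryBackup -eq 1)
    if (-not $backupOn)  { $problems += 'AD DS backup policy is not applied (no ActiveDirectoryBackup=1)' }
    if (-not $backupReq) { $problems += 'backup is not required, so a failed escrow would not block encryption' }

    # 3. TPM present, enabled and activated, or the TPM protector cannot be created.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if (-not $tpm) {
        $problems += 'no TPM found'
    } elseif (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
        $problems += 'TPM is present but not enabled and activated in firmware'
    }
    return ,$problems   # unary comma keeps an empty array from collapsing to $null
}

function Enable-BitLockerWithEscrow {
    param([string]$Vol, [string]$KeyPath, [string]$OwnerPassword)

    $problems = @(Test-BitLockerPrerequisites)
    if ($problems.Count -gt 0) {
        throw ("refusing to enable BitLocker:`n - " + ($problems -join "`n - "))
    }

    # Take ownership only if nobody owns the TPM yet; save the owner password file separately.
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if (-not $tpm.IsOwned().IsOwned) {
        manage-bde -tpm -turnon | Out-Null
        manage-bde -tpm -takeownership $OwnerPassword | Out-Null
    }

    # TPM protector (default for an OS volume with a TPM) plus a numerical recovery
    # password, which is what AD DS stores, plus a recovery key file kept off this machine.
    manage-bde -on $Vol -recoverypassword -recoverykey $KeyPath
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Vol failed" }

    # Show the protectors that now exist so the escrowed password can be checked against AD.
    manage-bde -protectors -get $Vol
}

Enable-BitLockerWithEscrow -Vol $Volume -KeyPath $RecoveryKeyPath -OwnerPassword $TpmOwnerPassword
```

The check on RequireActiveDirectoryBackup is the one that matters in practice: with backup merely enabled, a machine that cannot reach a domain controller at the moment the protector is created still encrypts, and its recovery password quietly never reaches the directory.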
One of the reasons I tend to work like this is that I use multiple installs to separate my work and test environments, especially as much of the testing involves beta software and thus does not always have anti-virus installed; while I have been lucky up to now and never knowingly had a problem, I believe in limiting my risk. While I was writing this I saw the write-up of an attack vector against Windows systems over at http://www2.gmer.net/mbr/, of which I have included the initial section below. Please read this through to see where I am going.
Stealth MBR rootkit
Jan 2nd, 2008
In 2005 Derek Soeder and Ryan Permeh, researchers from eEye Digital Security, presented eEye BootRoot. The technique used in their project wasn't new and had been popular in DOS times, but they first successfully used it in Windows NT Environment. The eEye Digital Security researchers skipped one part - BootRoot didn't hide the real content of affected sectors like old DOS Stealth MBR viruses, but it had only been created to show the possible way to compromise Windows NT OS.
Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack; however, the first sectors of disk are still unprotected!
Rootkit in the wild
At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in the near future if MBR stays unprotected.
"Good points" of being MBR rootkit:
- full control of machine boot process - code is executed before the OS starts
- rootkit does not need a file - code could exist in some sectors of the disk and it cannot be deleted as a usual file
- rootkit does not need any registry entry because it is loaded by MBR code
- to hide itself, rootkit needs to control only a few sectors of the disk

How MBR rootkit works:
- Installer
- MBR loader
- Kernel patcher
- Kernel driver loader
- Sectors hider/protector
- Kernel driver
- Detection
- Rootkit removal
One of the things a TPM does during startup is to check that the boot information has not been modified since it last measured it, to ensure that it is booting the system in the state it has been told to expect. Turn on your TPM and encrypt your Vista partitions and, regardless of what the XP, Linux or even another Vista partition does to the boot information, the TPM will detect the change and warn you on the next boot; those installs have no direct access to your partition to read or write data either, unless you were to leave the recovery files on an unencrypted partition and a program or user was smart enough to find and use them.
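To make the measurement idea concrete, here is an added example that is not part of the original post: a user-mode stand-in that does to the first sector of disk 0 what the TPM's pre-OS measurement does, hashing the MBR boot code and the partition table separately (the split the TPM keeps between its PCR 4 and PCR 5 measurements) and comparing the result with a baseline recorded when the boot chain was known good. Assumptions: an elevated PowerShell, a raw-readable \\.\PhysicalDrive0, and the baseline file path, which is a constructed placeholder.

```powershell
# Added example, not from the original post. A user-mode illustration of
# measurement: hash the MBR code and partition table of disk 0 and compare
# against a baseline recorded on a known-good boot. Needs an elevated prompt.
# The baseline file path is a constructed placeholder.

param(
    [string]$Device       = '\\.\PhysicalDrive0',
    [string]$BaselineFile = "$env:ProgramData\mbr-baseline.txt",
    [switch]$Record       # record a new baseline instead of checking against one
)

function ConvertTo-Hex {
    param([byte[]]$Bytes)
    return (($Bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Get-BootSectorMeasurement {
    # Returns SHA-256 digests of the two regions of the first sector that matter
    # separately: bytes 0..439 are boot code (what PCR 4 covers), bytes 446..509
    # are the four 16-byte partition entries (what PCR 5 covers). The 4-byte disk
    # signature at 440..443 is skipped, as it is an identifier rather than code.
    param([string]$Path)
    $sector = New-Object byte[] 512
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $read = $fs.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read from $Path ($read bytes)" }
    } finally { $fs.Close() }

    if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) {
        throw "$Path does not end in the 0x55AA boot signature"
    }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return @{
        Code           = ConvertTo-Hex ($sha.ComputeHash($sector, 0, 440))
        PartitionTable = ConvertTo-Hex ($sha.ComputeHash($sector, 446, 64))
    }
}

$now = Get-BootSectorMeasurement -Path $Device
if ($Record) {
    "$($now.Code) $($now.PartitionTable)" | Set-Content -Path $BaselineFile
    "baseline recorded in $BaselineFile"
    return
}
if (-not (Test-Path -LiteralPath $BaselineFile)) {
    throw "no baseline at $BaselineFile; run with -Record on a known-good boot first"
}
$parts = (Get-Content -LiteralPath $BaselineFile | Select-Object -First 1).Trim() -split ' '
$changed = @()
if ($now.Code -ne $parts[0])           { $changed += 'MBR boot code (PCR 4 region)' }
if ($now.PartitionTable -ne $parts[1]) { $changed += 'partition table (PCR 5 region)' }

if ($changed.Count -eq 0) {
    'boot sector matches the recorded baseline'
} else {
    # A changed partition table usually means a legitimate repartition; changed boot
    # code with an unchanged table is the case that deserves a closer look.
    Write-Warning ('boot sector differs from baseline: ' + ($changed -join '; '))
    exit 1
}
```

Keeping the two regions apart is the useful part: creating a new partition changes only the table digest, while the kind of modification the quoted write-up describes changes the code digest and leaves the table alone. The limitation is also instructive: this runs after the operating system is up, so a kernel-level component that hides sectors from the OS can answer the read with the original bytes, which is exactly why the TPM measures the sector before the OS starts rather than trusting anything that runs afterwards.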
I am using this little laptop, with a slow mobile drive and BitLocker-encrypted virtual hard disks for Hyper-V, for small-scale testing just fine, and performance for Vista is just fine for everything I do, even using the machine as a road-warrior knowledge worker, and I feel a lot more secure about the client and personal data I store.
Oh, for those sceptics about backdoors etc. in BitLocker: Microsoft and the staff on the BitLocker team have been very vocal about there not being any, have recently published the algorithms behind BitLocker and expect to obtain US Federal FIPS accreditation this year.