Vista: BitLocker Blob Location/Backup

Secure Home | Search | About

Lost Password?

Microsoft Applications Security

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Vista: BitLocker Blob Location/Backup

tavis

06-22-2006

Re: Vista: BitLocker Blob Location/Backup

PA Bear

06-22-2006

Re: Vista: BitLocker Blob Location/Backup

tav

06-23-2006

Re: Vista: BitLocker Blob Location/Backup

Alun Jones

06-24-2006

Posted by =?Utf-8?B?dGF2aXM=?= on June 22, 2006, 7:03 pm

If you were Registered and logged in, you could reply and use other advanced thread options

In BitLocker for Vista, is it known, exactly, where the encrypted blobs used
to secure the encryption keys are stored on the protected volume?

The concerns:

1. According to the Technical Overview at
http://www.microsoft.com/technet/windowsvista/security/bittech.mspx, secure
decommissioning can be accomplished by using commands to delete the encrypted
blobs, including the recovery blob. If there is ever any doubt that these
blobs could be read or copied off of the drive, the thoroughness of the
decommissioning may be questioned.

2. On the other hand, some customers may be concerned about a denial of
service should someone/something delete these blobs (especially if a virus
affects a domain admin's system, and accesses the WMI commands to
"decommission" the volume!). The customer may want some way to backup these
blobs, and restore them if deleted. I know this begs the question - "why
would one ever embark on volume encryption without a good file backup
solution in place?", but it would be faster to restore the blobs than restore
all data from tape for an enterprise of laptops.

They're probably not regular files, or maybe I missed something using
WinHex...

Thanks!

Posted by PA Bear on June 22, 2006, 7:18 pm

If you were Registered and logged in, you could reply and use other advanced thread options

Please post to this Vista-specific newsgroup:

microsoft.public.windows.vista.security

Web interface:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.vista.security

Via your newsreader:
news://msnews.microsoft.com/microsoft.public.windows.vista.security
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org

tavis wrote:

> In BitLocker for Vista, is it known, exactly, where the encrypted blobs

> used to secure the encryption keys are stored on the protected volume?

> The concerns:

> 1. According to the Technical Overview at

> http://www.microsoft.com/technet/windowsvista/security/bittech.mspx,

> secure decommissioning can be accomplished by using commands to delete

> the encrypted blobs, including the recovery blob. If there is ever any

> doubt that these blobs could be read or copied off of the drive, the

> thoroughness of the decommissioning may be questioned.

> 2. On the other hand, some customers may be concerned about a denial of

> service should someone/something delete these blobs (especially if a virus

> affects a domain admin's system, and accesses the WMI commands to

> "decommission" the volume!). The customer may want some way to backup

> these blobs, and restore them if deleted. I know this begs the question

> - "why would one ever embark on volume encryption without a good file

> backup solution in place?", but it would be faster to restore the blobs

> than restore all data from tape for an enterprise of laptops.

> They're probably not regular files, or maybe I missed something using

> WinHex...

> Thanks!

Posted by =?Utf-8?B?dGF2aXM=?= on June 23, 2006, 7:56 am

If you were Registered and logged in, you could reply and use other advanced thread options

Thanks - I'm new to posting questions on these forums, so I'm wondering, what
is the best way to get direct answers to some very specific questions from
the BitLocker development team? Is posting on the public forum the only way?
Or can I simply email the team directly, somehow?

"PA Bear" wrote:

> Please post to this Vista-specific newsgroup:

> microsoft.public.windows.vista.security

> Web interface:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windows.vista.security

> Via your newsreader:

> news://msnews.microsoft.com/microsoft.public.windows.vista.security

> --

> ~Robear Dyer (PA Bear)

> MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org

> tavis wrote:

> > In BitLocker for Vista, is it known, exactly, where the encrypted blobs

> > used to secure the encryption keys are stored on the protected volume?

> >

> > The concerns:

> >

> > 1. According to the Technical Overview at

> > http://www.microsoft.com/technet/windowsvista/security/bittech.mspx,

> > secure decommissioning can be accomplished by using commands to delete

> > the encrypted blobs, including the recovery blob. If there is ever any

> > doubt that these blobs could be read or copied off of the drive, the

> > thoroughness of the decommissioning may be questioned.

> >

> > 2. On the other hand, some customers may be concerned about a denial of

> > service should someone/something delete these blobs (especially if a virus

> > affects a domain admin's system, and accesses the WMI commands to

> > "decommission" the volume!). The customer may want some way to backup

> > these blobs, and restore them if deleted. I know this begs the question

> > - "why would one ever embark on volume encryption without a good file

> > backup solution in place?", but it would be faster to restore the blobs

> > than restore all data from tape for an enterprise of laptops.

> >

> > They're probably not regular files, or maybe I missed something using

> > WinHex...

> >

> > Thanks!

Posted by Alun Jones on June 24, 2006, 8:31 pm

If you were Registered and logged in, you could reply and use other advanced thread options

> In BitLocker for Vista, is it known, exactly, where the encrypted blobs

> used

> to secure the encryption keys are stored on the protected volume?

> The concerns:

> 1. According to the Technical Overview at

> http://www.microsoft.com/technet/windowsvista/security/bittech.mspx,

> secure

> decommissioning can be accomplished by using commands to delete the

> encrypted

> blobs, including the recovery blob. If there is ever any doubt that these

> blobs could be read or copied off of the drive, the thoroughness of the

> decommissioning may be questioned.

Decommissioning the drive in such a manner requires overwriting the blobs
several times with random data, just as you currently decommission a drive
by overwriting the whole drive with random data several times.

Overwriting the blobs several times is simply a matter of seconds, rather
than hours, and provides essentially the same degree of protection.

> 2. On the other hand, some customers may be concerned about a denial of

> service should someone/something delete these blobs (especially if a virus

> affects a domain admin's system, and accesses the WMI commands to

> "decommission" the volume!). The customer may want some way to backup

> these

> blobs, and restore them if deleted. I know this begs the question - "why

> would one ever embark on volume encryption without a good file backup

> solution in place?", but it would be faster to restore the blobs than

> restore

> all data from tape for an enterprise of laptops.

Remember what encryption is for. It is for data that _you_ would rather
lose (by losing the encrypted data or the keys) than let _them_ have. [For
some value of "you" and "them".]

The "denial of service" attack simply means that if your laptop full of data
that you don't want them to have falls into their hands, they can make the
data irretrievably disappear. That's not a bad thing, it's a requirement of
your desire to protect your data in this manner.

If this "denial of service" is a bad thing for you, then encryption is
clearly not what you want.

You can, of course, mitigate this issue by using good backups, as you say.

Question - assuming your laptop has fallen into the hands of undesirables,
why do you think it is safe to trust it when it comes back? I'd scrub the
damn thing and then think very carefully about whether I wanted to re-image
it, just in case maybe they'd flashed the BIOS.

Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Woodinville WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.

Similar Threads	Posted
Have you used bitlocker?	December 8, 2006, 2:56 pm
bitlocker and error 0X8007001B	April 30, 2008, 12:06 pm
About SCardEstablishContext in Vista	December 27, 2007, 9:33 pm
Vista is infected.	March 6, 2008, 5:14 am
L2TP vista x64 SP1	November 9, 2008, 2:44 am
Windows Vista and Rootkits	November 4, 2005, 12:49 pm
Microsoft Vista Technology	November 25, 2005, 1:18 pm
Windows Vista and TPM Services	December 29, 2006, 5:06 pm
DRA certificate on smartcard - vista	May 1, 2007, 3:20 pm
requesting a certificate in Vista.	February 6, 2008, 1:54 pm

The site map in XML format XML site map