BitLocker using TPM

BitLocker was introduced in 2007 when Windows Vista was released. It is the gatekeeper to the data on your hard drive, secured with the TPM chip.

A common misconception is that BitLocker is only Full Volume Encryption, that is, encrypting all data on your hard drive. In fact BitLocker has 2 purposes:

  • Full Volume Encryption
  • Preboot-Attack Protection

Understanding this makes BitLocker easier to manage. It lets you understand when you need to suspend BitLocker, when you do not, and what its goals are. BitLocker is also a must-have in environments where DirectAccess is implemented.

In Windows 7 (let’s forget Vista ever existed), we have a few things to remember:
– BitLocker was introduced in the Enterprise and Ultimate Editions. It is, after all, a premium feature.
– Default encryption algorithm: AES-128bit + Diffuser.
– It is immediate full volume encryption: once you turn on BitLocker, it encrypts the hard drive entirely, which implies you need at least 6GB of unused disk space. The process goes as follows:

  • BitLocker moves the data to the unused disk space.
  • It encrypts the disk sectors where the data used to live.
  • It moves the data back to the encrypted disk space.

This process takes a while, depending on the speed of your disk and the amount of data to be encrypted. It usually added, at the bare minimum, an extra hour to deployment times.

Preprovisioning BitLocker was originally introduced with Windows 8, but later on Windows 7 was supported as well. Preprovisioning is a method to start encrypting your disk before Windows is actually installed.

In Windows 8 and 8.1 the default encryption algorithm changed to AES-128 only. Windows 8 and later also allow Used Disk Space Only encryption. So if you have a disk of 256GB and only 60GB is used, BitLocker encrypts only 60GB. The encrypted area grows as you generate more data: right before data is saved to disk, the BitLocker service kicks in and encrypts the designated location, and only then is the data stored.

As of Windows 10 1511 BitLocker supports XTS-AES128, which is the default encryption algorithm. Both Windows 8 and 10 have Used Disk Space Only enabled by default.

BitLocker is both symmetric and, indirectly, asymmetric multifactor encryption. When using encryption methods, you need to know that you have either symmetric or asymmetric encryption:

  • Symmetric encryption: You have a key to a lock. This key is used to open the door. In the certificate world, for example, this implies you have a certificate to encrypt data with. It is the Private Certificate that encrypts the data, but it is also used to decrypt the data. Encryption = Decryption
  • Asymmetric encryption: This implies you have a key to lock a lock, but you need another key to open it. In the certificate world this implies that the certificate you encrypt your data with is not the certificate you can decrypt the data with. You need another certificate, key or factor to decrypt your data. Encryption does not equal decryption. This is also called a Key Pair.
  • Let’s simplify:
    • The VMK encrypts and decrypts the disk
    • The VMK is encrypted by the TPM SRK + PCRs (+ PIN + USB in case you enabled them). To decrypt the VMK you need all of the factors mentioned above. It is not an “or”… it is an “and” operator.

BitLocker using the TPM chip means it is asymmetric by default. Let’s go a bit further down the rabbit hole:

When BitLocker is initiated it generates the Volume Master Key (VMK). While BitLocker initiates, it initializes the TPM chip (if not already done). During this process the TPM is requested to seal-sign the Volume Master Key with the TPM’s Storage Root Key (SRK) and the TPM Platform Configuration Registers (PCRs) used by BitLocker. These PCRs are configurable through GPO. If you enable TPM+PIN, then the VMK is sealed with the TPM’s SRK + the PCRs used by BitLocker or configured via GPO + the PIN. The same goes if you add the USB Startup Key, you get the drill. If any of these factors is incorrect, BitLocker ends up in BitLocker Recovery Mode and you are prompted to type the 48 digits. That’s it? No… but let’s go a bit deeper. Step by step…

Platform Configuration Registers:

[Images: TPM PCR BIOS, TPM PCR UEFI]

Depending on the type of firmware running on the CMOS (BIOS or UEFI), different PCRs are used. PCRs are, as mentioned before, configurable via the following GPOs:
Windows 7:
Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows S
http://gpsearch.azurewebsites.net/#8149

Windows 8+:
Configure TPM platform validation profile for BIOS-based firmware configurations
http://gpsearch.azurewebsites.net/#8150

Configure TPM platform validation profile for native UEFI firmware configurations
http://gpsearch.azurewebsites.net/#8151

By default the following PCRs are used:
BIOS: 0, 2, 4, 8, 9, 10, 11
– PCR0: Dynamic Root of Trust, BIOS Code, Platform Extensions
– PCR2: ROM Code
– PCR4: MBR Code
– PCR8: NTFS Boot Sector
– PCR9: NTFS Boot Block
– PCR10: NTFS Boot Manager
– PCR11: BitLocker’s Volume Master Key (VMK) and its critical components

This implies the following:
BitLocker creates the Volume Master Key and encrypts the hard drive with this key.
This is your treasure! So yes please, protection required! TPM to the rescue.

So what happens now is key:

BitLocker’s VMK is sealed (encrypted) with the TPM’s Storage Root Key (SRK) + PCR0 + PCR2 + PCR4 + PCR8 + PCR9 + PCR10 + PCR11.

This implies:

  • Set the TPM SRK, BitLocker VMK Sealing done, Clear TPM afterwards: SRK is not available = BitLocker Recovery Mode
  • Set the TPM SRK, BitLocker VMK Sealing done, Clear TPM afterwards, Take Ownership again: SRK available however it is no longer the same = BitLocker Recovery Mode
  • Change the BIOS boot order = PCR0 changes = BitLocker Recovery Mode
  • Flash the BIOS = PCR0 changes = BitLocker Recovery Mode
  • Flash the TPM Chip = changes the Dynamic Root of Trust of the TPM = PCR0 Changes = BitLocker Recovery Mode
  • Change flashable chips on your motherboard (CMOS, … ) = PCR2 changes = BitLocker Recovery Mode
  • Change the Master Boot Record, or the device has another MBR (replaced disk) (see ITRIS OS Project), to inject another binary coded kernel = MBR Code value in PCR4 no longer the same = BitLocker Recovery Mode
  • Change the Boot Sector (manipulation of the ‘physical’ Sector 0) = PCR8 changes = BitLocker Recovery Mode
  • Change the Boot Configuration Data (BCD) Store or the Windows Boot Manager on your bootable partition = PCR9 changes = BitLocker Recovery Key. This is a tricky one: to understand it you need to review BCDEdit and what the BCD Store does:
    • [Image: Win7BCDStoreBIOS.PNG]
    • Replace the Windows Boot Manager: Game Over: BitLocker Recovery Key
    • Replace the partition of the Windows Boot Manager: Game Over: BitLocker Recovery Key
    • Change the System Locale to a language other than en-us (as shown above): Game Over: BitLocker Recovery Key. This is one of the reasons why the System Locale is protected with User Account Control
    • Change any of these settings = Game Over: BitLocker Recovery Key
    • End up in Startup Repair or another Windows Recovery Environment scenario = BitLocker Recovery Mode
  • And last but not least, if you manipulate the VMK of BitLocker or the files of BitLocker itself outside the chain of trust between BitLocker and the TPM = BitLocker Recovery Key

Thank you BitLocker and TPM for keeping us safe!

Now, these PCRs were the ones for a BIOS-booted machine. When using UEFI-booted machines we have different PCRs involved. There is no MBR in UEFI, for example, so why measure it? We don’t use winload.exe to boot to Windows, we use winload.efi… so why measure winload.exe? We don’t boot to a disk, so why measure these?

So how does it work for UEFI?

UEFI: PCR 0, 2, 4, 7, 11
– PCR0: Core System Firmware executable code
– PCR2: extended or pluggable executable code
– PCR4: UEFI Boot Manager
– PCR7: Secure Boot State
– PCR11: BitLocker’s Volume Master Key (VMK) and its critical components

BitLocker’s VMK is sealed (encrypted) with the TPM’s Storage Root Key (SRK) + PCR0 + PCR2 + PCR4 + PCR7 + PCR11.

  • Flash the UEFI with unauthorized code = BitLocker Recovery Mode
  • Change anything to the Windows Boot Manager = BitLocker Recovery Mode
  • Switch Secure Boot on or off = BitLocker Recovery Mode
  • Last but not least, if you manipulate the VMK of BitLocker or the files of BitLocker itself outside the chain of trust between BitLocker and the TPM = BitLocker Recovery Key

That’s it in a nutshell, of course.
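To make the “and” operator concrete, here is a small Python model of sealing the VMK against the SRK, the UEFI PCR profile and a PIN. It is an example added here, not BitLocker’s or the TPM’s actual implementation: ToyTPM, the HMAC-derived toy cipher and the boot-chain values are all assumptions made up for illustration.

```python
import hashlib, hmac, os

UEFI_PROFILE = (0, 2, 4, 7, 11)  # default UEFI PCRs from the text
# Constructed boot chain {PCR index: measured bytes}; values are illustrative.
GOOD = {0: b"firmware-1.0", 2: b"option-rom", 4: b"bootmgr-v1",
        7: b"secureboot=on", 11: b"bitlocker"}

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class ToyTPM:
    def __init__(self):
        self.srk = os.urandom(32)  # stand-in SRK; clearing the TPM yields a new one

    def boot(self, chain):
        """Reset PCRs, then extend each one: new = H(old || H(component))."""
        self.pcrs = {i: bytes(32) for i in range(24)}
        for i, component in chain.items():
            digest = hashlib.sha256(component).digest()
            self.pcrs[i] = hashlib.sha256(self.pcrs[i] + digest).digest()

    def _keys(self, profile, pin):  # SRK AND selected PCRs AND PIN feed the keys
        root = mac(self.srk, b"".join(self.pcrs[i] for i in profile) + pin)
        return mac(root, b"pad"), mac(root, b"tag")

    def seal(self, vmk, profile, pin=b""):
        pad, tag_key = self._keys(profile, pin)
        sealed = bytes(a ^ b for a, b in zip(vmk, pad))  # toy cipher, 32-byte VMK
        return profile, sealed, mac(tag_key, sealed)

    def unseal(self, blob, pin=b""):
        profile, sealed, tag = blob
        pad, tag_key = self._keys(profile, pin)
        if not hmac.compare_digest(tag, mac(tag_key, sealed)):
            return None  # any factor differs: no VMK, recovery password needed
        return bytes(a ^ b for a, b in zip(sealed, pad))

def scenarios():
    tpm, vmk, pin = ToyTPM(), os.urandom(32), b"1234"
    tpm.boot(GOOD)
    blob = tpm.seal(vmk, UEFI_PROFILE, pin)
    def run(chain, pin_try=pin, chip=tpm):
        chip.boot(chain)
        return "unlocked" if chip.unseal(blob, pin_try) == vmk else "recovery"
    return {"unchanged": run(GOOD),
            "boot manager changed": run({**GOOD, 4: b"bootmgr-v2"}),
            "secure boot off": run({**GOOD, 7: b"secureboot=off"}),
            "wrong PIN": run(GOOD, pin_try=b"0000"),
            "TPM cleared": run(GOOD, chip=ToyTPM()),
            "PCR outside profile changed": run({**GOOD, 1: b"cfg"})}
```

Calling scenarios() unlocks only for the unchanged boot and for a change to a PCR outside the sealed profile; every other case ends in recovery.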

How to overcome this? Say you have a faulty device, but the disk is still OK. You move the disk to another laptop: the PCRs and TPM chip there won’t be able to decrypt the VMK of BitLocker, so it results in a Recovery Scenario. You type in the 48 digits that come along with this BitLocker setup, which lets you pass through to Windows, where BitLocker and the TPM realign with each other. From then on the new values are accepted as is.

If you know you will end up in a BitLocker Recovery scenario, but you’re still in Windows, make it easy on yourself and suspend BitLocker for 1 reboot, for example with Mighty PowerShell:

Suspend-BitLocker -MountPoint "C:" -RebootCount 1

Did you know this is also recommended when you patch Windows? Most patches don’t trigger BitLocker, but once in a while the Boot Manager (or another component) requires an update… You don’t want all your machines to end up in BitLocker Recovery Mode, do you?

Neither do I.