Microsoft BitLocker: Full disk encryption software overview

Expert Karen Scarfone examines the features of BitLocker, Microsoft's native full disk encryption software for Windows laptops, desktops and servers.

This is part of a series on the top full disk encryption products and tools in the market. For more, check out our FDE product roundup.

Microsoft BitLocker is full disk encryption software that is provided with particular versions of Windows and Windows Server. Full disk encryption (FDE) refers to the automatic encryption of the entire hard drive of a desktop, laptop or server so when the system is off, an attacker cannot access sensitive data from the drive. When the system is powered on, the user has to successfully authenticate in order to decrypt the hard drive.

Platform support

Microsoft BitLocker is supported by the following versions of Windows: Windows 10 Enterprise and Pro, Windows 8 and 8.1 Professional and Enterprise, Windows 7 Ultimate and Enterprise, Windows Vista Ultimate and Enterprise, and Windows Server 2008 and later.

Encryption and authentication support

Microsoft BitLocker uses the Advanced Encryption Standard (AES) encryption algorithm with either 128-bit or 256-bit keys. It is generally recommended to use 256-bit keys because of their superior strength.

Organizations that rely on 128-bit keys may need to convert those systems to 256-bit keys in the future, which requires re-encrypting the entire hard drive and inconveniencing users. The use of 256-bit keys with BitLocker is encouraged.

Although BitLocker has not been Federal Information Processing Standard (FIPS) 140-2-certified, the cryptographic modules it uses have been. This is a common practice, and the certification of the modules, not BitLocker, is what really matters.

FIPS 140-2 certification means the cryptographic modules were tested to confirm that they meet specified cryptographic requirements. This does not mean the cryptographic modules are vulnerability-free, but rather that no common vulnerabilities were detected during testing.

Authentication options are rather limited when using BitLocker. The feature is intended to be used with a Trusted Platform Module (TPM), and authentication can be achieved through specifying a PIN or storing a key on a flash drive, which the user would then need to insert in order to boot the system. If a TPM is not available, BitLocker can still be used, but the use of a flash drive for authentication becomes mandatory.

A common practice when using BitLocker is to additionally deploy a third-party FDE product -- such as Dell Data Protection | Encryption, McAfee Complete Data Protection or Sophos SafeGuard Enterprise Encryption -- that can manage the BitLocker configuration. These third-party products add a variety of authentication options, which can improve both the security and the usability of BitLocker authentication.


BitLocker is primarily intended for local management. Some aspects of the FDE feature can be configured and controlled through Group Policy, but overall it is geared for local management.

An example is the key recovery option for users. There is a recovery password, but it is 48 digits long and it is only available locally, such as saved to a file or printed out. If the user fails to record this recovery password, or loses the recording of the password, there may not be any way to recover access to the user's system.

As mentioned above, there are third-party commercial products available that can add centralized management capabilities, authentication options and other features onto a Microsoft BitLocker deployment. These products typically support BitLocker and Apple FileVault 2 management, meaning systems using either FDE solution can be managed from a single console.
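The key-length, authentication and recovery points above can be checked per volume with the BitLocker PowerShell module. The following is an added example, not part of the original article or any Microsoft tooling: `Test-BitLockerPosture` is a hypothetical helper name, the sample volumes are constructed, and it assumes a Windows version that ships the `Get-BitLockerVolume` cmdlet.

```powershell
# Added example: evaluate BitLocker volume objects against the points in this article.
function Test-BitLockerPosture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Volume
    )
    process {
        # Protector type names as strings, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $findings = @()
        # Key length: method names look like Aes128, Aes256, XtsAes128, XtsAes256.
        if ("$($Volume.EncryptionMethod)" -notmatch '256') {
            $findings += "key length is not 256-bit ($($Volume.EncryptionMethod))"
        }
        # Pre-boot authentication: a PIN or a startup key on a flash drive.
        $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'
        if (-not ($types | Where-Object { $_ -in $preBoot })) {
            $findings += 'no PIN or startup-key protector'
        }
        # Recovery: the 48-digit recovery password must exist before it can be recorded.
        if ('RecoveryPassword' -notin $types) {
            $findings += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = $types -join ','
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output (not real systems).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'Aes128'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' }) },
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'Aes256'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
$sample | Test-BitLockerPosture | Format-Table -AutoSize

# On a live system, from an elevated prompt: Get-BitLockerVolume | Test-BitLockerPosture
```

With the constructed sample, `C:` is reported with all three findings and `D:` with none.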

Microsoft BitLocker for small business

BitLocker is conveniently built into various versions of Windows, but it is primarily intended for local management. That makes BitLocker a viable option for individuals and small enterprises that do not rely on centralized management.

There are significant usability concerns with requiring users to carry a flash drive and securely store a 48-digit recovery password, however. Most organizations will find that BitLocker is a much better technology when paired with a third-party commercial product that offers BitLocker management features, such as centralized management and key recovery, not to mention a range of single-factor and multifactor authentication options.
