How does Microsoft BitLocker secure local, cloud resources?
The BitLocker encryption technology continues to evolve from its roots as a Windows Vista feature to protect resources both in the local data center and in the Azure cloud platform.
Few technologies have been as important to IT and enterprise security as encryption, which uses a mathematical algorithm to scramble the contents of a file -- or even an entire disk.
Without the unique key used to encrypt the data, nobody else can -- at least, not easily -- decrypt and read the hidden contents. In the event of a breach, a lost device or some other inappropriate disclosure, the data remains private and inaccessible.
What is Microsoft BitLocker technology?
Microsoft BitLocker encryption is a longtime Windows feature that debuted with Windows Vista in 2007. Microsoft continues to develop BitLocker as a full-volume drive encryption platform. BitLocker employs the AES encryption algorithm -- in cipher block chaining (CBC) or XTS mode -- with either a 128-bit or 256-bit key. The feature is available in Windows 10 and Windows Server.
How does BitLocker work in Azure?
More recently, Microsoft added BitLocker technology as a service for Azure Windows virtual machines called Azure Disk Encryption (ADE). The ADE encryption key -- essentially a BitLocker key -- is stored and protected by the Azure Key Vault service, and only authorized key users can read or run the protected Azure VM. ADE protects the VM host disks, the local cache and any data in transit between an Azure VM and Azure Storage.
To use ADE, the administrator creates a key vault for ADE and assigns user permissions. After a resource -- such as a VM -- is created, the administrator can attach the key vault and select a key with which to encrypt the resource.
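The steps above, carried out with the Az PowerShell module, as an added example that is not part of the original article. The resource group, VM, key vault and key names are assumed placeholders; the key vault name must be globally unique.

```powershell
# Added example (not from the original article): enable Azure Disk Encryption (ADE)
# on an existing Windows VM. All names below are assumed placeholders.
$rg       = 'rg-ade-demo'       # assumed resource group
$vmName   = 'vm-db01'           # assumed VM name
$kvName   = 'kv-ade-demo-01'    # assumed, must be globally unique
$location = 'eastus'

Connect-AzAccount | Out-Null

# 1. Create the key vault that will hold the BitLocker encryption key (BEK).
#    -EnabledForDiskEncryption grants the Azure platform permission to read
#    the BEK from the vault when the VM boots; this is the permission step
#    the article refers to.
$kv = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $location `
        -EnabledForDiskEncryption

# 2. Create a key encryption key (KEK) in the vault. ADE wraps the BEK with
#    this key, so only principals allowed to use the KEK can unwrap the disk.
$kek = Add-AzKeyVaultKey -VaultName $kvName -Name 'ade-kek' -Destination Software

# 3. Attach the vault and the selected key to the VM and encrypt both the OS
#    and data volumes. The extension writes the wrapped BEK into the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl  $kv.VaultUri `
    -DiskEncryptionKeyVaultId   $kv.ResourceId `
    -KeyEncryptionKeyUrl        $kek.Id `
    -KeyEncryptionKeyVaultId    $kv.ResourceId `
    -VolumeType All -Force

# 4. Verify: OsVolumeEncrypted and DataVolumesEncrypted should both report
#    'Encrypted' once the extension has finished.
Get-AzVmDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Encryption of a running VM takes some minutes and reboots it, so run the final status check again after the reboot completes.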
How does Microsoft BitLocker work on networks?
This is not the only evolutionary use of Microsoft BitLocker, which also serves as a secure means of booting on-premises servers on wired or wireless networks. The technology is called BitLocker Network Unlock. BitLocker Network Unlock adds a physical factor of authentication (the actual physical server, on its own network), building security for vital systems without the need for user interaction.
Consider an example: A sensitive enterprise database server is powered off and locked down with BitLocker. The underlying physical server uses a Trusted Platform Module (TPM) and is configured to use network unlock. When the database server is powered on, it obtains a key from the TPM and sends that key, along with an unlock request, to a separate Windows Deployment Server (WDS) on the local network. If the WDS recognizes the TPM key and the request -- which only succeeds when the server is on the local network where the service exists -- the WDS returns the credentials the database server needs to unlock the protected volume, decrypting the disk and allowing the system to boot normally.