The stages of BitLocker startup are as follows:
- System integrity verification (if a TPM is present): Features of the computer and the Windows Boot Manager write values to the platform configuration registers (PCRs) of the TPM as the boot process proceeds, including a measurement of the MBR executable code.
- User authentication (optional): If user authentication is configured, the Windows Boot Manager collects a key from USB storage or a PIN from the user.
- VMK retrieval: The Windows Boot Manager requests that the TPM decrypt the VMK. If the hashes of the measurements written to the PCRs match those taken when BitLocker was set up, the TPM supplies the VMK. If any measurement does not match the recorded value, the TPM does not supply the decryption key, and BitLocker gives the user the option to enter the recovery key.
- Operating system startup: At this point, the Windows Boot Manager has validated the system integrity and now has access to the VMK. The VMK must be passed to the operating system loader; however, the Windows Boot Manager must avoid passing it to a potentially malicious operating system loader and thus compromising the security of the VMK. To ensure that the operating system loader is valid, the Windows Boot Manager verifies that the operating system loader executables match a set of requirements. The Windows Boot Manager also verifies that the boot configuration data (BCD) settings have not been modified. It does so by comparing them to a previously generated digital signature known as a message authenticity check (MAC). The BCD MAC is generated using the VMK, ensuring that it cannot be easily rewritten.
After the operating system loader is started, Windows can use the VMK to decrypt the FVEK and then use the FVEK to decrypt the BitLocker-encrypted volume. With access to the unencrypted data on the volume, Windows loads normally.
Prior to transitioning to the operating system, the OS Loader ensures that it will hand off at most one key (VMK) to the operating system. Prior to handing off the key to the operating system, the following conditions must apply:
- All features, up to and including BOOTMGR, must be correct. If they are not correct, the VMK will not be available.
- The VMK must be correct to validate the MAC of the metadata. BOOTMGR verifies this MAC.
- The OS loader must be the loader approved by the metadata associated with the VMK. Verified by BOOTMGR.
- The BCD settings must be the settings approved by the metadata associated with the VMK. Verified by BOOTMGR.
- The VMK must correctly decrypt the FVEK stored in the validated metadata. Verified by BOOTMGR.
- The FVEK must successfully decrypt data stored on the volume. An incorrect FVEK will result in invalid executable code or invalid data. In some cases, this is caught by code integrity.
- The Master File Table (MFT) must be encrypted by the correct FVEK to access all files.
- Phase 0 drivers, including Fvevol.sys, must be encrypted by the correct FVEK.
- The registry must be encrypted by the correct FVEK.
- The kernel and Hardware Abstraction Layer (HAL) must be encrypted by the correct FVEK.
- Phase 1 features must be encrypted by the FVEK because Fvevol.sys (itself encrypted by the FVEK) will only decrypt using the same FVEK.
- Phase 2 features must also be encrypted by the FVEK, for the reason stated in the previous entry.
The last point is particularly important, and it holds only if the data on the volume is entirely encrypted. In other words, a volume on which encryption was paused halfway through is not secure.
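The following is an added Python model of the startup stages and hand-off checks described above (PCR measurement, VMK sealed to the PCR value, the VMK-keyed BCD MAC); it is illustrative code written for this page, not Microsoft's implementation. The `ToyTPM` class, the seal/unseal construction (HMAC-derived pad under a toy root key), and the sample boot chain and BCD strings are all constructed assumptions; a real TPM seals with its own key hierarchy and policy.

```python
import hashlib
import hmac
import os
def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend: PCR = SHA-256(PCR || SHA-256(component)); order-dependent, one-way
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

class ToyTPM:  # stand-in for the chip: one PCR, one root key that never leaves it
    def __init__(self):
        self._srk = os.urandom(32)
        self.pcr = bytes(32)
    def extend(self, component: bytes):
        self.pcr = pcr_extend(self.pcr, component)
    def seal(self, secret: bytes):   # bind secret to the PCR value at setup time
        pad = hmac.new(self._srk, self.pcr, hashlib.sha256).digest()
        return self.pcr, bytes(a ^ b for a, b in zip(secret, pad))
    def unseal(self, blob):          # returns None if the boot chain changed
        expected_pcr, wrapped = blob
        if not hmac.compare_digest(self.pcr, expected_pcr):
            return None
        pad = hmac.new(self._srk, self.pcr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(wrapped, pad))

def measure_chain(tpm, chain):
    tpm.pcr = bytes(32)              # PCRs reset to zero on every power-on
    for component in chain:          # MBR, boot sector, BOOTMGR ... in order
        tpm.extend(component)

def bcd_mac(vmk: bytes, bcd: bytes) -> bytes:
    return hmac.new(vmk, bcd, hashlib.sha256).digest()  # keyed with the VMK

def boot(tpm, chain, sealed_vmk, bcd, stored_mac) -> str:
    measure_chain(tpm, chain)        # system integrity verification
    vmk = tpm.unseal(sealed_vmk)     # VMK retrieval
    if vmk is None:
        return "recovery"            # TPM withheld the VMK: recovery key prompt
    if not hmac.compare_digest(bcd_mac(vmk, bcd), stored_mac):
        return "bcd-tampered"        # BCD differs from what the MAC covered
    return "os-loader"               # VMK may be handed to the OS loader

def demo():
    # constructed sample chain and BCD; real components are the binaries themselves
    chain = [b"MBR code", b"NTFS boot sector", b"BOOTMGR"]
    bcd = b"path=\\Windows\\system32\\winload.exe"
    tpm, vmk = ToyTPM(), os.urandom(32)
    measure_chain(tpm, chain)        # BitLocker setup: measure the known-good chain
    sealed, mac = tpm.seal(vmk), bcd_mac(vmk, bcd)
    return (boot(tpm, chain, sealed, bcd, mac),
            boot(tpm, [b"modified MBR"] + chain[1:], sealed, bcd, mac),
            boot(tpm, chain, sealed, bcd + b" modified", mac))
```

`demo()` returns the outcome of three boots: the unmodified chain reaches the OS loader, a changed first-stage component leaves the TPM refusing to unseal the VMK (recovery path), and an edited BCD fails the VMK-keyed MAC check even though the VMK itself was released.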