Implementing Whole Disk Encryption with Microsoft Windows Vista Bitlocker at the McIntire School of Commerce

The McIntire school, as part of a University of Virginia wide effort to eliminate and protect sensitive data, selected Microsoft Windows Vista's bitlocker drive encryption for securing data on mobile computers.

The McIntire school of Commerce at the University of Virginia was seeking a way to implement whole disk encryption for mobile computing. McIntire required a solution that was transparent to the end user and provided a mechanism for automated recovery key escrow in a secure central repository. The mobile computing environment consists of 125 Dell latitude D620s and D630s, as well as a handful of Lenovo thinkpads. All of these laptops contained at least Trusted Platform Module (TPM) 1.2 hardware (most newer commercially available laptops do). The school also maintained a windows 2003 active directory domain. After evaluating a number of options, including the open source truecrypt solution, we settled on using the bitlocker feature of Windows Vista. Bitlocker, included with windows Vista Enterprise and Ultimate editions, provides entire volume encryption with up to 256 bit AES encryption. There are three modes to use bitlocker, transparent operation mode (which requires TPM 1.2 hardware), user authentication mode (which requires a PIN or USB token to boot), and USB key mode (no TPM hardware required). The school settled on transparent mode to balance enhancing security with usability impact. Microsoft provides a free bitlocker deployment kit, which includes the tools necessary to prepare active directory and group policy to store the bitlocker and TPM keys in active directory.