There are significant usability concerns with requiring users to carry a flash drive and securely store a 48-digit recovery password, however. That makes BitLocker a viable option for individuals and small enterprises that do not rely on centralized management. Microsoft Bitlocker for small businessīitLocker is conveniently built into various versions of Windows, but it is primarily intended for local management. These products typically support BitLocker and Apple FileVault 2 management, meaning systems using either FDE solution can be managed from a single console.
If the user fails to record this recovery password, or loses the recording of the password, there may not be any way to recover access to the user's system.Īs mentioned above, there are third-party commercial products available that can add centralized management capabilities, authentication options and other features onto a Microsoft BitLocker deployment. There is a recovery password, but it is 48 digits long and it is only available locally, such as saved to a file or printed out. Some aspects of the FDE feature can be configured and controlled through Group Policy, but overall it is geared for local management.Īn example is the key recovery option for users. ManagementīitLocker is primarily intended for local management. These third-party products add a variety of authentication options, which can improve both the security and the usability of BitLocker authentication. If a TPM is not available, BitLocker can still be used, but the use of a flash drive for authentication becomes mandatory.Ī common practice when using BitLocker is to additionally deploy a third-party FDE product - such as Dell Data Protection | Encryption, McAfee Complete Data Protection or Sophos SafeGuard Enterprise Encryption - that can manage the BitLocker configuration. The feature is intended to be used with a Trusted Platform Module (TPM), and authentication can be achieved through specifying a PIN or storing a key on a flash drive, which the user would then need to insert in order to boot the system. This does not mean the cryptographic modules are vulnerability-free, but rather that no common vulnerabilities were detected during testing.Īuthentication options are rather limited when using BitLocker. This is a common practice, and the certification of the modules, not BitLocker, is what really matters.įIPS 140-2 certification means the cryptographic modules were tested to confirm the meeting of specified cryptographic requirements. The use of 256-bit keys with BitLocker is encouraged.Īlthough BitLocker has not been Federal Information Processing Standard (FIPS) 140-2-certified, the cryptographic modules it uses have been. Organizations that rely on 128-bit keys may need to convert those systems to 256-bit keys in the future, which requires re-encrypting the entire hard drive and inconveniencing users. It is generally recommended to use 256-bit keys because of their superior strength. Microsoft BitLocker uses the Advanced Encryption Standard (AES) encryption algorithm with either 128-bit or 256-bit keys.
What is bitlocker drive encryption windows 10#
Microsoft BitLocker is supported by the following versions of Windows: Windows 10 Enterprise and Pro, Windows 8 and 8.1 Professional and Enterprise, Windows 7 Ultimate and Enterprise, Windows Vista Ultimate and Enterprise, and Windows Server 2008 and later.