Windows Vista Forums

Vista - Bitlocker swap file

 
Old 12-11-2006   #1 (permalink)
lvjobhunt


 
 

Bitlocker swap file

Does bitlocker encrypt the swap file? Is there anything on a bitlocker driver
that can be recovered?

How does this compare to freeware like compusec?

Old 12-11-2006   #2 (permalink)


 
 

BitLocker encrypts (almost) all sectors on the whole volume, including the swap file, hibernation file and unallocated/free space.

It is the newest and best encryption software. Very sound cryptographically. Very good for a domain because it can escrow the computer key into the Active Directory.
It is very well made.

Nik
Old 12-11-2006   #3 (permalink)
Jamie Hunter [MS]


 
 

Re: Bitlocker swap file

BitLocker encrypts the page file (swap file), and even encrypts crash-dump
files and hibernation files (things often overlooked). Only the boot files
and portions of metadata are in clear text, none of which provide any
sensitive information.

Because BitLocker was designed in conjunction with Vista, these special
files are handled seamlessly, allowing all the OS functionality you would
expect... securely without requiring special workarounds.

When BitLocker is enabled, it encrypts the volume carefully to ensure that
no data is left unencrypted, and to ensure that if the computer crashes in
the middle of conversion of the volume, it is recoverable.

As I've never installed CompuSec, I can't give you a comparison, but why not
try both out and see which meets your needs better?

Things to consider when comparing products, for example, is if you use a
user-remembered password for boot authentication, how easy is it to crack?
When using TPM+PIN, then the TPM hardware helps mitigate brute-force
attacks, making an easily remembered PIN harder to crack than many password
solutions. The TPM also detects tampering of pre-boot files.

-
Jamie Hunter [MS]

"lvjobhunt" <lvjobhunt@discussions.microsoft.com> wrote in message
news3186967-544F-4776-9FFA-8A123A438E28@microsoft.com...
> Does bitlocker encrypt the swap file? Is there anything on a bitlocker
> driver
> that can be recovered?
>
> How does this compare to freeware like compusec?


Old 12-12-2006   #4 (permalink)
Roof Fiddler


 
 

Re: Bitlocker swap file

"Jamie Hunter [MS]" <jamiehun@nospam.microsoft.com> wrote in message
news:E830023B-789D-4F6C-ACF5-B9D6D55B02F3@microsoft.com...
> portions of metadata are in clear text

Which portions exactly?

Old 12-12-2006   #5 (permalink)


 
 

The three .fve blobs in System Volume Information. When you read those under a live system they are filled with \x00.
The $Boot file is also not encrypted. There are probably other boot files.
How does BitLocker know which files are encrypted and which are not?
Old 12-12-2006   #6 (permalink)
Jamie Hunter [MS]


 
 

Re: Bitlocker swap file

Specifically $BOOT is the first 8K of the disk, and contains information
such as file-system size; unused boot code; and some "snapshot" information.
It also points to the first copy of BitLocker metadata (see
http://blogs.msdn.com/si_team/archiv...itlocker.aspx).
Each copy of metadata (shadowed by the three .fve files in system volume
information) point to each other. The primary structure is decrypted, but
contains encrypted components. The entire structure has a MAC (Message
Authenticity Check).
The final piece of decrypted data is the backup boot sector at the end of
the volume immediately after the file-system. That's 5 decrypted and easily
identifiable regions in total. None of which contain sensitive information.

An example of decrypted data in the metadata is a label that helps identify
the volume and key labels to help find the recovery key.
An example of encrypted data in the metadata is the VMK (Volume Master Key)
encrypted by an externally provided (or TPM provided) key; and the FVEK
(Full Volume Encryption Key) encrypted by the VMK.

Hope this helps?
-
Jamie Hunter [MS]

"niknik" <niknik.2ipsca@no-mx.vista64.net> wrote in message
news:niknik.2ipsca@no-mx.vista64.net...
>
> The three .fve blobs in System Volume Information. When you read those
> under a live system they are filled with \x00.
> The $Boot file is also not encrypted. There are probably other boot
> files.
> How does BitLocker know which files are encrypted and which are not?
>
>
> --
> niknik
> ------------------------------------------------------------------------
> niknik's Profile: http://vista64.net/forums/member.php?userid=637
> View this thread: http://vista64.net/forums/showthread.php?t=29093
>
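
The layout described in this post, as an added example that is not part of the thread and not Microsoft's code: it walks from $BOOT to the three metadata copies, checks that the copies point to each other, and lists the five clear-text regions. The field offsets (signature at byte 3, geometry at bytes 11-13, sector count and first-metadata cluster at bytes 40 and 56, copy offsets at bytes 32-55 of each metadata header) are assumptions taken from public reverse-engineering notes on the Vista format, and the image is constructed.

```python
import struct

SIGNATURE = b"-FVE-FS-"  # assumed marker in $BOOT and at the start of each metadata copy

def parse_boot_sector(sector: bytes) -> dict:
    """Read the clear-text $BOOT fields (offsets are assumptions, Vista layout)."""
    if len(sector) < 64 or sector[3:11] != SIGNATURE:
        raise ValueError("not a BitLocker boot sector")
    bps, spc = struct.unpack_from("<HB", sector, 11)  # bytes/sector, sectors/cluster
    total, _mft, meta_cluster = struct.unpack_from("<QQQ", sector, 40)
    if bps == 0 or spc == 0:
        raise ValueError("corrupt geometry fields")
    return {"fs_size": total * bps, "first_metadata": meta_cluster * bps * spc}

def metadata_pointers(image: bytes, offset: int) -> tuple:
    """Return the three copy offsets stored in the metadata header at `offset`."""
    header = image[offset:offset + 64]
    if len(header) < 64 or header[:8] != SIGNATURE:
        raise ValueError(f"no metadata block at {offset:#x}")
    return struct.unpack_from("<QQQ", header, 32)

def cleartext_regions(image: bytes) -> list:
    """List the five unencrypted regions, failing if the copies disagree."""
    boot = parse_boot_sector(image[:512])
    copies = metadata_pointers(image, boot["first_metadata"])
    if copies[0] != boot["first_metadata"]:
        raise ValueError("$BOOT does not point at the first metadata copy")
    for off in copies:  # every copy must list the same three offsets
        if metadata_pointers(image, off) != copies:
            raise ValueError(f"metadata copy at {off:#x} is inconsistent")
    regions = [("$BOOT", 0)]
    regions += [(f"metadata copy {i}", off) for i, off in enumerate(copies, 1)]
    # Backup boot sector sits immediately after the file system.
    return regions + [("backup boot sector", boot["fs_size"])]

def build_sample_image() -> bytes:
    """Constructed image: 1 MiB file system plus one trailing backup sector."""
    bps, spc, total = 512, 8, 2048
    copies = [16 * 4096, 96 * 4096, 176 * 4096]
    img = bytearray(total * bps + bps)
    img[0:11] = b"\xeb\x52\x90" + SIGNATURE
    struct.pack_into("<HB", img, 11, bps, spc)
    struct.pack_into("<QQQ", img, 40, total, 0, 16)
    img[-bps:] = img[:bps]  # backup copy of the boot sector
    for off in copies:
        img[off:off + 8] = SIGNATURE
        struct.pack_into("<QQQ", img, off + 32, *copies)
    return bytes(img)

if __name__ == "__main__": print(cleartext_regions(build_sample_image()))
```

The check covers only the structure pointers; it does not verify the MAC over the metadata or touch any encrypted component.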


Old 12-12-2006   #7 (permalink)


 
 

Yes - this completely answers my last question.

I guess since BitLocker is a Full Volume Encryption (hence the .FVE extension) it only encrypts the OS volume and not the BCD partition needed for the booting or any other partitions.

Does BitLocker support external volumes yet?


Thank you.
Old 12-12-2006   #8 (permalink)
Josh


 
 

Re: Bitlocker swap file

You can encrypt other volumes if you use the managebde script. Tread
lightly however is my best advice as you really need to understand what you
are doing here to do it correctly. Be sure to escrow that key.

--
Josh
http://windowsconnected.com

"niknik" <niknik.2iqeln@no-mx.vista64.net> wrote in message
news:niknik.2iqeln@no-mx.vista64.net...
>
> Yes - this completely answers my last question.
>
> I guess since BitLocker is a Full Volume Encryption (hence the .FVE
> extension) it only encrypts the OS volume and not the BCD partition
> needed for the booting or any other partitions.
>
> Does BitLocker support external volumes yet?
>
>
> Thank you.
>
>
> --
> niknik
> ------------------------------------------------------------------------
> niknik's Profile: http://vista64.net/forums/member.php?userid=637
> View this thread: http://vista64.net/forums/showthread.php?t=29093
>


Old 12-13-2006   #9 (permalink)


 
 

Thank you!