Rsat Bitlocker Drive Encryption Administration Utilities Download ##BEST##


May Mcgriff

Jan 20, 2024, 5:15:05 AM1/20/24
to nitacsixthge

BitLocker provides AD integration with Group Policy as well as solutions for backing up recovery information for encrypted drives to AD computer account objects. BitLocker offers an effective option for encrypted drives for IS and the tools to support the service for domain-joined workstations. Additionally, drive encryption may aid in protecting IS from FERPA violations.

We restrict the ability to encrypt USB sticks with BitLocker-To-Go to a couple help-desk computers. Employees cannot encrypt drives themselves, and unencrypted USB devices are not recognized at all by the computers. That way, the recovery key is stored in AD on the computer that performed the encryption and we maintain the required security for our domain computers.


  • TPM + PIN: When TPM and a PIN are specified, BitLocker uses both to protect the encryption key. Use the -TpmAndPinProtector switch parameter to establish this key protector and specify a PIN as a secure string. You could use the ConvertTo-SecureString cmdlet to generate a secure string.
  • TPM + Startup Key (USB drive): BitLocker uses both TPM and a startup key (a removable USB flash drive containing an external key) as key protectors to protect the encryption key. Use the -TpmAndStartupKeyProtector switch parameter to define this key protector.
  • TPM + Startup Key + PIN: BitLocker uses TPM, a startup key, and a PIN as key protectors to protect the encryption key. To work with a combination of all these key protectors, use the -TpmAndPinAndStartupKeyProtector switch parameter.
  • Startup Key: BitLocker uses a removable USB storage drive to protect the encryption key. For this key protector, use the -StartupKeyProtector switch parameter and the -StartupKeyPath parameter to specify the path of the key.
  • Recovery Key: BitLocker uses a recovery key stored as a file to protect the encryption key. When you establish a startup key or a recovery key as a key protector, you must specify a path to store the key. To define this, use the -RecoveryKeyProtector switch along with the -RecoveryKeyPath parameter to specify a folder in which a randomly generated recovery key is stored.
  • Password: BitLocker uses a password to protect the encryption key. The -PasswordProtector switch specifies this key protector, and the -Password parameter passes a secure string.
  • Recovery Password: BitLocker uses a recovery password to protect the encryption key. To establish this key protector, use the -RecoveryPasswordProtector switch parameter. If you use this key protector without specifying a password, a random 48-digit recovery password will be generated automatically.
  • AD Account: BitLocker uses an AD account to protect the encryption key.

The Enable-BitLocker cmdlet lets you specify only one combination from the aforementioned key protectors. But you could use the Add-BitLockerKeyProtector cmdlet to add more key protectors later on.

  • Encryption Method: By default, BitLocker uses XTS-AES-128, but you can specify the encryption method using the -EncryptionMethod parameter, which accepts values of Aes128, Aes256, XtsAes128, and XtsAes256.
  • Used Space Only: By default, BitLocker encrypts the entire volume, including any unallocated space; this can be a time-consuming process for large volumes. To speed up the encryption process, you can use the -UsedSpaceOnly switch. The unallocated space remains unencrypted, but it is automatically encrypted as the data is stored.
  • Hardware Encryption: By default, BitLocker uses software encryption but supports hardware encryption as well. You can use the -HardwareEncryption switch on supported disks. As per this security advisory, there are vulnerabilities in certain self-encrypting drives (SEDs), so Microsoft recommends using software-only encryption instead.
There are other parameters supported by the Enable-BitLocker cmdlet, but covering everything is not possible in a single post. If you're interested in learning all the parameters, use the Get-Help Enable-BitLocker -Detailed command.

This command establishes the startup key (USB) as a key protector and specifies the path of a flash drive to store the BitLocker encryption key. The encryption key is stored with the .BEK file extension as a hidden system file, so you need to use the Get-ChildItem cmdlet with the -Force parameter, as shown in the screenshot:
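The protector combinations and the "one combination per Enable-BitLocker call, add the rest with Add-BitLockerKeyProtector" rule above, worked through end to end as an added example (not code from the original post): enable TPM + PIN on the OS volume, add a recovery password, escrow it to the AD computer object as the post's AD integration describes, and verify both protectors exist. It assumes an elevated session on a domain-joined machine with a ready TPM and an AD schema that accepts BitLocker recovery information; the mount point "C:" and the function name are assumptions.

```powershell
# Added example, not from the original post. Assumes: elevated session, domain-joined
# machine, TPM present and ready, AD prepared for BitLocker recovery escrow.
#Requires -RunAsAdministrator
#Requires -Modules BitLocker, TrustedPlatformModule

function Enable-OsVolumeBitLocker {
    param([string]$MountPoint = "C:")   # assumed OS volume

    # TPM + PIN needs a ready TPM; fail early rather than half-configure the volume.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not present or not ready; cannot use the TPM + PIN protector."
    }

    # Read the PIN as a SecureString instead of hard-coding it in the script.
    $pin = Read-Host -Prompt "Enter the BitLocker startup PIN" -AsSecureString

    # Enable-BitLocker accepts only one protector combination per call.
    # -UsedSpaceOnly speeds up fresh installs; -SkipHardwareTest avoids the reboot check.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $pin -SkipHardwareTest | Out-Null

    # Add the recovery password afterwards; with no -RecoveryPassword given,
    # BitLocker generates a random 48-digit one.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # Escrow every recovery password protector to the computer object in AD so the
    # help desk can recover the drive without the key living only on this client.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($kp in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Verify: refuse to report success unless both protector types are present.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint
    $types = $volume.KeyProtector.KeyProtectorType
    if ('TpmPin' -notin $types -or 'RecoveryPassword' -notin $types) {
        throw "Expected TpmPin and RecoveryPassword protectors, found: $($types -join ', ')"
    }
    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $volume.EncryptionMethod
        VolumeStatus     = $volume.VolumeStatus
        Protectors       = $types
    }
}

Enable-OsVolumeBitLocker -MountPoint "C:"
```

After the run, Get-BitLockerVolume -MountPoint "C:" should list both a TpmPin and a RecoveryPassword protector, and the recovery password should be visible on the computer object in AD.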
