Instead, the goal is to provide “better than nothing” encryption, which is far superior to leaving the disks in clear text. With all of that said, this form of implementation is not the most secure available, since, for example, it won’t allow for multi-factor authentication. Note that in this article, only TPM recovery key is covered, meaning that only the OS volume is managed, without PIN codes to remember, no usb key required at logon, 100% transparent as far as users are concerned! In order to ease the manageability effort required by BitLocker, we want to leverage a traditional System Management platform, such as System Center Configuration Manager, as well as the IDaaS (Identity as a service) feature offered by Azure Active Directory and the automation capabilities provided by Azure Automation, so as to allow the end-user to recover the BitLocker key protector by accessing the portal. The problem with enabling BitLocker, or any other security feature, is that it poses a significant burden on administrators in terms of: manageability, reliability and required knowledge. Therefore, drive encryption is an integral part of good security.
#BITLOCKER KEY PASSWORD#
Not only is the local data on an unencrypted disk at risk, but other sensitive data like password hashes could also be recovered and used for other malicious purposes. This can be done by simply docking the system’s HDD onto another computer to browse the file system or by running a live distro of Linux\WinPE where the data would be in clear text. With traditionally un encrypted disks (the vast majority of the world’s computers), attackers could extract all of the data available on the local disk. BitLocker is a free encryption feature in Windows that comes standard on most versions of the OS and allows for the encryption of drives on the system, as a layer of security.