BitLocker - 2 questions (Multiple active keys / Modes of operation)

Hey everyone,

I'm doing research about the difference between BitLocker Drive Encryption and McAfee Endpoint Encryption. I've been using the Wikipedia page Comparison_of_disk_encryption_software (sorry, can't post a link apparently) as a starting place, but I need solid sources instead of believing everything on Wikipedia.

I found most by myself, but 2 things are not clear for me:

1. Multiple keys: Whether an encrypted volume can have more than one active key. I can't find out if that's the case or not; the reference on Wikipedia doesn't seem to work anymore. This doesn't mean multi-factor authentication (i.e. TPM + PIN), but can there be 2 PINs that can decrypt 1 volume?

2. Modes of operation: On Wikipedia there is a reference to a document that dates back to 2006. Is this still the case today, or did something change in BitLocker? If so, that answers 2 of the modes, but can someone shed some light on the last three: CBC with random per-sector keys, LRW and XTS?

Help will be much appreciated.

Kind regards,

- Jimmy


  • Edited by JimmyB1991 Tuesday, March 25, 2014 8:49 AM Little more info
March 25th, 2014 11:47am

Hi,

For question one:

BitLocker supports four different authentication modes, depending on the computer's hardware capabilities and the desired level of security:

BitLocker with a TPM

BitLocker with a TPM and a PIN

BitLocker with a TPM and a USB startup key

BitLocker without a TPM (USB startup key required)

If you mean recovery methods, there are three methods for recovery:

BitLocker recovery methods

http://technet.microsoft.com/en-us/library/ee706519(v=ws.10).aspx

For question two:

The basic technology still works for BitLocker, but you can get the new features in Windows 8.1:

What's New in BitLocker for Windows 8 and Windows Server 2012

http://technet.microsoft.com/en-us/library/hh831412.aspx

About BitLocker architecture, refer to this article:

BitLocker Architecture

http://technet.microsoft.com/en-us/library/cc732774(v=ws.10).aspx#BKMK_SystemDesign

Regarding the algorithm, BitLocker uses the AES-CBC + diffuser algorithm to encrypt. You can get more information in this document:

AES-CBC + Elephant diffuser

http://www.microsoft.com/en-in/download/details.aspx?id=13866

March 25th, 2014 12:56pm
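As an added example (not code from the thread or from Microsoft's documentation), the following PowerShell lists the key protectors on each BitLocker volume, which is the concrete form of the "authentication modes" listed above: a TPM-only volume shows a Tpm protector, TPM + PIN shows TpmPin, TPM + startup key shows TpmStartupKey, and a volume without a TPM shows an ExternalKey protector, usually alongside a RecoveryPassword protector. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated session; the function name Get-BitLockerProtectorSummary is my own. A volume can hold several protectors at once, but only one from the TPM family, and that is the protector that carries the PIN.

```powershell
# Added example (not from the thread): summarise the key protectors on each
# BitLocker volume so the authentication mode and any extra protectors
# (recovery password, startup key, ...) are visible at a glance.
# Requires the BitLocker module (Windows 8 / Server 2012 or later), elevated.
#Requires -RunAsAdministrator

function Get-BitLockerProtectorSummary {
    [CmdletBinding()]
    param(
        # Limit to one mount point (e.g. 'C:'); default is every volume.
        [string]$MountPoint
    )

    $volumes = if ($MountPoint) { Get-BitLockerVolume -MountPoint $MountPoint }
               else             { Get-BitLockerVolume }

    foreach ($vol in $volumes) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TPM-family protectors (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
        # are the ones that can hold a PIN. BitLocker allows only one of them
        # per volume, so a second PIN for the same OS drive is not possible.
        $tpmFamily = @($types | Where-Object { $_ -like 'Tpm*' })

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            ProtectorCount   = $types.Count
            TpmProtectors    = $tpmFamily.Count
            Protectors       = ($types -join ', ')
        }
    }
}

# Usage:
#   Get-BitLockerProtectorSummary | Format-Table -AutoSize
# The same data, with protector IDs, comes from: manage-bde -protectors -get C:
```

Run it on a machine using TPM + PIN and you will see exactly one TpmPin entry next to the recovery protector(s); trying to add a second TPM-type protector with manage-bde fails because one of that type already exists.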

Thanks for the quick reply, question 2 is answered. But question 1 is not. I mean, is it possible to have, for example, 2 different PINs to decrypt the same volume? So 2 active PINs for 1 volume.

About the second question, I read somewhere that the Elephant diffuser is not present anymore within BitLocker for Windows 8 and Windows Server 2012. Is this true?

Thanks! :)


  • Edited by JimmyB1991 Tuesday, March 25, 2014 10:44 AM Extra
March 25th, 2014 1:04pm

Hi,

Yes, in Windows 8 and Windows Server 2012, the Diffuser option is no longer available to be added to the Advanced Encryption Standard (AES) encryption algorithm.

The "Configure TPM validation profile" Group Policy setting is deprecated in Windows 8 and Windows Server 2012. It has been replaced with system specific policies for BIOS-based and UEFI-based computers.

The tpm option is no longer supported by manage-bde.

But I don't follow the 2 different PINs to decrypt the same encrypted volume.

March 26th, 2014 5:57am

Well, I'll try to explain:

We now have Endpoint Encryption, and there are SafeNet users in a database that synchronizes with all the clients (laptops). All laptop hard disks are encrypted with this software.

User A with his Laptop A can enter his password and then it will decrypt the laptop and boot it. If User B enters his password on Laptop A, he can still decrypt the hard drive and let it boot, because that user is in the database.

So is it possible with BitLocker to decrypt Laptop A with User A AND User B's PIN? Hope it's clear now :)

Thanks!

March 26th, 2014 4:08pm

Hi,

There is no such feature in BitLocker.

March 27th, 2014 5:03am

Thanks for clearing that up Alex. Apparently the Wikipedia comparison isn't correct on that. So it's not possible to share one laptop with multiple users unless they all know the same PIN for decrypting the volume/disk?

I'm just not sure about the modes of operation of BitLocker. In the document 'AES-CBC + Elephant diffuser' I found out that LRW is not used for multiple reasons. XTS is not mentioned, so I assume it's also not used.

About CBC I'm not entirely sure what BitLocker uses exactly. I'm comparing these three:

  • CBC with predictable IV
  • CBC with secret IV
  • CBC with random per-sector keys

In the document it looks like it's using CBC with a secret IV, but it also looks like BitLocker uses random per-sector keys. Can you maybe explain to me what's used within BitLocker? After that I won't bother you again, haha.

Again thank you for answering my other questions already, I really appreciate it. :)

- Jimmy

March 27th, 2014 11:11am

Hi,

Sorry, I have no additional document about this information, but the difference from previous versions is in Group Policy:

Computer Configuration-> Administrative Templates-> Windows Components-> BitLocker Drive Encryption

There should be two kinds of "Choose drive encryption method and cipher strength" policies; the one for Windows 8 and 8.1 has two choices: AES 128-bit and AES 256-bit.

March 28th, 2014 2:07am
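As an added example (not code from the thread or from Microsoft), here is a PowerShell check that shows both halves of this answer: what the "Choose drive encryption method and cipher strength" policy requests for newly encrypted volumes, and what cipher each existing volume actually uses. It assumes an elevated session with the BitLocker module, and it reads the policy from the registry key that the Group Policy template writes, HKLM\SOFTWARE\Policies\Microsoft\FVE, where the Vista/7 policy uses the value name EncryptionMethod (with the two diffuser choices) and the Windows 8 / 8.1 / Server 2012 policy uses EncryptionMethodNoDiffuser (AES-CBC 128 or 256 only). The function names and the $PolicyCipherNames table are my own; the numeric mappings follow the VolumeEncryption.admx template. One caveat beyond this 2014 thread: Windows 10 from version 1511 added XTS-AES under a third set of value names (EncryptionMethodWithXtsOs and friends), which this example deliberately leaves out.

```powershell
# Added example (not from the thread): compare the BitLocker cipher policy with
# the cipher each volume really uses. Policy values live under
# HKLM\SOFTWARE\Policies\Microsoft\FVE; the value name depends on which OS
# generation the policy was written for (EncryptionMethod: Vista/7, with
# diffuser choices; EncryptionMethodNoDiffuser: Windows 8/8.1 and Server 2012).
# Requires the BitLocker module and an elevated prompt.
#Requires -RunAsAdministrator

# Numeric policy values -> cipher names, as defined in VolumeEncryption.admx.
$PolicyCipherNames = @{
    1 = 'AES 128-bit with Diffuser'   # EncryptionMethod only (Vista/7)
    2 = 'AES 256-bit with Diffuser'   # EncryptionMethod only (Vista/7)
    3 = 'AES 128-bit (CBC, no diffuser)'
    4 = 'AES 256-bit (CBC, no diffuser)'
}

function Get-BitLockerCipherPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'EncryptionMethod', 'EncryptionMethodNoDiffuser') {
        # -ErrorAction SilentlyContinue: the value is simply absent when the
        # corresponding policy is "Not Configured".
        $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $raw = [int]$item.$name
            [pscustomobject]@{
                PolicyValue = $name
                Raw         = $raw
                Cipher      = if ($PolicyCipherNames.ContainsKey($raw)) { $PolicyCipherNames[$raw] }
                              else { "unknown ($raw)" }
            }
        }
    }
}

function Get-BitLockerCipherInUse {
    # EncryptionMethod on the volume object reports e.g. Aes128Diffuser,
    # Aes256Diffuser, Aes128, Aes256 or None.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $_.EncryptionMethod
            DiffuserPresent  = ($_.EncryptionMethod -like '*Diffuser*')
        }
    }
}

# Usage:
#   Get-BitLockerCipherPolicy | Format-Table -AutoSize   # what policy asks for
#   Get-BitLockerCipherInUse  | Format-Table -AutoSize   # what volumes really use
```

The policy only affects volumes encrypted after it is applied; a volume encrypted earlier (for instance with Aes128Diffuser on Windows 7) keeps that cipher after an upgrade until it is decrypted and re-encrypted, which is why the second function is the one to trust when auditing.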
