BitLocker installation

Thread starter: Vipin

Vipin

Hi,
Why do we need two partitions for BitLocker, a smaller partition and a
bigger partition, as per the installation guideline? I see it not used in
any way. Am I missing something?

Thanks,
Vipin
 
Hi Vipin,

All disk encryption products have either physically a decrypted partition,
or at least a hidden decrypted region on a disk. (In many cases, this aspect
of the architecture is 'hidden', but the requirement is always the same).

For BitLocker specifically, the following needs to happen:

1) Enough code must be loaded to show UI that is or can be localized to any
language. Microsoft considers localization an extremely important
requirement.
2) Code that can obtain a key with user interaction (to see this, try a USB
key with the key not present, or TPM+Pin, or Recovery password).
3) Code to decrypt a disk on the fly.

The code above lives in "BOOTMGR", with data files (e.g. localization fonts
and BCD settings) in the "\BOOT" directory. To store these on an encrypted
disk is a chicken & egg scenario.
-
Jamie Hunter [MS]
 
Thanks for the explanation, helpful.
One question, I cannot open the boot\bcd.log file. It seems to be always
locked up by a process.

Vipin

 
If you look under the registry, you'll find the BCD exposed under
HKEY_LOCAL_MACHINE\BCDxxxxxxxx. The correct way of manipulating BCD is via
the WMI interface (programmatically) or BCDEDIT (manually). If you're trying
to copy the BCD settings to a new partition (given the questions) - to be
done successfully this requires some non-trivial code. We're working on a
tool to do that for BitLocker.
-
Jamie Hunter [MS]

 
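As an added illustration of the layout discussed in this thread (not code from the thread or from Microsoft), the following PowerShell check lists which partition is the unencrypted system partition that carries BOOTMGR and the \BOOT directory, confirms that the OS volume itself is BitLocker-protected, and reads the boot manager entry through bcdedit rather than the HKLM\BCD* registry mount. It assumes Windows 8 / Server 2012 or later with the BitLocker and Storage modules available, run from an elevated prompt.

```powershell
# Added example, not from the thread: map the two-partition BitLocker layout.
# Assumes an elevated session on Windows 8+/Server 2012+ with the BitLocker
# and Storage PowerShell modules installed.
Import-Module BitLocker
Import-Module Storage

# 1) The system partition: flagged IsSystem, holds BOOTMGR and \BOOT\BCD.
#    This is the "smaller partition" and must stay readable before any key
#    is available, which is why it is not encrypted.
$systemPartitions = Get-Partition | Where-Object { $_.IsSystem }
if (-not $systemPartitions) {
    Write-Warning "No partition is flagged as the system partition; BOOTMGR location is unclear."
}
foreach ($p in $systemPartitions) {
    "System partition: disk {0} partition {1}, {2:N0} MB, type {3}" -f `
        $p.DiskNumber, $p.PartitionNumber, ($p.Size / 1MB), $p.Type
}

# 2) Every BitLocker-capable volume: which one is the OS volume (the "bigger
#    partition") and whether protection is actually on.
foreach ($v in Get-BitLockerVolume) {
    $role = if ($v.VolumeType -eq 'OperatingSystem') { 'OS volume' } else { 'data volume' }
    "{0} ({1}): protection {2}, {3}% encrypted, method {4}" -f `
        $v.MountPoint, $role, $v.ProtectionStatus, $v.EncryptionPercentage, $v.EncryptionMethod

    if ($v.VolumeType -eq 'OperatingSystem' -and $v.ProtectionStatus -ne 'On') {
        Write-Warning "OS volume $($v.MountPoint) is not protected; BOOTMGR will not be asked for a key."
    }
}

# 3) The boot manager's BCD entry, read the supported way (bcdedit) instead of
#    the registry hive mount mentioned in the reply. Braces are single-quoted so
#    PowerShell does not parse {bootmgr} as a script block.
bcdedit /enum '{bootmgr}'
```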