Government Edition – Encrypting a USB Flash Drive in Windows 10
In this video, Security Instructor Mike Danseglio demonstrates how to use BitLocker in Windows 10 to secure files on a USB flash drive in a way that adheres to the stricter data protection requirements found inside government entities.
BitLocker 2-day instructor-led training is now available at Interface:
BITLOCK: Planning and Deploying BitLocker Drive Encryption Training
Video Transcription:
Hi. I’m Mike Danseglio. I’m an instructor here at Interface Technical Training. I want to talk a little bit about encrypting USB flash drives government edition.
Encrypting flash drives itself is an interesting concept, and fairly important one. Data is often moved from place to place, or computer to computer on USB flash drives. Files, folders, all that kind of stuff. We move it around between home machines and work machines, or between work computers.
We take it to Starbucks. We take data on a business trip with us. Whatever you’ve got. When data is portable, it’s oftentimes important to protect that data, very especially in the government sector where we have all kinds of different regulations that require data encryption whenever data is stored and moved off‑site, or even oftentimes, on‑site.
I’m going to talk a little bit about how to protect that data in Windows 10. I’m going to talk about that in very much a government context, because oftentimes, government requirements are slightly different than the default configuration in Windows 10. Civilian requirements are not quite as stringent in many cases as government requirements.
In particular, the key size for encrypting data in Windows 10, it defaults to 128‑bit encryption. Oftentimes in government agencies, we need to use 256‑bit encryption, 256‑bit AES. Not always, not universally. If this applies to you, you know who you are, but you probably need to know how to change that in Windows 10 so that you’re using that kind of encryption.
That’s what I’m going to show you right now.
First, I’m going to set up the proper type of cryptography for us. Then, I’m going to go ahead and show you how to encrypt the drive itself. It’s really important that we set up the cryptography first, because once the drive is encrypted, whatever key strength it used is going to stay, the key strength that’s in use on that drive.
First step is we come over to Windows 10. I’m going to make a change to the machine’s local policy. I’m going to do that with Local Group Policy Editor. I’m going to fire up gpedit.msc, and that will come up with the Local Group Policy Editor.
I’m going to change the BitLocker configuration that is stored under Administrative Templates, Windows Components, BitLocker Drive Encryption. Let me full screen this so it’s a little bit easier on the eyes.
Then, I’m going to come in here. I’m going to make sure to expand this, because notice we have three different types of choose drive encryption and cipher strength setting. It depends on which version of Windows we’re using. Windows 7, Server 2008 is this one, Windows 8, and other versions of Windows like that. That’s not good either.
We’re using a new version of Windows 10, 1511 or later. This is the one we want to configure. Super‑duper important to make sure that whichever setting you change, matches the version of Windows you’re using.
It’s very easy to make a change to the wrong one and the cryptography doesn’t change for you. I’ve double‑clicked the correct one, 1511 and later.
Now, I’m going to go on and click on Enable so I can actually make the changes in Group Policy. Because this context of this video is using USB flash drive, that’s removable data. This bottom option here, Removable Data Drive Encryption, that’s what we’re going to change.
I’m going to change that to 256‑bit AES. AES‑CBC, AES Cipher Block Chaining is going to be the more standard of them. We could certainly use 256‑bit XTS‑AES. It’s not standardized or it’s not widely accepted as the standard, yet it’s a little more efficient on large drives.
If we want to stick with what’s the most tried and true 256‑bit algorithm that we can use, AES‑CBC 256‑bit is going to be our friend.
We’ll OK that. That setting is applied. Done. Done with the configuration part.
Now all we have to do is fire up BitLocker and encrypt the drive. To do that, I’m going to need two drives. I’m going to need a drive to encrypt and I’m going to need a drive that will store my recovery key.
I’m going to put those in. What I do is I come over here to my lovely set of removable drives. It feels like Eeyore time. Eeyore is going to have to go in. We’re going to encrypt our Eeyore drive. That’s going to be our removable volume with all of our data storage. I’m also going to send this boring, ugly drive to store my recovery key.
Cool. Move evil monkey aside for a moment. Now, we’ve got our two drives set up. I don’t really need to plug in any more stuff. I can come back over here and encrypt all of that stuff, or the drive that I want to encrypt which is the Eeyore drive. I’m going to check to make sure I see Eeyore, which is the Oh Bother drive, makes sense. Oh Bother.
I’m going to create a file here just to make sure I’ve got something on the drive. Got a little text file. It’s got a tiny little bit of data. Do some things so that we know that the drive is populated.
Now, going to come back over here. I’m going to hit the Windows flag and I’m going to start typing the word BitLocker, which is the component of Windows 10 that actually does encrypt drives. We’ve got the Oh Bother drive showing up here.
BitLocker is off, we want to turn that on. I click on Turn On. BitLocker very quickly checks the drive to make sure that Windows 10 can enable BitLocker on the drive.
Then, we’re going to get asked for credentials that are going to be used to unlock the drive whenever it’s inserted. Going to have the choice of smart cards or password.
Most often, even if you have a common access card or a smart card in your organization, most likely it’s not going to be appropriate to use that for BitLocker unless we have a dedicated smart card for that, or unless you get Windows credentials on smart card.
Probably going to be more important or more appropriate to use a password. We’ll click Use a password. I’ll type the password, not a super‑secret password. It’s a good password though for video memo, that I don’t forget it.
Now, one of the more important questions we can answer is, what to do with the recovery key? Recovery key is created so that if we lose the password, we can get back into the drive. We can actually open up that data again.
This is the only way if we lose the password to get access to the data on that drive ever again. Otherwise, we’re going to have to try to crack the crypto, which is not going to work.
Save to a file. Windows is smart enough to know, “Hey, you can’t save this recovery key to the drive you’re encrypting.” That doesn’t make sense. You’re protecting the drive that you need to unprotect with the recovery key.
You can’t save the data to the local fixed drive either. You’re going to need another drive, which is why I inserted that boring drive, that boring USB stick. That’s where I’m going to save my recovery key. Boring drive is selected, and save that recovery key.
Now, next will become available to me. I get to choose whether to encrypt only the free space, or all of the space on the drive. The difference here is if there are files and folders on the drive and it’s a new drive, probably, those are the only chunks of the hard drive that contain sensitive data. Those are the only ones we would encrypt if we chose the default.
However, if the drive has been used several times, or used for a while, it may have old remnants of data on there that are unprotected, unencrypted. We wouldn’t want somebody to be able to come around and run like an undeletion utility or a forensic analysis tool and gather all of that data up from the drive itself.
We want to encrypt all of the drive, whether it’s in use currently or it’s not in use currently.
In government applications, oftentimes you’re going to want to encrypt the entire drive. It does warn us right here that it can take a while. Depending on the speed of the USB drive, might take quite a while. We might have to just let it run. We are talking about a drive called Eeyore.
If there’s one thing we know about Eeyore, not very fast, kind of mosey around. Now, we can start encrypting the Oh Bother drive and it’s off to go.
Now, the drive will be encrypting. It will take a while. You’ll see periodic refresh or flash on the screen. That means that Windows 10 is trying to refresh the screen to show you whether the drive is still encrypting or it’s finished encryption.
That’s it. This drive is now encrypted and data is protected on it. Unless we have the password, we cannot gain any access to the data again.
That is encrypting data on a USB flash drive government edition.
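The procedure shown in the video, as an added PowerShell example that is not part of the video or of Interface's material: it checks that the removable-drive policy really is AES-CBC 256-bit before encrypting, then verifies the cipher on the volume afterwards. The drive letters `E:` (drive to encrypt) and `F:` (drive for the recovery key) are assumptions.

```powershell
# Added example; run in an elevated PowerShell session on Windows 10 1511 or later.
# Assumed drive letters: E: is the flash drive to encrypt, F: holds the recovery key.
$target      = 'E:'
$recoveryDir = 'F:\'

# 1. Confirm the removable-drive cipher policy is AES-CBC 256-bit before encrypting.
#    The "Windows 10 (Version 1511) and later" policy stores the removable-drive
#    choice as EncryptionMethodWithXtsRdv: 3 = AES-CBC 128, 4 = AES-CBC 256,
#    6 = XTS-AES 128, 7 = XTS-AES 256.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$rdv = (Get-ItemProperty -Path $fve -Name EncryptionMethodWithXtsRdv `
            -ErrorAction SilentlyContinue).EncryptionMethodWithXtsRdv
if ($rdv -ne 4) {
    throw "Removable-drive policy is '$rdv', expected 4 (AES-CBC 256). Fix the policy first."
}

# 2. Refuse a volume that is already encrypted: its key strength cannot be changed in place.
$vol = Get-BitLockerVolume -MountPoint $target
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$target is already $($vol.VolumeStatus) using $($vol.EncryptionMethod)."
}

# 3. Encrypt the whole volume (no -UsedSpaceOnly) with a password protector.
$password = Read-Host -AsSecureString -Prompt "Password to unlock $target"
Enable-BitLocker -MountPoint $target -EncryptionMethod Aes256 `
    -PasswordProtector -Password $password | Out-Null

# 4. Add a recovery password and store it on the second drive, never on $target.
$vol  = Add-BitLockerKeyProtector -MountPoint $target -RecoveryPasswordProtector
$rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$file = Join-Path $recoveryDir "BitLocker-Recovery-$($rp.KeyProtectorId.Trim('{}')).txt"
$rp.RecoveryPassword | Set-Content -Path $file

# 5. Verify what the volume actually uses; a policy set under the wrong Windows
#    version heading would leave this at the 128-bit default.
$vol = Get-BitLockerVolume -MountPoint $target
"{0}: {1}, {2}, {3}% encrypted" -f $target, $vol.EncryptionMethod,
    $vol.VolumeStatus, $vol.EncryptionPercentage
if ($vol.EncryptionMethod -ne 'Aes256') {
    throw "Unexpected cipher on ${target}: $($vol.EncryptionMethod)"
}
```

`manage-bde -status E:` reports the same encryption method and percentage if you prefer the command-line tool.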