|
There’s a lot of new security features in Vista but I in my opinion the single most important one is Bitlocker drive encryption. For the first time Windows has built-in whole disk encryption with strong tamper resistance thanks to integration with the Trusted Platform Module (TPM) chip that most business laptops today are equipped.
What’s the difference between XP’s Encrypting File System (EFS) and Bitlocker? (Vista still has support for EFS by the way.) EFS is encryption on a file by file basis which creates many different situations where confidential information can leak out through copying the file to unencrypted folders, through temporary files and even through the paging file itself. More over EFS is more vulnerable to low level tampering than Bitlocker is when combined with TPM.
Bitlocker encrypts the entire volume where the OS and user files are stored which solves all kinds of problems. Furthermore the encryption key is stored in a tamper resistant TPM. Before allowing Windows to boot from this volume, the TPM makes sure a new, tiny bootstrap volume hasn’t been tampered with. This new bootstrap volume contains a few key files that get the boot process going. These files can’t be encrypted but there’s nothing secret in them. It’s just important to make sure they haven’t been modified by an attacker before allowing them to load Vista from the encrypted volume that occupies the rest of the drive.
|
