Microsoft BitLocker Drive Encryption

[Сергей Ильин 1538]

Хотелось бы обсудить плюсы и минусы Microsoft BitLocker Drive Encryption, возможности шифрования жесткого диска целиком, которая встроена в Windows Vista Enterprise и Ultimate, а также в Windows 7 Enterprise и Ultimate.

Если говорить кратко, то это новое развитие Encrypting File System (EFS), которая уже давно встроена в Windows.

По умолчанию для шифрования используется алгоритм AES с 128-битным ключом. Сам ключ может храниться в TPM (Trusted Platform Module, важная особенность технологии) или в USB-устройстве. В случае с TPM при загрузке компьютера ключ может быть получен из него сразу, либо только после аутентификации с помощью USB-ключа или ввода PIN-кода пользователем. Таким образом, возможны следующие комбинации для доступа:

TPM

TPM + PIN

TPM + PIN + USB-ключ

TPM + USB-ключ

USB-ключ

Краткие технические характеристики можно посмотреть здесь

http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption

Описание от Microsoft:

Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. If you encrypt the operating system drive, the Windows system files necessary for startup and logon are also encrypted. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.

If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, disk errors, a change to the BIOS , or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to store the keys that are used to unlock the encrypted operating system drive. When you log on to your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.

If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a passphrase or a smart card, or set the drive to automatically unlock when you log on to the computer.

****************

Какие мнение есть по поводу этой технологии? Плюсы и минусы?