Device Encryption in Windows 8.1 and BitLocker Drive Encryption

What exactly is the Device Encryption feature that Microsoft supports in Windows 8.1 and how is it linked to BitLocker Drive Encryption (BDE)?

Jan De Clercq

March 5, 2015


Q: What exactly is the Device Encryption feature that Microsoft supports in Windows 8.1 and how is it linked to BitLocker Drive Encryption (BDE)?

A: Device Encryption is a new consumer-oriented security feature of Windows 8.1 that automatically encrypts the Operating System (OS) drive and all fixed data drives. Rather than requiring the user or administrator to enable and configure the encryption, the platform's drives are encrypted out of the box. The encryption is invisible during normal use: users can log in and use the system just as they would use an unencrypted system. If someone stole the system, however, he would not be able to get at any of the data without knowing the user account's password, because the device encryption key is protected by a secret derived from that password. You can check the Device Encryption status of your Windows 8.1 system at the bottom of the "PC Info" section in the device settings.

Device Encryption is available in every Windows 8.1 edition - not just the enterprise editions, but also the consumer ones - and can be used on both x86 and x64 platforms. To support Device Encryption, your Windows 8.1 platform must have a version 2.0 (v2.0) Trusted Platform Module, as specified in the Windows Hardware Certification Kit (HCK) requirements for TPM and Secure Boot on Connected Standby systems (see https://msdn.microsoft.com/en-us/library/windows/hardware/hh833788.aspx for more information). Your system must also support connected standby, a new power state with very low power consumption that still maintains Internet connectivity.

Under the hood, Device Encryption uses BitLocker with 128-bit AES symmetric encryption. It also supports a recovery mechanism whereby the recovery key can be stored either online on a Microsoft server or in an organization's Active Directory (AD). In the former case the recovery key is protected by the user's Microsoft Account; in the latter case it is protected by the user's AD account. See the following Microsoft TechNet article for more details on how to configure the Device Encryption recovery options: https://technet.microsoft.com/en-us/library/dn306081.aspx#BKMK_Encryption.
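As an added example, not from the article or from Microsoft, the following PowerShell script audits a Windows 8.1 machine against the points above: a TPM 2.0 is present, connected standby is supported, and each OS and fixed data drive reports its BitLocker status, encryption method and key protectors (including whether a recovery password protector exists). It assumes an elevated prompt and that the BitLocker PowerShell module (Get-BitLockerVolume) is available.

```powershell
# Added example (not the article's or Microsoft's code): Device Encryption audit for Windows 8.1.
# Assumes an elevated PowerShell prompt and the BitLocker module (Get-BitLockerVolume).

# 1. TPM present and at spec version 2.0. Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.16".
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Warning 'No TPM found: Device Encryption cannot be enabled on this system.'
} else {
    $specMajor = ($tpm.SpecVersion -split ',')[0].Trim()
    $tpmOk = ($specMajor -eq '2.0')
    "TPM spec version: $($tpm.SpecVersion) (required: 2.0) -> $(if ($tpmOk) { 'OK' } else { 'NOT OK' })"
}

# 2. Connected standby. 'powercfg /a' lists "Standby (Connected)" under the available sleep states
#    when the platform supports it; only the text before the "not available" section is inspected
#    so that an unsupported state listed with a reason does not count as a match.
$powerReport = powercfg /a | Out-String
$availableStates = ($powerReport -split 'not available on this system')[0]
$csOk = $availableStates -match 'Standby \(Connected\)'
"Connected standby supported -> $(if ($csOk) { 'OK' } else { 'NOT OK' })"

# 3. BitLocker state of the OS drive and all fixed data drives. Device Encryption should show
#    FullyEncrypted, Protection On, method Aes128, a Tpm protector and a RecoveryPassword protector
#    (the latter is what gets escrowed to the Microsoft Account or to AD).
Get-BitLockerVolume | ForEach-Object {
    $protectorTypes = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        Drive             = $_.MountPoint
        Type              = $_.VolumeType        # OperatingSystem or Data
        Status            = $_.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        Protection        = $_.ProtectionStatus  # On means the volume key is actually sealed
        Method            = $_.EncryptionMethod  # Device Encryption uses Aes128
        KeyProtectors     = ($protectorTypes -join ',')
        RecoveryKeyExists = ($protectorTypes -contains 'RecoveryPassword')
    }
} | Format-Table -AutoSize
```

A drive that shows Protection Off or no RecoveryPassword protector is the case to investigate: the data is either not yet sealed to the TPM or has no escrowed recovery key.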

Jan De Clercq is a member of HP’s Technology Consulting IT Assurance Portfolio team. He focuses on cloud security, identity and access management, architecture for Microsoft-rooted IT infrastructures, and the security of Microsoft products. He's the author of Windows Server 2003 Security Infrastructures (Digital Press) and coauthor of Microsoft Windows Security Fundamentals (Digital Press) and Cloud Computing Protected: Security Assessment Handbook (Recursive Press). You can reach him at [email protected]
