Tonight I stumbled on a rant that quoted a Microsoft web site around various Vista features including Full Volume Encryption (FVE). The stunning thing for me was the following quote (emphasis mine):
“Windows Vista supports full-volume encryption to prevent disk access to files by other operating systems. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip. The entire system partition is encrypted-both the hibernation file and the user data. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip, if one is available on the PC.”
Did I read that right? Does this mean that FVE can actually encrypt the entire system partition whether there’s a TPM 1.2 chip on the system or not? Presumably if this is true, the key to encrypt the volume is stored in the 50 MB partition that is required to store the pre-boot partition that supports FVE. That is, the key is stored in software.
So how does this improve upon what’s available in Windows XP? Frankly I don’t know right now, but I can take a couple of educated guesses. Presumably the Secure Startup sequence requires a user-supplied password before it can decrypt the Vista system partition, so this means there’s yet another password for an attacker to have to brute-force.
However, I gotta wonder whether a software-based Secure Startup boot password is any different from a SYSKEY boot password – no complexity requirements, never needs to be changed, and impossible to manage [pretty much by design] over a large population – how do you archive and recover such a boot password? If so, then this is just as dangerous and difficult to manage a security control as SYSKEY is.
OK, so I got excited there for a sec, but on further reflection, maybe this isn’t any better than we had before. In fact, it’s even scarier: what if I forgot my Secure Startup boot password, and its encryption key was stored in software? What do I do then? Presumably ALL my data is encrypted with that key (now irretrievable); whereas with SYSKEY I lost the OS but presumably could recover my data, now I’ve lost both the OS and my data. Ugh, sounds pretty gross to me.
I think I read about some capability to archive the encryption key used by Full Volume Encryption, but I’ll have to dig around to confirm (a) if it’s true, and (b) how it works. Until then, consider this entire sub-rant one man’s opinion, no more.