Can Linux do BitLocker better than Windows 7?


[NOTE FROM THE M.E. For over two decades, I've made a living in one way or another from being "the Windows guy." And in recent months, what you've been seeing from us at Betanews has been Windows 7, Windows 7, Windows 7 -- at one point, ten times in a row. Last month, I concluded our ongoing series about my picks for Top 10 Features in Windows 7. And I received a number of letters from folks who claimed that Linux did this first, or already did that several years ago, or does this better.

Really, now? Well, perhaps so. To find out for sure, I've commissioned a new Betanews series that seeks out whether, for features that Microsoft touts as supreme or new or of special value, similar functionality exists in some form or fashion for users of Linux client operating systems. To make sure I get a fair answer on this -- one that isn't biased in favor of Windows -- I've asked our Angela Gunn, who has more experience with Linux than I, to start digging. And to make sure she's digging in the right place, we've asked Jeremy Garcia, founder of LinuxQuestions.org, one of the Web's leading Linux user communities, to lend his voice to our evaluation. You and I are about to find out, once and for all, the answer to the musical question...]

Our subject today is full-disk encryption, the security tool that keeps data on your hard drive safe even if the drive itself is in peril. It's the feature that Microsoft would have you spend an extra $120 for when upgrading to Windows 7 Ultimate. We'll compare the Windows approach to the problem with that of a leading Linux contender. (Mac folk, your turn may come. And then again maybe it won't.) And to make dead sure that we're balancing out the Windows fans on staff (looking at you, Mr. Fulton), we've asked Jeremy Garcia, founder of LinuxQuestions.org, to provide insight into the comparison.

With data and computing devices ever smaller and easier to lose (or abscond with), companies in data-sensitive industries as well as the federal government have gotten serious in recent years about protecting the data on a drive even when the drive itself has been compromised.

Enter full-drive encryption, which protects data at rest (DAR) -- that is, even when no one's actively trying to access the data, it's safe. (Arguments that data is only at risk when not at rest will be entertained in other articles; that's not what we're doing here. Also, though Seagate popularized the term "full disk encryption," it has passed sufficiently into common usage to be an effective category descriptor.) FDE also provides some protection from PEBKAC security vulnerabilities, encrypting temporary and swap files and relieving the user from the hideous burden of protecting individual files or folders.

Many would argue that BitLocker has no place in a conversation about full-disk encryption, because it doesn't encrypt the full disk; the boot volume stays separate and unencrypted, so really it's a variety of volume encryption. Still, BitLocker is the go-to utility in the Windows realm for Vista machines and (soon) Windows 7 and Windows Server 2008 R2 machines -- not the only FDE option, or even necessarily the most robust, of course, but the one that's most easily available on modern versions of the operating system, since Microsoft bakes it right in. It's included in Vista Enterprise, Vista Ultimate, and Windows Server 2008. It can use the Trusted Platform Module (TPM), the secure cryptoprocessor present on some motherboards, to seal the volume key to the machine's boot state.

Redmond was, frankly, late to this particular party, releasing BitLocker in 2006. As for Linux, solid encryption has been available for years at every level -- individual files, whole folders, or entire drives/volumes. TrueCrypt began life in 2004 as a Windows-only product before branching out to Linux in late 2005. (Linux Unified Key Setup, or LUKS, is another open source alternative that's included in Linux kernel versions 2.6.x, Garcia reminds us.)

"As you might expect, the Microsoft option is not Open Source...so you really have no idea about the quality of the implementation or the flaws it may contain," Garcia told Betanews.

Now let's take a look at these full disk encryption options feature-by-feature:

Trusted Platform Module support

TPM is technology that doesn't sit well with everyone, and there are perfectly good FDE options that don't make use of the "Fritz chip." BitLocker can use TPM if it's there, but can be set up not to use it, especially for non-Intel vPro platform computers. "To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script," states Microsoft's documentation. "When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume."

Algorithms

BitLocker uses the AES encryption algorithm in CBC mode with a 128- or 256-bit key, plus an extra "Elephant" diffuser that spreads any change to a sector's ciphertext across the whole sector; though AES itself is a public standard, Microsoft's implementation is closed-source. TrueCrypt offers AES on its own and in cascades with other ciphers (AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES), all with 256-bit keys, along with Serpent, Twofish, and Twofish-Serpent. The mode of operation in all cases is XTS, which is the IEEE 1619 standard for disk encryption.

Multifactor authentication

BitLocker allows additional layers of authentication -- a PIN, a thumb drive with a startup key -- as long as the utility has been enabled on a machine with TPM. BitLocker users can boot from the hard drive as they usually do, that is, with their usual Vista password (transparent mode) or, for added security, with a PIN and/or a USB key (on TPM machines). Also, for machines running a BIOS that can read a USB drive at the pre-boot stage, one can boot in "USB Key Mode" -- very handy in case the user has lost the password. On the TrueCrypt side, two-factor authentication is likewise an option.

Next: If BitLocker comes pre-installed, isn't installation a factor in Linux?
