Can Linux do BitLocker better than Windows 7?

By Angela Gunn | Published July 3, 2009, 5:43 PM


[NOTE FROM THE M.E. For over two decades, I've made a living in one way or another from being "the Windows guy." And in recent months, what you've been seeing from us at Betanews has been Windows 7, Windows 7, Windows 7 -- at one point, ten times in a row. Last month, I concluded our ongoing series about my picks for Top 10 Features in Windows 7. And I received a number of letters from folks who claimed that Linux did this first, or already did that several years ago, or does this better.

Really, now? Well, perhaps so. To find out for sure, I've commissioned a new Betanews series that seeks out whether, for features that Microsoft touts as supreme or new or of special value, similar functionality exists in some form or fashion for users of Linux client operating systems. To make sure I get a fair answer on this -- one that isn't biased in favor of Windows -- I've asked our Angela Gunn, who has more experience with Linux than I, to start digging. And to make sure she's digging in the right place, we've asked Jeremy Garcia, founder of LinuxQuestions.org, one of the Web's leading Linux user communities, to lend his voice to our evaluation. You and I are about to find out, once and for all, the answer to the musical question...]


Our subject today is full-disk encryption, the security tool that keeps the data on your hard drive safe even when the drive itself is in someone else's hands. It's the feature Microsoft would have you spend an extra $120 for when upgrading to Windows 7 Ultimate. We'll compare the Windows approach to the problem with that of a leading Linux contender. (Mac folk, your turn may come. And then again maybe it won't.) And to make dead sure that we're balancing out the Windows fans on staff (looking at you, Mr. Fulton), we've asked Jeremy Garcia, Founder of LinuxQuestions.org, to provide insight into the comparison.


With data and computing devices ever smaller and easier to lose (or abscond with), companies in data-sensitive industries as well as the federal government have gotten serious in recent years about protecting the data on a drive even when the drive itself has been compromised.

Enter full-drive encryption, which protects data at rest (DAR) -- that is, the data is safe even when no one is actively accessing it and the machine is powered off. (Arguments that data is only at risk when not at rest will be entertained in other articles; that's not what we're doing here. Also, though Seagate popularized the term "full disk encryption," it has passed sufficiently into common usage to be an effective category descriptor.) FDE also removes a whole class of PEBKAC failures: temporary files, swap and hibernation images are encrypted along with everything else, so the user is relieved of the burden of deciding which individual files or folders deserve protection.

Many would argue that BitLocker has no place in a conversation about full-disk encryption, because it doesn't encrypt the full disk: it needs a small unencrypted system partition to hold the boot files, so strictly speaking it's a variety of volume encryption. Still, BitLocker is the go-to utility in the Windows realm for Vista machines and (soon) Windows 7 and Windows Server 2008 R2 machines -- not the only FDE option, or even necessarily the most robust, but the one most readily available on modern versions of the operating system, since Microsoft bakes it right in. It's included in Vista Enterprise, Vista Ultimate, Windows Server 2008, and the Enterprise and Ultimate editions of Windows 7. It can use a Trusted Platform Module (TPM), the secure cryptoprocessor present on some motherboards, to seal the volume key to the machine's measured boot configuration, so the key is released only if the boot chain hasn't been tampered with.

Redmond was, frankly, late to this particular party, shipping BitLocker with Vista in 2006. As for Linux, encryption has been available for years at every level -- individual files, whole folders, or entire drives/volumes. TrueCrypt began life in 2004 as a Windows-only product, branching out to Linux in late 2005. (Linux Unified Key Setup, or LUKS, is another open source alternative; it builds on the dm-crypt subsystem that ships with Linux kernel versions 2.6.x, Garcia reminds us.)

"As you might expect, the Microsoft option is not Open Source...so you really have no idea about the quality of the implementation or the flaws it may contain," Garcia told Betanews.

Now let's take a look at these full disk encryption options feature-by-feature:

Trusted Platform Module support TPM is technology that doesn't sit well with everyone, and there are perfectly good FDE options that don't make use of the "Fritz chip." BitLocker will use a TPM (version 1.2) if one is present, but it can be set up not to use it on machines that lack one. "To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script," states Microsoft's documentation. "When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume."

Algorithms BitLocker uses AES in CBC mode with a 128- or 256-bit key, by default with Microsoft's own "Elephant" diffuser layered on top to limit what an attacker can achieve by flipping bits in the ciphertext; AES itself is a public standard, but Microsoft's implementation is closed-source. TrueCrypt offers AES, Serpent and Twofish singly or in cascades (AES-Twofish, AES-Twofish-Serpent, Serpent-AES, Serpent-Twofish-AES, Twofish-Serpent), each cipher in a cascade with its own 256-bit key. The mode of operation in all cases is XTS, the IEEE 1619 standard for disk encryption.

Multifactor authentication BitLocker allows additional layers of authentication -- a PIN, a thumb drive with a startup key -- as long as the utility has been enabled on a machine with a TPM. In the default TPM-only ("transparent") mode the TPM releases the volume key by itself once the boot chain checks out, so users boot straight to the usual Vista logon; for added security the TPM can be combined with a PIN and/or a USB startup key. Also, for machines whose BIOS can read a USB drive at the pre-boot stage, a startup key on USB can stand in for the TPM altogether ("USB Key Mode"), and a recovery key saved to USB (or the 48-digit recovery password) gets the user back in if the PIN or startup key is lost. On the TrueCrypt side, a keyfile can be combined with the password for ordinary volumes, but TrueCrypt's system (pre-boot) encryption accepts a password only.
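To make the LUKS side of the comparison concrete -- the cipher and mode it records, and the key slots that let a passphrase and a keyfile (or a recovery passphrase) each unlock the same volume independently -- here is a parser for the LUKS1 on-disk header, the format in use when this article was written. It is an added example for this article, not code from Betanews or from cryptsetup; the header is constructed in the file itself rather than read from a disk, and the master key, salt and UUID are arbitrary test values. On a real system `cryptsetup luksDump /dev/sdX` prints the same fields.

```python
"""Parse a LUKS1 header and check a master key against its stored digest.
Added example, not cryptsetup code; header and key material are constructed test data."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

LUKS_MAGIC = b"LUKS\xba\xbe"
KEYSLOT_ACTIVE, KEYSLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
HEADER_LEN = 592  # 208-byte phdr + 8 key slots x 48 bytes; all integers big-endian
MK_DIGEST_LEN = 20


@dataclass
class KeySlot:
    active: bool
    iterations: int
    salt: bytes
    key_material_offset: int  # in 512-byte sectors
    stripes: int              # anti-forensic split factor


@dataclass
class LuksHeader:
    cipher_name: str
    cipher_mode: str
    hash_spec: str
    payload_offset: int       # first sector of encrypted data
    key_bytes: int
    mk_digest: bytes
    mk_digest_salt: bytes
    mk_digest_iter: int
    uuid: str
    key_slots: list


def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii")


def parse_luks1_header(buf: bytes) -> LuksHeader:
    """Decode the LUKS1 phdr found at the start of an encrypted volume."""
    if len(buf) < HEADER_LEN or buf[:6] != LUKS_MAGIC:
        raise ValueError("not a LUKS header")
    if struct.unpack(">H", buf[6:8])[0] != 1:
        raise ValueError("unsupported LUKS version")
    payload_offset, key_bytes = struct.unpack(">II", buf[104:112])
    slots = []
    for off in range(208, HEADER_LEN, 48):
        active, iters = struct.unpack(">II", buf[off:off + 8])
        kmo, stripes = struct.unpack(">II", buf[off + 40:off + 48])
        slots.append(KeySlot(active == KEYSLOT_ACTIVE, iters, buf[off + 8:off + 40], kmo, stripes))
    return LuksHeader(_cstr(buf[8:40]), _cstr(buf[40:72]), _cstr(buf[72:104]),
                      payload_offset, key_bytes, buf[112:132], buf[132:164],
                      struct.unpack(">I", buf[164:168])[0], _cstr(buf[168:208]), slots)


def master_key_matches(hdr: LuksHeader, master_key: bytes) -> bool:
    """LUKS1 stores PBKDF2(master key) in the header, so a key unwrapped from a slot
    can be verified without touching the data area."""
    if len(master_key) != hdr.key_bytes:
        return False
    digest = hashlib.pbkdf2_hmac(hdr.hash_spec, master_key, hdr.mk_digest_salt,
                                 hdr.mk_digest_iter, MK_DIGEST_LEN)
    return hmac.compare_digest(digest, hdr.mk_digest)


def audit(hdr: LuksHeader) -> list:
    """Settings a reviewer would question; the rules are this example's own."""
    findings = []
    if hdr.cipher_mode.startswith("cbc-plain"):
        findings.append("cbc-plain derives the IV from the sector number; prefer xts-plain64 or cbc-essiv")
    if sum(s.active for s in hdr.key_slots) < 2:
        findings.append("one key slot in use: no separate recovery passphrase or keyfile")
    return findings


def build_test_header(master_key: bytes, cipher_mode: bytes = b"xts-plain64",
                      active_slots=(0, 1)) -> bytes:
    """Constructed header with two slots in use (say, passphrase plus keyfile);
    the iteration count is far below what cryptsetup would benchmark on real hardware."""
    salt, iters = bytes(range(32)), 2000
    hdr = bytearray(HEADER_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)
    hdr[8:11], hdr[72:78] = b"aes", b"sha256"
    hdr[40:40 + len(cipher_mode)] = cipher_mode
    struct.pack_into(">II", hdr, 104, 4096, len(master_key))
    hdr[112:132] = hashlib.pbkdf2_hmac("sha256", master_key, salt, iters, MK_DIGEST_LEN)
    hdr[132:164] = salt
    struct.pack_into(">I", hdr, 164, iters)
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"  # test UUID
    for i, off in enumerate(range(208, HEADER_LEN, 48)):
        on = i in active_slots
        struct.pack_into(">II", hdr, off, KEYSLOT_ACTIVE if on else KEYSLOT_DISABLED, iters if on else 0)
        hdr[off + 8:off + 40] = salt
        struct.pack_into(">II", hdr, off + 40, 8 + 504 * i, 4000)
    return bytes(hdr)


TEST_MASTER_KEY = hashlib.sha512(b"constructed test master key").digest()  # 64 bytes: aes-xts with 256-bit keys

if __name__ == "__main__":
    h = parse_luks1_header(build_test_header(TEST_MASTER_KEY))
    print(h.cipher_name, h.cipher_mode, h.hash_spec, f"{h.key_bytes * 8}-bit key,",
          sum(s.active for s in h.key_slots), "active slots; master key matches:",
          master_key_matches(h, TEST_MASTER_KEY), "findings:", audit(h))
```

The digest check is the same test cryptsetup performs after unwrapping a key slot with a candidate passphrase, which is why an offline attacker with only the header can try passphrases without the data area; it is also why the PBKDF2 iteration count in each slot matters. The `audit` rules are deliberately simple: the `cbc-plain` warning reflects the documented weakness of sector-number IVs that led to `cbc-essiv` and XTS, and the slot-count rule encodes the article's multifactor point that a second slot is what gives you a recovery path.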


Comments


so what if linux created something and microsoft utilized the same concept but different technology to implement it "and" vice versa.

though it is true, that credit is due to those who deserve it, technology is fluid and fleeting.

because when it all comes down to the finish line, the question is "who or what" made "it" better, stronger or easier to use.

as in the article's conclusion and because of my first hand experience, i am not impressed with microsoft's bit locker as well.

rhetorically, we might ask what is the "real" reason for microsoft to include bit locker in their recent o.s.'s?

what we can be assured is that if drive encryption was a serious issue for microsoft, they would provide the download for "all" of their windows customers.

drive encryption does have its strong benefits, as it has the propensity to protect personal and financial information from thieves and spies.

for now, microsoft is only providing the service to their highest paying customers.

Score: 0

MacOS' FileVault works quite well, as long as you don't shut down the system. There's a silly bug where it doesn't load your customised file launch actions for different file types (i.e. if you want to use VLC to play avi files instead of QuickTime). No word on when this will be fixed; there are workarounds, but still, it is very annoying!

But the only good news is that because it only encrypts your home folder, the rest of the system runs very fast. So on a notebook you don't have to waste battery life decrypting static system files for the sake of security.

Score: 0

Volume and Disk level encryption have been around for a long long time.

It is available in almost all OSes either with inherent support, 3rd party $$, or OSS...

Why is this an issue again?

Bitlocker is NOT designed for the average user market, nor is it designed to compete with specific types of encryption technologies. It is designed to be easy, hand off administrator control, and be implemented in large corporate environments with lots of computers and laptops in the field. The only thing necessarily 'better' about BitLocker is the ease of implementation from an IT administrator standpoint, as you can literally flip a few policies and have it be seamless for new computer installations brought into the environment.

If you are looking for good volume level encryption, there are tons of solutions out there, this is not the point.

Linux 'being able to do' something is also not the point.

If you want to look at something Linux can't do in comparison to Windows, pick a real subject like GPU scheduling, or other WDDM features.

Heck, you could even do several articles on the object model of the NT kernel in comparison to Linux -- especially Linux's UNIX generic I/O textual model compared to the Object Oriented I/O model.

Next even look at API abstraction, and the 'subsystem' technology of the NT kernel that makes it a client/server kernel. This is how you can run Win32 or Win64 side by side with a full implementation of BSD all on the NT kernel and sharing the IPC and NT Object Manager. This is something Linux cannot do as well.

In terms of architecture Windows often gets a bad reputation from the pseudo geeks, but when OS engineers and theorists look at the NT Kernel and what it is doing and can do, there are many levels of technology that it is doing and can do that Linux, OpenBSD, and Darwin/OSX do not have the architectural plumbing to pull off.

Take the NVidia hybrid GPU technologies... Vista is the only consumer OS that can flip the GPU and GPU drivers on the fly without a hiccup or even the user noticing, where on Linux, XWindows has to be restarted and OS X the user has to log off to restart the Mac GUI as well.

There are 100s of things like this that, as technology demands, show some of the real strengths of the NT kernel design that you could do a debate on between Linux and Windows, rather than something as obscure as BitLocker.

(Heck even an article on Superfetch technologies and using idle RAM for intelligent user based data prefetching.)

So why BitLocker?

Unless you are the FBI or corporate America's top 500 Inc. that are using this feature that has need for it, why do you care?

Most people need and use file level encryption, and that is inherent in NTFS and has been for years.

If you are a home user, and you NEED to use Bitlocker, then you probably are storing data you shouldn't be on your home computer. Or you don't realize you can already use NTFS encryption on a file/folder level and not have to encrypt the entire volume and pretend your entire HD has nuclear secrets on it.

Score: 1

i think that regular users can benefit by the encryption service.

it has the propensity to protect private and financial information from people in the event the computer is accessed without the knowledge or consent of the owner "and" from thieves who may take the machine away from you.

i think we can all agree that user level passwords only keep the honest people out of systems.

Score: 0

Just to be clear..

NTFS Encryption is enough; volume level BitLocker encryption is just over the top for average users 99.9% of the time.

If anyone has stuff they want to protect, encrypt it or put it in a folder that is encrypted. You don't need to encrypt the entire hard drive and it isn't worth the overhead.

(* Yes there are legit reasons to use a Bitlocker type technology, but for most average consumers, no...)

Score: 1

You can safely hibernate Linux systems with full disk encryption - complete with properly encrypted hibernation and swap partitions - as long as it's all correctly set up. Not sure which Linux installers actually get this right, though. Debian appears to be able to, Ubuntu doesn't, and I have no idea what TrueCrypt supports. (TrueCrypt is mainly aimed at Windows users; the Linux support is very much second-class. Linux FDE is usually done with LUKS, which works better.)

Score: 0

First of all I agree with bousozoku, who would even question this, Linux has had integrated encryption for as long as I can remember, even if it meant enabling a non default package, it was always just a click away. Second, I know it is not encryption in itself but SE Linux, endorsed by the NSA, the code people. I personally use Fedora 11 set up with FDE, all you have to do is check a box during install. There is also a built in encryption key manager which can find people's public PGP keys from MIT's database, once you have the key it just takes a simple right click --> encrypt. Of course all of this is integrated with the default mail client so it will automatically (after authentication) decrypt any messages sent to your public key. [I know this is different than file encryption for storage, just demonstrating the encryption integration and attention to security found in Linux]

Score: 0

Linux? Windows? Mac?... I use all of them... TrueCrypt is the best option.

Score: 0

now that's a stupid question...
take a look at Fedora's install setup:
disk encryption is optional

Score: -1

Was there any doubt that it could be done in a Linux distribution? I'd also think that OpenBSD, the security conscious version of *BSD would do this by default. Mac OS X on the other hand, only has inbuilt encryption for the user area and after all the various but early problems, I'd be afraid to use it.

Score: 1

How about more basic protection, such as the user surfing the internet and the computer NOT getting infected?

Score: -1

Angela, the other picture of you with the pink sweater favors you much more.

Score: -1

I don't recall a pink sweater (I'm not a sweater see-er) (or artistic), but the pic is showing the JPEG artifacts of too much compression. And I haven't read the article yet -- I crashed into Medical Examiner (M.E.) and, uhm, like. Happy Holidays and pretty explosions to those who like them and really good earplugs to those who don't.

Score: -1

If I ever start even remotely resembling the photo above, my next of kin have been instructed to remove the feeding tube. Seriously, that photo looks almost nothing like me; it's a still image from a project I did a while back, and if it had a thought bubble above it it would say "$*()@!#@ this %(@)!_! outfit and double-%()@)! the %)(@)($_@ electrician's tape holding down the collar in back." But go ahead, ask any columnist if they even notice their photo after the first week or two...

(The pink-sweater photo is a lot closer to recognizable, except for the hair -- can't figure why it looks so short!)

Score: 0

"Drives are encrypted in BitLocker must as any other drive would be"

I'm thinking that should be "much"

Aside from that, an interesting read.

Score: 0
