Tuesday, February 9, 2016

Email encryption on iOS 8+: iPGMail

I use GnuPG and PGP, but I want the ability to read encrypted email on mobile without waiting to return to a workstation. I want the ability to reply encrypted as well.

So I found this app called iPGMail that works very well.

It integrates with iCloud and Dropbox in order to transfer data more securely (i.e. not email).

I was able to securely import an existing PGP private key and use it to decrypt emails sent to me.  I was also able to import public keys for recipients and then use the app to send encrypted mail directly to them without using copy/paste or other tricks. The app works well and is integrated well enough that it only takes a couple more taps to open encrypted data. It works the same way for sending encrypted mail.

And it's only $2.

BitLocker Basics

BitLocker is Microsoft's whole disk encryption software. It comes with Ultimate and Enterprise versions of Windows Vista and 7 and in the Pro and Enterprise versions of Windows 8 (and Server 2008) and later versions like Windows 8.1, 10, Server 2012, etc.

BitLocker is tied in with the TPM (Trusted Platform Module) system, a standard that uses hardware as part of the security scheme. TPM is not required for BitLocker use at this time, but it is in most cases the default choice. The purpose of this post isn't to get into TPM or any of the complaints or concerns about the system, although those concerns are worth considering and reading about.

For anyone who has dealt with other encryption software, BitLocker comes across as very limited in nature. On a computer with the appropriate OS version, BitLocker will show up in a search or on the control panel. The BitLocker Drive Encryption screen is very simple and many of the features are not supported by a GUI. So for a simple user who just wants to encrypt a drive, BitLocker comes across as very basic but fairly simple to use. In other words, it should just work, but it is included with only the professional or high end consumer versions of Windows. That's a shame, but it was probably done to minimize support needs.

BitLocker Control Panel Screen on Windows 10 Enterprise

When enabled, BitLocker will turn on TPM if it is not already on (requiring a reboot in OS before Windows 10), prepare it for encryption, and then encrypt the drive. You can expect the computer to reboot at least once during this process. BitLocker requires another partition on the drive to boot from, so it will make one during the setup process.

Once the drive is ready, it allows you to save the recovery keys to a USB drive, a file, or to hard copy (Print).

BitLocker Recovery Key Screen on Windows 7 Enterprise

After saving the recovery keys, BitLocker will ask you to verify the keys. Of course, this is a smart thing to do, but it will require another reboot and then you'll have to test the recovery keys to make sure you can get in.

BitLocker System Check Screen on Windows 7 Enterprise

If you choose to encrypt without the system check, encryption will begin immediately.

At a base level, the newly encrypted OS drive will boot without entering any credentials. It does this by using TPM. How can you tell? How do you add a pre-boot authentication option? Open an administrator command prompt and type in "manage-bde -status" and then hit enter.

As you can see, the default "Key Protectors" are TPM and Numerical Password (recovery key).

From the command line you can add other protectors:

Password: Not supported on OS drives

TPM and PIN: (requires GPO changes) (PIN is 4-24 characters)

TPM and StartupKey: (StartupKey is a specific key stored on a USB drive)

AD DS Account: (Data drives only)

I did research and testing and a smartcard cannot be used at pre-boot even after setting the certificate on the card to be used for BitLocker. The password method is for data drives only. So that leaves two options, PIN and USB key, plus the recovery key.

To set the Group Policy to allow PIN:
run the group policy manager (gpedit.msc)
Expand Computer Config>Administrative Templates>Windows Components>BitLocker Drive Encryption>Operating System Drives
Enable "Require additional authentication on setup"
Leave the settings on "allow..." or change them to "require..." to require that particular method.
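Putting the status check, the Group Policy change and the protector addition together, as an added example that is not from the original post. It assumes an elevated PowerShell session, C: as the OS drive, E: as a USB drive for the optional startup key, and that the HKLM\SOFTWARE\Policies\Microsoft\FVE values are the registry form of the gpedit.msc setting above.

```powershell
# Added example, not from the original post: inspect the OS drive's key
# protectors and add the TPM+PIN pre-boot factor described above.
# Assumptions: elevated PowerShell on Windows 8/10 Pro or Enterprise,
# OS drive is C:, and E:\ is a USB drive for the optional startup key.

# 1. Show the current state. A TPM-only setup lists "TPM" and
#    "Numerical Password" under "Key Protectors".
manage-bde -status C:

# 2. Registry form of the gpedit.msc setting under
#    Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives.
#    UseAdvancedStartup=1 enables the policy; UseTPMPIN: 1 = allow, 2 = require.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
gpupdate /target:computer /force

# 3. Add the TPM+PIN protector. manage-bde prompts for the PIN (4-24 chars).
#    Only one TPM-based protector can exist; if manage-bde reports a conflict
#    with the TPM-only protector, remove it first with:
#    manage-bde -protectors -delete C: -type TPM
manage-bde -protectors -add C: -TPMAndPIN

# 4. Alternative: TPM plus a startup key written to the USB drive.
#    manage-bde -protectors -add C: -TPMAndStartupKey -StartupKey E:\

# 5. Confirm the protector list now shows "TPM And PIN" and note the
#    recovery password ID, which is what a helpdesk asks for at the
#    recovery screen.
manage-bde -protectors -get C:
```

The machine will prompt for the PIN at the next boot; keep the recovery password from step 5 somewhere other than the encrypted drive before rebooting.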

There is a lot of depth in BitLocker, but it is targeted at enterprises and not individuals. I would say to use it if an individual has the correct OS version and no fear of configuring. But if a money outlay is required, buying some other retail product will offer more features and less advanced configuration. What is troubling to me is that if a non-educated person uses BitLocker in its default TPM boot mode, they will probably assume that their data is secure. Disk encryption is just a small part of security, but the fact that a TPM-only secured drive will unlock without a password, PIN, smart card, or another factor is a problem. So instead of stealing the drive and finding it encrypted, the thief can merely steal the system and the drive will unlock itself based on the TPM. In a consumer setting this is no security at all.

There are methods to handle enterprise centralized key management and compliance reporting. Microsoft SCCM has a module to deploy and report but I have never used it. As well, recovery keys can be stored in Active Directory although I have personally never configured that. I do have colleagues who operate in that manner.

I have installed, tested, and maintained BitLocker managed by Microsoft BitLocker Administration and Monitoring (MBAM) and it works well. In this configuration the management is enforced by group policy using Advanced Group Policy Management (which comes with Microsoft Desktop Optimization Pack (MDOP)). The policy path does not exist by default and so the MDOP ADMX template(s) must be installed. This configuration also requires an MBAM server, a SQL instance with SQL Reporting Services, and the MBAM client installed on the endpoint.

With MDOP AGPM installed, BitLocker policy can be configured under the following path: \computer configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\

When a group policy is enforced on an endpoint, the MBAM client software will encrypt the drive and store the recovery key on the network. If the policy requires a startup PIN, the client will prompt the user to choose one and begin encryption after that. PINs can be long and complex in the same way a standard password can be, and the policy can enforce the PIN settings. The downside to a BitLocker PIN is that there is no synchronization or Single Sign-On of the PIN with Windows, and the PIN is not unique to the user. This makes the user experience not much different from an HDD password, and once the PIN is entered the user still has to sign in to Windows.

If "TPM only" falls within the organization's risk profile, it can be a good option as encryption can be enforced without user interaction. The downside is that the disk is unlocked automatically and the attack surface switches from the encrypted disk to Windows itself. The only time the disk encryption comes into play is if the drive is removed or the TPM is locked out.

The centralized key management and reporting in MBAM is good enough. There are two key management tools: 1. Self-Service, and 2. Helpdesk. These would only be needed if the TPM was locked out or in the event a startup PIN is used and the user has forgotten it. The group policy allows for a self-service URL to be displayed on the pre-boot recovery screen. That URL would allow the end user to recover and unlock the drive. The helpdesk feature provides similar functionality for a service desk.

Reporting is done through SQL Reporting Services and is basic. Reports show all machines with their domain, compliance status, last check-in, etc. Machines can be drilled into to see the cipher strength, OS version, hardware manufacturer and model, device users, drive letter(s) encrypted, and more.

One last feature that would simplify on-premises BitLocker management is the Network Unlock feature. This uses a certificate hosted on the network and embedded in the client so that when there is a startup screen (startup requiring PIN, key, etc.) the encryption can detect that it is at 'home' and bypass the manual startup factor. This feature would treat the trusted network as a second factor. Despite my best efforts I have been unable to make this function, but I will update this or create a new post if I figure it out.

Compared to other encryption products I find that BitLocker very much has the standard Microsoft take. It lags behind in cutting-edge features, but it is very stable. The lack of a user-specific PIN and SSO with Windows is a real downside because it ignores the common use case in enterprises where any machine might be used by multiple personnel. Also, hardware drive encryption has been around for some time, but BitLocker is not guaranteed to be able to use it because, though OPAL 2 is very common, Microsoft's requirements are a little more stringent. That being said, the software encryption is not a big resource hog during initial encryption, and more organizations would encrypt the drive during the build before the machine ever reached the end user.
