bitlocker
As a remote worker at Microsoft I have to deal with a few little things that the average worker in Redmond doesn't.
For example, none of my machines are wired to "CorpNet." They're all remote so for the last two years I've had to RAS (Remote Access Service) into the corporate network. For a while you could use your password, but then you needed to use your Smart Card (or your immortal soul, as I call it) and a complex PIN. So you've got multi-factor authentication: you need your actual network password (and of course your domain\username), your physical smart card and your smart card's PIN. That's a lot. Someone evil could have two of those three things and you'd still be OK.
Since two of my three machines are laptops, there's always a risk that I could lose one or have it stolen. If I kept secret stuff on my laptop (I don't) that could be a problem. Laptops run Windows 7 now and are required to be BitLocker'ed (FAQ). This means the whole hard drive is encrypted, there's an (optional) PIN to even turn it on, and it can take advantage of newer machines that have a TPM (Trusted Platform Module). Basically a TPM is a hardware cryptoprocessor that can store keys for securing information. BitLocker uses this chip to protect the keys and makes sure the BIOS and boot sector haven't been tampered with. Fortunately it's all automatic so I don't have to think about it.
This is what I see when I'm booted off my Bitlocker'ed C: drive. That D: drive is my other spindle.
I recently Bitlocker'ed both my laptops, but I Boot to VHD for many demos and it's not possible to boot off a VHD that lives on a Bitlocker'ed volume. That's the one bad thing about Bitlocker from my point of view. I'm sure it's a chicken and the egg problem. How do you boot off a file on an encrypted volume without booting off the encrypted volume?
Turns out though that you can still Boot to VHD in a few other ways. You can partition your drive with a Bitlocker'ed C: and an unencrypted D:, or you can get a second spindle. That means you can get another hard drive and put it in the slot where your DVD/CD usually goes. That's what I decided to do.
I bitlockered my 256 gig OCZ Vertex SSD, and I have a D: drive that is my 160 gig random no-name SATA drive. On that drive I only put demo VHDs.
I had to go into the BIOS of my Lenovo W500 and add the drive to the "boot order" in order to make it spin up on boot and be available to Windows. Then, since I can't really be sure of its drive letter that early, I changed the syntax of my BCDEdit settings a bit. Figured I'd let Windows figure it out, so instead of [D:] I used [LOCATE]. Like this:
C:\>bcdedit /copy {current} /d "My New VHD Option"
C:\>bcdedit /set {guid} device vhd=[LOCATE]\
C:\>bcdedit /set {guid} osdevice vhd=[LOCATE]\
C:\>bcdedit /set {guid} detecthal on
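A scripted version of the steps above, added here as an example and not taken from the original post: it parses the new entry's GUID out of bcdedit's output, points the entry at the VHD via [LOCATE], and, since a VHD on a BitLocker'ed volume cannot be booted, first confirms with manage-bde that the drive holding the VHD is unprotected. The VHD path and description are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original post). Creates a Boot-to-VHD entry
# that uses [LOCATE] so the boot manager finds the VHD regardless of the
# drive letter the second spindle gets. Requires an elevated PowerShell.
param(
    [string]$VhdPath     = 'D:\VHDs\Win7Demo.vhd',   # assumed path on the unencrypted second drive
    [string]$Description = 'My New VHD Option'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

# 1. The boot manager cannot read a VHD from an encrypted volume, so refuse
#    to continue if manage-bde reports protection on for the VHD's drive.
$drive  = Split-Path -Qualifier $VhdPath             # e.g. "D:"
$status = & manage-bde.exe -status $drive 2>&1 | Out-String
if ($status -match 'Protection Status:\s+Protection On') {
    throw "$drive is BitLocker-protected; a VHD on it cannot be booted."
}

# 2. Copy the current entry; bcdedit prints
#    "The entry was successfully copied to {guid}." so capture the GUID.
$copyOut = & bcdedit.exe /copy '{current}' /d $Description | Out-String
if ($copyOut -notmatch '(\{[0-9a-fA-F-]{36}\})') { throw "bcdedit /copy failed: $copyOut" }
$guid = $Matches[1]

# 3. Use [LOCATE] plus the drive-relative path instead of a drive letter,
#    because the second spindle's letter is not reliable that early in boot.
$relative = $VhdPath.Substring($drive.Length)        # e.g. "\VHDs\Win7Demo.vhd"
& bcdedit.exe /set $guid device   "vhd=[LOCATE]$relative"
& bcdedit.exe /set $guid osdevice "vhd=[LOCATE]$relative"
& bcdedit.exe /set $guid detecthal on

# 4. Show the finished entry so it can be checked before rebooting.
& bcdedit.exe /enum $guid
```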
Now, when I'm booted into my VHD, I see this:
What are we seeing?
But, how can I get access to my secure C: drive when I'm booted into this insecure world? Of course, we don't want the bad guys to get in there, which makes sense.
If I double click, I see this:
These options are all settable with Group Policy I think, but my choices are to add a really complex Password to get access to this drive or use my Smart Card. I can also use the recovery key that I saved in a secure location when I originally locked the drive.
I unlock it, and I see this:
Now, just for the duration of this single boot, this disk is available to me. Very cool.
I was a little afraid when I Bitlocker'ed my machine just before a trip, but I'm feeling pretty good about it so far. I haven't noticed any perceptible slowdown but the FAQ says "single digit." I've heard numbers like 3%, but I haven't noticed it in the sense that my machine isn't suddenly "sluggish."
I'm VERY suspicious when corporate IT wants to reach out from Redmond and do something to my computer but this turned out great.
Here's the email I sent internally to my team today about Bitlocker:
As you know, MSIT is starting to put BitLocker on mobile machines. I recommend you upgrade any Vista machine to Windows 7 before running Bitlocker. As always, backup your data first.
I figured I should be the guinea pig for you guys, so I Bitlockered BOTH my Lenovo T60p and Lenovo W500 yesterday. These are my two corporate machines.
1a. On my W500 I was automatically prompted to reboot and enable the TPM (trusted platform module) in my BIOS. This enable step was automatic and only required me to press F10 once.
1b. On my T60p, I was told to enter the BIOS manually and enable it. There is no "TPM" section in the T60p. Instead, you go into Security, then Security Chip, and turn on all the options under Security Reporting. Save your BIOS settings and reboot.
2. When prompted for a “PIN” I declined. This >=5 digit number would be a system-level password for when you start-up your machine. It's recommended, but ultimately up to you.
3. The process ran OVERNIGHT. It took at least 5 hours on each machine from what I can tell.
4. Next, go to the Start Menu and type "manage bitlocker." You'll want to save and print your recovery key. The importance of this step cannot be overstated. Save this key and treat it like it is your immortal soul.
c. If Bitlocker smells any funny business you’ll get prompted for these keys. Murphy’s Law says this will happen 10 minutes before a major conference speech. No excuses for not having these. Without them, your computer is a brick. (That's kind of the wonderful point of BitLocker. ;) )
That scary part said, it works exactly as it should. It was easy and painless.
So far, we are not forced to lockup second drives/spindles. This means that you can STILL boot to VHD off of a second drive if that drive is NOT connected via USB (SATA, IDE, etc are still Ok). I’ve moved my BootToVHDs off into D:\ for this purpose. Regular VMs run just fine on the BitLocker'ed drive.
All in all, it works exactly as it should. I have no idea it’s there and my machine seems just as fast.
Let me know if you have any questions.
All in all, an interesting experience. I'm glad it went so well. You can even BitLocker USB drives as well with BitLocker To Go.
Related Links
Less Virtual, More Machine - Windows 7 and the magic of Boot to VHD
Step-By-Step: Turning a Windows 7 DVD or ISO into a Bootable VHD Virtual Machine
Windows 7 Screencast – BitLocker To Go
BitLocker area on technet.microsoft.com
BitLocker Technical Overview – the must read
BitLocker Interview and demos on edge.technet.com – a really good overview created by Adam Bomb.
KB Article on the BitLocker Drive Prep Tool
Windows 7 Dual Boot with Bitlocker
Translated from: https://www.hanselman.com/blog/windows-7-with-bitlocker-and-still-booting-to-vhd