
BitLocker can be used as a cryptographic module to fulfill FIPS 140-2 security level 1 compliance.

In a common setup, USB thumb drives can be used to unlock drives encrypted by BitLocker on startup.

What if the encrypted drive is on a virtual machine, is that still FIPS 140-2 compliant?

In a virtual machine setup, BitLocker can be used without a USB drive because one of the drives on the virtual machine's host can act as a virtual USB thumb drive (or partition).

The only problem is that this all sounds really fishy. This kind of BitLocker implementation mostly subverts the protection that BitLocker is providing in the first place.

So is BitLocker on a virtual machine with a virtual thumb drive FIPS 140-2 compliant?

Mark Rogers

2 Answers

In the Validated module list, you'll find a link to the applicable security policy. In the security policy, §2.3 describes the platforms on which the certification applies: it lists several versions of Windows, with no reference to any particular hardware. Then §6 describes usage requirements that must be met in order for the certificate to apply. One of the FIPS-compliant startup mechanisms listed in §5.2 must be in use, therefore the machine must have a PIN pad, a USB connection or a TPM. The policy does not explicitly describe the connection between the machine running Windows and these peripherals, therefore a virtual machine would be acceptable.

A virtual thumb drive would be a different matter. As there is no actual USB involved, I don't think the language can be construed to cover this case.

How meaningful is Bitlocker then? I'll argue it's still useful. Bitlocker (if it meets its security requirement) still protects secrets against any attacker that's confined in the virtual machine.

But the fact that Bitlocker is FIPS 140-2 Level 1 compliant does not in itself mean that Bitlocker is particularly secure. As you can see by reading the security policy, what you have is a superficial evaluation that Bitlocker implements cryptographic algorithms correctly, takes some slight care not to leak key material, and has a vaguely decent high-level architecture. That's all. You would have to go higher in the certification hierarchy (FIPS 140-2 Level 2, or Common Criteria with a decent EAL) to get some security assurance. And even then, what you get is just that: some assurance, not a guarantee of perfect security.

duffbeer703
Gilles 'SO- stop being evil'
  • Just to be clear, BitLocker only protects the machine when it is off; after boot, BitLocker is no longer effective (like any other volume encryption scheme). – Jim B Jan 19 '12 at 06:41
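The answer above turns on a handful of local facts: whether the OS is in FIPS mode, whether the machine is virtual, whether a real TPM is present, and which startup mechanism (TPM, PIN, or USB startup key) each volume actually uses. The following PowerShell script is an added example, not part of the original answer and not Microsoft's own tooling; it reads those facts and prints the warnings a reviewer would raise. It assumes the BitLocker and TrustedPlatformModule cmdlets (Windows 8 / Server 2012 and later), an elevated prompt, the documented registry location of the "Use FIPS compliant algorithms" policy, and a heuristic list of hypervisor SMBIOS strings for VM detection. It changes nothing on the system.

```powershell
# Added example (not from the original post): inventory the local BitLocker
# configuration and report the facts the FIPS 140-2 discussion hinges on.
# Read-only. Requires the BitLocker and TrustedPlatformModule modules.

# 1. Is the "Use FIPS compliant algorithms" policy enabled?
#    Assumption: this registry value is where that policy is stored.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = $false
if (Test-Path $fipsKey) {
    $enabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $fipsEnabled = ($enabled -eq 1)
}

# 2. Is this a virtual machine? Heuristic (assumption): common hypervisors
#    identify themselves in the SMBIOS manufacturer/model strings.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$isVm = ($cs.Model -match 'Virtual|VMware|VirtualBox|KVM|QEMU') -or
        ($cs.Manufacturer -match 'VMware|QEMU|Xen|innotek')

# 3. Is a TPM present and ready for use?
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

Write-Host ("FIPS algorithm policy enabled : {0}" -f $fipsEnabled)
Write-Host ("Virtual machine (heuristic)   : {0}" -f $isVm)
Write-Host ("TPM present and ready         : {0}" -f $tpmReady)

# 4. Per volume: which key protectors unlock it? The startup mechanisms the
#    security policy talks about map onto these protector types:
#    Tpm / TpmPin / TpmStartupKey / TpmPinStartupKey (TPM-based) and
#    ExternalKey (a startup key file, normally on a USB drive).
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $usesExternalKey = $types -contains 'ExternalKey'
    $usesTpm = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0

    Write-Host ("`nVolume {0}: {1}, protection {2}" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus)
    Write-Host ("  key protectors: {0}" -f (($types | Sort-Object -Unique) -join ', '))

    # Findings that follow the thread's reasoning.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$($vol.MountPoint): protection is not on; there is nothing to certify."
    }
    if (-not $fipsEnabled) {
        Write-Warning "$($vol.MountPoint): FIPS algorithm policy is off; the validated mode of operation needs it."
    }
    if ($isVm -and $usesExternalKey) {
        Write-Warning "$($vol.MountPoint): ExternalKey protector on a VM; the 'USB' is probably a host-side file, which the policy wording does not clearly cover."
    }
    if ($isVm -and $usesTpm -and -not $tpmReady) {
        Write-Warning "$($vol.MountPoint): TPM protector configured but no ready TPM is reported."
    }
}
```

The script is deliberately an inventory rather than a verdict: it surfaces the combination (VM plus ExternalKey, or TPM protector without a ready TPM) that the answer says falls outside what the security policy's language obviously covers, and leaves the compliance judgement to whoever reads the certificate.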

I think that, more important than whether it is compliant, the question is what good would it do you? If I copy the VM and hard drive, will BitLocker complain? BitLocker was designed so that data at rest would be protected. It's not going to stop anyone that has access to the running machine. I would suggest EFS would be a better solution.

Jim B
  • The point of compliance isn't security, it's regulations (or contractual requirements). Especially for FIPS 140 level 1, which says next to nothing about security. – Gilles 'SO- stop being evil' Jan 20 '12 at 16:20
  • While I understand your point, one of the points you make is that subverting the protection sounds fishy. In the BitLocker FIPS 140-2 validation doc the boundaries were defined as "physically contiguous enclosure of the computer system upon which Microsoft Windows Server 2008 R2 and BitLocker™ Drive Encryption executes". Unless you have also encrypted the underlying FS that the VM lives on, I'm not sure that FIPS 140 is still valid. EFS can be FIPS 140 compliant regardless of system enclosure. – Jim B Jan 20 '12 at 18:05