BitLocker
{{noteTA |G1=IT |G2=Windows |1=zh-hans:通过; zh-hant:透過; |2=zh-hans:卷; zh-hant:磁碟區; |3=zh-hans:访问; zh-hant:存取; |4=zh-hans:固态驱动器; zh-hant:固態硬碟; }}
{{Infobox software
| name = BitLocker
| logo = BitLocker icon.png
| logo_size = x64px
| screenshot = Windows Bitlocker.png
| screenshot_size = 300px
| caption = The option to turn on BitLocker for a disk drive
| developer = [[微软|Microsoft]]
| released = {{Start date and age|2006|11|30}}
| other_names = Device Encryption
| operating system = [[Microsoft Windows]]
| genre = {{le|磁盘加密软件|Disk encryption software}}
}}

'''BitLocker''' is a [[磁盘加密|disk encryption]] feature built into [[Windows Vista]] and later operating systems. It protects user data by encrypting an entire [[磁盘分区|disk volume]]. By default it uses the [[高级加密标准|AES]] encryption algorithm with a 128-bit or 256-bit [[密钥|key]] in [[分组密码工作模式#密码块链接(CBC)|cipher block chaining]] (CBC) or {{le|磁盘加密理论|Disk encryption theory|XTS}} mode<ref name=":0">{{cite web|url=https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511|title=What's new in Windows 10, versions 1507 and 1511|accessdate=2016-12-15|date=2016-11-29|publisher=[[微软|Microsoft]]|last1=Hakala|first1=Trudy|website=[[TechNet]]|archive-date=2016-11-12|archive-url=https://web.archive.org/web/20161112012152/https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511|dead-url=no}}</ref><ref>{{cite web|url = https://technet.microsoft.com/en-us/library/cc766200(v=WS.10).aspx#BKMK_Form|title = Windows BitLocker Drive Encryption Frequently Asked Questions|work = TechNet Library|publisher = Microsoft|date = 2012-03-22|accessdate = 2007-09-05|archive-date = 2010-09-26|archive-url = https://web.archive.org/web/20100926185402/http://technet.microsoft.com/en-us/library/cc766200(v=WS.10).aspx#BKMK_Form|dead-url = no}}</ref><ref>{{cite paper|url = http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf|title = AES-CBC + Elephant Diffuser: A Disk Encryption Algorithm for Windows Vista|last = Ferguson|first = Niels|publisher = Microsoft|format = PDF|date = August 2006|accessdate = 2008-02-22|journal = |archive-date = 2016-03-03|archive-url = https://web.archive.org/web/20160303202955/http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf|dead-url = yes}}</ref>. CBC is applied to each individual [[磁盘扇区|disk sector]] rather than chained across the whole disk, so every sector is encrypted independently<ref>{{Cite web|url=https://css.csail.mit.edu/6.858/2012/readings/bitlocker.pdf|title=AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows Vista|last=Ferguson|first=Niels|date=August 2006|website=|publisher=|access-date=2016-10-07|archive-date=2017-02-13|archive-url=https://web.archive.org/web/20170213185952/http://css.csail.mit.edu/6.858/2012/readings/bitlocker.pdf|dead-url=yes}}</ref>.

== History ==
BitLocker originated in Microsoft's 2004 [[下一代安全计算基础|Next-Generation Secure Computing Base]] architecture under the provisional code name "Cornerstone"<ref name="PdWinHEC20042">{{cite web|url = http://download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04008_WINHEC2004.ppt|title = Next-Generation Secure Computing Base|last = Biddle|first = Peter|date = 2004|archiveurl = https://web.archive.org/web/20060827073150/http://download.microsoft.com/download/1/8/f/18f8cee2-0b64-41f2-893d-a6f2295b40c8/TW04008_WINHEC2004.ppt|archivedate = 2006-08-27|format = PPT|accessdate = 2015-01-30|publisher = [[微软|Microsoft]]|dead-url = yes}}</ref><ref name="PDC-Exclusive2">{{cite web|url = http://windowsitpro.com/article/windows-server-20082/pre-pdc-exclusive-windows-vista-product-editions-revealed-47665|title = Pre-PDC Exclusive: Windows Vista Product Editions|last = Thurrott|first = Paul|date = 2005-09-09|publisher = Penton|work = Supersite for Windows|accessdate = 2015-03-14|archive-url = https://web.archive.org/web/20150402154123/http://windowsitpro.com/article/windows-server-20082/pre-pdc-exclusive-windows-vista-product-editions-revealed-47665|archive-date = 2015-04-02|dead-url = yes}}</ref>. Its purpose was to protect the information on a device, in particular if the device was lost or stolen. A second feature, "Code Integrity Rooting", was designed to validate the integrity of the Microsoft Windows boot and system files<ref name="PdWinHEC20042" />.

When used together with a compatible [[可信平台模块|Trusted Platform Module]] ([[可信平台模块|TPM]]), BitLocker can verify the integrity of the boot and system files before decrypting a protected [[卷 (计算)|volume]]; if the verification fails, the user is denied access to the protected system.<ref name="TechnicalOverview2">{{cite web|url = http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/secure-start_tech.doc|title = Secure Startup – Full Volume Encryption: Technical Overview|author = [[微软|Microsoft]]|date = 2005-04-22|format = DOC|accessdate = 2015-03-14|archive-date = 2017-07-01|archive-url = https://web.archive.org/web/20170701093600/http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/secure-start_tech.doc|dead-url = yes}}</ref><ref name="ExecutiveOverview2">{{cite web|url = http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/secure-start_exec.doc|title = Secure Startup – Full Volume Encryption: Executive Overview|author = [[微软|Microsoft]]|date = 2005-04-21|format = DOC|accessdate = 2015-06-09|archive-date = 2016-03-04|archive-url = https://web.archive.org/web/20160304083404/http://download.microsoft.com/download/5/D/6/5D6EAF2B-7DDF-476B-93DC-7CF0072878E6/secure-start_exec.doc|dead-url = yes}}</ref> Before Windows Vista shipped, BitLocker was briefly known as "Secure Startup"<ref name="TechnicalOverview2" />.

== Availability ==
BitLocker is included in the following systems:
* The Ultimate and Enterprise editions of [[Windows Vista]] and [[Windows 7]]
* The Pro and Enterprise editions of [[Windows 8]] and [[Windows 8.1|8.1]]<ref name=Win8Server2012>{{cite web|url = https://technet.microsoft.com/en-us/library/hh831412.aspx|title = What's New in BitLocker for Windows 8 and Windows Server 2012|work = TechNet Library|publisher = [[微软|Microsoft]]|date = 2012-02-15|accessdate = 2012-03-02|archive-date = 2012-03-04|archive-url = https://web.archive.org/web/20120304021453/http://technet.microsoft.com/en-us/library/hh831412.aspx|dead-url = no}}</ref><ref name=:1>{{cite web|url = https://technet.microsoft.com/en-us/library/cc766200(v=WS.10).aspx#BKMK_Vista|title = Windows BitLocker Drive Encryption Frequently Asked Questions|work = TechNet Library|publisher = Microsoft|date = 2012-03-22|accessdate = 2007-09-05|archive-date = 2010-09-26|archive-url = https://web.archive.org/web/20100926185402/http://technet.microsoft.com/en-us/library/cc766200(v=WS.10).aspx#BKMK_Vista|dead-url = no}}</ref>
* The Pro, Enterprise and Education editions of [[Windows 10]] and [[Windows 11]]<ref name="Win10editions">{{cite web|title=Compare Windows 10 Editions|url=https://www.microsoft.com/en-ca/WindowsForBusiness/Compare|archive-url=https://web.archive.org/web/20161117002223/https://www.microsoft.com/en-ca/WindowsForBusiness/Compare|archive-date=2016-11-17|website=Windows for Business|publisher=Microsoft|accessdate=2017-07-02|dead-url=no}}</ref>
* [[Windows Server 2008]]<ref name="Server2008">{{cite web|url=https://technet.microsoft.com/en-us/library/cc725719(v=ws.10).aspx|title=BitLocker Drive Encryption in Windows Vista|last=|first=|date=|website=TechNet|publisher=Microsoft|archive-url=https://web.archive.org/web/20161117004047/https://technet.microsoft.com/en-us/library/cc725719%28v%3Dws.10%29.aspx|archive-date=2016-11-17|deadurl=yes|accessdate=2017-07-02}}</ref> and later<ref name="Server2008R2">{{cite web|title=BitLocker Drive Encryption Overview|url=https://technet.microsoft.com/library/cc732774.aspx|archive-url=https://web.archive.org/web/20161117004346/https://technet.microsoft.com/library/cc732774.aspx|archive-date=2016-11-17|website=TechNet|publisher=Microsoft|accessdate=2017-07-02|dead-url=no}}</ref><ref name="Win8Server2012" />

Initially, the graphical BitLocker interface in Windows Vista could only encrypt the [[操作系统|operating system]] volume. Starting with Windows Vista Service Pack 1 and Windows Server 2008, the graphical tool can also encrypt volumes other than the operating system volume. However, some BitLocker features (such as turning auto-unlock on or off) had to be managed through a command-line tool named <code>manage-bde.wsf</code><ref>{{cite journal|title=Advances in BitLocker Drive Encryption|url=https://technet.microsoft.com/en-us/magazine/cc510321.aspx|last=Hynes|first=Byron|date=June 2008|publisher=Microsoft|accessdate=2008-07-18|work=TechNet Magazine|journal=|archive-date=2008-08-29|archive-url=https://web.archive.org/web/20080829204922/http://technet.microsoft.com/en-us/magazine/cc510321.aspx|dead-url=no}}</ref>.

The version of BitLocker first included in Windows 7 and Windows Server 2008 R2 added the ability to encrypt removable drives. On [[Windows XP]] or Windows Vista, the BitLocker To Go Reader program provides read-only access to such drives when they are formatted with the [[FAT|FAT16]], [[FAT32]] or [[exFAT]] file system<ref>{{cite web|url=https://support.microsoft.com/en-us/help/970401/|title=Description of BitLocker To Go Reader|accessdate=2013-09-07|publisher=Microsoft|archive-date=2019-09-24|archive-url=https://web.archive.org/web/20190924171026/https://support.microsoft.com/en-us/help/970401/|dead-url=no}}</ref>. In addition, a new command-line tool, <code>manage-bde</code>, replaced the old <code>manage-bde.wsf</code><ref>{{cite web|url=https://technet.microsoft.com/en-us/library/dd894351(v=ws.10).aspx|title=Enabling BitLocker by Using the Command Line|date=2009-11-02|publisher=[[微软|Microsoft]]|website=[[TechNet]]|accessdate=2017-07-02|archive-date=2016-12-20|archive-url=https://web.archive.org/web/20161220112116/https://technet.microsoft.com/en-us/library/dd894351(v=ws.10).aspx|dead-url=no}}</ref>.

Starting with Windows Server 2012 and Windows 8, Microsoft complemented BitLocker with the Encrypted Hard Drive specification, which allows BitLocker's cryptographic operations to be offloaded to the storage device's own hardware<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/hh831627.aspx|title=Encrypted Hard Drive|date=2012-08-23|last=|first=|publisher=[[微软|Microsoft]]|website=[[TechNet]]|access-date=|archive-date=2017-07-05|archive-url=https://web.archive.org/web/20170705131501/https://technet.microsoft.com/en-us/library/hh831627.aspx|dead-url=no}}</ref><ref>{{Cite web|url=https://msdn.microsoft.com/en-us/library/windows/hardware/Dn653989.aspx|title=Encrypted Hard Drive Device Guide|date=2011-09-13|last=|first=|publisher=[[微软|Microsoft]]|website=[[微软开发者网络|MSDN]]|access-date=|archive-date=2016-12-20|archive-url=https://web.archive.org/web/20161220112605/https://msdn.microsoft.com/en-us/library/windows/hardware/Dn653989.aspx|dead-url=no}}</ref>. BitLocker can also be managed through [[Windows PowerShell]]<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/jj649829(v=wps.620).aspx|title=BitLocker Cmdlets in Windows PowerShell|accessdate=2016-12-12|publisher=[[微软|Microsoft]]|website=[[TechNet]]|archive-date=2016-12-20|archive-url=https://web.archive.org/web/20161220111237/https://technet.microsoft.com/en-us/library/jj649829(v=wps.620).aspx|dead-url=no}}</ref>. Finally, Windows 8 Enterprise introduced [[Windows To Go]], which can be protected by BitLocker<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/jj592680.aspx#wtg_faq_bitlocker|title=Windows To Go: Frequently Asked Questions|publisher=[[微软|Microsoft]]|website=[[TechNet]]|access-date=2016-10-07|archive-date=2016-10-07|archive-url=https://web.archive.org/web/20161007083136/https://technet.microsoft.com/en-us/library/jj592680.aspx#wtg_faq_bitlocker|dead-url=no}}</ref>.

=== Device encryption ===
[[Windows Mobile 6.5]], [[Windows RT]] and the core edition of Windows 8.1 include Device Encryption, a feature-limited version of BitLocker that encrypts the whole system<ref name="ars-deviceencryption2">{{cite web|title = Device Encryption|url = http://msdn.microsoft.com/en-us/library/bb964600.aspx|website = Windows Mobile 6.5 Dev Center|publisher = [[微软|Microsoft]]|accessdate = 2014-07-06|date = 2010-04-08|archive-date = 2014-12-18|archive-url = https://web.archive.org/web/20141218025619/http://msdn.microsoft.com/en-us/library/bb964600.aspx|dead-url = no}}</ref><ref>{{cite web|last1 = Cunningham|first1 = Andrew|title = Windows 8.1 includes seamless, automatic disk encryption—if your PC supports it|url = https://arstechnica.com/information-technology/2013/10/windows-8-1-includes-seamless-automatic-disk-encryption-if-your-pc-supports-it/|website = [[Ars Technica]]|publisher = [[康泰纳仕|Condé Nast]]|accessdate = 2014-07-06|date = 2013-10-17|archive-date = 2014-07-05|archive-url = https://web.archive.org/web/20140705171318/http://arstechnica.com/information-technology/2013/10/windows-8-1-includes-seamless-automatic-disk-encryption-if-your-pc-supports-it/|dead-url = no}}</ref><ref name="HelpPortal2">{{cite web|title = Help protect your files with device encryption|url = http://windows.microsoft.com/en-us/windows-8/using-device-encryption|website = Windows Help portal|publisher = [[微软|Microsoft]]|archive-url = https://web.archive.org/web/20160502203117/http://windows.microsoft.com/en-us/windows-8/using-device-encryption|archive-date = 2016-05-02|accessdate = 2017-07-02|dead-url = no}}</ref>. Signing in with a [[微软帐户|Microsoft account]] that has administrative privileges automatically starts the encryption process. The recovery key is stored in the Microsoft account or in [[活动目录|Active Directory]], which allows it to be retrieved from any computer. Although Device Encryption is offered on all editions of Windows 8.1, unlike BitLocker it requires the device to meet the {{le|InstantGo}} specification (formerly called Connected Standby)<ref name="HelpPortal2" />, which in turn requires a [[固态驱动器|solid-state drive]], non-removable RAM (to protect against cold boot attacks) and a [[可信平台模块|TPM]] 2.0 chip<ref name="ars-deviceencryption2" /><ref>{{cite web|url=http://winsupersite.com/windows-8/blue-device-encryption|title=In Blue: Device Encryption|accessdate=2013-06-10|date=2013-06-04|last=Thurrott|first=Paul|work=Paul Thurrott's SuperSite for Windows|publisher=Penton Media|archive-url=https://web.archive.org/web/20130609041130/http://winsupersite.com/windows-8/blue-device-encryption|archive-date=2013-06-09|dead-url=yes}}</ref>.

== Encryption modes ==
Three authentication mechanisms can be used as building blocks for BitLocker encryption<ref>{{cite web|url=http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx|title=BitLocker Drive Encryption|accessdate=2007-09-05|date=2007-04-04|work=Data Encryption Toolkit for Mobile PCs: Security Analysis|publisher=Microsoft|archive-url=https://web.archive.org/web/20071023233150/http://www.microsoft.com/technet/security/guidance/clientsecurity/dataencryption/analysis/4e6ce820-fcac-495a-9f23-73d65d846638.mspx|archive-date=2007-10-23|dead-url=yes}}</ref>:
* Transparent operation mode: this mode exploits the capabilities of [[可信平台模块|TPM]] 1.2 hardware to operate transparently. The user powers on and logs into Windows as usual, without noticing anything. The key used for [[磁盘加密|disk encryption]] is sealed (encrypted) by the TPM chip and is only released to the operating-system loader code if no modification of the early boot components is detected. Because it allows an attacker to [[啟動程式|boot]] a powered-off machine, this mode is vulnerable to a [[冷启动攻击|cold boot attack]].
* User authentication mode: this mode requires the user to provide authentication to the pre-boot environment in the form of a pre-boot [[PIN]] or password.
* USB key mode: the user must insert a USB device containing the startup key into the computer in order to boot the protected operating system. This mode requires that the BIOS of the protected machine support reading USB devices in the pre-OS environment. The key can also be provided by a cryptographic [[智能卡|smart card]] read through {{le|CCID (协议)|CCID (protocol)|CCID}} (Chip Card Interface Device). Using CCID is more secure than simply storing the key file on an external [[U盘|USB flash drive]], because the CCID protocol keeps the private key inside a cryptographic processor embedded in the smart card, so the key cannot be obtained simply by reading out the card's contents.

The following combinations of the above authentication mechanisms are supported, all with an optional {{le|密钥托管|Key escrow|escrowed}} recovery key:
* [[可信平台模块|TPM]] only<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376470(VS.85).aspx|title = ProtectKeyWithTPM method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201120230/http://msdn.microsoft.com/en-us/library/aa376470(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + PIN<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376468(VS.85).aspx|title = ProtectKeyWithTPMAndPIN method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201142018/http://msdn.microsoft.com/en-us/library/aa376468(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + PIN + USB key<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/bb931362(VS.85).aspx|title = ProtectKeyWithTPMAndPINAndStartupKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-02|archive-url = https://web.archive.org/web/20081202134805/http://msdn.microsoft.com/en-us/library/bb931362(VS.85).aspx|dead-url = no}}</ref>
* [[可信平台模块|TPM]] + USB key<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376469(VS.85).aspx|title = ProtectKeyWithTPMAndStartupKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-09-24|archive-url = https://web.archive.org/web/20080924145428/http://msdn.microsoft.com/en-us/library/aa376469(VS.85).aspx|dead-url = no}}</ref>
* USB key<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376466(VS.85).aspx|title = ProtectKeyWithExternalKey method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-26|archive-url = https://web.archive.org/web/20081226230958/http://msdn.microsoft.com/en-us/library/aa376466(VS.85).aspx|dead-url = no}}</ref>
* Password only<ref>{{cite web|url = http://msdn.microsoft.com/en-us/library/aa376467(VS.85).aspx|title = ProtectKeyWithNumericalPassword method of the Win32_EncryptableVolume class|work = MSDN Library|publisher = Microsoft|date = 2008-02-19|accessdate = 2008-07-18|archive-date = 2008-12-01|archive-url = https://web.archive.org/web/20081201144924/http://msdn.microsoft.com/en-us/library/aa376467(VS.85).aspx|dead-url = no}}</ref>

== Operation ==
BitLocker is a [[卷 (计算)|logical volume]] encryption system. A volume may be part of a [[硬盘驱动器|hard disk drive]], an entire drive, or span several drives. When enabled, the [[可信平台模块|TPM]] and BitLocker can ensure the integrity of the trusted boot path (such as the BIOS and the boot sector), which prevents most offline physical attacks and boot-sector malware<ref name=":2">{{cite web|url=https://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx|title=BitLocker Drive Encryption in Windows 7: Frequently Asked Questions|date=2012-03-22|last=|first=|work=[[TechNet]]|publisher=Microsoft|accessdate=2017-07-02|archive-date=2017-09-21|archive-url=https://web.archive.org/web/20170921181314/https://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx|dead-url=no}}</ref>.

For BitLocker to encrypt the volume holding the operating system, at least two [[NTFS]]-formatted volumes are required: one for the operating system (usually C:) and another of at least 100 MB from which the operating system [[啟動程式|boots]]<ref name=":2" />. BitLocker requires the latter to remain unencrypted<ref>{{cite web|url=https://technet.microsoft.com/en-us/library/cc766295%28WS.10%29.aspx#BKMK_S1|title=Windows BitLocker Drive Encryption Step-by-Step Guide|accessdate=2017-07-02|archive-date=2017-07-03|archive-url=https://web.archive.org/web/20170703054047/https://technet.microsoft.com/en-us/library/cc766295(WS.10).aspx#BKMK_S1|dead-url=no}}</ref>; on Windows Vista this volume must be assigned a drive letter, whereas on Windows 7 it need not be<ref name=":2" />. Unlike previous versions of Windows, Vista's "diskpart" command-line tool can shrink an NTFS volume, so that this volume can be created from space that is already allocated. Microsoft also provides a tool, the BitLocker Drive Preparation Tool, that shrinks an existing volume on Windows Vista to make room for the new boot volume and transfers the necessary boot files to it<ref>{{cite web|url=http://support.microsoft.com/kb/930063|title=Description of the BitLocker Drive Preparation Tool|date=2007-09-07|last=|first=|publisher=Microsoft|archiveurl=https://web.archive.org/web/20080219172251/http://support.microsoft.com/kb/930063|archivedate=2008-02-19|website=|dead-url=no|accessdate=2017-07-02}}</ref>.

Once the alternate boot partition has been created, the [[可信平台模块|TPM]] module needs to be initialized (assuming this feature is being used), after which the required disk-encryption key protection mechanisms, such as [[可信平台模块|TPM]], PIN or USB key, are configured<ref name=":3">{{Cite book|url=https://www.worldcat.org/oclc/851209981|title=Exam Ref 70-687: Configuring Windows 8|last=Andrew|first=Bettany|date=|publisher=Microsoft Press|year=2013|isbn=978-0-7356-7392-2|location=|pages=307|oclc=851209981|quote=|via=|access-date=2017-07-02|archive-date=2019-09-24|archive-url=https://web.archive.org/web/20190924171027/https://www.worldcat.org/title/exam-ref-70-687-configuring-windows-8/oclc/851209981|dead-url=no}}</ref>. The volume is then encrypted as a background task, which can take a considerable amount of time on a large disk, because every logical sector is read, encrypted and written back to the disk<ref name=":3" />. The keys are only protected after the whole volume has been encrypted, at which point the volume is considered secure<ref>{{Cite book|url=https://www.worldcat.org/oclc/819519777|title=Introducing Windows 8: An overview for IT professionals|last=Jerry|first=Honeycutt|date=|publisher=Microsoft|year=2012|isbn=978-0-7356-7050-1|location=|pages=121|oclc=819519777|quote=|via=|access-date=2017-07-02|archive-date=2019-09-24|archive-url=https://web.archive.org/web/20190924171110/https://www.worldcat.org/title/introducing-windows-8-an-overview-for-it-professionals/oclc/819519777|dead-url=no}}</ref>.

BitLocker uses a low-level device driver to encrypt and decrypt all file operations, which makes interaction with the encrypted volume transparent to applications running on the platform<ref name=":3" />.

The [[加密文件系统|Encrypting File System]] (EFS) can be used in conjunction with BitLocker to provide protection while the operating system is running. Controlling access to files by the processes and users inside the operating system is only possible with encryption software that operates at the Windows level, such as EFS. BitLocker and EFS therefore protect against different classes of attack.<ref>{{cite web|url=http://www.techrepublic.com/article/prevent-data-theft-with-windows-vistas-encrypted-file-system-efs-and-bitlocker|title=Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker|date=2007-06-08|last=Ou|first=George|work=[[TechRepublic]]|publisher=[[CBS互動|CBS Interactive]]|accessdate=2017-07-02|archive-date=2017-07-06|archive-url=https://web.archive.org/web/20170706084656/http://www.techrepublic.com/article/prevent-data-theft-with-windows-vistas-encrypted-file-system-efs-and-bitlocker/|dead-url=no}}</ref>

In an Active Directory environment, BitLocker supports optional key escrow to Active Directory. If the Active Directory service is hosted on a Windows version older than Windows Server 2008, a schema update may be required first<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx|title=Backing Up BitLocker and TPM Recovery Information to AD DS|accessdate=2016-07-01|author=|date=|publisher=Microsoft|archive-date=2016-08-09|archive-url=https://web.archive.org/web/20160809095124/https://technet.microsoft.com/en-us/library/dd875529(v=ws.10).aspx|dead-url=no}}</ref>.

BitLocker and other full-disk encryption systems can be attacked by a [[Rootkit|rogue boot manager]]. Once a malicious bootloader has obtained the information used for decryption, it can decrypt the Volume Master Key (VMK) and then decrypt or modify any data on the encrypted hard disk. By configuring the [[可信平台模块|TPM]] to protect the trusted boot path, including the [[BIOS]] and the [[引导扇区|boot sector]], BitLocker can mitigate this threat. (Note that some non-malicious changes to the boot path may cause the [[可信平台模块|Platform Configuration Register]] check to fail and thus generate a false warning.)<ref name=":2" />

== Security concerns ==
According to Microsoft<ref>{{cite web|url=http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx|title=Back-door nonsense|accessdate=|date=2006-03-02|last=|first=|work=System Integrity Team Blog|publisher=Microsoft|archive-url=https://web.archive.org/web/20100209023432/http://blogs.msdn.com/si_team/archive/2006/03/02/542590.aspx|archive-date=2010-02-09|deadurl=yes}}</ref>, BitLocker has no intentionally built-in [[軟體後門|backdoor]]; without one there is no way for law enforcement to obtain, through a secure channel provided by Microsoft, the data on a user's drive. In 2006 the [[英國內政部|UK Home Office]] expressed concern over the lack of a backdoor<ref>{{cite news|url=http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm|title=UK holds Microsoft security talks|last=Stone-Lee|first=Ollie|date=2006-02-16|publisher=[[英国广播公司|BBC]]|accessdate=2009-06-12|archive-date=2009-03-18|archive-url=https://web.archive.org/web/20090318144355/http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm|dead-url=no}}</ref> and tried to negotiate with Microsoft; Microsoft developer {{le|尼尔斯·弗格森|Niels Ferguson}} and other Microsoft spokespeople stated that they would not add one<ref>{{cite web|url=http://news.cnet.com/Microsoft-Vista-wont-get-a-backdoor/2100-1016_3-6046016.html|title=Microsoft: Vista won't get a backdoor|accessdate=2008-05-01|date=2006-03-03|last=Evers|first=Joris|work=CNET|publisher=CBS Interactive|archive-date=2011-06-16|archive-url=https://web.archive.org/web/20110616161547/http://news.cnet.com/Microsoft-Vista-wont-get-a-backdoor/2100-1016_3-6046016.html|dead-url=no}}</ref>. Microsoft engineers have said that [[联邦调查局|FBI]] agents also pressured them in numerous meetings to add a backdoor, although no formal written request was ever made; the Microsoft engineers eventually suggested to the FBI that agents should look for the {{le|硬拷贝|Hard copy}} of the key that the BitLocker program suggests its users create<ref>{{Cite web|url=http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/|title=Did the FBI Lean On Microsoft for Access to Its Encryption Software?|last=Franceschi-Bicchierai|first=Lorenzo|website=Mashable|access-date=2016-10-07|archive-date=2016-10-07|archive-url=https://web.archive.org/web/20161007083233/http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor/|dead-url=no}}</ref>. Although the AES encryption algorithm used by BitLocker is in the [[公有领域|public domain]], its implementation in BitLocker, like the other components of the software, is [[专有软件|proprietary]]. The code is available for review by Microsoft partners and enterprises, subject to a [[保密协议|non-disclosure agreement]].<ref>{{Cite news|url=https://www.petri.com/no-back-doors-microsoft-opens-windows-source-code-to-eu-governments|title=No Back Doors: Microsoft Opens Windows Source Code to EU Governments – Petri|last=Thurrott|first=Paul|date=2015-06-10|work=|newspaper=Petri|language=|access-date=2016-10-07|via=|archive-date=2017-02-22|archive-url=https://web.archive.org/web/20170222104448/https://www.petri.com/no-back-doors-microsoft-opens-windows-source-code-to-eu-governments|dead-url=yes}}</ref><ref>{{Cite web|url=https://www.microsoft.com/en-us/sharedsource/|title=Shared Source Initiative|last=Microsoft|first=|date=|website=www.microsoft.com|publisher=|access-date=2016-10-07|archive-date=2018-09-28|archive-url=https://web.archive.org/web/20180928191411/https://www.microsoft.com/en-us/sharedsource/|dead-url=no}}</ref>

BitLocker's "transparent operation mode" and "user authentication mode" use [[可信平台模块|TPM]] hardware to detect unauthorized changes to the [[BIOS]] and [[主引导记录|MBR]] pre-boot environment. If any unauthorized change is detected, BitLocker requests a recovery key on a USB device. This cryptographic secret is used to decrypt the Volume Master Key and allows the [[啟動程式|boot]] process to continue<ref name="TPM-operation2">{{cite journal|title=Keys to Protecting Data with BitLocker Drive Encryption|url=http://www.microsoft.com/technet/technetmag/issues/2007/06/BitLocker|last=Byron|first=Hynes|publisher=Microsoft|accessdate=2007-08-21|work=TechNet Magazine|journal=|archive-date=2007-09-03|archive-url=https://web.archive.org/web/20070903150307/http://www.microsoft.com/technet/technetmag/issues/2007/06/BitLocker/|dead-url=no}}</ref>.

In February 2008, a group of security researchers published details of a so-called "[[冷启动攻击|cold boot attack]]" that compromises full-disk encryption systems such as BitLocker by booting the machine from removable media, such as a USB drive, into another operating system and then [[核心转储|dumping]] the contents of pre-boot memory<ref name="ColdBoot2">{{cite thesis|url=http://citp.princeton.edu/pub/coldboot.pdf|title=Lest We Remember: Cold Boot Attacks on Encryption Keys|last1=Halderman|first1=J. Alex|last2=Schoen|first2=Seth D.|last3=Heninger|first3=Nadia|last4=Clarkson|first4=William|last5=Paul|first5=William|last6=Calandrino|first6=Joseph A.|last7=Feldman|first7=Ariel J.|last8=Appelbaum|first8=Jacob|last9=Felten|first9=Edward W|publisher=[[普林斯顿大学|Princeton University]]|format=PDF|date=2008-02-21|journal=|year=|volume=|pages=|via=|archive-url=https://web.archive.org/web/20110904213748/http://citp.princeton.edu/pub/coldboot.pdf|archive-date=2011-09-04|access-date=2017-07-02|dead-url=yes}}</ref>. The attack relies on the fact that [[DRAM]] {{le|数据残留|Data remanence|retains}} its contents for up to several minutes after power is removed (longer if the chips are cooled). The Bress/Menz device described in US patent 9,514,789 can carry out this kind of attack<ref>{{cite web|url=http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=bress.INNM.&s2=menz.INNM.&OS=IN/bress+AND+IN/menz&RS=IN/bress+AND+IN/menz|title=Systems and methods for safely moving short term memory devices while preserving, protecting and examining their digital data|website=USPTO.gov|access-date=2017-04-01|archive-date=2018-09-19|archive-url=https://web.archive.org/web/20180919025131/http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&co1=AND&d=PTXT&s1=bress.INNM.&s2=menz.INNM.&OS=IN%2Fbress+AND+IN%2Fmenz&RS=IN%2Fbress+AND+IN%2Fmenz|dead-url=no}}</ref>. Using the [[可信平台模块|TPM]] alone provides no protection, because the keys are held in memory while Windows is running. Similar full-disk encryption mechanisms from other vendors and operating systems, including [[Linux]] and [[Mac OS X]], are vulnerable to the same attack. The paper by the [[普林斯顿大学|Princeton University]] professors recommends that a computer be powered down, rather than left in [[睡眠模式|sleep mode]], whenever it is not in the physical control of its owner, and that the encryption software be configured to require a password to boot the machine<ref name="ColdBoot2" />.

Once a BitLocker-protected machine is running, its keys are stored in memory and may be susceptible to attack by a process that is able to access physical memory, for example through a [[IEEE 1394|1394]] or [[Thunderbolt]] [[直接記憶體存取|DMA]] channel<ref>{{cite web|url=http://support.microsoft.com/kb/2516445|title=Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker|accessdate=2011-03-15|date=2011-03-04|publisher=Microsoft|archive-date=2012-08-13|archive-url=https://www.webcitation.org/69sS3DtU7?url=http://support.microsoft.com/kb/2516445|dead-url=no}}</ref>. Starting with Windows 10 version 1803, Microsoft added a new feature called "Kernel DMA Protection" to BitLocker, which protects against DMA attacks through [[Thunderbolt 3]] ports<ref>{{cite web |url=https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt |title=Kernel DMA Protection for Thunderbolt™ 3 |publisher=Microsoft |date=2019-03-26 |access-date=2020-03-16 |archive-date=2020-04-22 |archive-url=https://web.archive.org/web/20200422022727/https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt |dead-url=no }}</ref>.

Initially, Windows Vista used AES in cipher block chaining (CBC) mode together with the Elephant Diffuser for disk encryption<ref>[http://www.ecice06.com/CN/article/downloadArticleFile.do?attachType=PDF&id=21245 Liang Min, Chang Chaowen, Fan Xuezhu. 加密存储算法和模式研究 (Research of Encryption Storage Algorithms and Modes)] {{Wayback|url=http://www.ecice06.com/CN/article/downloadArticleFile.do?attachType=PDF&id=21245 |date=20200503153546 }} 计算机工程 (Computer Engineering), 2011, 37(13): 101–103.</ref>. Starting with Windows 8 and Windows Server 2012, Microsoft removed the Elephant Diffuser from the BitLocker scheme without giving a reason, leaving plain CBC mode for disk encryption<ref>{{Cite web|url=https://technet.microsoft.com/en-us/library/hh831713.aspx|title=BitLocker Overview|website=technet.microsoft.com|access-date=2016-10-07|archive-date=2017-02-13|archive-url=https://web.archive.org/web/20170213185949/https://technet.microsoft.com/en-us/library/hh831713.aspx|dead-url=no}}</ref>. Research by software engineer Dan Rosendorf showed that removing the Elephant Diffuser had an "undeniably negative impact" on the security of BitLocker encryption<ref>{{Cite web|url=http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf|title=Bitlocker: A little about the internals and what changed in Windows 8|date=2013-05-23|last=Rosendorf|first=Dan|publisher=|archiveurl=https://web.archive.org/web/20160522145507/http://spi.unob.cz/presentations/23-May/07-Rosendorf%20The%C2%A0BitLocker%C2%A0Schema.pdf|archivedate=2016-05-22|website=|access-date=2016-10-07|deadurl=yes}}</ref>. Microsoft later explained that the diffuser had been removed for performance reasons and because it did not comply with the [[联邦信息处理标准|Federal Information Processing Standards]] (FIPS)<ref>{{Cite web|url=https://theintercept.com/2015/06/04/microsoft-disk-encryption/|title=Microsoft Gives Details About Its Controversial Disk Encryption|date=2015-06-04|last=Lee|first=Micah|publisher=|website=The Intercept|access-date=2016-10-07|archive-date=2018-10-03|archive-url=https://web.archive.org/web/20181003050637/https://theintercept.com/2015/06/04/microsoft-disk-encryption/|dead-url=yes}}</ref>. Starting with Windows 10 version 1511, Microsoft added the new FIPS-compliant {{le|磁盘加密理论|Disk encryption theory|XTS-AES}} encryption algorithm to BitLocker<ref name=":0" />.

On 10 November 2015, Microsoft released a security update that fixed a vulnerability in BitLocker. The vulnerability allowed an attacker to bypass [[Kerberos]] authentication on a target computer; the bypass could only be exploited when the computer was domain-joined and BitLocker was enabled on the target system without a [[PIN]] or USB key<ref>{{cite web|url=https://technet.microsoft.com/library/security/MS15-122|title=Microsoft Security Bulletin MS15-122 – Important|accessdate=2015-11-12|date=2015-11-10|work=Security TechCenter|publisher=[[微软|Microsoft]]|archive-date=2016-02-24|archive-url=https://web.archive.org/web/20160224173106/https://technet.microsoft.com/library/security/MS15-122|dead-url=no}}</ref>.

== manage-bde tool ==
Windows 7 added the <code>manage-bde</code> command-line tool for managing BitLocker-encrypted volumes. Its main parameters are:
{| class="wikitable"
|+
! Option
! Function
|-
| -status
| Shows whether each volume is encrypted or decrypted and the progress of any operation in progress
|-
| -on
| Starts encryption
|-
| -off
| Starts decryption
|-
| -pause
| Pauses encryption or decryption
|-
| -resume
| Resumes encryption or decryption
|-
| -lock
| Blocks access to the encrypted data
|-
| -unlock
| Allows access to the encrypted data
|-
| -autounlock
| Manages automatic unlocking of data volumes
|-
| -protectors
| Manages the protectors of the encryption key
|-
| -tpm
| Configures the computer's Trusted Platform Module
|-
| -SetIdentifier, -si
| Sets the identification field of a volume
|-
| -ForceRecovery, -fr
| Forces a BitLocker-protected operating system into recovery on restart
|-
| -changepassword
| Changes the password of a data volume
|-
| -changepin
| Changes the PIN of a volume
|-
| -changekey
| Changes the startup key of a volume
|-
| -upgrade
| Upgrades the BitLocker version
|-
| -ComputerName, -cn
| Runs the command on another computer, e.g. "ComputerX" or "127.0.0.1"
|-
| -?, /?
| Displays help, e.g. "-ParameterSet -?"
|-
| -Help, -h
| Displays full help, e.g. "-ParameterSet -h"
|}

== See also ==
* [[Windows Vista新功能|Features new to Windows Vista]]
* [[Windows组件列表|List of Microsoft Windows components]]
* [[下一代安全计算基础|Next-Generation Secure Computing Base]]
* [[FileVault]]

== References ==
{{Reflist|30em}}

== External links ==
* [https://technet.microsoft.com/library/cc732774.aspx BitLocker Drive Encryption Overview]{{Wayback|url=https://technet.microsoft.com/library/cc732774.aspx |date=20161117004346 }}
* [https://www.microsoft.com/download/details.aspx?id=7806 Download the BitLocker Drive Preparation Tool]{{Wayback|url=https://www.microsoft.com/download/details.aspx?id=7806 |date=20190924171028 }}
* [http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx BitLocker page at the Windows Hardware Developer Center]{{Wayback|url=http://www.microsoft.com/whdc/system/platform/hwsecurity/default.mspx |date=20100926011715 }}
* [https://web.archive.org/web/20100505054504/http://blogs.msdn.com/si_team/default.aspx System Integrity Team Blog]
* [http://testlab.sit.fraunhofer.de/downloads/Publications/Attacking_the_BitLocker_Boot_Process_Trust2009.pdf Attacking the BitLocker Boot Process]{{Wayback|url=http://testlab.sit.fraunhofer.de/downloads/Publications/Attacking_the_BitLocker_Boot_Process_Trust2009.pdf |date=20170705102910 }}
* [https://www.ytyzx.org/index.php?title=%E5%A6%82%E4%BD%95%E4%BF%AE%E5%A4%8DBitLocker%E6%97%A0%E6%B3%95%E4%BF%AE%E6%94%B9%E5%AF%86%E7%A0%81%E9%94%99%E8%AF%AF&variant=zh-cn Fixing the BitLocker "cannot change password" error]{{Wayback|url=https://www.ytyzx.org/index.php?title=%E5%A6%82%E4%BD%95%E4%BF%AE%E5%A4%8DBitLocker%E6%97%A0%E6%B3%95%E4%BF%AE%E6%94%B9%E5%AF%86%E7%A0%81%E9%94%99%E8%AF%AF&variant=zh-cn |date=20171211213700 }}

{{Windows Components}}
{{Windows commands}}

[[Category:Windows Server 2008]]
[[Category:Windows 7]]
[[Category:Windows Vista]]
[[Category:加密软件]]
[[Category:Microsoft Windows安全技术]]
[[Category:磁盘加密]]

{{Good article}}
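The provisioning sequence described under "Operation" (initialize the TPM, pick a key protector, encrypt in the background, escrow the recovery key to Active Directory) and the posture questions raised under "Encryption modes" and "Security concerns" (TPM-only protectors versus TPM + PIN, CBC without the diffuser versus XTS-AES), as an added worked example in PowerShell. This script is not part of the article and is not Microsoft's code; it uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8 / Windows Server 2012 and later, and the function names, the choice of <code>C:</code> as the OS volume and the 6-digit PIN prompt are assumptions of the example.

```powershell
# Added example (not from the article or from Microsoft): enrol the OS volume
# with a TPM + PIN protector, escrow a recovery password to AD DS, then report
# the security posture of every BitLocker volume. Function names, the C: mount
# point and the PIN prompt are assumptions made for this example.

#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-BitLockerPrerequisites {
    param([string]$MountPoint = 'C:')
    # The transparent and user-authentication modes both need a TPM (1.2 or later).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        throw 'No TPM present: only USB-key or password protectors are possible on this machine.'
    }
    if (-not $tpm.TpmReady) {
        # Initialize (provision) the TPM before any TPM-based protector is configured.
        Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
    }
    # The OS volume must be NTFS; BitLocker itself refuses to start if the separate,
    # unencrypted system volume that the article describes is missing.
    $vol = Get-Volume -DriveLetter $MountPoint.TrimEnd(':')
    if ($vol.FileSystem -ne 'NTFS') {
        throw "$MountPoint is $($vol.FileSystem); BitLocker requires NTFS for the OS volume."
    }
    return $true
}

function Enable-OsVolumeBitLocker {
    param(
        [string]$MountPoint = 'C:',
        [Parameter(Mandatory)][securestring]$Pin
    )
    $status = Get-BitLockerVolume -MountPoint $MountPoint
    if ($status.VolumeStatus -eq 'FullyDecrypted') {
        # TPM + PIN: the TPM seals the VMK and unseals it only when the measured boot
        # path is unchanged AND the user enters the PIN, so a stolen powered-off
        # machine cannot simply be booted to load the key into RAM (TPM-only risk).
        # XTS-AES is the FIPS-compliant mode added in Windows 10 version 1511.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    }
    # Add a 48-digit recovery password as the escrowed recovery key, unless one exists.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
    # Escrow to AD DS (the article notes pre-2008 forests need a schema update first).
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint)
}

function Get-BitLockerPosture {
    # One row per volume, in the spirit of "manage-bde -status", plus the weak spots
    # discussed under "Security concerns".
    foreach ($v in Get-BitLockerVolume) {
        $types  = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $cipher = $v.EncryptionMethod.ToString()
        [pscustomobject]@{
            MountPoint         = $v.MountPoint
            VolumeType         = $v.VolumeType
            Status             = $v.VolumeStatus          # e.g. EncryptionInProgress
            Protection         = $v.ProtectionStatus      # On / Off (keys exposed while Off)
            Cipher             = $cipher
            Protectors         = ($types -join ',')
            # Aes128/Aes256 are plain CBC (diffuser dropped in Windows 8); the
            # *Diffuser values are the Vista-era CBC + Elephant Diffuser scheme.
            LegacyCbcCipher    = ($cipher -in 'Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser')
            # TPM-only on the OS volume is the configuration the cold boot and
            # MS15-122 discussions single out; TPM + PIN (or + startup key) is not.
            TpmOnly            = ($v.VolumeType -eq 'OperatingSystem' -and ($types -contains 'Tpm') -and
                                  -not (($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')))
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        }
    }
}

# Usage (interactive). Not executed when the file is dot-sourced into another script.
if ($MyInvocation.InvocationName -ne '.') {
    Test-BitLockerPrerequisites -MountPoint 'C:' | Out-Null
    $pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN (6 or more digits)'
    Enable-OsVolumeBitLocker -MountPoint 'C:' -Pin $pin | Out-Null
    Get-BitLockerPosture | Format-Table -AutoSize
    # The same facts from the tool documented in the "manage-bde tool" section:
    manage-bde -status C:
    manage-bde -protectors -get C:
}
```

<code>Enable-BitLocker</code> only starts the background encryption, so immediately afterwards <code>Get-BitLockerPosture</code> reports <code>EncryptionInProgress</code>; as the article notes, the keys are only protected once the whole volume is encrypted. The example also assumes that the "Require additional authentication at startup" Group Policy setting permits a TPM + PIN protector, since the cmdlet refuses the protector otherwise.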