Data Encryption Toolkit for Mobile PCs

Published: April 4, 2007   |   Updated: May 29, 2007

 

Download this Solution Accelerator

Click here to get the Data Encryption Toolkit for Mobile PCs from the Microsoft Download Center.

About This Solution Accelerator

The Data Encryption Toolkit for Mobile PCs provides tested guidance and powerful tools to help you protect your organization’s most vulnerable data. The strategies outlined in this Toolkit are easy to understand, and the guidance shows you how to optimize two key encryption technologies already available to you in Windows® XP or Windows Vista®: the Encrypting File System (EFS) and Microsoft® BitLocker™ Drive Encryption (BitLocker).

  • EFS allows you to protect sensitive files so they can only be accessed by authorized users. EFS is included with Windows XP Professional and with most editions of Windows Vista.
  • BitLocker encrypts all data on a system volume to prevent unauthorized users from successfully booting the PC with a different operating system or swapping the drive to a different computer to read the data. BitLocker is included with the Enterprise and Ultimate editions of Windows Vista.

The Data Encryption Toolkit for Mobile PCs shows you how to effectively use both EFS and BitLocker across your organization. The Toolkit also provides you with software tools and scripts to help you centrally configure, deploy, and manage encryption settings on all your mobile PCs.

Included in the Download

The Data Encryption Toolkit for Mobile PCs consists of the following four components:

  • Executive Overview. This document provides a broad survey from a business and regulatory perspective of how mobile data is at risk and how the Data Encryption Toolkit for Mobile PCs can help. It also provides information about how you can use the guidance and tools in this Solution Accelerator as well as tools you may already have licensed to mitigate these risks.
  • Security Analysis. This guide provides an in-depth review of how EFS and BitLocker can help you address the unique risks associated with data on mobile PCs.
  • Planning and Implementation Guide. This guide describes how to plan for, configure, deploy, and operate EFS and BitLocker in your organization.
  • The Microsoft Encrypting File System Assistant. The EFS Assistant is a software tool you can use to centrally control EFS settings on all your PCs (the EFS Assistant also works with desktop PCs). The EFS Assistant can help you encrypt the sensitive files on your users' laptops, regardless of where those files are located. In addition, the EFS Assistant operates transparently to end users, eliminating training issues or other impacts.

In More Detail

The Microsoft Data Encryption Toolkit for Mobile PCs describes two effective and low-cost solutions for data encryption. The Toolkit is a valuable resource for any security professional who needs to resolve data security issues on mobile computers. Effective implementation of the guidance provided in the Toolkit can help organizations meet certain regulatory requirements. In addition, these technologies provide especially attractive solutions because they are already licensed with the Windows XP Professional and Windows Vista operating systems.

The Toolkit is based on the Encrypting File System (EFS) and BitLocker Drive Encryption, both of which provide robust encryption mechanisms but serve slightly different purposes. The Toolkit provides detailed information about how these security technologies work. It also describes scenarios for which each technology is appropriate, provides deployment best practices, and considers operational issues such as key and data recovery.

The Toolkit benefits and features include the following:

  • Low acquisition costs. EFS and BitLocker are already included in certain versions of the Microsoft Windows operating system. No additional expenditures are needed to acquire them.
  • Low operations costs. EFS and BitLocker are robust but simple and require little or no operational maintenance.
  • Ease of deployment. The Toolkit deploys easily in environments that use software distribution technologies such as Active Directory® Domain Services and Microsoft Systems Management Server.
  • Robust security. EFS and BitLocker are based on industry standards and certified encryption algorithms.
  • Minimal user impact. When effectively configured, the Toolkit is almost completely transparent to users. Minimal technical training will be required (although good data handling and storage training will always be necessary).
  • Central management and extended control. Implementation of the Toolkit can help IT organizations extend control to all mobile PCs from a central management infrastructure, which can help ensure uniform compliance.
  • Uniform solution. The Toolkit is applicable to desktop computers and mobile computers.

BitLocker Drive Encryption

BitLocker Drive Encryption, a new feature in Windows Vista, provides a seamless way to encrypt all data on an entire hard disk volume. When BitLocker is configured, it works transparently in the background and does not affect typical use of the PC or its applications. BitLocker encrypts the entire volume, so it can prevent many attacks that try to circumvent the security protections in Windows that cannot be enforced before Windows has started.

BitLocker also offers enhanced security for encrypted data by using a security hardware module called a Trusted Platform Module (TPM). TPMs provide offline storage of root encryption keys and an optional personal identification number (PIN) that would be necessary to unlock the disk encryption. TPMs currently ship on laptops from almost all major vendors, including Compaq, Dell, Lenovo, and Toshiba.

Encrypting File System (EFS)

EFS provides seamless data encryption for user-selected folders and individual files. After encryption is enabled, the user experience is transparent. EFS can also help protect against intruders who use certain known attacks to gain unauthorized access to the computer.

Microsoft Encrypting File System Assistant

The Microsoft Encrypting File System Assistant (EFS Assistant) tool complements EFS—it provides an automated, probabilistic way to detect which files should be encrypted. Like EFS, it is essentially transparent to users. It can be configured to regularly scan the hard disk for new data files that are likely candidates for encryption. This functionality mitigates the risk of new user data files being created but left unencrypted and thus exposed.

Related Resources

See the following resources on the Microsoft Web site for more information about this and other Solution Accelerators:

Community and Feedback

  • Want to know what’s coming up next? Check out our Security Guidance Blog.
  • E-mail your feedback to the following address: SecWish@microsoft.com
  • If you’ve used a Solution Accelerator within your organization, please share your experience with us by completing this short survey (less than ten minutes long).

About Solution Accelerators

Solution Accelerators are authoritative resources that help IT pros plan, deliver, operate, and manage IT systems that address real-world scenarios. Solution Accelerators provide free, prescriptive guidance and automation to accelerate cross-product integration, core infrastructure development, and other enhancements.

Register to receive the Solution Accelerator Notifications newsletter so that you can stay informed about new Solution Accelerator releases and updates. The newsletter covers such areas of interest as

  • Communication & Collaboration
  • Security, Data Protection, & Recovery
  • Deployment
  • Operations & Management

Download this Solution Accelerator

Click here to get the Data Encryption Toolkit for Mobile PCs from the Microsoft Download Center.