Full Drive Encryption, Key management and MBAM

(Microsoft announces end of mainstream support for MBAM as of July 2019)

WinMagic’s CEO, Thi Nguyen-Huu, has blogged in the past about the ideal architecture for Full Drive Encryption and Key Management (Separating Encryption and Key Management). By separating key management, which includes authentication, from the actual encryption layer, one can use a single key manager across many platforms while still selecting the best individual encryption solution for each use case where storage encryption is needed.

In my opinion, BitLocker is a good choice for the encryption layer on Windows, primarily because encryption is a low-level function best done by the OS for compatibility (or, even better, done in the hardware of the drive, which gives transparency and performance well below the OS). However, as I have written before, BitLocker alone is not good enough: not good enough operationally, and not good enough from a security or compliance perspective. A capable key management layer must be paired with BitLocker to have a full solution.

Microsoft BitLocker Administration & Monitoring (MBAM) is one possible choice for the key management layer, but it suffers from many deficiencies, including:

  1. No user based Pre-Boot Authentication
  2. Being limited to supporting Microsoft platforms (no Apple FV2 support, etc.)
  3. Being expensive and cumbersome to set up and operate.

Now there is another reason not to choose MBAM: Microsoft is ending mainstream support for MBAM as of July 2019. I am not privy to Microsoft’s thinking as to why they are ending support. It may be that they recognized MBAM’s deficiencies, but my guess is that they just want to move customers to their Azure cloud, and it is not really about improving compliance and security. In this article Microsoft writes: “Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the PowerShell examples to see how to store recovery keys in Azure Active Directory (Azure AD).”

Have a look at the PowerShell examples. This doesn’t look like it was fully thought out by a security company. Issues 1) and 2) above are not addressed. Azure AD may well be more operationally efficient than MBAM if you master PowerShell, but is it a good idea to store your recovery keys in a public cloud? I don’t think so, and many enterprises are not going to be able to entrust the keys for their laptops to a third party for safekeeping. Cloud-based keys aren’t secure. Moving to cloud-based key control is not an option for security-classified environments, as the risks to security control are just too high to outsource to third-party cloud vendors. Have a look at this post to see what the Microsoft TechNet community’s sentiment is about MBAM’s demise and the ‘alternatives’ Microsoft has for them.

Key Management for FDE is what we at WinMagic do best. With our SecureDoc BitLocker management solution, organizations can take advantage of Microsoft’s native OS encryption while tightening security through improved authentication and integration with SecureDoc pre-boot networking and authentication. Thousands of organizations worldwide use and trust WinMagic’s SecureDoc to manage not only their BitLocker-encrypted devices, but also any software-based, native or hardware-based encryption solution, across Windows, Mac and Linux and across any endpoint, data center, virtualized or cloud environment. When you’re serious about data security, you need a partner that specializes in encryption.
