BitLocker Brings Encryption to Windows Server 2008
Microsoft built full disk encryption into Windows Server 2008 with an often-overlooked, optional feature called BitLocker, which can be very effective for enhancing the security of servers at branch offices.

While main office servers are usually placed in secure server rooms or data centers, servers in branch offices are often locked in a closet or simply placed under a desk. In these circumstances it is not hard to imagine that an intruder could tamper with a server or steal a hard drive, or an entire server, overnight. When a malicious person can get access to a server in this way, they can execute any number of "physical access" attacks to get at the data, including connecting the hard drive to another machine, or booting the server into a different operating system from a CD or thumb drive and accessing files that would normally be protected by the server's operating system.

This "branch office security" problem has also been addressed by Microsoft in Server 2008 with the inclusion of read-only domain controllers (RODCs) that can help ensure fast logons for users at branch offices without the possibility of an intruder making changes to the Active Directory Domain Services database on a running domain controller.

BitLocker helps protect against physical access attacks by encrypting an entire disk volume or volumes, including the operating system, applications, and data. This is a one-time process during which the server can continue to run normally. Once completed, BitLocker is completely transparent to the operating system (and applications) while the server is running, but if the server is stolen or the disk is removed and reinstalled in another machine the data contained on it is unreadable.

At its most basic level, BitLocker requires nothing more than a USB startup key to be inserted into the server when it is booted so that it can start up normally. After that a filter driver in the Windows Server 2008 file system stack encrypts and decrypts disk sectors transparently as data is written to and read from the protected volume. Typically this involves a minimal negative impact on performance of no more than 3 to 5 percent. For the BitLocker protection to be effective it is clearly important that the startup key is removed and kept separate from the server after it has been booted – something that could prove inconvenient if a server at a branch office needs to be rebooted remotely by an administrator at head office.

There are also three other levels of protection, but for these to work it is necessary to have a server with a compatible Trusted Platform Module (TPM) chip and BIOS. A compatible TPM is defined as a version 1.2 TPM, while a compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group.

On servers with a TPM, BitLocker performs a check to verify the integrity of early boot components and boot configuration data. BitLocker only makes the encrypted volume accessible if those components have not been tampered with -- for example, with the introduction of a rootkit or boot sector virus, or an unauthorized modification to the BIOS -- and the encrypted drive is located in the original computer. If any changes are detected the system is locked and can only be unlocked by an administrator.
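
The integrity check described above rests on the TPM's "extend" operation, which folds each measured boot component into a Platform Configuration Register (PCR). The sketch below is an added example, not Microsoft's code: it models a single PCR and a toy TPM that releases a sealed secret only when the measured boot chain is unchanged. The component byte strings and the ToyTPM class are constructed for illustration, and real BitLocker binds to several PCRs rather than one.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def extend(pcr, component):
    """TPM 1.2 extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components):
    """Fold an ordered boot chain into one PCR value, starting from zeros."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Models sealing only: the secret is released when the PCR matches."""
    def __init__(self):
        self._sealed = {}

    def seal(self, name, secret, pcr):
        self._sealed[name] = (pcr, secret)

    def unseal(self, name, current_pcr):
        expected, secret = self._sealed[name]
        if hmac.compare_digest(expected, current_pcr):
            return secret
        return None  # mismatch: the volume stays locked

# Constructed stand-ins for the measured early boot components.
GOOD_CHAIN = [b"bios-image-v1", b"master-boot-record", b"boot-manager"]

def demo():
    tpm = ToyTPM()
    tpm.seal("vmk", b"volume-master-key", measure_boot(GOOD_CHAIN))
    tampered = [GOOD_CHAIN[0], b"master-boot-record+bootkit", GOOD_CHAIN[2]]
    reordered = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]
    return {
        "clean": tpm.unseal("vmk", measure_boot(GOOD_CHAIN)),
        "tampered": tpm.unseal("vmk", measure_boot(tampered)),
        "reordered": tpm.unseal("vmk", measure_boot(reordered)),
    }

if __name__ == "__main__":
    print(demo())
```

Because each extend hashes the previous PCR value, a change to any one component, or to the order in which components run, yields a different final value and the key is withheld.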

For the most convenient operation, the key needed to make a BitLocker-protected server accessible is actually stored in the TPM, so no additional USB startup key is needed. In this configuration a server is protected from tampering as described above, and the hard disk is also protected by encryption in case it is removed from the server. Since no startup key is needed, administrators can easily reboot the server remotely, but if the whole server is stolen then some or all of the data may be accessible to thieves if they can start the server.

For additional protection BitLocker can also work with some form of two-factor authentication – either a USB startup key or a PIN that must be entered locally by a user, as well as the TPM. When this is enabled an intruder would be unable to start the server or access the data on it even if the entire server is physically removed.

At this point it is worth taking a closer look at the encryption involved. A BitLocker volume is actually encrypted using a 256-bit AES key called a Full Volume Encryption Key. This key is encrypted using another 256-bit AES key called the Volume Master Key. It is this Volume Master Key that is protected by a USB startup key or a PIN, or by the TPM. The advantage of having the Volume Master Key as an intermediate key between the Full Volume Encryption Key on one side and a startup key or PIN on the other is that if the startup key or PIN is lost or compromised, the system can be re-keyed with a new Volume Master Key, without the need to decrypt and re-encrypt the entire volume with a new Full Volume Encryption Key.
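
The key hierarchy and the re-keying property can be shown in a few lines. This is an added example, not BitLocker's implementation: wrap() and unwrap() are a stand-in built from SHA-256 and HMAC in place of AES (not real cryptography), and the ProtectedVolume class and its data are constructed. It assumes the old protector is still available at re-key time; when it is lost, a recovery key would play that role.

```python
import hashlib
import hmac
import os

def _xor_stream(key, nonce, data):
    # Keystream from SHA-256 in counter mode, XORed over the data.
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key, plaintext):
    """Stand-in for AES (not real cryptography): encrypt, then append an HMAC tag."""
    nonce = os.urandom(16)
    body = nonce + _xor_stream(key, nonce, plaintext)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unwrap(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(key, body[:16], body[16:])

class ProtectedVolume:
    def __init__(self, data, protector):
        fvek, vmk = os.urandom(32), os.urandom(32)   # two 256-bit keys
        self.sectors = wrap(fvek, data)              # bulk data under the FVEK
        self.wrapped_fvek = wrap(vmk, fvek)          # FVEK under the VMK
        self.wrapped_vmk = wrap(protector, vmk)      # VMK under startup key/PIN/TPM

    def _fvek(self, protector):
        return unwrap(unwrap(protector, self.wrapped_vmk), self.wrapped_fvek)

    def read(self, protector):
        return unwrap(self._fvek(protector), self.sectors)

    def rekey(self, old_protector, new_protector):
        """Replace the VMK and protector; self.sectors is never touched."""
        fvek, new_vmk = self._fvek(old_protector), os.urandom(32)
        self.wrapped_fvek = wrap(new_vmk, fvek)
        self.wrapped_vmk = wrap(new_protector, new_vmk)

def demo():
    old, new = os.urandom(32), os.urandom(32)  # constructed startup keys
    vol = ProtectedVolume(b"branch office payroll data" * 100, old)
    before = vol.sectors
    vol.rekey(old, new)
    return vol.sectors == before, vol.read(new), old, vol
```

After rekey() the bulk ciphertext is byte-for-byte identical, the new protector reads the data, and the old protector no longer unlocks anything.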

Disk encryption is intended to protect data from intruders, but what happens if it becomes inaccessible? This can happen in the following circumstances:

- A BitLocker-protected drive is moved to a new computer.
- A new motherboard with a new TPM is installed in the server.
- The TPM is disabled or cleared.
- The BIOS is updated.
- Early boot components are upgraded, causing the system integrity validation to fail.
- The startup PIN is forgotten, or the USB startup key is lost, when either of these two authentication methods has been enabled.

In any of these situations, BitLocker can be put into recovery mode, and the volume can be made accessible using a recovery password or a recovery key held on a USB drive that is created when BitLocker is enabled. The recovery password can also be created and stored in an Active Directory Database.

It's important to be clear that BitLocker is no panacea for security worries – it does nothing to protect running servers from hackers breaking in over the network, for example. But thanks to some heavy-duty encryption it can protect your data if an intruder gains access to your server, and in a branch office environment this is a situation that is very difficult to rule out.

   
Paul Rubens is a regular contributor to the Internet.com network.
Copyright 2008 Jupitermedia Corporation All Rights Reserved.