rvlsoft - Fotolia

How does Microsoft BitLocker secure local, cloud resources?

The BitLocker encryption technology continues to evolve from its roots as a Windows Vista feature to protect resources both in the local data center and in the Azure cloud platform.

Few technologies have been as important in IT and enterprise security as encryption, using a mathematical algorithm to scramble the contents of a file -- or even an entire disk.

Without the unique key used to encrypt the data, nobody else can -- at least, easily -- decrypt and discover the hidden contents. In the event of a breach or some other inappropriate event, the data remains private and inaccessible.

What is Microsoft BitLocker technology?

Microsoft BitLocker encryption is a longtime Windows feature that debuted with Windows Vista in 2007. Microsoft continues to develop BitLocker as a full-volume drive encryption platform. BitLocker employs the AES encryption algorithm -- in cipher block chaining or XTS mode -- with either a 128-bit or 256-bit key. The platform is commonly available in Windows 10 and Windows Server.

How does BitLocker work in Azure?

More recently, Microsoft added BitLocker technology as a service for Azure Windows virtual machines called Azure Disk Encryption (ADE). The ADE -- essentially a BitLocker -- encryption key is stored and protected by the Azure Key Vault service, and only authorized key users can read or run the protected Azure VM. ADE protects the VM host disks, local cache and any data in transit between an Azure VM and Azure Storage.

To use ADE, the administrator creates a key store for ADE and assigns user permissions. After a resource -- such as a VM -- is created, the administrator can attach a key vault and select a key to encrypt the resource.

How does Microsoft BitLocker work on networks?

But this is not the only evolutionary use of Microsoft BitLocker, which is also used as a secure means of booting on-premises servers on wired or wireless networks. The technology is called BitLocker Network Unlock. BitLocker Network Unlock adds a physical factor of authentication (the actual physical server), building security for vital systems without the need for user interaction.

Consider an example: A sensitive enterprise database server is off and locked down with BitLocker. The underlying physical server uses a Trusted Platform Module (TPM) and is configured to use network unlock. When the database server is powered on, it obtains a key from the TPM and then sends the key and a request to a separate Windows Deployment Server (WDS) on the local network. If the WDS recognizes the TPM key and request by determining the service exists on the local network, the WDS sends all of the credentials the database server needs to unlock the protected server, decrypting the disk and allowing the system to boot normally.

Dig Deeper on Windows Server OS and management