File Encryption Using VHD and BitLocker
When I was thinking of topics to write about, the idea of protecting the data we work with came to mind. There’s always some sort of data that we want to keep safe, such as personal information, customer data, super-secret-squirrel project files…and the list goes on. For example, when working on various testing engagements, we often have access to various types of sensitive information, and it’s critical that we do everything we can to protect that information.
When it comes to data protection, it’s typically good to have more than one security control in place. That way, if one control fails, or is circumvented, then additional controls are still in place. This is generally referred to as layered security, or sometimes defense-in-depth. Done properly, adding multiple layers of security is a great way to enforce good security habits as well as strengthen your overall security posture.
Today we’re going to look at an option in Windows 10 for protecting sensitive data. One way we do this, in addition to using full drive encryption, is by creating a Virtual Hard Disk (VHD) and then encrypting it with BitLocker. A VHD is a file you can create that acts like a physical hard drive, and the encryption process renders the data unreadable to anyone attempting to access it without the proper key. This provides an additional layer of security by allowing you to encrypt and store sensitive files in a virtual partition. Windows 10 also has a newer VHDX file format, which has additional features such as an increased size limit (up to 64 TB) and protection against data corruption caused by power failures.
The creation of a VHD (or VHDX) file is fairly straightforward, and there are several online tutorials for setting it up. As a very brief guide, go to Disk Management to create the file. After the VHD file is created, it will need to be initialized. You should choose the MBR option if it will later get mounted on a Windows 7 system. Next, create your volume partition on the VHD and format it just like you would a regular drive.
Your new VHD file will appear under This PC as if it were another drive on your computer. To encrypt it with BitLocker, you will need Windows 10 Professional or Enterprise. Right-click on the virtual hard disk and click to Turn on BitLocker. This will walk you through a setup wizard where you’ll:
- provide a strong password
- save your recovery key
- decide how much of the drive to encrypt
- choose the encryption mode to use
With very little effort, your new virtual hard disk is now encrypted and any files stored here will also be encrypted. Simply provide your password to unlock the drive and access your files. The VHD file itself can be stored on the computer, saved to disk, or copied to an external drive. If you’re planning to access the files on older Windows machines, then be sure that you select the compatible mode during encryption.
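The same create, initialize, format and encrypt steps as a script, added here as an example rather than taken from the original post. It assumes an elevated PowerShell session on Windows 10 Pro/Enterprise with the Hyper-V PowerShell module installed (for New-VHD, Mount-VHD and Dismount-VHD); the path, size, label and recovery-file location are constructed sample values.

```powershell
# Added example (not from the original post). Assumes Windows 10 Pro/Enterprise,
# an elevated session, and the Hyper-V PowerShell module. Sample values are constructed.
$VhdPath    = 'C:\Vaults\engagement.vhdx'   # constructed sample path
$SizeBytes  = 10GB
$Compatible = $false   # set $true if the file must also be opened on Windows 7

# 1. Create a dynamically expanding VHDX and attach it as a disk.
New-VHD -Path $VhdPath -SizeBytes $SizeBytes -Dynamic | Out-Null
Mount-VHD -Path $VhdPath
$disk = Get-Disk -Number (Get-VHD -Path $VhdPath).DiskNumber

# 2. Initialize (MBR if Windows 7 must mount it, GPT otherwise), partition and format.
$style = if ($Compatible) { 'MBR' } else { 'GPT' }
Initialize-Disk -Number $disk.Number -PartitionStyle $style
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel 'Vault' -Confirm:$false | Out-Null
$mount = "$($part.DriveLetter):"

# 3. Turn on BitLocker with a password protector. XtsAes256 is the Windows 10
#    ("new") mode; plain Aes256 is the compatible mode older Windows can read.
$method = if ($Compatible) { 'Aes256' } else { 'XtsAes256' }
$pw = Read-Host -AsSecureString -Prompt 'Password for the vault'
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw `
    -EncryptionMethod $method -UsedSpaceOnly   # empty drive: used space only is enough

# 4. Add a recovery password and save it somewhere other than inside the VHD itself.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
$rp.RecoveryPassword | Set-Content -Path "$env:USERPROFILE\Documents\vault-recovery.txt"

# 5. Lock the volume and detach the file. To use it later: Mount-VHD, then
#    Unlock-BitLocker -MountPoint <letter>: -Password <SecureString>.
Lock-BitLocker -MountPoint $mount -ForceDismount
Dismount-VHD -Path $VhdPath
```

Keep the recovery password file off the encrypted volume and out of the same folder as the VHD, otherwise it provides no recovery value at all.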