What is the Difference Between EFS and Bitlocker? - Part 1
Hard Disk (Very) Basics
In order to understand the differences between the EFS and the BitLocker, we have to understand some basics about our harddsisks.
First of all, we have to understand logical volumes. When you double click on the My Computer icon, you will see A:, C: and D:, given that you have a floppy drive (A:), a hard disk drive (C:) and an optical drive –CD or DVD- (D:) physically present inside your computer. Now, suppose that during the installation, you have chosen to divide your hard disk into two, let’s say you have a 250 Gigabyte capacity hard disk and you made one for 100 Gigabytes and one for 150 Gigabytes. After you complete the installation and again double click on the My Computer icon, you will see A:, C:, D: and E: drives. A is your floppy disk drive, and C: is splitted into two as C: (100 Gigabytes) and D: (150 Gigabytes), remaining E: as the optical drive. Considering that you have one physical drive, you actually created two logical volumes of 100 and 150 Gigabytes.
Then, we have filesystems and file tables. The Master File Table (MFT) is basically a database, or a list if you prefer, that keeps track of all your files on your computer. So if you move a file from one folder to another, nothing changes in your computer except the entry about the file in the MFT is changed. That is, if you move picture.jpg from My Documents to Desktop, the file actually does not move. The entry in the MFT shows Desktop instead of My Documents. What formatting the hard drive does basically is to delete the MFT and for this reason it is very possible to recover data from a formatted hard disk.
Finally we have encryption, meaning that protecting access to data except by the authenticated users.
Encrypting File System
Encrypting File System is a filesystem-level encryption, which means that the files and folders are encrypted with a password. I will not go into the details of the encryption with the EFS Keys and public/private key exchanges, because it is an immense issue that can not be explained in an article. Anyway, the contents of the files and folders that are encrypted can not be seen. There is also a risk associated with this. If an attacker can gain physical access to the system, then s/he can see the files and folders but can not access the contents. The risk here is seeing the files and folders and depends on your perceived security level: if looking at the names are not important for you, then you can safely assume no risk. However, you have to note that everything you encrypted depends on your password. If you have assigned 123456 as your password, then be sure that the attacker can try a brute force attack (which is trying to guess the password by trial and error with a software assistance) and most likely to succeed in an hour. On the other hand, if you use a strong password and forget it, then you will say good-bye to your files. Proceed with caution.
BitLocker encryption, which came with the Windows Vista’s Business and Ultimate versions, uses a different approach than EFS. BitLocker uses a hardware-level encryption on the hard disk but on the other hand, it is the same with EFS with filesystem level encryption. So, you can encrypt entire logical volumes with BitLocker. It has three implementations:
1. User authentication mode: Before booting the computer, the user has to authenticate him/herself to the system with a password and/or a USB key. Otherwise s/he will not be able to boot the operating system.
2. Transparent operations mode: The mode uses the hardware level control with the Trusted Platform Module (TPM) and the BIOS. TPM is actually a chip that has some cryptography embedded. When the system is booted, TPM speaks with the BIOS and allows the operating system to start only if the boot files are unmodified. However, an attacker who has a physical access to the system can gain access to the system with a hard reboot attack (hard reboot attack is simply done by resetting the computer, to say without going to proper shutdown procedure.)
3. USB Key mode: The computer can only be booted by inserting a USB key which has the necessary codes/keys to allow the computer to start. However, this system can not be used in computers that do not allow booting from USB in the BIOS.
To use the BitLocker systems either in user authentication mode or transparent operations mode, there must be a TPM chip present in your computer. Otherwise your only option will be to use the USB Key mode (see How to Use BitLocker Drive Encryption Without a TPM Chip for more information).
In this article we have seen the hard disk basics and the EFS and BitLocker encryption systems. We can not say that “this one is the best” because every choice has its own pros and cons and “the best” depends on what security level you have in mind. “User authentication mode” can be the most aggressive, but if you lose the USB key or if the files inside get corrupt, you will not be able to access anything on your computer.
More about BitLocker
Be sure to check out our other articles about Bitlocker including BitLocker Recovery Password Viewer Helps You Not to Lose Data, How To Avoid the Bitlocker Blues, Protecting Your Data with BitLocker Drive Encryption, How to Use BitLocker Drive Encryption Without a TPM Chip and EFS vs Bitlocker: What’s the Difference?