Chinese-English Translation:
Windows BitLocker Drive Encryption better protects the data on a computer by encrypting all data stored on the Windows operating system volume. BitLocker uses a TPM (Trusted Platform Module) to help protect the Windows operating system and user data, and to help ensure that the computer is not tampered with even when it is unattended, lost, or stolen. BitLocker can also be used without a TPM. To use BitLocker on a computer that has no TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption key is stored on a USB flash drive, which must be present to unlock the data stored on the volume.
Feature overview
BitLocker Drive Encryption is a data protection feature introduced in Windows Vista. It mainly addresses a problem people are increasingly concerned about: data theft or malicious leakage caused by the physical loss of computer equipment. The feature is also available in the newer Windows 8.1. BitLocker shipped with Windows Server 2008 as well; it protects important data by encrypting logical drives and also provides a system boot integrity check.
BitLocker uses the TPM to help protect the Windows operating system and user data, and to help ensure that the computer is not tampered with even when it is unattended, lost, or stolen.
The Trusted Platform Module (TPM) is a microchip built into the computer. It is used to store cryptographic information such as encryption keys. Information stored in the TPM is better protected against external software attacks and physical theft. BitLocker encrypts all data stored on the Windows operating system volume; by default it uses the TPM to ensure the integrity of the early boot components (the components used in the earliest stages of the boot process) and to "lock" any BitLocker-protected volume so that it stays protected even if the computer is tampered with.
BitLocker does have one shortcoming: once an encrypted drive has been unlocked, no password is needed to open it again. So how can a password be required every time the encrypted drive is accessed? That is probably something for Microsoft to improve in a later release, but for now you can type "cmd" in the Start menu search box, run it as an administrator, and enter the command manage-bde -lock X: (where X is the drive letter of the encrypted disk). This locks the encrypted drive again.
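The same re-lock step, written as a PowerShell function that checks the volume's state before and after locking. This is an added example and not code from the original page; it assumes the built-in BitLocker module cmdlets (Get-BitLockerVolume, Lock-BitLocker) and an elevated session, and the function name and messages are this example's own.

```powershell
# Added example (not from the original page): re-lock an unlocked BitLocker data
# volume from PowerShell. Assumes the built-in BitLocker module cmdlets
# (Get-BitLockerVolume, Lock-BitLocker) and an elevated session.
# Function name and messages are this example's own.
function Lock-BitLockerDataVolume {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z]:$')]
        [string]$MountPoint,
        [switch]$ForceDismount   # dismount even if files on the volume are open
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Only a volume whose protection is on can be meaningfully locked
    if ($vol.ProtectionStatus -ne 'On') {
        throw "BitLocker protection is not on for $MountPoint (status: $($vol.ProtectionStatus))."
    }
    # The running operating system volume cannot be locked; this only applies to data volumes
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the operating system volume and cannot be locked while Windows is running."
    }
    if ($vol.LockStatus -eq 'Locked') {
        Write-Verbose "$MountPoint is already locked."
        return $vol
    }

    # Equivalent of: manage-bde -lock X: [-ForceDismount]
    $params = @{ MountPoint = $MountPoint }
    if ($ForceDismount) { $params['ForceDismount'] = $true }
    Lock-BitLocker @params | Out-Null

    # Re-query and confirm the new state instead of trusting that the call succeeded
    $after = Get-BitLockerVolume -MountPoint $MountPoint
    if ($after.LockStatus -ne 'Locked') {
        throw "Lock-BitLocker returned but $MountPoint is still $($after.LockStatus)."
    }
    return $after
}

# Usage (elevated PowerShell); replace E: with the encrypted data volume's drive letter
# Lock-BitLockerDataVolume -MountPoint 'E:' -Verbose
```

The -ForceDismount switch mirrors the option of the same name on manage-bde -lock; without it the lock fails if any file on the volume is still open, which is the safer default when the volume is in use.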
Principle
Data is protected by encrypting the entire Windows operating system volume.
If the computer has a compatible TPM installed, BitLocker uses the TPM to lock the encryption keys that protect the data, so those keys cannot be accessed until the TPM has verified the state of the computer. Encrypting the entire volume protects all data, including the operating system itself, the Windows registry, temporary files, and the hibernation file. Because the key needed to decrypt the data stays locked by the TPM, an attacker cannot read the data simply by removing the hard disk and installing it in another computer.
During startup, the TPM releases the key that unlocks the encrypted partition only after a hash of important operating system configuration values has been compared with a previously taken snapshot. This verifies the integrity of the Windows boot process. If the TPM detects that the Windows installation has been tampered with, the key is not released. By default, the BitLocker setup wizard is configured to work seamlessly with the TPM; administrators can use Group Policy or scripts to enable additional features and options.
To strengthen security, the TPM can be combined with a PIN entered by the user or with a startup key stored on a USB flash drive.
On computers without a compatible TPM, BitLocker can still provide encryption, but without the additional security of having the TPM lock the key. In that case the user must create a startup key that is stored on a USB flash drive.
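The protector combinations described above (TPM only, TPM plus PIN, TPM plus startup key, or a USB startup key with no TPM) can be read back from an existing installation. The following function is an added example, not code from the original page; it assumes the built-in BitLocker and TrustedPlatformModule cmdlets (Get-BitLockerVolume, Get-Tpm) and an elevated session, and the function name, category labels and output fields are this example's own.

```powershell
# Added example (not from the original page): report how the operating system
# volume's BitLocker key is protected at boot. Assumes the built-in BitLocker
# and TrustedPlatformModule cmdlets and an elevated session.
# Function name, category labels and output fields are this example's own.
function Get-BitLockerOsProtectorSummary {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeType -ne 'OperatingSystem') {
        throw "$MountPoint is not the operating system volume (VolumeType: $($vol.VolumeType))."
    }

    # Get-Tpm throws on machines without a TPM; treat that as "no TPM" rather than an error
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { $tpm = $null }
    $tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    # KeyProtectorType values such as Tpm, TpmPin, TpmStartupKey, ExternalKey, RecoveryPassword
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Classify what the configuration requires to unlock the volume at boot
    $unlockMode = if ($types -contains 'TpmPinStartupKey') { 'TPM + PIN + startup key' }
                  elseif ($types -contains 'TpmPin')       { 'TPM + PIN' }
                  elseif ($types -contains 'TpmStartupKey'){ 'TPM + startup key (USB)' }
                  elseif ($types -contains 'Tpm')          { 'TPM only (no user factor at boot)' }
                  elseif ($types -contains 'ExternalKey')  { 'Startup key on USB (no TPM binding)' }
                  else                                     { 'No boot-time protector found' }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        TpmReady            = $tpmReady
        UnlockMode          = $unlockMode
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        ProtectorTypes      = ($types -join ', ')
    }
}

# Usage (elevated PowerShell):
# Get-BitLockerOsProtectorSummary | Format-List
```

A result of "TPM only" means the volume unlocks with no user interaction once the TPM's integrity check passes, which is the default wizard configuration; "TPM + PIN" or a startup key adds the second factor the text recommends, and a missing RecoveryPassword protector is worth flagging because it is the fallback when the TPM refuses to release the key.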