- BitLocker encrypts the entire drive and strengthens boot integrity with the TPM and Secure Boot.
- Requirements: Pro/Enterprise/Education editions, TPM 1.2+, a suitable partition layout, and compatible UEFI/BIOS firmware.
- Differences from device encryption: automatic activation, HSTI/Modern Standby requirements, and key backup to Entra ID/AD.
- Management and recovery at scale with AD, GPO, MDM, and integration with enterprise security consoles.
If you work with sensitive data on a laptop or desktop, encryption is not optional: it is a necessity. BitLocker is Microsoft's native solution for encrypting drives and protecting data against loss, theft, or removal of the hardware. More than a simple lock, it ties into the system boot process and the hardware to prevent unauthorized access, even when someone tries to read the disk on another computer.
In recent years, remote work, mobility, and the use of external devices have all increased. This raises the risk of data exposure if a machine is lost or stolen. BitLocker answers this by encrypting whole volumes with AES and integrating with the TPM chip, corporate policies, Active Directory, and Microsoft cloud services to safeguard recovery keys and enforce controls centrally.
What is BitLocker and what problems does it solve?
BitLocker is a Full Disk Encryption (FDE) technology built into Windows that protects data at rest. When enabled, the entire contents of the drive (system or data) are stored encrypted; without the key or the appropriate protector, the files remain unreadable. It is designed to mitigate threats such as hardware theft, disk removal, or offline attacks that try to read the storage directly.
It works with 128-bit or 256-bit AES and modern modes of operation such as XTS-AES (recommended by Microsoft in current releases) and, for compatibility, AES-CBC in some legacy scenarios. The volume master key (VMK) is guarded by "protectors" such as the TPM, a PIN, passwords, or startup keys on USB, and it is only released if the boot environment passes the integrity checks.
To achieve maximum protection, BitLocker relies on the TPM (Trusted Platform Module). This chip verifies that the boot chain (UEFI/BIOS, boot manager, critical files) has not been altered. If something changes (for example, modified firmware), the computer may require the recovery key before allowing the boot to continue. Encryption can also be enabled without a TPM, but pre-boot integrity verification is sacrificed in favor of a startup key on USB or a password (the latter is not recommended because it is vulnerable to brute force if there is no lockout).
It is important to distinguish BitLocker from the device encryption feature available on certain hardware configurations. While standard BitLocker offers advanced management and options, device encryption aims to enable protection automatically on compatible computers (HSTI/Modern Standby, without externally accessible DMA ports), focusing on simplicity of setup and repair, without full management of external media.
In practice, with BitLocker properly configured, a stolen laptop becomes a useless shell: the thief can format it, but cannot read your data. This security gain is key to complying with regulations (GDPR, HIPAA, etc.) and avoiding leaks, fines, and loss of trust.
Requirements, editions, and differences from "device encryption"
For BitLocker to perform at its best, both hardware and firmware matter. TPM 1.2 or higher (preferably TPM 2.0) is the starting point. On computers with TPM 2.0, legacy mode (CSM) is not supported; UEFI must be enabled, and Secure Boot should be enabled to strengthen the chain of trust.
The UEFI/BIOS firmware must meet the Trusted Computing Group (TCG) specifications and be able to read USB drives during preboot (mass storage class) for startup keys. The drive must also have a system partition separate from the OS partition: unencrypted, ~350 MB recommended (FAT32 on UEFI, NTFS on BIOS), with free space left after BitLocker is enabled. The OS partition must be NTFS.
Regarding editions, BitLocker is supported on Windows Pro, Enterprise, Pro Education/SE, and Education (Windows 10/11); also on Windows 7 Enterprise/Ultimate and on Windows Server (2016/2019/2022, etc.). Availability and entitlements depend on licensing: Windows Pro/Pro Education/SE, Enterprise E3/E5, and Education A3/A5 grant the corresponding rights.
About device encryption: it is present on devices that pass HSTI/Modern Standby validation and do not expose external DMA ports. It starts after OOBE with a clear key in a suspended state until a TPM protector is created and the recovery key is backed up. If the computer is joined to Microsoft Entra ID (formerly Azure AD) or to an AD DS domain, the backup happens automatically and the clear key is then removed. On personal computers, signing in with a Microsoft account that has administrator privileges triggers the key backup to that account and enables the TPM protector. Devices with only local accounts can technically be encrypted, but without adequate protection and management.
Is your hardware compatible with device encryption? msinfo32.exe (System Information) shows this in the "Device Encryption Support" field. If it is not eligible at first, changes such as enabling Secure Boot can make it eligible and cause BitLocker to turn on automatically.
In environments where automatic device encryption is not desired, it can be prevented through the Registry:
Path | Name | Type | Value
---|---|---|---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker | PreventDeviceEncryption | REG_DWORD | 0x1
This value prevents unattended activation so that a controlled deployment by IT can be planned instead.
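The registry change from the table, as an added PowerShell example that is not part of the original article: it creates the key if needed, sets the value, reads it back, and then lists any volumes that device encryption may already have encrypted, since the value only affects future activation. It assumes an elevated session on Windows 10/11.

```powershell
# Example added here, not code from the original article. Sets the registry
# value from the table above so device encryption does not start on its own,
# then verifies the change. Run in an elevated PowerShell session.
$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
$valueName = 'PreventDeviceEncryption'

# The key normally exists on Windows 10/11; create it only if it is missing.
if (-not (Test-Path -Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

# Keep the previous value (if any) so the change can be audited or reverted.
$previous = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
Set-ItemProperty -Path $regPath -Name $valueName -Value 1 -Type DWord

# Read the value back instead of trusting that the write succeeded.
$current = (Get-ItemProperty -Path $regPath -Name $valueName).$valueName
if ($current -ne 1) { throw "Failed to set $valueName (read back: $current)" }
if ($null -eq $previous) { $previous = '<absent>' }
Write-Output ("{0} = 0x{1:X} (previous: {2})" -f $valueName, $current, $previous)

# The value only blocks future automatic activation: volumes that device
# encryption already encrypted stay encrypted and must be handled explicitly.
Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus
```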
For removable drives, Windows includes BitLocker To Go, which encrypts USB flash drives and external disks. Management settings may vary by console (for example, some security suites may restrict this mode or not manage it at all), but at the Windows level the feature exists and is widely used in organizations.
Enabling, management, recovery, and practical security
Basic activation is done directly from Windows: Control Panel > System and Security > BitLocker Drive Encryption, or by searching for "Manage BitLocker" in Start. On computers that support "device encryption" (including Home editions), you will see a section with that name in Settings. Sign in with an administrator account and follow the wizard to choose the protectors and save the recovery key.
Common steps when enabling BitLocker on the system drive: choose the protector (TPM only, TPM+PIN recommended, password, or startup key), decide the encryption scope (used space only for new hardware, or the full drive if it already contains data), and choose the encryption mode (new for fixed drives, or compatible if you will move the drive between computers). You can keep working on the machine while it encrypts; the process runs in the background.
If you prefer the command line, BitLocker is managed with manage-bde (from an elevated command prompt): `manage-bde -on C: -rp -rk E:\` enables encryption with a recovery password and saves the recovery key to E:. You can add a password/PIN with `manage-bde -protectors -add C: -pw` or `-TPMAndPIN`, and check the status with `manage-bde -status`. To disable and decrypt: `manage-bde -off C:`. Remember to keep your keys in a safe place, and never on the encrypted drive itself.
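To check that a machine actually ends up in the state the steps above aim for, here is an added PowerShell example (not code from the original article) that audits each BitLocker volume: full encryption with protection on, XTS-AES 256, a TPM+PIN protector on the OS volume, and a recovery password that it then escrows in AD DS on domain-joined machines. The thresholds are this script's assumptions, not Microsoft defaults; it uses the standard BitLocker module cmdlets and needs an elevated session.

```powershell
# Example added here, not code from the original article. Audits each BitLocker
# volume against the practices described above (XTS-AES 256, TPM+PIN on the OS
# volume, a recovery password to escrow) and escrows the recovery password in
# AD DS on domain-joined machines. The thresholds are this script's assumptions.
function Test-BitLockerVolumeCompliance {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume
    $types    = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $findings = @()

    # Encrypted but protection Off means the key sits in the clear on disk
    # (the suspended state device encryption uses before the TPM protector exists).
    if ($Volume.VolumeStatus -eq 'FullyEncrypted' -and $Volume.ProtectionStatus -ne 'On') {
        $findings += 'protection is suspended (clear key)'
    }
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "volume status is $($Volume.VolumeStatus)"
    }
    if ($Volume.EncryptionMethod -ne 'XtsAes256') {
        $findings += "encryption method is $($Volume.EncryptionMethod), expected XtsAes256"
    }
    # The OS volume should combine the TPM with something the user knows.
    if ($Volume.VolumeType -eq 'OperatingSystem' -and 'TpmPin' -notin $types) {
        $findings += 'no TPM+PIN protector on the OS volume'
    }
    # Without a recovery password there is nothing to escrow in AD DS / Entra ID.
    if ('RecoveryPassword' -notin $types) {
        $findings += 'no recovery password protector'
    }
    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
foreach ($vol in Get-BitLockerVolume) {
    $result = Test-BitLockerVolumeCompliance -Volume $vol
    $result
    # Escrow the recovery password in AD DS (Backup-BitLockerKeyProtector);
    # BackupToAAD-BitLockerKeyProtector is the Entra ID equivalent.
    if ($domainJoined -and 'RecoveryPassword' -in @($vol.KeyProtector.KeyProtectorType)) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
              Select-Object -First 1
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId
    }
}
```

The escrow step only succeeds if the domain's BitLocker recovery policy permits storing keys in AD DS; otherwise the cmdlet reports an error and the audit output still stands.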
Corporate environments need a lifecycle: GPO to require protectors and encryption, Active Directory/Entra ID to store the keys, and even MDM (such as Microsoft Intune) to enforce policies on laptops outside the network. Backing up keys to AD/Entra ID simplifies recovery and auditing the encryption status of each device.
Some security suites add a management layer on top of BitLocker. For example, with certain enterprise solutions, recovery keys can be sent to a console for recovery. However, if the user previously encrypted the machine on their own, that key may not be on the management platform. In that case, the usual recommendation is to decrypt and re-encrypt using the console's policy, and to disable duplicate BitLocker policies in GPOs to avoid conflicts during encryption.
A common question: "Today my machine suddenly asked for the recovery key; have I been compromised?" Usually, no. Firmware/UEFI updates, Secure Boot changes, hardware modifications, or certain drivers can change the TPM measurements and force the challenge. Enter the key, sign in, and if the event coincides with a recent change, there is no sign of intrusion. If you do not remember where you saved it, check your Microsoft account/Entra ID/AD DS or any printed/.txt/.bek copies you may have created.
Regarding security, BitLocker is strong when configured correctly. Key best practices:
- Use TPM + PIN at startup to harden something you have (TPM) with something you know (PIN).
- Enable Secure Boot to prevent malicious bootloaders.
- Protect and audit the storage of recovery keys (AD/Entra ID with restricted access).
- Configure session lock and secure hibernation to minimize windows of opportunity.
No system is infallible, and it is important to know the threat model: boot attacks in environments without Secure Boot, cold boot (removing and reading RAM immediately after shutdown), or the classic social engineering of the recovery key. With operational discipline and firmware management, these risks are reduced.
BitLocker also has limitations: not every Windows edition includes it (for example, 10 Home needs an alternative, or device encryption if supported), and on computers without a TPM you must rely on a bootable USB key or passwords (weaker). Major hardware changes or certain updates may require extra unlocking steps. Performance, however, is optimized and the impact is usually low on modern hardware.
For removable media, BitLocker To Go protects USB flash drives and external drives, ideal for data on the move. Depending on the third-party tools deployed in your organization, management of these media may be limited; check the IT policies before standardizing its use.
Partition and format requirements in legacy setups should not be overlooked. The system (boot) partition must remain unencrypted and separate from the OS drive. Modern Windows installations create this layout automatically, but in legacy scenarios you can use the "BitLocker Drive Preparation Tool" or partitioning tools to resize and create the appropriate partition. Only when the volume is fully encrypted and has active protectors is it considered secure.
Regarding operating system compatibility: Windows 11/10 Pro, Enterprise, and Education support BitLocker; Windows 8.1 Pro/Enterprise does too, and on Windows 7 you will find it in Enterprise/Ultimate. In the server world, it is available from Windows Server 2008 onward. If you are looking for cross-platform encryption (Linux/Windows) or audited free software, alternatives such as VeraCrypt may be more suitable in some cases.
If you manage fleets, a complete strategy includes:
- GPO to enforce encryption on domain-joined machines, choose the algorithm (e.g., XTS-AES 256), and require TPM+PIN.
- AD DS/Entra ID as the recovery key repository and for compliance reporting.
- MDM (e.g., Intune) for computers that rarely connect to the corporate VPN.
- Integration with security tools that let you lock, locate, and respond to loss/theft, combining BitLocker (protects the data) with remote location or lock functions (protects the device).
Practical note: BitLocker does not implement pre-boot Single Sign-On. After passing pre-boot authentication (TPM/PIN/key), the user signs in to Windows as usual. This is consistent with the goal of protecting the environment before the system loads.
Key questions, common mistakes, and real-life cases
When should you use BitLocker? Whenever the computer stores data you do not want exposed: from personal data (IDs, payroll, financial data) to client documents, plans, contracts, or intellectual property. For professionals who travel or work in cafés, coworking spaces, and airports, it is a lifesaver in the event of theft.
Is it complicated for end users? Not particularly. The wizard guides you through choosing protectors and backing up the key. The crucial point is to safeguard the recovery key. If your device is joined to Entra ID or a domain, it has most likely been backed up already. If it is a personal computer, save it to your Microsoft account and, if you wish, print a copy. Avoid storing it on the encrypted computer itself.
Why does it sometimes ask for the key after it has been enabled? This usually coincides with firmware/boot changes, enabling Secure Boot, TPM updates, or hardware replacement. BitLocker detects the deviation and enters recovery mode. Enter the key, and if everything is in order, it will not ask again unless there are further changes.
Does BitLocker affect performance? On current computers the impact is very contained, especially if the hardware supports AES acceleration (dedicated processor instructions). Choosing AES 128 can give a performance boost; AES 256 provides extra cryptographic margin in regulated environments.
What happens without a TPM? You can set a password or a startup key on USB, but you lose pre-boot integrity verification. Also, a password without a lockout policy is more vulnerable to brute-force and dictionary attacks. If possible, go for TPM 2.0 + UEFI + Secure Boot.
What if I want to encrypt a USB drive to transport data? Use BitLocker To Go. Remember to coordinate with IT if your company uses security platforms that enforce specific policies on removable media (for example, requiring a password of a certain complexity or rejecting unauthorized drives).
Legal and compliance note: with encrypted devices, a theft may be a hardware incident rather than a reportable data breach, depending on the regulatory framework and the risk analysis. In other words, encryption is a significant mitigation measure for GDPR and other regulations, although it does not replace backups, access controls, event logging, or vulnerability management.
Finally, if you combine BitLocker with an enterprise endpoint solution, avoid conflicting policies (GPO vs. security console) that can cause encryption errors. If a computer was encrypted locally and the platform does not have the key, decrypt it and re-encrypt it under the official policy. Policy consistency simplifies support and recovery.
Adopting BitLocker wisely (TPM + PIN, Secure Boot, well-kept keys, and consistent policies) makes the difference between losing a machine and losing data. In everyday use you will not notice it is there, but if something goes wrong, you will appreciate that your data is encrypted, your keys are under control, and that even if the hardware is gone, your documents remain yours alone.