Addressing BitLocker and PCI-DSS 3.1 Usage

Inquiry: Earlier this month we received an email from Matthew Todd of Financial Engines, Inc. that said, “Back in 2011, Phil Cox (SystemExperts) wrote some guidance on using Windows BitLocker to meet PCI-DSS requirements. PCI-DSS has been updated since then, and I’m curious if SE has updated guidance.”

Response: Section 3.4.1 of PCI-DSS version 3.1, dated April 2015, states, “If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.”

BitLocker has a number of configuration options, so the answer is not entirely simple or obvious.

One of the most common BitLocker modes is often referred to as transparent decryption. The transparent mode requires minimal user interaction. It uses the capabilities of the trusted platform module 1.2 or higher to store encryption keys, thus enabling a transparent system boot, and that the system boots normally to the user. The keys needed to access the data are pulled from the TPM.

In SystemExperts opinion, BitLocker transparent mode should not be used when attempting to be compliant with section 3.4.1 of PCI-DSS.

BitLocker can also be configured to require authentication. By enabling authentication a pin can be set for the machine, and a USB storage device (a memory stick, not a smart card) can be used as a token. When enabling BitLocker authentication there is no link between the user’s Windows credentials and the BitLocker credentials.

Unfortunately, the PIN will apply to the machine, not the user, so if more than one person uses a machine, the PIN would have to be shared with everyone that uses the machine. Sharing the PIN with multiple users would conflict with other PCI-DSS controls.

In our opinion, BitLocker in authenticated mode, on machines that are shared amongst multiple users, should not be used when attempting to be compliant with PCI-DSS version 3.0.

When using a PIN, the PIN has no expiration lifetime and there is no option to force a change of the PIN. This can be interpreted as being non-compliant with the requirements to change passwords or passphrases at least every 90 days. In Windows 8, it is possible to allow non-administrators to change the PIN, in prior versions Administrator or special privileges are needed.

We also believe, if BitLocker is used in authentication mode, and the PIN is not shared amongst multiple users, and the PIN is changed at least every 90 days, then its use may be deemed compliant with PCI-DSS 3.4.1.

Other PCI assessors might disagree with that opinion because BitLocker is included as part of the operating system distribution. However, since the PIN is not part of the local user account databases, nor does it rely on AD credentials, its use may be deemed acceptable with the caveats mentioned.

The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. When using BitLocker in authenticated mode, a PIN greater than 7 characters, plus using TPM is recommended.