With its release of Vista, Microsoft is taking a step forward in exploiting the controversial Trusted Computing technology. For the first time outside of a research setting, the "sealed storage" feature of Trusted Computing will be used in a way that can potentially restrict user access to data. Trusted Computing relies on the TPM chip to take a "fingerprint" of the system configuration as it boots. During the PC boot process, which consists of several stages, each stage hashes the next one, storing the results into the TPM. At the end of this process the TPM's Platform Configuration Registers (PCRs) contain hashes of the data that was involved in booting. Sealed storage is data encrypted to a TPM key, and locked to the values in one or more PCRs. The TPM will only decrypt the data if the current PCR values match what was specified when the data was encrypted. This insures that sealed data can only be decrypted if the system is booted into a specified configuration. Changes to the boot configuration, either by altering the BIOS, changing the Master Boot Record, booting to an external device like a floppy, CDROM or external disk, and similar alterations, will result in different PCR values and prevent the TPM from unsealing data. Vista's new disk encryption software, called BitLocker, optionally uses this feature of the TPM to strengthen its encryption. For example, consider various attack models for disk encryption. A laptop is stolen and the attacker now seeks to decrypt the disk and recover the data. The first step often applied in this situation is to take an image of the disk and run the attacks on that image, from a computer controlled by the attacker. This prevents the laptop OS from performing self-destruct operations or otherwise keeping the attacker from being able to reset the disk to a pristine state. But with BitLocker, the disk decryption key is sealed to a TPM key (a 2048 bit RSA key). No amount of brute force password guessing will work to recover a key from a disk image; the TPM chip itself has to be involved. An alternative for an attacker, then, might be to use the laptop itself but to boot into another OS, such as via a Linux "Live CD" or external device. It can then mount the partitions with the encrypted data and apply similar attacks. This will give access to the TPM hardware while still preventing the BitLocker software from having control. Again, the BitLocker design will thwart this attack, because the sealed storage locks the encrypted disk key to the boot configuration. Changing that configuration by booting into another OS will change PCR values and prevent the TPM from unlocking the key, even if the correct password is used. The attacker is then forced to build a robot that can type on the keyboard, or a special electronic circuit that can tap into the cable connecting the keyboard to the computer and can mimic key presses. Even then, TPM chips have features to limit the feasibility of password guessing, and will shut down or slow down when too many wrong guesses are entered. Overall, the BitLocker design appears to be a good application for TPM based sealed storage, exploiting this technology to greatly improve resistance to typical attacks against disk encryption. However there is a side effect of this design which may have implications for Microsoft's competitive strategy in the future. Because BitLocker locks the disk key to the boot sequence, any dual-boot system that uses this capability will not be able to decrypt the encrypted data when the alternate OS is booted. Users who want to share their PC data between Vista and Linux will not be able to use this advanced BitLocker capability. For years, compatibility between Windows and Linux has been limited, ever since Microsoft migrated to the undocumented NTFS file system. Gradually this situation has improved as Linux developers have reverse engineered NTFS, and now many Linux distributions ship with at least read-only support for NTFS file systems. This is a benefit for Linux and improves its usability and compatibility. BitLocker changes this game once again and throws up an enormous roadblock against allowing Linux and Vista operating systems to coexist and cooperate on the same computer. Looking forward, we could imagine a time when BitLocker encryption via the TPM is the default for new systems shipped with Vista installed. This would provide the kind of "security by default" often demanded by independent experts and would indeed arguably be a boon for typical users. The problem would be that any such user who wanted to experiment with Linux would find that his Vista data was off limits unless he decrypts his disk. BitLocker, especially if it becomes more widely fielded and used, could play a significant part in slowing the deployment of Linux and similar alternative operating systems. It is a small step towards the widely discussed Trusted Computing tradeoff of users accepting limitations on how their data can be accessed, in exchange for improved security and protection of that data. Given the magnitude and importance of these issues, it will be especially interesting to see how this element of Vista technology is received as the new OS is rolled out.