Introducing Personal Data Encryption for developers on Windows devices


  • Staff

 Windows IT Pro Blog:

Personal Data Encryption (PDE) along with BitLocker constitutes Windows data protection on Windows devices. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. However, there are some cases in which BitLocker protection alone might not be sufficient. For example, Trusted Platform Module (TPM) bus sniffing, targeting devices that do not have BitLocker TPM + PIN options set, or trying to get encryption keys by sniffing the unsecured bus between the CPU and TPM can all put BitLocker protected personal data at risk. Direct Memory Access (DMA) based drive-by attacks target devices with unsecured DMA ports and work by bypassing the sign in and getting directly to the end user's data. Applications and browsers that utilize AI to power recommendation engines capture sensitive user data and also need to be protected.

PDE provides an extra layer of security, in addition to that provided by BitLocker, for when the device is locked and powered on, protecting it from sophisticated physical attacks. PDE uses Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. It's important to note that PDE and BitLocker are not dependent on each other. PDE can be used with or without any other full disk encryption solutions, although it is highly recommended to use both.

PDE API offers a comprehensive and extensible set of low-level APIs for the protection of end-user content. These APIs enable the encryption of end-user data, and the keys used for encryption are protected by the user's Windows Hello credentials. It is important to note that PDE is exclusively available in Windows Enterprise and Education editions.

Content-generating applications can use the PDE API to protect content for two levels of security:
  • L1 (AfterFirstUnlock) level of protection: Data protected to this level is accessible only after the first device unlock, and it will continue to be available thereafter.
  • L2 (WhileUnlocked) level protection: Data protected to this level is only available when the device is unlocked and provides additional protection.
Now let's look at how an application that generates content can use PDE API to protect files, folders, and buffers.


 Read more:

techcommunity.microsoft.com

Introducing Personal Data Encryption for developers

Learn how to utilize this extra layer of security to protect devices from sophisticated physical attacks.
techcommunity.microsoft.com
 
Last edited:
Click to expand...
You must log in or register to reply here.

Similar threads

  • Article
New Windows 11 features strengthen security to address evolving cyberthreat landscape
Replies
1
Views
615
Steve C
Steve C
  • Article
What is new in Windows 11 for June 2024
Replies
0
Views
337
Brink
Brink
  • Article
Microsoft shares update on Recall preview feature for Windows 11 Copilot+ PCs
Replies
12
Views
1K
fg2001gf11F
F
  • Article
Copilot for Microsoft 365 data security and privacy commitments
Replies
0
Views
465
Brink
Brink
  • Article
Microsoft Surface UEFI: Evolution in boot, security and device management
Replies
0
Views
286
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom