Advancing key protection in Windows 11 using Virtualization-Based Security (VBS)


  • Staff

 Windows IT Pro Blog:

Today, we are excited to bring you the next step in key protection for Windows. Now in Windows 11 Insider Preview Build 26052 and Windows Server Insider Preview Build 26052, developers can use the Cryptography API: Next Generation (CNG) framework to help secure Windows keys with virtualization-based security (VBS). With this new capability, keys can be protected from admin-level key theft attacks with negligible effect on performance, reliability, or scale.

Now let’s explore how you can create, import, and protect your keys using VBS.

The current state of key protection in Windows​

As attackers advance their techniques to steal keys and credentials, Microsoft continues to evolve capabilities to help protect valuable assets across Windows. This is crucial work as when attackers get hold of important keys, they can impersonate users and access resources without their knowledge and consent. Consider the theft of third-party encryption keys - these types of attacks may have privacy and security consequences and could compromise the availability of applications and services.

The default method of protecting keys in Windows is to store them in the memory of a local system process known as the Local Security Authority (LSA). LSA is a great option for storing keys that do not protect high-value assets or require the best performance available. While LSA helps prevent code injection and non-authorized processes from reading memory, an admin or system-level attacker can still steal keys from this memory space.

For a more secure option, the industry is moving towards hardware-based isolation, where keys are stored directly on a hardware security processor like a managed HSM (Hardware Security Module), Trusted Platform Module (TPM) or a Microsoft Pluton security processor, which help provide stronger security against tampering with and exporting keys. While hardware isolation should be used for keys wherever possible, if there are performance or scale requirements that require usage of the central processing unit (CPU) core, VBS is a robust alternative that helps offer stronger security than currently available software protection.

Introducing key protection with VBS in Windows​

The security capability we’re introducing today addresses the limitations in the current software and hardware key protection mechanisms on Windows. You can now protect your keys with VBS, which uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key which binds VBS keys to the device. Keys protected in this way cannot be dumped from process memory or exported in plain text from a user’s machine, preventing exfiltration attacks by any admin-level attacker.

VBS helps to offer a higher security bar than software isolation, with stronger performance compared to hardware-based solutions, since it is powered by the device's CPU. While hardware keys offer strong levels of protection, VBS is helpful for services with high security, reliability, and performance requirements.

The following section will show you how to use these capabilities by creating and using VBS keys with NCrypt, which is part of the Cryptography API: Next Generation (CNG) framework.

Tutorial: Leverage the NCrypt API to create and use VBS keys​

The core functionality to create and import VBS keys is as simple as passing in an additional flag into the NCrypt API.

NCryptCreatePersistedKey and NCryptImportKey accept two flags to request that VBS should be leveraged to protect the client key's private material:

FlagFunctionality and fallback
NCRYPT_REQUIRE_VBS_FLAGIndicates a key must be protected with VBS.
Operation will fail if VBS is not available.
NCRYPT_PREFER_VBS_FLAGIndicates a key should be protected with VBS.
Operation will generate a software-isolated key if VBS is not available.

When it comes to creating VBS keys, the standard CNG encryption algorithms and key lengths for software keys are supported.

Ephemeral and per-boot keys​

The default behavior of NCryptCreatePersistedKey and NCryptImportKey is that of a cross-boot persisted key stored on disk that persists across reboot cycles.

Calling NCryptCreatePersistedKey with pszKeyName == NULL creates an ephemeral key rather than a persisted key, and its lifetime is managed by the client process. Ephemeral keys are not written to disk and live in secure memory. An additional flag can be passed in along with the above VBS flags to indicate that a per-boot key should be used to help protect the client key rather than default cross-boot key.

FlagFunctionality and fallback
NCRYPT_USE_PER_BOOT_KEY_FLAGInstructs VBS to help protect the client key with a per-boot key that is stored in disk but can't be reused across boot cycles.

Example: Creating a key with virtualization-based security​

The following sample code shows how to create a 2048-bit VBS key with the RSA algorithm:

Code:
void
CreatePersistedKeyGuardKey(
    void
    )
{
    SECURITY_STATUS status;
    NCRYPT_PROV_HANDLE hProv = 0;
    NCRYPT_KEY_HANDLE hKey = 0;
    DWORD dwKeySize = 2048;

    status = NCryptOpenStorageProvider(&hProv, MS_KEY_STORAGE_PROVIDER, 0);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptOpenStorageProvider failed with %x\n", status);
        goto clean;
    }

    status = NCryptCreatePersistedKey(hProv, &hKey, NCRYPT_RSA_ALGORITHM, L"MyKeyName", 0, NCRYPT_USE_VIRTUAL_ISOLATION_FLAG);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptCreatePersistedKey failed with %x\n", status);
        goto clean;
    }

    status = NCryptSetProperty(hKey, NCRYPT_LENGTH_PROPERTY, (PBYTE)&dwKeySize, sizeof(DWORD), 0);

    status = NCryptFinalizeKey(hKey, 0);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptFinalizeKey failed with %x\n", status);
        goto clean;
    }

    wprintf(L"Created a persisted Key Guard key!\n");

clean:

    if (hKey)
    {
        NCryptFreeObject(hKey);
    }

    if (hProv)
    {
        NCryptFreeObject(hProv);
    }
}

Using VBS keys​

Beyond stricter key export policies, a VBS key can be treated like any other Cryptographic Next Generation (CNG) key when it comes to API usage, so developers can refer to the NCrypt API here. This applies to use cases like signing and encryption.

Try protecting your keys with VBS today​

This feature is now in Preview and accessible via the Windows Insider Program for both client (Windows 11 Insider Preview Build 26052) and Server (Windows Server Insider Preview Build 26052) The following requirements must be met:
  • VBS enabled
    • VBS also has several hardware requirements to run, including Hyper-V (Windows hypervisor), 64-bit architecture, and IOMMU support. See the full list of VBS hardware requirements.
  • TPM enabled: For bare-metal environments, TPM 2.0 is required. For VM environments, vTPM (Virtual TPM) is supported.
  • UEFI with Secure Boot enabled

Having trouble?​

Enable event log to investigate errors:
  • Search “Event Viewer” in the start menu
  • On the left panel open Applications and Services Logs > Microsoft > Windows > Crypto-NCrypt
  • Right-click Operational and select Enable Log (it may already be enabled)
  • Right click error events with Event ID 13, 14, or 15 and Task Category “VBS Key Isolation Operation”
We recommend sending any suggestions, questions, or logs through Feedback Hub under Security and Privacy > VBS Key Protection.

You may also reach out to VBSkeyprotection@microsoft.com with questions.

What’s next?​

Stay on the lookout for further announcements to support key protection with VBS, and we’ll continue updating our documentation and support guidelines accordingly. We hope that you’ll be able to leverage this security capability to help protect your keys on Windows.


 Source:

 

Attachments

  • Windows_Security.png
    Windows_Security.png
    6 KB · Views: 0
I wonder if this will patch the 40 second cracking of bitlocker.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics Card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
    Internet Speed
    800mbps down, 20 up
    Other Info
    Your awesome for reading this.
I wonder if this will patch the 40 second cracking of bitlocker.
That's only if you have a discrete TPM on your PC. The vast majority of modern CPUs have the TPM built into the CPU itself so this exploit would be ineffective in this case.
 

My Computer

System One

  • OS
    Windows 11 build 10.0.26052.1100
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 14 5430
    CPU
    Intel i7-1355U
    Motherboard
    Dell 0GMW80
    Memory
    16GB
    Graphics Card(s)
    Intel Iris XE
    Sound Card
    Realtek
    Monitor(s) Displays
    Dell 14"
    Screen Resolution
    1920 x 1200
    Hard Drives
    Samsung 990 Pro 1TB NVME Gen 4 M.2 SSD
    PSU
    Dell
    Keyboard
    Dell
    Mouse
    Dell Trackpad
    Internet Speed
    900mb FTTP
    Browser
    Edge
    Antivirus
    Windows Defender
That's only if you have a discrete TPM on your PC. The vast majority of modern CPUs have the TPM built into the CPU itself so this exploit would be ineffective in this case.
Do you know how can you tell that? Like if your machine is the cpu based TPM? Is there an easy way to find that out? I looked under tpm administration and didnt see anything that makes it clear.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo ideapad flex 14API 2 in 1
    CPU
    Ryzen 5 3500u
    Motherboard
    LENOVO LNVNB161216 (FP5)
    Memory
    12GB DDR4
    Graphics Card(s)
    AMD Radeon Vega 8 Graphics
    Hard Drives
    256 GB Samsung ssd nvme
    Internet Speed
    800mbps down, 20 up
    Other Info
    Your awesome for reading this.
Do you know how can you tell that? Like if your machine is the cpu based TPM? Is there an easy way to find that out? I looked under tpm administration and didnt see anything that makes it clear.
Virtually all CPUs sold since 2016 have a built in TPM. If your Intel CPU has PTT (Platform Trust Technology) or your AMD has fTPM then it's built in.
 

My Computer

System One

  • OS
    Windows 11 build 10.0.26052.1100
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 14 5430
    CPU
    Intel i7-1355U
    Motherboard
    Dell 0GMW80
    Memory
    16GB
    Graphics Card(s)
    Intel Iris XE
    Sound Card
    Realtek
    Monitor(s) Displays
    Dell 14"
    Screen Resolution
    1920 x 1200
    Hard Drives
    Samsung 990 Pro 1TB NVME Gen 4 M.2 SSD
    PSU
    Dell
    Keyboard
    Dell
    Mouse
    Dell Trackpad
    Internet Speed
    900mb FTTP
    Browser
    Edge
    Antivirus
    Windows Defender

Latest Support Threads

Latest Tutorials

Back
Top Bottom