Advancing key protection in Windows 11 using Virtualization-Based Security (VBS)



 Windows IT Pro Blog:

Today, we are excited to bring you the next step in key protection for Windows. Now in Windows 11 Insider Preview Build 26052 and Windows Server Insider Preview Build 26052, developers can use the Cryptography API: Next Generation (CNG) framework to help secure Windows keys with virtualization-based security (VBS). With this new capability, keys can be protected from admin-level key theft attacks with negligible effect on performance, reliability, or scale.

Now let’s explore how you can create, import, and protect your keys using VBS.

The current state of key protection in Windows​

As attackers advance their techniques to steal keys and credentials, Microsoft continues to evolve capabilities to help protect valuable assets across Windows. This is crucial work as when attackers get hold of important keys, they can impersonate users and access resources without their knowledge and consent. Consider the theft of third-party encryption keys - these types of attacks may have privacy and security consequences and could compromise the availability of applications and services.

The default method of protecting keys in Windows is to store them in the memory of a local system process known as the Local Security Authority (LSA). LSA is a great option for storing keys that do not protect high-value assets or require the best performance available. While LSA helps prevent code injection and non-authorized processes from reading memory, an admin or system-level attacker can still steal keys from this memory space.

For a more secure option, the industry is moving towards hardware-based isolation, where keys are stored directly on a hardware security processor like a managed HSM (Hardware Security Module), Trusted Platform Module (TPM) or a Microsoft Pluton security processor, which help provide stronger security against tampering with and exporting keys. While hardware isolation should be used for keys wherever possible, if there are performance or scale requirements that require usage of the central processing unit (CPU) core, VBS is a robust alternative that helps offer stronger security than currently available software protection.

Introducing key protection with VBS in Windows​

The security capability we’re introducing today addresses the limitations in the current software and hardware key protection mechanisms on Windows. You can now protect your keys with VBS, which uses the virtualization extension capability of the CPU to create an isolated runtime outside of the normal OS. When in use, VBS keys are isolated in a secure process, allowing key operations to occur without ever exposing the private key material outside of this space. At rest, private key material is encrypted by a TPM key which binds VBS keys to the device. Keys protected in this way cannot be dumped from process memory or exported in plain text from a user’s machine, preventing exfiltration attacks by any admin-level attacker.

VBS helps to offer a higher security bar than software isolation, with stronger performance compared to hardware-based solutions, since it is powered by the device's CPU. While hardware keys offer strong levels of protection, VBS is helpful for services with high security, reliability, and performance requirements.

The following section will show you how to use these capabilities by creating and using VBS keys with NCrypt, which is part of the Cryptography API: Next Generation (CNG) framework.

Tutorial: Leverage the NCrypt API to create and use VBS keys​

The core functionality to create and import VBS keys is as simple as passing in an additional flag into the NCrypt API.

NCryptCreatePersistedKey and NCryptImportKey accept two flags to request that VBS should be leveraged to protect the client key's private material:

FlagFunctionality and fallback
NCRYPT_REQUIRE_VBS_FLAGIndicates a key must be protected with VBS.
Operation will fail if VBS is not available.
NCRYPT_PREFER_VBS_FLAGIndicates a key should be protected with VBS.
Operation will generate a software-isolated key if VBS is not available.

When it comes to creating VBS keys, the standard CNG encryption algorithms and key lengths for software keys are supported.

Ephemeral and per-boot keys​

The default behavior of NCryptCreatePersistedKey and NCryptImportKey is that of a cross-boot persisted key stored on disk that persists across reboot cycles.

Calling NCryptCreatePersistedKey with pszKeyName == NULL creates an ephemeral key rather than a persisted key, and its lifetime is managed by the client process. Ephemeral keys are not written to disk and live in secure memory. An additional flag can be passed in along with the above VBS flags to indicate that a per-boot key should be used to help protect the client key rather than default cross-boot key.

FlagFunctionality and fallback
NCRYPT_USE_PER_BOOT_KEY_FLAGInstructs VBS to help protect the client key with a per-boot key that is stored in disk but can't be reused across boot cycles.

Example: Creating a key with virtualization-based security​

The following sample code shows how to create a 2048-bit VBS key with the RSA algorithm:

Code:
void
CreatePersistedKeyGuardKey(
    void
    )
{
    SECURITY_STATUS status;
    NCRYPT_PROV_HANDLE hProv = 0;
    NCRYPT_KEY_HANDLE hKey = 0;
    DWORD dwKeySize = 2048;

    status = NCryptOpenStorageProvider(&hProv, MS_KEY_STORAGE_PROVIDER, 0);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptOpenStorageProvider failed with %x\n", status);
        goto clean;
    }

    status = NCryptCreatePersistedKey(hProv, &hKey, NCRYPT_RSA_ALGORITHM, L"MyKeyName", 0, NCRYPT_USE_VIRTUAL_ISOLATION_FLAG);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptCreatePersistedKey failed with %x\n", status);
        goto clean;
    }

    status = NCryptSetProperty(hKey, NCRYPT_LENGTH_PROPERTY, (PBYTE)&dwKeySize, sizeof(DWORD), 0);

    status = NCryptFinalizeKey(hKey, 0);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"NCryptFinalizeKey failed with %x\n", status);
        goto clean;
    }

    wprintf(L"Created a persisted Key Guard key!\n");

clean:

    if (hKey)
    {
        NCryptFreeObject(hKey);
    }

    if (hProv)
    {
        NCryptFreeObject(hProv);
    }
}

Using VBS keys​

Beyond stricter key export policies, a VBS key can be treated like any other Cryptographic Next Generation (CNG) key when it comes to API usage, so developers can refer to the NCrypt API here. This applies to use cases like signing and encryption.

Try protecting your keys with VBS today​

This feature is now in Preview and accessible via the Windows Insider Program for both client (Windows 11 Insider Preview Build 26052) and Server (Windows Server Insider Preview Build 26052) The following requirements must be met:
  • VBS enabled
    • VBS also has several hardware requirements to run, including Hyper-V (Windows hypervisor), 64-bit architecture, and IOMMU support. See the full list of VBS hardware requirements.
  • TPM enabled: For bare-metal environments, TPM 2.0 is required. For VM environments, vTPM (Virtual TPM) is supported.
  • UEFI with Secure Boot enabled

Having trouble?​

Enable event log to investigate errors:
  • Search “Event Viewer” in the start menu
  • On the left panel open Applications and Services Logs > Microsoft > Windows > Crypto-NCrypt
  • Right-click Operational and select Enable Log (it may already be enabled)
  • Right click error events with Event ID 13, 14, or 15 and Task Category “VBS Key Isolation Operation”
We recommend sending any suggestions, questions, or logs through Feedback Hub under Security and Privacy > VBS Key Protection.

You may also reach out to VBSkeyprotection@microsoft.com with questions.

What’s next?​

Stay on the lookout for further announcements to support key protection with VBS, and we’ll continue updating our documentation and support guidelines accordingly. We hope that you’ll be able to leverage this security capability to help protect your keys on Windows.


 Source:

 
I wonder if this will patch the 40 second cracking of bitlocker.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Ryzen 7 5700 X3D
    Motherboard
    MSI MPG B550 GAMING PLUS
    Memory
    64 GB DDR4 3600mhz Gskill Ripjaws V
    Graphics Card(s)
    RTX 4070 Super , 12GB VRAM Asus EVO Overclock
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Hard Drives
    2TB Samsung nvme ssd
    2TB XPG nvme ssd
    PSU
    CORSAIR RMx SHIFT Series™ RM750x 80 PLUS Gold Fully Modular ATX Power Supply
    Case
    CORSAIR 3500X ARGB Mid-Tower ATX PC Case – Black
    Cooling
    ID-COOLING FROSTFLOW X 240 CPU Water Cooler
    Internet Speed
    900mbps DOWN, 100mbps UP
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
I wonder if this will patch the 40 second cracking of bitlocker.
That's only if you have a discrete TPM on your PC. The vast majority of modern CPUs have the TPM built into the CPU itself so this exploit would be ineffective in this case.
 

My Computers

System One System Two

  • OS
    Windows 11 build 10.0.22635.4515 Beta / WSL 2 running Ubuntu
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 14 5430
    CPU
    Intel i7-1355U
    Motherboard
    Dell 0GMW80
    Memory
    16GB
    Graphics Card(s)
    Intel Iris XE
    Sound Card
    Realtek
    Monitor(s) Displays
    Dell 14", LG 32" Curved Wide screen monitor and LG Ultrawide 26"
    Screen Resolution
    1920 x 1200 @ 60Hz, 1920 x 1080 @ 100Hz and 2560 x 1080 @ 60Hz
    Hard Drives
    Samsung 990 Pro 1TB NVME Gen 4 M.2 SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Keyboard
    Dell KM3322W
    Mouse
    Dell Trackpad or Dell KM3322W
    Internet Speed
    900mb down / 400mb up FTTP
    Browser
    Edge 132.0.2957.11
    Antivirus
    Windows Defender
    Other Info
    Windows 365
    1TB OneDrive
    Outlook Classic
    Visual Studio Code running in WSL
    Python 3.13
    Macrium Reflect X
    Samsung Magician
    Garmin Express
    Dell TB16 Thunderbolt dock
    WSL
    WEI Score: 8.3
  • Operating System
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    Core i5 - 1035G4
    Motherboard
    Microsoft
    Memory
    8GB
    Graphics card(s)
    Intel Iris Plus
    Monitor(s) Displays
    Surface touch
    Screen Resolution
    2736 x 1824
    Hard Drives
    128GB
    PSU
    Microsoft
    Case
    Microsoft Keyboard
    Cooling
    None
    Mouse
    Microsoft Arc Intellimouse
    Keyboard
    Microsoft Surface Keyboard
    Internet Speed
    900mb / 400mb FTTP
    Browser
    Edge
    Antivirus
    Windows Defender
That's only if you have a discrete TPM on your PC. The vast majority of modern CPUs have the TPM built into the CPU itself so this exploit would be ineffective in this case.
Do you know how can you tell that? Like if your machine is the cpu based TPM? Is there an easy way to find that out? I looked under tpm administration and didnt see anything that makes it clear.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Ryzen 7 5700 X3D
    Motherboard
    MSI MPG B550 GAMING PLUS
    Memory
    64 GB DDR4 3600mhz Gskill Ripjaws V
    Graphics Card(s)
    RTX 4070 Super , 12GB VRAM Asus EVO Overclock
    Monitor(s) Displays
    Gigabyte M27Q (rev. 2.0) 2560 x 1440 @ 170hz HDR
    Hard Drives
    2TB Samsung nvme ssd
    2TB XPG nvme ssd
    PSU
    CORSAIR RMx SHIFT Series™ RM750x 80 PLUS Gold Fully Modular ATX Power Supply
    Case
    CORSAIR 3500X ARGB Mid-Tower ATX PC Case – Black
    Cooling
    ID-COOLING FROSTFLOW X 240 CPU Water Cooler
    Internet Speed
    900mbps DOWN, 100mbps UP
  • Operating System
    Chrome OS
    Computer type
    Laptop
    Manufacturer/Model
    HP Chromebook
    CPU
    Intel Pentium Quad Core
    Memory
    4GB LPDDR4
    Monitor(s) Displays
    14 Inch HD SVA anti glare micro edge display
    Hard Drives
    64 GB emmc
Do you know how can you tell that? Like if your machine is the cpu based TPM? Is there an easy way to find that out? I looked under tpm administration and didnt see anything that makes it clear.
Virtually all CPUs sold since 2016 have a built in TPM. If your Intel CPU has PTT (Platform Trust Technology) or your AMD has fTPM then it's built in.
 

My Computers

System One System Two

  • OS
    Windows 11 build 10.0.22635.4515 Beta / WSL 2 running Ubuntu
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 14 5430
    CPU
    Intel i7-1355U
    Motherboard
    Dell 0GMW80
    Memory
    16GB
    Graphics Card(s)
    Intel Iris XE
    Sound Card
    Realtek
    Monitor(s) Displays
    Dell 14", LG 32" Curved Wide screen monitor and LG Ultrawide 26"
    Screen Resolution
    1920 x 1200 @ 60Hz, 1920 x 1080 @ 100Hz and 2560 x 1080 @ 60Hz
    Hard Drives
    Samsung 990 Pro 1TB NVME Gen 4 M.2 SSD
    PSU
    Dell
    Case
    Dell
    Cooling
    Dell
    Keyboard
    Dell KM3322W
    Mouse
    Dell Trackpad or Dell KM3322W
    Internet Speed
    900mb down / 400mb up FTTP
    Browser
    Edge 132.0.2957.11
    Antivirus
    Windows Defender
    Other Info
    Windows 365
    1TB OneDrive
    Outlook Classic
    Visual Studio Code running in WSL
    Python 3.13
    Macrium Reflect X
    Samsung Magician
    Garmin Express
    Dell TB16 Thunderbolt dock
    WSL
    WEI Score: 8.3
  • Operating System
    Windows 11
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    Core i5 - 1035G4
    Motherboard
    Microsoft
    Memory
    8GB
    Graphics card(s)
    Intel Iris Plus
    Monitor(s) Displays
    Surface touch
    Screen Resolution
    2736 x 1824
    Hard Drives
    128GB
    PSU
    Microsoft
    Case
    Microsoft Keyboard
    Cooling
    None
    Mouse
    Microsoft Arc Intellimouse
    Keyboard
    Microsoft Surface Keyboard
    Internet Speed
    900mb / 400mb FTTP
    Browser
    Edge
    Antivirus
    Windows Defender
Back
Top Bottom