One of the reasons I run Windows 7 Ultimate edition on my netbook is to take advantage of features like BitLocker. For those who are not aware of this technology, BitLocker has offered full-volume encryption for the Windows system drive since Windows Vista (other fixed data drives followed in Vista SP1), but Windows 7 also adds encryption for removable devices (BitLocker To Go).
Even though I don’t keep much data on my netbook, it’s exactly the sort of device that’s likely to be lost or stolen and it seems like a perfect candidate for data encryption – although my main concern was that I might encrypt the device and then lock myself out (and I’m not the only one who’s had those concerns). Luckily there are options for key recovery, ranging from storing a copy of the recovery key in a file or in Active Directory (not applicable for me as my netbook is not domain-joined) to the most basic: printing the key on a piece of paper and keeping it in a safe place (i.e. not the carry case for my computer!).
So, armed with the knowledge that I had backed up all my critical data, just in case something went wrong, last weekend I “BitLockered” my netbook and I’m pleased to say it was really straightforward (especially as Windows 7 creates the necessary unencrypted system partition at install-time). It would have been even easier if my computer had a trusted platform module (TPM) chip but, even so, Windows can be configured to allow encryption without a TPM – I just need to supply a startup key when I turn the computer on. In this case I used a small-capacity USB thumb drive to store the key (a .BEK file), then remove it from the computer once the drive has been unlocked. In effect, I can only start the computer (or resume it from hibernation; resuming from sleep doesn’t ask for the key, because the volume key stays in memory) with that USB “key” – or type in the recovery key, which unlocks the drive in recovery mode but does not remove the encryption. Without a TPM there is also no measurement of the boot chain, so the USB key is the only thing standing between an attacker and the drive; keep it separate from the netbook.
There are two common ways to allow Windows to use BitLocker without a TPM: one involves the Local Group Policy Editor (gpedit.msc – Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives, “Require additional authentication at startup”, with “Allow BitLocker without a compatible TPM” ticked) and the other writes the same values directly to the registry, which is the approach I chose (this is the contents of a .reg file; note that on Windows 7 a non-TPM machine can only use a USB startup key for the operating system drive, not a PIN or password):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"UseAdvancedStartup"=dword:00000001
"EnableBDEWithNoTPM"=dword:00000001
"UseTPM"=dword:00000002
"UseTPMPIN"=dword:00000002
"UseTPMKey"=dword:00000002
"UseTPMKeyPIN"=dword:00000002
To revert to the default settings (the policy becomes “not configured”), import a .reg file with the following contents – a value of “-” deletes the named value:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"UseAdvancedStartup"=-
"EnableBDEWithNoTPM"=-
"UseTPM"=-
"UseTPMPIN"=-
"UseTPMKey"=-
"UseTPMKeyPIN"=-
Then, using Windows Explorer, right-click the drive you want to encrypt, select Turn On BitLocker, and follow the wizard. Make sure you store a copy of the recovery key somewhere other than the encrypted machine, as this will be the only way to get at the data on a BitLocker-protected drive if the USB startup key is lost or damaged.
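The same procedure can be scripted rather than clicked through. The following is an added example of my own and not something from the original post: it writes the six policy values, checks they actually landed, and then turns on BitLocker with manage-bde.exe, the command-line tool that ships with Windows 7 (the Enable-BitLocker PowerShell cmdlets only appeared in Windows 8). The drive letters ($OsDrive, $UsbDrive) and the backup file path ($Backup) are assumptions; adjust them to your machine and run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original post. Requires an elevated prompt.
# Assumed drive letters and paths:
#   $OsDrive  - the Windows volume to encrypt
#   $UsbDrive - a small USB stick that will hold the .BEK startup key
#   $Backup   - where a record of the protectors is written; move it off the
#               USB key and away from the netbook afterwards
$OsDrive  = 'C:'
$UsbDrive = 'E:\'
$Backup   = 'E:\bitlocker-protectors.txt'

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Policy: allow BitLocker without a TPM and set every TPM option to "Allow" (2).
#    These are exactly the values the .reg file above writes.
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# 2. Verify the values before trusting the wizard or manage-bde to honour them.
$actual = Get-ItemProperty -Path $fve
foreach ($name in $policy.Keys) {
    if ($actual.$name -ne $policy[$name]) { throw "Policy value $name was not set" }
}

# 3. Without a TPM the .BEK file on the USB stick is the only startup protector,
#    so refuse to continue if the stick is not present and writable now.
if (-not (Test-Path $UsbDrive)) { throw "USB startup-key drive $UsbDrive not present" }

# 4. Turn on BitLocker: startup key written to the USB drive plus a 48-digit
#    numerical recovery password as the second protector. manage-bde schedules a
#    hardware test on the next restart to prove the BIOS can read the key from USB
#    before any encryption starts; do not add -SkipHardwareTest on a non-TPM machine.
& manage-bde.exe -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 5. Record every protector (this output includes the numerical recovery
#    password) and keep that record somewhere other than the netbook or its case.
& manage-bde.exe -protectors -get $OsDrive | Out-File -FilePath $Backup -Encoding ASCII

# 6. Show conversion status. After the restart and hardware test this reports
#    "Encryption in Progress" with a percentage, which is the progress indicator
#    the Explorer wizard may not show you.
& manage-bde.exe -status $OsDrive
```

Step 4 is where the non-TPM caveat bites: because nothing measures the boot chain, the hardware test is the only check that the BIOS can actually read the startup key before the drive is locked, so let it run. Re-running step 6 after the restart is also the quickest way to confirm that the drive really is fully encrypted rather than still converting.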
It took a while for my drive to encrypt and, despite almost every reference for this that I’ve seen saying that a dialogue box will be presented showing encryption progress, I didn’t see this – all I saw was that the drive was almost full and lots of hard drive activity, then I got my free space back and the icon for the drive had a padlock and a key on it. Now, if I right click the drive there are options to manage BitLocker, including duplicating the startup key and saving/printing a new copy of the recovery key.
All in all, it was pretty painless and I haven’t noticed any performance degradation, but if someone does take a fancy to my netbook they won’t be able to read the data on it – provided the USB startup key and the printed recovery key aren’t with it, and the machine was shut down or hibernated rather than just put to sleep (sleep leaves the volume key in memory).
For more information, see the Windows BitLocker Drive Encryption Step-by-Step Guide on the Microsoft TechNet website and the BitLocker drive encryption team blog (although that hasn’t been updated in a while). Michael Pietroforte has also compared BitLocker with TrueCrypt, concluding that TrueCrypt lets you choose your own recovery passphrase, whereas BitLocker can be managed with Group Policy and its keys can be stored in Active Directory Domain Services. There’s more information on storing BitLocker keys in Active Directory on the TechNet website (domain controllers must be running Windows Server 2003 SP1 or later, and Windows Server 2003 requires schema extensions).