Windows Advisor
Safer Laptops with BitLocker
Vista introduces a new security feature that makes roaming users and their data safer. Here's a look.
Windows Vista is loaded with system enhancements and cool new features,
especially when it comes to security. Encrypting File System (EFS) never
really caught on because of its shortcomings. Among them: EFS is a per-file
encryption method that is useful under certain circumstances, but it's not
an ideal solution for mobile devices such as laptops.
With the new BitLocker Drive Encryption (BitLocker) feature in Vista,
we finally have a drive encryption mechanism that offers data security
to laptop users running Microsoft's operating system.
Although there are numerous third-party drive encryption tools available
today and businesses and government agencies around the world have been
utilizing them for years, BitLocker is a built-in feature of Windows Vista,
and it's free.
Hardware Requirements
Just like any other drive encryption solution, BitLocker has its pros
and cons. One of the advantages of BitLocker is that it supports Trusted
Platform Module (TPM). TPM is a microchip that supports several advanced
security features, such as storing encryption keys, digital certificates
and passwords. TPM doesn't rely on the operating system, so it's not as
susceptible to software vulnerabilities and attacks as other methods.
It requires the RSA, SHA-1 and HMAC cryptographic algorithms. BitLocker supports
TPM version 1.2 or higher.
TPM is supported in newer computers, but what if your computer hardware
doesn't support TPM? Luckily, Microsoft's BitLocker also supports removable
USB devices for storing BitLocker keys. For example, you can use any USB
Flash drive to store the keys. During my tests, I noticed that the two
files stored on my USB Flash drive only used 8KB of disk space.
BitLocker requires that your BIOS be compatible with TPM and that it
support USB devices. BitLocker also requires that you have at least two
partitions. Typically, you'll have the drive C where Vista is installed.
This will be the partition that BitLocker will encrypt. You'll need at
least one other active, unencrypted partition which is used to start the
computer. As one would expect, the hard drive must be formatted with NTFS.
BitLocker encrypts only the Windows partition; if you want to protect your
data on other partitions, you can use Windows' built-in EFS.
Note that TPM is not a replacement for a USB token or smart card -- they
perform different functions. A USB token/smart card is a portable token
used to authenticate users, while a TPM is a fixed token used to authenticate
a computer.
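The prerequisites above (a TPM visible to Windows, a second unencrypted NTFS volume, an active boot partition) can be checked before you open Control Panel. The script below is an added example, not code from the article or from Microsoft; it reads the Win32_Tpm, Win32_LogicalDisk and Win32_DiskPartition WMI classes that Vista exposes and has to be run from an elevated PowerShell prompt, since the TPM class is readable only by administrators. The function names and the hint text are my own.

```powershell
# Added example (not from the article): report whether this machine meets the
# BitLocker prerequisites listed above. Run from an elevated PowerShell prompt.

function Get-TpmStatus {
    # Win32_Tpm lives in its own namespace; no object back means no TPM is
    # exposed to Windows (absent, or turned off in the BIOS).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return New-Object PSObject -Property @{
            Present = $false; SpecVersion = $null
            Enabled = $false; Activated = $false; Owned = $false
        }
    }
    New-Object PSObject -Property @{
        Present     = $true
        # SpecVersion looks like "1.2, 2, 3"; the first field is the spec level.
        SpecVersion = $tpm.SpecVersion.Split(',')[0].Trim()
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        Owned       = [bool]$tpm.IsOwned_InitialValue
    }
}

function Get-BitLockerVolumeLayout {
    # BitLocker needs the Windows volume plus a second, unencrypted NTFS volume
    # holding the boot files. Win32_DiskPartition.BootPartition marks the active one.
    $fixed = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object DeviceID, FileSystem,
            @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 1) } }
    $active = Get-WmiObject -Class Win32_DiskPartition -Filter 'BootPartition = TRUE'
    New-Object PSObject -Property @{
        FixedVolumes      = $fixed
        NtfsVolumeCount   = @($fixed | Where-Object { $_.FileSystem -eq 'NTFS' }).Count
        SystemDriveIsNtfs = (($fixed | Where-Object { $_.DeviceID -eq $env:SystemDrive }).FileSystem -eq 'NTFS')
        ActivePartitions  = @($active | ForEach-Object { $_.Name })
    }
}

$tpm    = Get-TpmStatus
$layout = Get-BitLockerVolumeLayout

"TPM present: $($tpm.Present)  spec: $($tpm.SpecVersion)  enabled/activated/owned: $($tpm.Enabled)/$($tpm.Activated)/$($tpm.Owned)"
"NTFS fixed volumes: $($layout.NtfsVolumeCount)  system drive NTFS: $($layout.SystemDriveIsNtfs)"
"Active partition(s): $($layout.ActivePartitions -join ', ')"
$layout.FixedVolumes | Format-Table DeviceID, FileSystem, SizeGB -AutoSize

if (-not $tpm.Present) {
    'No TPM visible to Windows: BitLocker will need a USB startup key, and the BIOS must expose USB at boot.'
}
if ($layout.NtfsVolumeCount -lt 2) {
    'Fewer than two NTFS volumes: create the separate unencrypted system partition first.'
}
```

A TPM that is present but not enabled, activated and owned is the case the Initialize TPM Security Hardware wizard in the next section handles; the script only reports the three flags so you know which step to expect.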
The Encryption Process
Unlike EFS, BitLocker encrypts the entire Windows volume, including the
system files, pagefile, hibernation file, data files, etc. The encryption
key is removed from the hard drive and stored on the TPM. When you boot
your computer, the operating system integrity is checked to ensure that
you are not booting off a different partition or trying to tamper with
the system. Once the integrity is verified, the key for the encrypted
partition is released from the TPM and you can access your operating system.
If the TPM is missing or modified, BitLocker will enter what is known
as recovery mode. In recovery mode you will be required to provide
a recovery password before you can unlock the drive and proceed.
I mentioned earlier that you can also store the encryption keys on a USB
device. However, this method is less secure, in the sense that your keys
are not protected by a TPM. Each time you boot, you will be prompted for
the start-up key, which you create on a USB device such as a USB flash
drive. The key can be backed up to a different drive. For example, you can
copy your encryption key from the original drive to another USB flash
drive and boot with that one instead. The text file that stores your key
and password looks something like this:
569358-693679-053452-218323-404985-359884-256975-369697
Recovery password for the disk volume VISTA DATA 11/26/2006.
The recovery password ID is {FE3695FD-6F9E-4D3F-83F9-065923654012}.
Note that, if someone else finds your USB flash drive, they can boot
to your encrypted drive because they will have your key and password.
If you feel you can't adequately protect your USB device, it's best to
rely on the TPM to secure your drive. With BitLocker protection enabled,
a lost or stolen laptop stays secure: nobody can boot to another partition
or reinstall Windows and then read the confidential files on the laptop.
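Whether a volume is unlocked by the TPM or by a USB start-up key alone is visible after the fact through the Win32_EncryptableVolume WMI class, which is what the Control Panel page drives. The report below is an added example (not code from the article or from Microsoft): it lists each volume's conversion state and key protectors and flags volumes that rely on an external key without a TPM, the weaker configuration described above. The protector-type and conversion-state names are the values Microsoft documents for GetKeyProtectorType and GetConversionStatus; the function name and the UsbKeyOnly flag are my own. Run it elevated, with PowerShell 2.0 or later.

```powershell
# Added example (not from the article): audit which key protectors unlock
# each BitLocker volume. Run from an elevated PowerShell prompt.

# KeyProtectorType values as returned by GetKeyProtectorType.
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery password)'; 4 = 'TPM + PIN'
    5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
# ConversionStatus values as returned by GetConversionStatus.
$conversionNames = @{
    0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
    3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused'
}
# Protector types in which the TPM takes part in unlocking the volume.
$tpmBackedTypes = @(1, 4, 5, 6)

function Get-BitLockerProtectorReport {
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        # GetKeyProtectors(0) returns the IDs of protectors of every type;
        # an unencrypted volume returns none.
        $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @()
        foreach ($id in $ids) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
        $conv = $vol.GetConversionStatus()
        # ProtectionStatus 1 means encrypted with all protectors active.
        $protected = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        $hasTpm = @($types | Where-Object { $tpmBackedTypes -contains $_ }).Count -gt 0
        $usbOnly = ($types -contains 2) -and (-not $hasTpm)

        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            State      = $conversionNames[[int]$conv.ConversionStatus]
            Percent    = $conv.EncryptionPercentage
            Protected  = $protected
            UsbKeyOnly = $usbOnly
            Protectors = ($types | ForEach-Object { $protectorNames[$_] }) -join '; '
        }
    }
}

Get-BitLockerProtectorReport |
    Format-Table Drive, State, Percent, Protected, UsbKeyOnly, Protectors -AutoSize

Get-BitLockerProtectorReport | Where-Object { $_.UsbKeyOnly } | ForEach-Object {
    "Volume $($_.Drive) relies on a USB startup key with no TPM: whoever holds that key can unlock it."
}
```

A volume with a numerical-password protector but no TPM or external key protector shows as Protected only if the recovery password is its sole way in; that is the recovery-mode state described above, not a normal running configuration.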
Enabling BitLocker
Enabling BitLocker requires only a few steps. Use the following procedure
to turn on BitLocker.
- Go to Start, Control Panel, BitLocker Drive Encryption. Click Turn
On BitLocker. If your TPM is not initialized, you will see the Initialize
TPM Security Hardware wizard. Follow the instructions on the screen
and reboot your computer when you are finished.
- After you have initialized TPM, click Turn On BitLocker on the system
volume once again.
- In the Save the recovery password dialog box, you can save the password
to a USB drive or a folder, or print it. Whichever option you choose, make
sure that you've made a copy of this password and stored it in a safe place
away from this computer. You will need this password if you ever decide to
move your drive to another computer, or if BitLocker enters a locked state,
because the key is tied to this particular system.
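A copy of the recovery password is only useful if it was recorded correctly, and the 48-digit format lets you check that without touching the volume. The checker below is an added example, not code from the article or from Microsoft: the rule it applies (8 groups of 6 digits, each group a multiple of 11 and below 720896, the sixth digit of each group acting as a checksum) is the one Microsoft documents for numerical-password protectors, so a single mistyped digit fails the check. The two sample passwords are constructed for the example and are not real; the function names and the file-parsing helper are my own.

```powershell
# Added example (not from the article): validate the format of a saved or
# transcribed 48-digit BitLocker recovery password.

function Test-BitLockerRecoveryPassword {
    param([string]$Password)
    $groups = $Password.Trim().Split('-')
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        # Each group is a 16-bit value times 11: divisible by 11 and below 65536 * 11.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Get-RecoveryPasswordFromFile {
    # Pull the password line out of the text file BitLocker writes (the
    # layout shown earlier in the article): eight dash-separated 6-digit groups.
    param([string]$Path)
    $pattern = '\b\d{6}(-\d{6}){7}\b'
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match $pattern) { return $matches[0] }
    }
    return $null
}

# Constructed sample values for the example; neither is a real recovery password.
$valid    = '135795-597531-720885-000011-440000-085547-333333-000099'
$mistyped = '135795-597531-720885-000012-440000-085547-333333-000099'  # one digit changed

"constructed valid sample passes:    $(Test-BitLockerRecoveryPassword $valid)"
"constructed mistyped sample passes: $(Test-BitLockerRecoveryPassword $mistyped)"

# Checking a saved recovery file (path is a placeholder):
# $pw = Get-RecoveryPasswordFromFile 'E:\BitLocker Recovery Password.txt'
# if ($pw -and (Test-BitLockerRecoveryPassword $pw)) { 'saved copy is well formed' }
```

The constructed valid sample passes and the mistyped one fails on its fourth group (000012 is not a multiple of 11). The illustrative value printed earlier in the article does not pass either (its first group, 569358, is not a multiple of 11), which is what you would expect of a number published for illustration rather than a password taken from a real volume.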
Disabling BitLocker
When it comes to decryption, you have a couple of options. You can temporarily
turn BitLocker off by disabling it, or permanently remove it by decrypting
the partition. If you only want to turn off BitLocker temporarily, make sure
you use the first option. Disabling and re-enabling takes only seconds.
Decrypting the volume with the second option, however, takes considerably
longer, depending on the size of your volume.
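The same two options are exposed by the Win32_EncryptableVolume methods DisableKeyProtectors (the temporary option; EnableKeyProtectors reverses it) and Decrypt (the permanent one). The functions below are an added example, not code from the article or from Microsoft, and they add the caveat that matters for a laptop: while BitLocker is disabled the volume stays encrypted but its key is stored on the disk in the clear, so the data is not protected until you re-enable it. The function names are my own; each asks for confirmation and honours -WhatIf. Run elevated, with PowerShell 2.0 or later.

```powershell
# Added example (not from the article): disable, re-enable or decrypt a
# BitLocker volume through WMI. Run from an elevated PowerShell prompt.

function Get-EncryptableVolume {
    param([string]$DriveLetter = $env:SystemDrive)
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter = '$DriveLetter'"
}

function Disable-BitLockerTemporarily {
    # "Disable": the volume stays encrypted, but the key is written to disk in
    # the clear so it unlocks without the TPM or USB key. Seconds to do, seconds
    # to undo with Enable-BitLockerAgain, and no protection in between.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-EncryptableVolume $DriveLetter
    if ($PSCmdlet.ShouldProcess($DriveLetter, 'Disable BitLocker key protectors (clear key on disk)')) {
        $rc = $vol.DisableKeyProtectors().ReturnValue
        if ($rc -ne 0) { throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $rc) }
        "BitLocker disabled on $DriveLetter; re-enable it as soon as the maintenance is done."
    }
}

function Enable-BitLockerAgain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-EncryptableVolume $DriveLetter
    if ($PSCmdlet.ShouldProcess($DriveLetter, 'Re-enable BitLocker key protectors')) {
        $rc = $vol.EnableKeyProtectors().ReturnValue
        if ($rc -ne 0) { throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $rc) }
        "BitLocker protection re-enabled on $DriveLetter."
    }
}

function Start-BitLockerDecryption {
    # "Decrypt": removes encryption entirely. Runs in the background and takes
    # minutes to hours depending on volume size; poll GetConversionStatus().
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([string]$DriveLetter = $env:SystemDrive)
    $vol = Get-EncryptableVolume $DriveLetter
    if ($PSCmdlet.ShouldProcess($DriveLetter, 'Decrypt the whole volume (permanent, slow)')) {
        $rc = $vol.Decrypt().ReturnValue
        if ($rc -ne 0) { throw ('Decrypt failed: 0x{0:X8}' -f $rc) }
        $status = $vol.GetConversionStatus()
        "Decryption started; $($status.EncryptionPercentage)% of $DriveLetter is still encrypted."
    }
}

# Typical maintenance pattern: pause protection, do the firmware or boot
# change, then turn it back on.
# Disable-BitLockerTemporarily -DriveLetter 'C:'
# ... apply the BIOS or boot-configuration change ...
# Enable-BitLockerAgain -DriveLetter 'C:'
```

Because the TPM measures the boot environment, the disable-then-enable pattern is the intended way to apply BIOS updates or boot-configuration changes without forcing the machine into recovery mode; the decrypt path is only for retiring BitLocker from the volume for good.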
To disable a BitLocker volume, follow the procedure described below.
- Go to Start, Control Panel, Security and select BitLocker Drive Encryption.
- On the volume for which you want to disable BitLocker, click Turn Off
BitLocker Drive Encryption.
- Depending on the level of decryption you desire, you can either Disable
the BitLocker Drive Encryption or Decrypt the volume.
Get Encrypting
With Windows Vista, we finally have an easy method to encrypt an entire
volume and protect our mobile computers in case they are stolen or lost.
BitLocker is useful not only to meet legal requirements; it also offers
cost savings when you have to decommission computers.
BitLocker is a refreshing improvement over EFS in Windows XP. EFS only
allowed users to encrypt files or folders, didn't offer a mechanism to
encrypt a drive, and there was a definite training factor for users that
needed to be addressed. BitLocker takes the next step to securing your
data by offering a transparent solution that secures the entire drive
and doesn't require end user training.
For additional information on BitLocker, go here.
About the Author
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].