
Using BitLocker Drive Encryption


This article talks about Microsoft’s BitLocker Drive Encryption tool that comes with the Business or Professional versions of Microsoft Windows and Windows Server, and how to use BitLocker to encrypt your hard drives and portable storage devices.

What is BitLocker Drive Encryption?

BitLocker Drive Encryption is a proprietary Microsoft drive encryption tool included with Microsoft Windows Vista and Windows 7 Ultimate and Enterprise editions, Windows 8.1 Pro and Enterprise editions, and Windows Server 2008 and later.

BitLocker is strong encryption well suited for business, commerce, the medical industry, law enforcement and anyone else wanting to keep their data from falling into the wrong hands. When you turn on a computer that has BitLocker enabled, before the operating system or any files on the hard drive can be accessed or read, BitLocker challenges you for a password or a key to unlock the drive. Without this password or key, the hard drive remains unreadable and the files remain inaccessible. Even if the hard drive is plugged in to another computer, or someone tries to use another operating system to access the files, the files are safely encrypted and hidden. While it is not possible with our current technology to create bullet-proof, invincible data protection, it would be extremely difficult for someone or some entity not in possession of really expensive encryption-cracking technology to break BitLocker. Furthermore, BitLocker isn’t just hard drive encryption technology; you can also use BitLocker to encrypt removable drives and flash storage devices.

Two features that make BitLocker a valuable security tool in business or enterprise environments are the option to require encryption on any portable flash drive, and the ability to automatically store recovery passwords in Active Directory. Should you lose your encryption key or forget your password, you can contact your help desk and they can help you unlock your encrypted device.

History of BitLocker Drive Encryption

BitLocker Drive Encryption first appeared with Windows Vista, but with encryption functionality limited to just the primary drive. With Windows Vista SP1 and Server 2008 SP1, Microsoft added support for BitLocker protection of additional volumes, as well as local volumes. With Windows 7 and Windows Server 2008 SP2, BitLocker supports encryption for other internal and external drives and storage devices such as thumb drives. Windows 7 also extended BitLocker functionality to removable drives with BitLocker-to-Go, which gives you the ability to encrypt your thumb drives and even USB hard drives. BitLocker drives can be encrypted with 128-bit or 256-bit encryption.

With Windows 8.1, BitLocker Drive Encryption works the same as on Windows 7, but with extended functionality. For one, with Windows 7, BitLocker has to be set up after the operating system is installed. With Windows 8.1, a drive can be pre-configured with BitLocker through the Windows Pre-installation Environment (WinPE). This way, when BitLocker is configured for ‘Used disk space only’, encryption can be set up in a matter of seconds, as opposed to the hours it takes for BitLocker on Windows 7 to encrypt a drive.

System Requirements

To configure and use BitLocker Drive Encryption, you first need to have a supported operating system:

  • Microsoft Windows Vista Ultimate or Enterprise editions
  • Microsoft Windows 7 Ultimate and Enterprise editions
  • Microsoft Windows 8.1 Pro and Enterprise editions
  • Microsoft Windows Server 2008 and later

You must also have at least two partitions on the drive(s) to be encrypted, and a Trusted Platform Module (TPM – a special chip that runs an authentication check on your hardware, software, and firmware). If your computer does not support TPM, there is a work-around a few lines down on this page.

If you are not sure if your system will support BitLocker Drive Encryption, don’t worry. BitLocker will check your system when you start BitLocker Drive Encryption, and will let you know if any incompatibilities were found.

If your computer does not support TPM

You can configure BitLocker Drive Encryption to run on a computer that does not support TPM. Here’s how:

  1. Click on the Start button -> type ‘gpedit’ in the Search box, and launch gpedit.msc.
  2. Open Administrative Templates.
  3. Navigate to Windows Components -> BitLocker Drive Encryption -> Operating System Drives, and open Require additional authentication at start-up.
  4. In the Options section, check the box to Allow BitLocker Drive Encryption without a compatible TPM (Requires a password or start-up key on a USB flash drive).
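Before clicking ‘Turn on BitLocker’, it helps to know which of the two situations above you are in. The following PowerShell pre-flight check is an added example, not part of the original article: it reports whether the machine has a usable TPM and, if it does not, whether the Group Policy setting from the steps above has actually taken effect. It reads the policy from the registry location under HKLM\SOFTWARE\Policies\Microsoft\FVE where that setting is stored (UseAdvancedStartup and EnableBDEWithNoTPM), and queries the TPM through the Win32_Tpm WMI class, so it works on Windows 7 as well as Windows 8.1. The function name Test-BitLockerPrereq is my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): pre-flight check for the
# "no TPM" workaround. Reports TPM state and whether the Group Policy
# "Require additional authentication at startup" allows BitLocker without a TPM.
# Run elevated. The function name is this example's own.

function Test-BitLockerPrereq {
    $result = @{
        TpmPresent     = $false   # a TPM device was found by WMI
        TpmReady       = $false   # the TPM is enabled and activated
        NoTpmPolicySet = $false   # the gpedit checkbox from the steps above is set
        Ready          = $false   # at least one of the two unlock paths is available
    }

    # TPM status via the Win32_Tpm WMI class (Vista and later). On a machine
    # with no TPM the query returns nothing, which is the case we care about.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = $true
        # IsEnabled()/IsActivated() each return an object carrying a boolean
        # property of the same name.
        $result.TpmReady = [bool]($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
    }

    # Registry backing of the Group Policy setting. Both local gpedit and a
    # domain GPO write here, so this check covers either source.
    #   UseAdvancedStartup  = 1  -> the policy is Enabled
    #   EnableBDEWithNoTPM  = 1  -> "Allow BitLocker without a compatible TPM" is checked
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    if ($fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1) {
        $result.NoTpmPolicySet = $true
    }

    $result.Ready = $result.TpmReady -or $result.NoTpmPolicySet
    return New-Object PSObject -Property $result
}

$check = Test-BitLockerPrereq
$check | Format-List

if (-not $check.Ready) {
    Write-Warning 'No usable TPM and the no-TPM policy is not set. Complete the gpedit steps above (or have your administrator push the policy) before turning on BitLocker.'
}
```

If TpmPresent is true but TpmReady is false, the TPM exists but is switched off or not activated in the firmware, which BitLocker will also complain about during its own system check; fixing that in the BIOS/UEFI setup is usually preferable to the no-TPM workaround, because the startup key on a USB stick then becomes the only thing standing between the drive and an attacker who has the machine.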

[Screenshot: gpedit_bitlocker_tpm]

Setting up BitLocker Drive Encryption

The BitLocker Drive Encryption console is located in the Control Panel. Or, if you prefer, you can type the word ‘bitlocker’ in the Search box of the Start menu and select BitLocker Drive Encryption in the Control Panel. For this article, I am using a Windows 7 desktop PC without BitLocker Drive Encryption configured for my screenshots, but you will see basically the same things in Windows 8.1.

When you launch the BitLocker Drive Encryption utility, the BitLocker Management Interface pops up and displays the encryption status of the hard drives internally or externally connected to your computer. BitLocker Drive Encryption must first be enabled and configured on the primary (C:) drive before you can use BitLocker on any other drives in the computer. From the BitLocker console, simply click ‘Turn on BitLocker’ next to the C: drive.

[Screenshot: bitlocker_hard_disk_drives]

BitLocker then scans the computer to see if it meets the system requirements to run BitLocker Drive Encryption. (Just a note: the computer I am using does not have a TPM, so I had to use the Group Policy Editor to reconfigure the authentication requirements.) Once the system requirement scan is completed, BitLocker Drive Encryption prepares the primary drive for encryption: it creates a second partition and then prepares the computer for the encryption process. This shouldn’t take very long, ten minutes or so. Once it is complete, the computer must be restarted.

[Screenshot: bitlocker_encryption_setup]

Because my computer does not support TPM, I am required to use a start-up key on a removable USB drive. Otherwise, I would have the options to use BitLocker without additional keys or to require a PIN at every start-up. Since I am storing the start-up key on a USB drive, I am also going to save the Recovery Key to the USB drive, and make a backup of the USB drive to be stored in a remote location. This is important to me because if anything happens to the USB drive or the keys on it, I would be in serious trouble without a backup.

[Screenshot: bitlocker_startup_preferences]

If your computer does support TPM, you can use BitLocker without additional keys, or require a PIN at start-up.

BitLocker will next ask you where you want to save your start-up key. This is very important: you want to make sure that you store your BitLocker keys in a safe and secure location, and then you should back up your keys and store them in a secure off-site location. I have selected ‘Require a start-up key at every start up’. This means that I need to have the USB key present and plugged into the computer in order to start Windows. (A great security feature if I need to leave for a few days.)

[Screenshot: bitlocker_save_startup_key]

Next, BitLocker will ask where you want to store your recovery key. Again, this is very important. Store your key in a safe and secure location, and create an off-site backup.

[Screenshot: bitlocker_store_recovery_key]

The final step in this phase of preparing for encryption: BitLocker confirms that the C: drive has been selected for encryption and gives you an option to run a BitLocker system check. I recommend that you leave this option checked, just in case.

[Screenshot: bitlocker_ready_to_encrypt]

This phase is now complete, and BitLocker needs to restart Windows and start encrypting your drive. If you are using a flash drive to store your start-up key and Recovery key, plug the USB flash drive into your computer and restart Windows.

[Screenshot: bitlocker_restart]

BitLocker Drive Encryption will run in the background while encrypting the primary hard drive. You can still use your computer while the encryption process is underway, although you will experience a noticeable reduction in performance while BitLocker is encrypting your hard drive. Depending on the size of the drive being encrypted, this process can take anywhere from a few hours to overnight. As I am using a 500 GB primary hard drive, it is taking about 10 minutes for every percent of the process to complete.
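The same sequence of steps, from ‘Turn on BitLocker’ through saving the start-up and recovery keys to checking on progress after the reboot, can be scripted. The following is an added example, not code from the original article, written for the BitLocker PowerShell module that ships with Windows 8.1 and Server 2012 R2 (on Windows 7 the equivalent is the manage-bde command line tool, e.g. `manage-bde -on C: -StartupKey E:\ -RecoveryPassword` and `manage-bde -status C:`). It assumes the drive letters are C: for the operating system volume, E: for the USB flash drive that will hold the start-up key, and F: for a second USB drive that becomes the off-site backup copy; change those to match your machine. It also assumes the no-TPM policy from the earlier section is already in place, since a start-up key is the only protector it configures.

```powershell
# Added example (not from the original article): scripted version of the
# Control Panel walk-through. Requires the BitLocker module (Windows 8.1 /
# Server 2012 R2 and later) and an elevated prompt.
# Assumed drive letters (change to suit):
#   C:  operating system volume to encrypt
#   E:\ USB stick that must be plugged in at every start-up (start-up key)
#   F:\ second USB stick, to be stored off-site, that gets a copy of everything

#Requires -RunAsAdministrator
Import-Module BitLocker

$OsDrive       = 'C:'
$StartupKeyUsb = 'E:\'
$BackupUsb     = 'F:\'

# 1. Do nothing if the volume is already protected (mirrors the console,
#    which would show "BitLocker on" instead of "Turn on BitLocker").
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    throw "$OsDrive is already protected by BitLocker."
}

# 2. Turn on BitLocker with a start-up key on the USB stick as the unlock
#    method (the no-TPM case from the article). -SkipHardwareTest is
#    deliberately NOT used, so the pre-reboot system check the article
#    recommends still runs; encryption begins only after the restart.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 `
    -StartupKeyProtector -StartupKeyPath $StartupKeyUsb | Out-Null

# 3. Add a 48-digit recovery password as a second, independent protector.
#    This is what the help desk (or you) will use if the USB stick is lost.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1

# 4. Save the recovery password to both sticks, and copy the hidden .BEK
#    start-up key file to the backup stick, so either stick can recover the PC.
$text = @(
    "BitLocker recovery information for $env:COMPUTERNAME $OsDrive",
    "Protector ID:      $($recovery.KeyProtectorId)",
    "Recovery password: $($recovery.RecoveryPassword)"
) -join "`r`n"

foreach ($dest in @($StartupKeyUsb, $BackupUsb)) {
    Set-Content -Path (Join-Path $dest "BitLocker-Recovery-$env:COMPUTERNAME.txt") -Value $text
}
Get-ChildItem -Path $StartupKeyUsb -Filter '*.BEK' -Force |
    Copy-Item -Destination $BackupUsb -Force

# 5. Optional, for domain-joined machines with the AD backup policy enabled:
#    escrow the recovery password in Active Directory as the article describes.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive `
        -KeyProtectorId $recovery.KeyProtectorId | Out-Null
}

# 6. After the reboot, run this line any time to watch the background
#    encryption: VolumeStatus goes EncryptionInProgress -> FullyEncrypted.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector

Write-Host "Plug in $StartupKeyUsb and restart Windows to run the system check and begin encrypting."
```

Two points worth checking on the output of step 6: KeyProtector should list both an ExternalKey (the start-up key) and a RecoveryPassword entry, and ProtectionStatus stays Off until the first successful start-up from the USB key completes the hardware test. Keep the recovery text file off the encrypted machine itself; a recovery password stored only on the drive it unlocks protects nothing.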

And that’s it! When this process is done, your drives are secure should they wind up in the wrong hands.

I am not completely done with this article, but felt like I had enough information to go ahead and post it a little ahead of schedule. I am going to add some useful resources, some of which I used to study BitLocker Drive Encryption, and at least one piece on using BitLocker-to-Go. I hope you found this useful, and I welcome any comments or suggestions or questions you might have. Thanks for reading!

Other Resources
