Drive Encryption with BitLocker

Windows Vista and Windows Server 2008 have a new feature called BitLocker Drive Encryption. BitLocker encrypts the entire drive or volume on which Windows is installed (on Windows Server 2008, additional volumes or drives can also be encrypted), so that if the computer is stolen or lost, or the drive is removed from the computer, the information on that drive remains protected. BitLocker requires that a USB device, such as a flash drive, containing a key be inserted to start the computer or resume from hibernation (we'll call this a "USB key"). If the computer has a Trusted Platform Module (TPM) version 1.2, a hardware component, BitLocker will additionally verify the integrity of the system when it starts, make the USB key optional, and allow a personal identification number (PIN) as another alternative. If BitLocker with TPM finds that system integrity has been compromised, beginning with the initial boot files, or that the drive is no longer in its original computer, the system will lock down and not start. At that point a BitLocker recovery process can be started. BitLocker therefore has four authentication modes:

  • BitLocker by itself requiring a USB key
  • BitLocker with TPM and no authentication component
  • BitLocker with TPM and a USB key
  • BitLocker with TPM and a PIN

BitLocker is all but transparent in use; other than plugging in the USB key or entering a PIN, there is no sign that BitLocker is running. Should BitLocker lock down the system, whether because of a security breach or a hardware failure, the recovery process is easily carried out by someone who has the recovery key, generally on a USB device, or the recovery password.

BitLocker Installation

On Windows Server 2008, BitLocker is not installed by default and must be added as a feature from Server Manager.

  1. Click Start | Server Manager. Click Features in the left pane and click Add Features in the right pane. The Add Features Wizard will open.
  2. Click BitLocker Drive Encryption, click Next, and then click Install.
  3. Click Close and click Yes to restart the computer. Upon restarting, the installation will resume. When you are told that installation was successful, click Close.

BitLocker Setup and Control

BitLocker is set up and controlled through the BitLocker control panel. If the computer you are setting up does not have a TPM, you must first change a Group Policy setting to allow a USB key in place of the TPM. If you think you have a TPM (you will be told very quickly if you don't), you can skip the first three steps in the following series.

  1. If you are going to use a USB key, insert it. Then click Start | Run, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
  2. In the left pane, open Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption. In the right pane, double-click Control Panel Setup: Enable Advanced Startup Options to open the dialog box of that name.
  3. Click Enabled and make sure there is a check mark beside Allow BitLocker Without A Compatible TPM. Click it if it isn't checked, click OK, and close the Local Group Policy Editor.
  4. Click Start | Control Panel and double-click BitLocker Drive Encryption.
  5. In the BitLocker Drive Encryption window that opens, click Turn On BitLocker under the System drive. You are asked if you really want to use BitLocker Drive Encryption on a server since it reduces performance and is only needed if the server is in an unsecured location (like an outlying office).
  6. If you do want to go ahead, click Continue With BitLocker Drive Encryption. If you have a TPM, you can choose, by clicking, to use BitLocker without a key, to require a PIN, or to require a USB key. Without a TPM, your only choice, which you must click, is Require Startup USB Key At Every Startup.
  7. If you choose to use a PIN, you are asked to enter and confirm your PIN. If you choose to use a USB key and you have several removable drives, click the drive from those presented. In either case, click Save.
  8. You are asked where you want to store the recovery password and told that it is recommended that the password be stored in several places. At a minimum, store it on a USB key and on a hard drive other than the computer you are encrypting (because if the computer is stolen, the thief has the key). Click an option, and then repeat to save or print the key as many times as you wish.
  9. Click Next. You are told that the encryption is about to start and given the option to run a system check to see if the keys you have stored are all available. It is strongly recommended that you do the check. Click Continue.
  10. Make sure the USB key is plugged in and click Restart Now. After restarting, you should see a balloon message from a system tray icon saying "BitLocker Drive Encryption Is xx% Complete." If you reopen the BitLocker control panel, you'll see that the drive encryption is in progress.
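To verify the same conditions from the command line before and after the steps above (whether a TPM is present and enabled, whether the no-TPM policy is in effect, and which key protectors and how much encryption the system volume has), here is an added PowerShell script; it is not from the original page. It uses the Win32_Tpm and Win32_EncryptableVolume WMI classes, and assumes that the Allow BitLocker Without A Compatible TPM policy setting is stored as the EnableBDEWithNoTPM value under HKLM\SOFTWARE\Policies\Microsoft\FVE. Run it from an elevated PowerShell prompt on the computer being encrypted.

```powershell
# Added example: report BitLocker readiness and status for the system volume.
# Run elevated. Uses the Win32_Tpm and Win32_EncryptableVolume WMI providers.
$SystemDrive = $env:SystemDrive   # e.g. "C:"

# 1. Is a TPM present, and is it enabled and activated in firmware?
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Host ("TPM found, spec {0}; enabled={1} activated={2}" -f $tpm.SpecVersion, $enabled, $activated)
} else {
    Write-Host 'No TPM reported: BitLocker will need a USB startup key and the no-TPM policy.'
}

# 2. Is the policy "Allow BitLocker without a compatible TPM" in effect?
#    Assumption: the Group Policy setting is stored as EnableBDEWithNoTPM under this key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($fve -ne $null -and $fve.EnableBDEWithNoTPM -eq 1)
Write-Host ("Policy allows BitLocker without TPM: {0}" -f $noTpmAllowed)
if (-not $tpm -and -not $noTpmAllowed) {
    Write-Warning 'Enable "Control Panel Setup: Enable Advanced Startup Options" first (steps 1-3).'
}

# 3. Which key protectors does the system volume have, and how far along is encryption?
#    Key protector type codes are those documented for Win32_EncryptableVolume.GetKeyProtectors.
$protectorNames = @{ 1='TPM'; 2='External key (USB startup key)'; 3='Numerical (recovery) password';
                     4='TPM and PIN'; 5='TPM and startup key'; 6='TPM, PIN and startup key' }
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $SystemDrive }
if (-not $vol) {
    Write-Host 'Win32_EncryptableVolume not available: the BitLocker feature is probably not installed.'
    return
}
$conv = $vol.GetConversionStatus()
$states = @{ 0='Fully decrypted'; 1='Fully encrypted'; 2='Encryption in progress';
             3='Decryption in progress'; 4='Encryption paused'; 5='Decryption paused' }
# ConversionStatus comes back as UInt32; cast to [int] so the hashtable lookup matches its Int32 keys.
Write-Host ("{0} status: {1}, {2}% encrypted" -f $SystemDrive, $states[[int]$conv.ConversionStatus], $conv.EncryptionPercentage)
foreach ($type in ($protectorNames.Keys | Sort-Object)) {
    $ids = @($vol.GetKeyProtectors($type).VolumeKeyProtectorID)
    if ($ids.Count -gt 0) { Write-Host ("  protector: {0} ({1})" -f $protectorNames[$type], $ids.Count) }
}
if (@($vol.GetKeyProtectors(3).VolumeKeyProtectorID).Count -eq 0) {
    Write-Warning 'No recovery password protector: store one somewhere other than this computer (step 8).'
}
```

The protector list mirrors the four authentication modes above plus the recovery password, so a volume with only a TPM protector and no recovery password is flagged before it can lock you out.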