Windows 7 / Security and Privacy

Use a Computer with BitLocker

Using a computer with BitLocker is not much different from using one without it, except that unless you have TPM, you must plug in the USB key before starting the computer.

There are several logistical issues to keep in mind:

  • If you create, copy, or move a file on or to a BitLocker drive or volume, it is automatically encrypted, but it stays encrypted only while it is on that drive. Once the system has been started with the USB key, a PIN, or TPM, the file is available in the same way it was before BitLocker was installed.
  • If you copy or move a file from the BitLocker drive or volume to another unencrypted drive, the file will automatically be unencrypted on the second drive.
  • If you share files on the BitLocker drive, other users with appropriate permission will be able to see and use the files as they could on a non-BitLocker drive. The files will remain encrypted on the BitLocker drive, but the user will be able, with the correct permission, to copy the file to an unencrypted drive where the file will be unencrypted.
  • If the computer you are working on has TPM and you have installed BitLocker, each time it starts up it checks for any condition that might indicate someone has tampered with it. This might be changes to the startup files, disk errors, or changes to the Basic Input/Output System (BIOS). When TPM with BitLocker detects any of these conditions, it locks the system and prevents it from starting. The same items that TPM/BitLocker check can also be altered by hardware failure, which can cause the system to lock up. With the recovery key, though, the system can be easily unlocked.

TIP: Once you have started the computer with the USB key, it is a good idea to remove the key and keep it in a safe place.

You can temporarily disable BitLocker or turn it off altogether by clicking Turn Off BitLocker in the BitLocker Drive Encryption control panel. Disabling BitLocker lets the system be restarted without the key, as you might want to do to upgrade the system, change the BIOS, or change any of the startup files; the drive remains encrypted, but its key is stored in plain text on the computer until you enable BitLocker again. Turning off BitLocker decrypts the drive, which can take some time.

You can duplicate either the startup key or the recovery password by clicking Manage BitLocker Keys in the BitLocker Drive Encryption control panel. When you click Duplicate The Recovery Password, the same Save The Recovery Password dialog box opens that you saw earlier, and you can save a copy of the recovery password on another USB key, in a folder on a hard drive, or print it. If you click Duplicate The Startup Key, you can choose another USB key on which to save it.
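The disable/re-enable and duplicate-recovery-password actions described in the two paragraphs above can also be scripted. The following is an added example, not code from the original page or from Microsoft; it wraps manage-bde.exe, the BitLocker command-line tool that ships with Windows 7, and must be run from an elevated prompt. The volume letter C: and the backup folder E:\BitLockerBackup are assumptions for illustration.

```powershell
# Added example (not from the original page): command-line equivalents of the
# BitLocker control-panel actions, using manage-bde.exe from an elevated prompt.
# Assumptions: the protected OS volume is C: and E:\ is a separate removable
# drive used to hold the recovery-password backup (never the protected volume).

$Volume    = "C:"
$BackupDir = "E:\BitLockerBackup"

# 1. Confirm the volume is actually protected before touching anything.
manage-bde -status $Volume

# 2. Add a numerical (48-digit) recovery password protector, then save the
#    protector listing to the backup drive. This is the scripted counterpart of
#    Duplicate The Recovery Password in the control panel.
manage-bde -protectors -add $Volume -RecoveryPassword
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"
manage-bde -protectors -get $Volume |
    Out-File -FilePath (Join-Path $BackupDir "recovery-$stamp.txt")

# 3. Before a BIOS update or a change to the startup files: suspend BitLocker.
#    The drive stays encrypted, but the key is held in plain text on disk until
#    protectors are re-enabled, so keep this window as short as possible.
manage-bde -protectors -disable $Volume

# ... apply the firmware or boot-file change and reboot here ...

# 4. Afterwards, re-enable the protectors (TPM re-seals to the new boot
#    measurements) and verify that protection is back on.
manage-bde -protectors -enable $Volume
manage-bde -status $Volume

# 5. Only if BitLocker should be removed entirely: this starts full decryption
#    (the Turn Off BitLocker action) and can take a long time. Left commented
#    out so the script does not decrypt by accident.
# manage-bde -off $Volume
```

The file written in step 2 contains the recovery password in clear text, so it belongs with the USB startup key in a safe place, as the TIP above advises, and never on the protected volume itself.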

BitLocker Recovery

If the USB key is not present or the system locks down for some other reason, you get a message that BitLocker has prevented the system from starting and that you should either insert a USB key (it can be one with the startup key or one with the recovery password) and press Esc to reboot, or press Enter to see a screen where you can enter the recovery password. If you don't have a numeric keypad, you can use the function keys as numbers (F1=1, F2=2, F10=0, and so on). Once you have entered the correct password, the boot process automatically continues.
