Subscribe via e-mail: 
Review: Windows 7 BitLocker to Go – Part 1: Usability
By Michael Pietroforte | 5 Comments | Permalink | Trackback | Previous | NextCheck out all reviews and tips about Windows 7 on 4sysops.
- Review: Windows 7 AppLocker – Part 1: Overview
- Review: Windows 7 AppLocker – Part 2: Tips
- Review: Windows 7 Action Center and the Control Panel
- Review: Windows 7 BitLocker
- Review: Windows 7 BitLocker to Go – Part 1: Usability
- Review: Windows 7 BitLocker to Go – Part 2: Manageability
- Windows 7 DirectAccess – Features
- Windows 7 DirectAccess – Experiences
BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than BitLocker for fixed-drive encryption, which I reviewed in my last article. Portable drives get lost much easier simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.
Of course, flash drive encryption isn’t anything new. Many portable storage devices come with their own encryption software and there are also free tools such as TrueCrypt that support USB stick encryption. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user’s perspective. In my next post, I will cover the management features.
An important argument for BitLocker to Go is that it is integrated into Windows 7, which simplifies its usage. The BitLocker applet in the Control Panel displays all connected USB sticks. You can also turn on BitLocker to Go in Windows Explorer through the context menu of the memory stick. Before Windows can encrypt the flash drive you have to choose a password or a smart card that will be required later for unlocking the device.
Furthermore, you can store a 48-digit recovery key in a file. It is also possible to print the key. The recovery key is needed if you forget your password or lose your smart card. If you click on “I forgot my password” when BitLocker prompts you to enter the password to unlock the flash drive, you can either type the recovery key or load it from another flash drive. The second option was grayed out when I tried this feature. I didn’t find a Group Policy setting to enable it, so perhaps it is not yet implemented in Windows 7 Beta 1.
Encryption takes a couple of seconds for 100MB. The speed certainly depends on the capabilities of the stick. Once it is encrypted you can launch the BitLocker management tool from the context menu where you can change the password, remove the password, add a smart card (which is necessary if you remove the password), save the recovery key again, and enable automatic unlocking of the memory stick. Decrypting a portable drive is only possible through the Control Panel applet.
What I dislike about BitLocker to Go is that you have to encrypt the entire memory stick. I prefer to have an unencrypted section for files that need no protection. I always feel a little uncomfortable when I enter a password on other people’s computers because there might be a key logger running in the background. Thus, I want to use my password only if I really need access to confidential data. Of course, you can always bring a second unencrypted flash drive with you for this purpose. However, this is just another device that can get lost or forgotten.
A more severe downside of BitLocker to Go is that it is not possible to write to encrypted USB sticks on Windows Vista and Windows XP. Moreover, read access is quite cumbersome. It is not possible to directly open a file in Windows Explorer. After you enter the BitLocker password on Vista or XP, a window pops up where you have to choose which file you want to copy to the desktop.
I must admit I don’t understand why this procedure is necessary. The BitLocker to Go application is on the USB stick. Hence, it should be possible to allow direct read and write access. Some features, such as the integration in Windows Explorer or the control via Group Policy, can only work if certain components are available on the desktop. However, it would have been possible to install these at the same time as the USB stick is inserted. Other flash drive encryption solutions can be used on any Windows version. Considering that the point of a portable device is to use it on multiple machines, it certainly is an important shortcoming of BitLocker to Go that its full functionality is only available on Windows 7. I hope that Microsoft will at least offer updates for Vista and XP that will offset this downside.
Even though BitLocker to Go has some disadvantages from the end user’s perspective, I believe it is a good choice in corporate environments because it can be managed centrally. This will be the topic of my next post.
[...] a bit more info on it here 4sysops – Review: Windows 7 BitLocker to Go – Part 1: Usability I’ve just noticed this however [...]
I have used Bitlocker-To-Go to encrypt a USB drive on my Windows 7 machine and then used the drive on a Vista Home Premium machine without any problems. It asked for a password when I tried to access the drive and then let me get at my data. I haven’t tried it on XP or 2000 yet but I don’t imagine they would have nay problems either.
It is unfortunate that Microsoft has restricted the capability to write to such a “Bitlocker To Go” encrypted device to only 7 Ultimate and Enterprise. I, as a personal user, (and am sure many others) would be willing to upgrade to Ultimate to be able to create an encrypted USB stick, but the fact that I wouldn’t be able to write to it on any other standard Windows machine would completely put me off even using this feature in the first place.
A real downside to every software encryption system right now is that you can’t mount the encrypted disk on just any computer. Usually you’re stuck with a extremely cumbersome reader/writer program as a middle man between explorer and the disk. The reason for this is because “limited” users don’t have privileges to load drivers and the only way to get the encrypted disk to talk with the OS directly is with a driver. And even if Microsoft would backport this to XP, it still wouldn’t work on Linux or Mac systems. What is needed is a good STANDARD encryption format for removable devices. Currently, every OS has encryption capabilities, but they all do it in different ways so nothing is interoperable.
I was wondering how are encryption keys shared in a corporate environment? For example, if I have a department sharing removable media, I want it encrypted with a key that they can all access and don’t need to call me for the password or recovery password.