Review: Windows 7 BitLocker to Go – Part 1: Usability

Michael PietroforteMVP By Michael Pietroforte - Thu, January 29, 2009 - 6 comments google+ icon

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Articles in this series

Windows 7 Bitlocker

BitLocker to Go is a new feature in Windows 7 that allows you to encrypt data on removable drives such as USB sticks. I believe that BitLocker to Go will be more popular than BitLocker for fixed-drive encryption, which I reviewed in my last article. Portable drives get lost much easier simply because they are smaller than laptops. Because they often contain important business data, unencrypted memory sticks pose a considerable security risk for any organization.

bitlocker-drive-encryptionOf course, flash drive encryption isn’t anything new. Many portable storage devices come with their own encryption software and there are also free tools such as TrueCrypt that support USB stick encryption. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user’s perspective. In my next post, I will cover the management features.

bitlocker-windows-explorer An important argument for BitLocker to Go is that it is integrated into Windows 7, which simplifies its usage. The BitLocker applet in the Control Panel displays all connected USB sticks. You can also turn on BitLocker to Go in Windows Explorer through the context menu of the memory stick. Before Windows can encrypt the flash drive you have to choose a password or a smart card that will be required later for unlocking the device.

bitlocker-to-go-recovery-password Furthermore, you can store a 48-digit recovery key in a file. It is also possible to print the key. The recovery key is needed if you forget your password or lose your smart card. If you click on “I forgot my password” when BitLocker prompts you to enter the password to unlock the flash drive, you can either type the recovery key or load it from another flash drive. The second option was grayed out when I tried this feature. I didn’t find a Group Policy setting to enable it, so perhaps it is not yet implemented in Windows 7 Beta 1.

bitlocker-to-go-manageEncryption takes a couple of seconds for 100MB. The speed certainly depends on the capabilities of the stick. Once it is encrypted you can launch the BitLocker management tool from the context menu where you can change the password, remove the password, add a smart card (which is necessary if you remove the password), save the recovery key again, and enable automatic unlocking of the memory stick. Decrypting a portable drive is only possible through the Control Panel applet.

What I dislike about BitLocker to Go is that you have to encrypt the entire memory stick. I prefer to have an unencrypted section for files that need no protection. I always feel a little uncomfortable when I enter a password on other people’s computers because there might be a key logger running in the background. Thus, I want to use my password only if I really need access to confidential data. Of course, you can always bring a second unencrypted flash drive with you for this purpose. However, this is just another device that can get lost or forgotten.

bitlocker-windows-xp A more severe downside of BitLocker to Go is that it is not possible to write to encrypted USB sticks on Windows Vista and Windows XP. Moreover, read access is quite cumbersome. It is not possible to directly open a file in Windows Explorer. After you enter the BitLocker password on Vista or XP, a window pops up where you have to choose which file you want to copy to the desktop.

I must admit I don’t understand why this procedure is necessary. The BitLocker to Go application is on the USB stick. Hence, it should be possible to allow direct read and write access. Some features, such as the integration in Windows Explorer or the control via Group Policy, can only work if certain components are available on the desktop. However, it would have been possible to install these at the same time as the USB stick is inserted. Other flash drive encryption solutions can be used on any Windows version. Considering that the point of a portable device is to use it on multiple machines, it certainly is an important shortcoming of BitLocker to Go that its full functionality is only available on Windows 7. I hope that Microsoft will at least offer updates for Vista and XP that will offset this downside.

Even though BitLocker to Go has some disadvantages from the end user’s perspective, I believe it is a good choice in corporate environments because it can be managed centrally. This will be the topic of my next post.

Series NavigationWindows 7 BitLocker Review - Review: Windows 7 BitLocker to Go – Part 2: Manageability

-1+1 - Rate this post
Loading ... Loading ...
Your question wasn't answered? Ask in the new 4sysops forum!

6 Comments- Leave a Reply

  1. [...] a bit more info on it here 4sysops – Review: Windows 7 BitLocker to Go – Part 1: Usability I’ve just noticed this however [...]

  2. System says:

    I have used Bitlocker-To-Go to encrypt a USB drive on my Windows 7 machine and then used the drive on a Vista Home Premium machine without any problems. It asked for a password when I tried to access the drive and then let me get at my data. I haven’t tried it on XP or 2000 yet but I don’t imagine they would have nay problems either.

  3. Paul says:

    It is unfortunate that Microsoft has restricted the capability to write to such a “Bitlocker To Go” encrypted device to only 7 Ultimate and Enterprise. I, as a personal user, (and am sure many others) would be willing to upgrade to Ultimate to be able to create an encrypted USB stick, but the fact that I wouldn’t be able to write to it on any other standard Windows machine would completely put me off even using this feature in the first place.

  4. Matt says:

    A real downside to every software encryption system right now is that you can’t mount the encrypted disk on just any computer. Usually you’re stuck with a extremely cumbersome reader/writer program as a middle man between explorer and the disk. The reason for this is because “limited” users don’t have privileges to load drivers and the only way to get the encrypted disk to talk with the OS directly is with a driver. And even if Microsoft would backport this to XP, it still wouldn’t work on Linux or Mac systems. What is needed is a good STANDARD encryption format for removable devices. Currently, every OS has encryption capabilities, but they all do it in different ways so nothing is interoperable.

  5. Dave says:

    I was wondering how are encryption keys shared in a corporate environment? For example, if I have a department sharing removable media, I want it encrypted with a key that they can all access and don’t need to call me for the password or recovery password.

  6. Greg says:

    For me the downside is that I have encrypted a drive and now I can’t seem to open it anywhere except on the machine I used to encrypt it…..makes no sense….makes my external HDD….a paperweight!

===Leave a Comment===

Login

Lost your password?