By Michael Pietroforte
Of course, flash drive encryption isn’t anything new. Many portable storage devices come with their own encryption software and there are also free tools such as TrueCrypt that support USB stick encryption. However, in corporate environments, BitLocker to Go has some important advantages over these free solutions. In this article, I will discuss BitLocker to Go from the end user’s perspective. In my next post, I will cover the management features.
An important argument for BitLocker to Go is that it is integrated into Windows 7, which simplifies its usage. The BitLocker applet in the Control Panel displays all connected USB sticks. You can also turn on BitLocker to Go in Windows Explorer through the context menu of the memory stick. Before Windows can encrypt the flash drive you have to choose a password or a smart card that will be required later for unlocking the device.
The wizard also generates a 48-digit recovery key (strictly speaking a numerical recovery password) that you can save to a file or print. The recovery key is needed if you forget your password or lose your smart card. If you click on “I forgot my password” when BitLocker prompts you to enter the password to unlock the flash drive, you can either type the recovery key or load it from another flash drive. The second option was grayed out when I tried this feature. I didn’t find a Group Policy setting to enable it, so perhaps it is not yet implemented in Windows 7 Beta 1.
Encryption takes a couple of seconds for 100MB. The speed certainly depends on the capabilities of the stick. Once the drive is encrypted, you can launch the BitLocker management tool from its context menu, where you can change the password, add a smart card (required before the password can be removed), remove the password, save the recovery key again, and enable automatic unlocking of the memory stick on the current PC. Decrypting a portable drive is only possible through the Control Panel applet.
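The same workflow can be driven from the command line, which is handy for scripting or for checking what the wizard actually did. The following is an added example, not code from the original post; it uses manage-bde.exe, the BitLocker command-line tool that ships with Windows 7, from an elevated PowerShell prompt. The drive letter E:, the certificate path, the output path for the recovery information and the placeholder protector ID and recovery password are assumptions for illustration.

```powershell
# Added example (not from the original post): BitLocker To Go driven with
# manage-bde.exe instead of the Control Panel applet.
# Assumptions: the flash drive is E:, the shell is elevated (administrator),
# and the paths below exist. Replace the {...} and 123456-... placeholders.
$drive = 'E:'

# 1. Turn on BitLocker To Go with a password protector and a 48-digit
#    recovery password. -Password prompts interactively, so the password
#    does not end up in the shell history.
manage-bde -on $drive -Password -RecoveryPassword

# 2. Encryption runs in the background; the drive is not fully protected
#    until "Percentage Encrypted" reports 100%.
manage-bde -status $drive

# 3. List the protectors. This shows the recovery password and the ID of
#    each protector; save a copy somewhere other than the stick itself.
manage-bde -protectors -get $drive | Out-File "$env:USERPROFILE\Documents\BitLocker-E-recovery.txt"

# 4. Equivalents of the "Manage BitLocker" context menu entries:
#    add a smart card (certificate) protector from a certificate file
manage-bde -protectors -add $drive -Certificate -cf 'C:\certs\my-smartcard.cer'
#    remove the password protector by the ID shown in step 3
#    (only after another protector exists, otherwise the drive would be unrecoverable)
# manage-bde -protectors -delete $drive -id '{00000000-0000-0000-0000-000000000000}'
#    change the password (prompts for the new one)
manage-bde -changepassword $drive
#    auto-unlock on this PC; this stores the key in the operating system
#    drive's BitLocker metadata and therefore requires the OS drive itself
#    to be BitLocker-protected
manage-bde -autounlock -enable $drive

# 5. On another Windows 7 machine: unlock with the password, or with the
#    48-digit recovery password if the password is forgotten.
manage-bde -unlock $drive -Password
# manage-bde -unlock $drive -RecoveryPassword 123456-123456-123456-123456-123456-123456-123456-123456

# 6. Turn BitLocker off again (decrypts the whole stick).
manage-bde -off $drive
```

The check worth doing after the wizard finishes is step 3: if the output lists only a single protector, losing that password or smart card means losing the data, so confirm that a numerical recovery password is present before relying on the stick.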
What I dislike about BitLocker to Go is that you have to encrypt the entire memory stick. I prefer to have an unencrypted section for files that need no protection. I always feel a little uncomfortable when I enter a password on other people’s computers because there might be a key logger running in the background. Thus, I want to use my password only if I really need access to confidential data. Of course, you can always bring a second unencrypted flash drive with you for this purpose. However, this is just another device that can get lost or forgotten.
A more severe downside of BitLocker to Go is that it is not possible to write to encrypted USB sticks on Windows Vista and Windows XP; the reader application that Windows 7 copies onto the stick only grants read access, and only if the stick is formatted with FAT. Moreover, read access is quite cumbersome. It is not possible to directly open a file in Windows Explorer. After you enter the BitLocker password on Vista or XP, a window pops up where you have to choose which file you want to copy to the desktop.
I must admit I don’t understand why this procedure is necessary. The BitLocker to Go application is on the USB stick. Hence, it should be possible to allow direct read and write access. Some features, such as the integration in Windows Explorer or the control via Group Policy, can only work if certain components are available on the desktop. However, it would have been possible to install these at the same time as the USB stick is inserted. Other flash drive encryption solutions can be used on any Windows version. Considering that the point of a portable device is to use it on multiple machines, it certainly is an important shortcoming of BitLocker to Go that its full functionality is only available on Windows 7. I hope that Microsoft will at least offer updates for Vista and XP that will offset this downside.
Even though BitLocker to Go has some disadvantages from the end user’s perspective, I believe it is a good choice in corporate environments because it can be managed centrally. This will be the topic of my next post.