BitLocker was introduced with Windows Vista and, as far as I know, it was not very popular. This might be because it is available only for Windows Vista Ultimate and Windows Vista Enterprise. But the main reason probably is that it is complicated to set up. I compared BitLocker to TrueCrypt a year ago and concluded that the open-source tool was the better drive encryption solution. BitLocker in Windows 7, however, has improved significantly. In this article I discuss BitLocker's system drive encryption, and in my next post I will review BitLocker-to-Go, the new encryption solution for removable storage devices.
BitLocker for Vista was too complicated to set up once the operating system was installed. Users had to shrink the system partition to make space for the separate BitLocker partition. Microsoft acknowledged that this was too difficult for end users and too time-consuming for administrators, and released the BitLocker Drive Preparation Tool, which is part of the Ultimate Extras and is also available for Windows Vista Enterprise.
BitLocker drive preparation is now integrated into Windows 7, which greatly simplifies the encryption of a system drive. BitLocker can be found under System and Security in the Control Panel. Basically, you only have to turn on BitLocker, and the Drive Preparation Tool does the rest. This works out of the box, however, only if the computer has a TPM (Trusted Platform Module). If it does not, the startup key can be stored on a USB stick instead.
But USB stick support has to be enabled before it can be used. Unfortunately, this can't be done via the Control Panel; it has to be enabled through Group Policy or the Local Group Policy Editor (type gpedit.msc at Start Search). I am sure this will confuse many people. The setting's location has changed slightly in Windows 7: "Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Operating System Drives | BitLocker Drive Encryption -> Require Additional Authentication at Startup". Please note that there are two independent settings, one for Windows 7 and one for Server 2008/Vista.
Once you have allowed BitLocker without a TPM, the BitLocker Drive Preparation wizard will let you store the Startup Key on a USB flash drive. It also allows you to save a Recovery Key, which you will need if you lose your USB stick. You will then be asked whether you want to run a BitLocker System Check. If you agree, your computer will be restarted to check whether the USB device is available during the boot process. Note that this usually doesn't work if you try it in a virtual environment, but there are workarounds (VMware Workstation, Virtual PC). These posts were written for Vista, but they should work for Windows 7 as well.
BitLocker preparation works differently in Windows 7 than in Vista because the BitLocker partition is already available. I am not sure whether Windows 7 setup also creates it in editions that don't support BitLocker. As with Vista, BitLocker is supported only in the Ultimate and Enterprise editions. The BitLocker partition is 200 MB (400 MB if WinRE, the Windows Recovery Environment, is installed). Unlike in Vista, it has no drive letter and is hidden, which makes sense. You can see it in Disk Management, though. According to Microsoft, upgrades from Vista to Windows 7 are possible even if BitLocker is enabled.
The encryption process seemed quite fast to me, but because I was testing in a virtual environment, that might not mean much. For 1 GB, BitLocker took approximately 30 seconds. Once the system drive is encrypted, you can boot Windows 7 only if the USB stick (and/or the TPM) is present. If you have lost the USB drive, you will need the Recovery Key or the Recovery Password.
Windows 7 chooses the 48-digit Recovery Password for you, so it is not really a viable alternative to the TPM or the USB stick. I prefer TrueCrypt here; it allows you to choose a memorable passphrase and doesn't require special hardware. This might not be as secure as BitLocker's method, but I think it is secure enough if you don't happen to be a CIA agent. If you forget the USB stick or the Recovery Key at your office before a trip, your laptop will be useful only as ballast for your luggage. Note that for system drives, a PIN can be used instead of a USB stick only if your computer is equipped with a TPM. Unlocking a fixed drive with a password works only for volumes other than the operating system volume.
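The 48-digit Recovery Password has a fixed structure that a helpdesk script can check for typos before a user is walked through recovery: eight groups of six digits, each divisible by 11 and no larger than 720885, so that every group encodes one 16-bit value. As an added example, not code from the original article, here is a Python validator for that format with a constructed sample password (the values are made up and are not a real recovery key):

```python
"""Structural check of a 48-digit BitLocker recovery password (added example)."""
from __future__ import annotations
import re

GROUP_COUNT = 8                       # eight groups of six digits
GROUP_DIGITS = 6
CHECK_DIVISOR = 11                    # every group is a 16-bit value multiplied by 11
MAX_GROUP = 0xFFFF * CHECK_DIVISOR    # 720885; a larger group cannot encode a 16-bit value


def parse_recovery_password(text: str) -> list[int]:
    """Return the eight 16-bit values encoded in a recovery password.

    Accepts the usual dash-separated form as well as a bare digit string and
    raises ValueError naming the offending group, so a helpdesk script can
    tell the caller which block of digits to re-check.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != GROUP_COUNT * GROUP_DIGITS:
        raise ValueError("a recovery password has exactly 48 digits")
    values = []
    for index in range(GROUP_COUNT):
        group = int(digits[index * GROUP_DIGITS:(index + 1) * GROUP_DIGITS])
        if group % CHECK_DIVISOR:
            raise ValueError(f"group {index + 1} ({group:06d}) is not divisible by 11")
        if group > MAX_GROUP:
            raise ValueError(f"group {index + 1} ({group:06d}) exceeds {MAX_GROUP}")
        values.append(group // CHECK_DIVISOR)
    return values


def format_recovery_password(values: list[int]) -> str:
    """Inverse of parse: encode eight 16-bit values as a dash-separated password."""
    if len(values) != GROUP_COUNT or any(not 0 <= v <= 0xFFFF for v in values):
        raise ValueError("need exactly eight values in the range 0..65535")
    return "-".join(f"{v * CHECK_DIVISOR:06d}" for v in values)


def is_valid_recovery_password(text: str) -> bool:
    """True if the text has the shape of a recovery password (no key material is derived)."""
    try:
        parse_recovery_password(text)
        return True
    except ValueError:
        return False


# Constructed sample, not a real key: encode eight known values, then round-trip them.
SAMPLE_VALUES = [1, 2, 0x1234, 0xFFFF, 0, 12345, 54321, 999]
SAMPLE_PASSWORD = format_recovery_password(SAMPLE_VALUES)

if __name__ == "__main__":
    print(SAMPLE_PASSWORD)  # 000011-000022-051260-720885-000000-135795-597531-010989
    print(parse_recovery_password(SAMPLE_PASSWORD) == SAMPLE_VALUES)  # True
    # A single mistyped digit breaks the divisibility check for that group only.
    print(is_valid_recovery_password(SAMPLE_PASSWORD.replace("000011", "000012", 1)))  # False
```

Passing the check only means the digits are well formed; whether the password actually unlocks a given volume is decided by BitLocker itself.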
However, BitLocker has two important advantages over TrueCrypt: it can be centrally managed through Group Policy, and it allows you to store the Recovery Key and the Recovery Password in Active Directory. BitLocker has quite a few new Group Policy settings compared to Vista, mostly because of new features such as BitLocker-to-Go. Vista also supports Active Directory integration, but Windows 7 adds an important new recovery option, the Data Recovery Agent. I will write more about this feature in my next post about BitLocker-to-Go, because I think it will be used more often for portable devices.