Perhaps you believe your office is your well-protected castle. You think nobody can access your disks and, because you don't have laptop users, you don't need BitLocker disk encryption in your organization. This post provides seven reasons why you are wrong. In my view, hard disk encryption is a must for all PCs in your organization. BitLocker alone justifies the deployment of Windows 7 Enterprise or Ultimate instead of Windows 7 Professional.

1. Confidential data

It is true that the most common use of BitLocker is to protect the data on stolen laptops. Since you are probably an IT pro, you know that anybody can access the data on an unencrypted disk without any password simply by booting from a second drive. Thus, hard disk encryption is the only way to protect the data on a stolen laptop. However, who says that the disks in your PCs or servers can't be stolen? Did you ever wonder what a disgruntled employee could do with the easy-to-remove hot-plug hard disks in your servers? If you use RAID, you might not even notice the theft for a while. I suppose your organization protects all your valuable printed documents in a safe. Do you have the same security precautions for your valuable digital data?

2. System data

Okay, you say you don't have any confidential data in your organization. Let's forget for a moment that this is probably only an excuse. But what about the security-relevant data that is stored on every system disk? Password hashes, for example. Once an attacker has physical access to one of your company's system disks, this opens a variety of ways to attack your whole network. Brute-force attacks on cached password hashes are only one option. If the stolen computer is a domain member, a hacker can use its trust relationship to access other machines in your organization. However, if the disk is encrypted, the bad guy has little chance of compromising your network.

3. Disk crashes

You think all your disks are physically well protected? Read on. What do you do with a crashed disk that you bought just a year ago? Right, you send it to the manufacturer so they can verify that the disk is really broken and that the terms of the guarantee are met. Who knows, perhaps it's only a malfunction of the electronics and they can even repair the hard drive. Now, do you really want to send an unencrypted disk with security-relevant data to people you don't really know? The same applies if you have a support contract with your PC vendor under which damaged PCs are repaired or replaced with new ones. And you don't really trust the nice guy from UPS who picks up the broken PCs. Do you?

4. Disk disposal

For every hard drive there comes a time when the last journey to the scrap yard becomes inevitable. I know, you are a conscientious admin and erase every disk thoroughly with a special hard drive eraser tool. Don't blush now. You didn't do that in the past? I know, disposing of a couple hundred PCs is work enough, and erasing just one big hard disk can take days. However, if all the disks in your organization are BitLocker encrypted, you can be a conscientious admin without erasing hard disks for weeks before you dispose of them.

5. Why not a third party drive encryption software?

I hope I have convinced you by now that hard disk encryption is a must. BitLocker is certainly not the only encryption solution out there. A popular contender is TrueCrypt. I already outlined a few days ago why I am not really a friend of TrueCrypt drive encryption. Other encryption solutions exist, such as PGP's. However, I wouldn't use third-party software for this purpose because system drive encryption always requires tight integration with Windows. I could also tell you some stories about earlier versions of PGP drive encryption. With every Windows update you run the risk that your encryption software breaks and your PCs become unusable. The problems I had with TrueCrypt demonstrate how difficult it is to integrate drive encryption into Windows. Moreover, if you have more than 50 machines in your network, BitLocker is the best choice because of its good integration in Active Directory.
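What that Active Directory integration looks like in practice, and how you would verify a volume is actually protected before a disk leaves the building (reasons 3 and 4 above), is shown in the following PowerShell script. It is an added example, not code from the original post, and it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later; on Windows 7, the subject of this post, the same steps are done with manage-bde.exe), a machine with a TPM, and a domain-joined computer whose Group Policy "Store BitLocker recovery information in Active Directory Domain Services" is enabled so the AD backup is accepted. The mount point `C:` and the `SafeToDispose` field are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes the BitLocker PowerShell
# module (Windows 8 / Server 2012 or later), a TPM, and a domain-joined machine
# with the AD recovery-information backup policy enabled.
#Requires -RunAsAdministrator

param(
    [string]$MountPoint = "C:"   # the system drive, which reasons 2-4 above are about
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# Step 1: turn BitLocker on with the TPM as the unlock protector if it is still off.
if ($vol.ProtectionStatus -eq 'Off' -and $vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
}

# Step 2: make sure a recovery password exists. Without one, a failed TPM or a
# motherboard swap turns the encrypted disk into a brick for you as well.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Step 3: escrow every recovery password in the computer object in AD. This is
# the Active Directory integration the post refers to: help desk can look the
# key up there instead of keeping it on a sticky note.
foreach ($p in $rp) {
    BackupToAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Step 4: report the state, e.g. before a disk is shipped for RMA or disposal.
# Only a FullyEncrypted volume with protection On covers reasons 3 and 4; a
# volume that is still EncryptionInProgress still has cleartext sectors.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Volume           = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted / EncryptionInProgress / FullyDecrypted
    ProtectionStatus = $vol.ProtectionStatus    # On / Off
    Percent          = $vol.EncryptionPercentage
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
    SafeToDispose    = ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'On')
}
```

On Windows 7 the equivalent checks are `manage-bde -status C:` for the encryption and protection state and `manage-bde -protectors -adbackup C: -id "{protector GUID}"` for the AD escrow. Run the report across the fleet (for example through a logon script or a management agent) and treat any machine where `SafeToDispose` is false as one whose disk still has to be wiped the old way.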

6. Why not Encrypting File System (EFS)?

Okay, no third-party encryption software. But what about the Encrypting File System (EFS)? It is perfectly integrated into Windows and, like BitLocker, it can be managed centrally. The advantage of EFS is that you don't need Windows 7 Enterprise or Ultimate and can deploy Windows Professional instead. However, the problem with EFS is that you can't encrypt the whole system drive. Therefore, EFS doesn't help with the concerns I outlined above. EFS is useful if you want to encrypt a couple of private files, but it is not an option for encrypting a whole disk drive.

7. Sleep well

Okay, I admit it. I made this one up because I needed a seventh reason. All such blog posts about Windows 7 need seven reasons these days. But then, a good sleep is so important. No more nightmares of your CEO's computer with all the confidential data falling into the hands of a competitor. Isn't that reason enough to deploy BitLocker? 😉