Getting Started with BitLocker
Posted on Mon, Sep 27, 2010
BitLocker: Using USB Flash Drives for Key Storage
BitLocker has been a Windows OS option since Windows Vista, but with the introduction of Windows 7 new features and improvements have made it easier to implement and use. BitLocker and BitLocker-to-Go are available in the Windows 7 Ultimate and Enterprise editions. The technology is whole-volume encryption, which protects your hard drive volumes in the event that the drive is removed from your computer. If your computer has multiple volumes, you can select which ones are protected. BitLocker-to-Go extends this protection to removable devices like USB keys and external hard drives.
BitLocker requires a separate partition on the hard drive to function, which is automatically created by the setup wizard. In Vista this partition had to be created manually, which was often a roadblock to activating the feature on machines that were deployed with only one volume. The other requirement for BitLocker to function is a location to store the startup key, which is needed to encrypt and decrypt the drives for boot-up and use. The default location for this key is a TPM chip, but many computers that are capable of running Windows 7 do not include one, especially netbooks, which are quickly becoming an economical choice for traveling workers.
Out of the box, it’s not obvious how to activate BitLocker without a TPM chip. The wizard checks for a chip and, when one is not found, simply stops. If your machine belongs to a domain, there are several policy settings that provide other options for the storage location of the startup key. For stand-alone machines, these settings can be accessed through the local group policy. The policy that needs to be adjusted to allow basic BitLocker functionality without a TPM chip is located in Computer Configuration – Administrative Templates – Windows Components – BitLocker Drive Encryption – Operating System Drives – Require additional authentication at startup. By enabling the policy and checking the single box that reads “Allow BitLocker without a compatible TPM”, you can get started with BitLocker by using a standard USB flash drive as the storage location for the startup key.
Since USB flash drives are notorious for being easy to lose, it’s important to duplicate your startup key and also make a copy of the recovery key. Your startup key can be duplicated to another USB flash drive and the recovery key can be printed, saved to file or saved to a USB flash drive. You can find the wizard used to duplicate these keys in the BitLocker control panel applet after you’ve enabled the feature on at least one drive.
If your computer is a member of a domain, recovery keys can be saved in Active Directory. Several things need to be configured before storing recovery keys in Active Directory, depending on whether you are managing Windows 7 clients or Windows Vista clients. Be sure to review the information available in TechNet for Backing Up BitLocker and TPM Recovery Information to AD DS.
Finally, if you are going to activate BitLocker on a laptop, the machine must also be plugged into a power source before the wizard will allow you to continue. However, if the computer is turned off or put into hibernation during the encryption process, encryption is suspended and resumes when the computer is turned back on. This is also true in the event of a power failure.
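The steps above (set the local policy, check for AC power, turn BitLocker on with a USB startup key, then duplicate the startup key and keep the recovery information) as an added PowerShell example; this is not code from the original post. It assumes an elevated prompt on Windows 7, that C: is the OS drive, E: is the USB flash drive for the startup key, and F: is a second USB flash drive for the duplicate; the registry values shown are the ones the policy checkbox writes.

```powershell
# Added example, not from the original post: enable BitLocker on the OS drive
# of a Windows 7 machine with no TPM, using a USB flash drive for the startup
# key, then verify the protectors. Run from an elevated PowerShell prompt.
# ASSUMPTIONS: C: is the OS drive, E: is the USB flash drive for the startup
# key, F: is a second USB flash drive used for the duplicate startup key.
$OsDrive = 'C:'; $UsbKey = 'E:'; $UsbCopy = 'F:'

# Is a TPM present? Win32_Tpm returns nothing on machines without one.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                     -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) { Write-Warning 'A TPM is present; the no-TPM policy below is not needed.' }

# The wizard refuses to continue on battery; mirror that check (BatteryStatus 2 = on AC).
$bat = Get-WmiObject -Class Win32_Battery
if ($bat -and $bat.BatteryStatus -ne 2) { throw 'Plug the laptop into AC power first.' }

# Local policy "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked is stored under this key
# as UseAdvancedStartup=1 and EnableBDEWithNoTPM=1.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord

# Turn on BitLocker: write the startup key to the USB drive and add a
# numerical recovery password as the recovery key.
manage-bde -on $OsDrive -StartupKey "$UsbKey\" -RecoveryPassword

# Verify the external key protector exists and the .BEK file landed on the USB
# drive (it is written as a hidden system file, so -Force is needed to see it).
$protectors = manage-bde -protectors -get $OsDrive
if (-not ($protectors -match 'External Key')) { throw 'No USB startup key protector found.' }
$bek = Get-ChildItem -Path "$UsbKey\" -Filter *.BEK -Force
if (-not $bek) { throw 'Startup key file not found on the USB drive.' }

# Duplicate the startup key to a second USB drive (USB keys are easy to lose),
# and keep the recovery password listing somewhere off the encrypted machine.
Copy-Item -Path $bek.FullName -Destination "$UsbCopy\" -Force
$protectors | Out-File -FilePath "$UsbCopy\bitlocker-recovery-info.txt"

# Encryption progress; hibernation or power loss pauses it, and it resumes on boot.
manage-bde -status $OsDrive
```

The recovery password written to the second USB drive should be printed or moved to a location that does not travel with the laptop, and on a domain member it can instead be backed up to AD DS as the TechNet article describes.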
Drive encryption can be a valuable tool for protecting user data within your organization. However, leveraging any encryption technology requires thoughtful planning to ensure that your data is not only protected but also recoverable in the event of a problem. The BitLocker Deployment Guide is another great place to begin.
Jennelle Crothers, Sr. Network/Systems Administrator for Conservation & Liquidation
Jennelle Crothers Blog: www.techbunny.com