CertCities.com  -- The Ultimate Site for Certified IT Professionals
Zubair's Security Zone

BitLocker Drive Encryption in Windows Vista
Zubair walks you through one of the most useful new security features in Vista.
by Zubair Alexander
1/17/2007 -- As expected, Windows Vista is loaded with system enhancements and new features, especially when it comes to security. Encrypting File System (EFS) never really caught on, due to its shortcomings. EFS is a per-file encryption method that is useful under certain circumstances, but it is not an ideal solution for mobile devices such as laptops: it protects only the files and folders a user chooses to encrypt, and the rest of the system stays in the clear. With the new BitLocker Drive Encryption (BitLocker) feature in Vista, we finally have a drive encryption mechanism that offers data security to laptop users running Microsoft's operating system.

Although there are numerous third-party drive encryption tools available today, and businesses and government agencies around the world have been using them for years, BitLocker is a built-in feature of Windows Vista (in the Enterprise and Ultimate editions), so there is no extra licensing cost.

Hardware Requirements
Just like any other drive encryption solution, BitLocker has its pros and cons. One of the advantages of BitLocker is that it supports the Trusted Platform Module (TPM). The TPM is a microchip that provides several security functions, such as storing encryption keys, digital certificates and passwords. Because the TPM's private keys never leave the chip, software running under the operating system cannot simply read them out, so the TPM is far less exposed to software vulnerabilities and attacks than a key kept on disk. The TPM 1.2 specification mandates the RSA, SHA-1 and HMAC algorithms. BitLocker requires a TPM that implements version 1.2 (or later) of the specification.

TPM chips are found in newer computers, but what if your hardware doesn't have one? Luckily, BitLocker also supports removable USB devices for storing the BitLocker start-up key. For example, you can use any USB flash drive to store the key. During my tests, I noticed that the two files stored on my USB flash drive used only 8KB of disk space.

BitLocker requires a BIOS that is compatible with the TPM and that can read from USB devices before the operating system loads. BitLocker also requires at least two partitions. Typically, you'll have drive C, where Vista is installed; this is the partition that BitLocker will encrypt. You'll need at least one other active, unencrypted partition that is used to start the computer (it holds the boot manager, which must run before the encrypted volume can be unlocked). As you'd expect, the partitions must be formatted with NTFS. Because BitLocker in Vista encrypts the Windows partition, if you want to protect data on other partitions you can use the built-in EFS.

Note that the TPM is not a replacement for a USB token or smart card; they perform different functions. A USB token or smart card is a portable token used to authenticate users, while the TPM is a fixed token used to authenticate a computer.

The Encryption Process
Unlike EFS, BitLocker encrypts the entire Windows volume, including the system files, page file, hibernation file, data files, etc. The key that unlocks the volume is never stored on the hard drive in the clear: it is sealed by the TPM, which means it can be recovered only by the same TPM, and only when the boot components the TPM has measured (BIOS, master boot record, boot sector and boot manager) match the values recorded when BitLocker was turned on. When you boot your computer, these components are measured into the TPM before the operating system loads; this is how BitLocker detects that you are booting off a different partition or that the boot path has been tampered with. Once the integrity check passes, the TPM releases the key for the encrypted partition and Windows starts. If the TPM is missing, has been cleared, or the measurements differ (for example, after a BIOS update, a changed boot loader, or moving the drive to another computer), BitLocker enters what is known as recovery mode. In recovery mode you must supply the 48-digit recovery password before the drive can be unlocked.

I mentioned earlier that you can also use a USB device to store the key. However, this method is less secure, in the sense that the key is protected by possession of the USB device alone rather than by a TPM, and there is no integrity check of the boot path. Each time you boot, the start-up key must be present on a USB flash drive inserted in the computer; the key file is written to the USB device when you turn BitLocker on. The key can be backed up to a different drive. For example, you can copy your start-up key from the original USB drive to another USB flash drive and boot from that. The text file that stores your recovery password begins like this:


    Recovery password for the disk volume VISTA DATA 11/26/2006.
    The recovery password ID is {FE3695FD-6F9E-4D3F-83F9-065923654012}.

Needless to say, if someone finds your USB flash drive and also has your laptop, they can boot it: the drive holds the start-up key and, if you saved the recovery password file to the same stick, the recovery password too. If you feel you can't adequately protect your USB device, it's best to rely on the TPM to secure your drive. With proper BitLocker protection, your lost or stolen laptop can stay secure; with BitLocker enabled, people can't boot to another partition or reinstall Windows and then read your confidential files. Keep in mind that in the TPM-only configuration described here no user authentication takes place at boot: the drive unlocks for anyone who powers on the intact machine, and protection rests on the disk being unreadable anywhere else and on the boot path being unmodified. Vista also supports combining the TPM with a PIN or with a USB start-up key (enabled through Group Policy, under the advanced startup options for BitLocker Drive Encryption), which adds a second factor a thief would also have to obtain.
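To make the key layering and the recovery path concrete, here is an added Python model (not code from the article, and not BitLocker's real on-disk format or TPM interface). It covers the boot integrity check from The Encryption Process above and the USB start-up key and recovery-password protectors discussed in this section: the volume is encrypted with a full-volume encryption key (FVEK), the FVEK is wrapped by a volume master key (VMK), and the VMK is held by several protectors (TPM-sealed, start-up key, recovery password), any one of which unlocks the drive. Assumptions: the TPM is a Python class, key wrapping is a toy HMAC-based construction standing in for AES key wrap, and the boot components are constructed byte strings. Two details follow the real rules: the TPM 1.2 PCR extend operation, PCR = SHA-1(PCR || SHA-1(component)), and the 48-digit recovery password encoding (eight 6-digit groups, each a 16-bit value multiplied by 11, stored little-endian to form a 128-bit key).

```python
# Added model of BitLocker's key layering, TPM sealing and recovery path.
# Stand-ins: ToyTPM, the toy wrap() and the boot component byte strings.
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """PCR value after measuring BIOS, MBR, boot sector and bootmgr in order."""
    pcr = bytes(20)  # PCRs read as all zeros after a reset
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

def wrap(kek: bytes, secret: bytes) -> bytes:
    """Toy authenticated key wrap (stand-in for AES key wrap); one secret per kek."""
    stream = hashlib.sha256(kek + b"stream").digest()  # secret is at most 32 bytes
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes):
    """Returns the secret, or None when the kek is wrong (tag mismatch)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, ct, hashlib.sha256).digest()):
        return None
    stream = hashlib.sha256(kek + b"stream").digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

class ToyTPM:
    """Stand-in TPM: the storage root key never leaves the object."""
    def __init__(self):
        self._srk = os.urandom(32)
    def _sealing_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, pcr, hashlib.sha256).digest()
    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        """Sealed blob lives on disk; only this TPM at this PCR value opens it."""
        return wrap(self._sealing_key(pcr), secret)
    def unseal(self, blob: bytes, current_pcr: bytes):
        return unwrap(self._sealing_key(current_pcr), blob)

def key_to_recovery_password(key: bytes) -> str:
    """16 key bytes -> 8 groups of 6 digits, each a 16-bit LE value times 11."""
    assert len(key) == 16
    return "-".join("%06d" % (int.from_bytes(key[i:i + 2], "little") * 11)
                    for i in range(0, 16, 2))

def recovery_password_to_key(pw: str) -> bytes:
    """Inverse of key_to_recovery_password; a mistyped group fails the mod-11 check."""
    groups = pw.replace(" ", "").split("-")
    if len(groups) != 8 or any(len(g) != 6 or not g.isdigit() for g in groups):
        raise ValueError("expected 8 groups of 6 digits")
    key = b""
    for g in groups:
        n = int(g)
        if n % 11 != 0 or n // 11 > 0xFFFF:
            raise ValueError("group %s is not a valid recovery password group" % g)
        key += (n // 11).to_bytes(2, "little")
    return key

def enable_bitlocker(tpm: ToyTPM, trusted_boot):
    """Returns (on-disk metadata, start-up key, recovery password, FVEK).
    FVEK encrypts sectors, VMK wraps the FVEK, every protector wraps the VMK."""
    fvek, vmk = os.urandom(32), os.urandom(32)
    startup_key = os.urandom(32)   # what the .BEK file on the USB stick would hold
    recovery_key = os.urandom(16)  # 128 bits -> 48-digit recovery password
    meta = {
        "fvek_wrapped": wrap(vmk, fvek),
        "tpm_protector": tpm.seal(vmk, measure_boot(trusted_boot)),
        "startup_key_protector": wrap(hashlib.sha256(startup_key).digest(), vmk),
        "recovery_protector": wrap(hashlib.sha256(recovery_key).digest(), vmk),
    }
    return meta, startup_key, key_to_recovery_password(recovery_key), fvek

def boot(tpm, meta, boot_components, startup_key=None, recovery_password=None):
    """Returns (protector that unlocked the drive, FVEK) or ('locked', None)."""
    vmk, method = None, "locked"
    if startup_key is not None:          # USB-only mode: no TPM, no integrity check
        vmk = unwrap(hashlib.sha256(startup_key).digest(), meta["startup_key_protector"])
        method = "startup-key"
    if vmk is None and tpm is not None:  # TPM releases the VMK only if the PCRs match
        vmk = tpm.unseal(meta["tpm_protector"], measure_boot(boot_components))
        method = "tpm"
    if vmk is None and recovery_password is not None:
        kek = hashlib.sha256(recovery_password_to_key(recovery_password)).digest()
        vmk = unwrap(kek, meta["recovery_protector"])
        method = "recovery"
    if vmk is None:
        return "locked", None
    return method, unwrap(vmk, meta["fvek_wrapped"])

if __name__ == "__main__":
    good = [b"bios 1.0", b"mbr", b"boot sector", b"bootmgr"]  # constructed stand-ins
    tampered = good[:-1] + [b"bootmgr+rootkit"]
    tpm = ToyTPM()
    meta, bek, rp, fvek = enable_bitlocker(tpm, good)
    print("unmodified boot:       ", boot(tpm, meta, good)[0])
    print("tampered bootmgr:      ", boot(tpm, meta, tampered)[0])
    print("  + recovery password: ", boot(tpm, meta, tampered, recovery_password=rp)[0])
    print("drive moved to new PC: ", boot(ToyTPM(), meta, good)[0])
    print("USB start-up key alone:", boot(None, meta, good, startup_key=bek)[0])
```

Running it prints which protector unlocked the drive in each scenario: an unmodified boot path (tpm), a modified boot manager (locked, which is where real BitLocker prompts for recovery), the same with the recovery password supplied (recovery), the drive moved to a machine with a different TPM (locked), and the USB-only mode in which the start-up key alone unlocks the volume with no integrity check at all, which is the exposure described above.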

Enabling BitLocker
Enabling BitLocker requires only a few steps. Use the following procedure to turn on BitLocker.

1. Go to Start, Control Panel, BitLocker Drive Encryption. Click Turn On BitLocker. If your TPM is not initialized, you will see the Initialize TPM Security Hardware wizard. Follow the instructions on the screen and reboot your computer when you are finished.

2. After you have initialized the TPM, click Turn On BitLocker on the system volume once again.

3. In the Save the recovery password dialog box, you have the options to save the password on a USB drive, save it to a folder, or print it. Whichever option you choose, make sure you keep a copy of this password in a safe place away from this computer (not in a folder on the drive you are about to encrypt). You will need this password if you ever move the drive to another computer, or if BitLocker enters recovery mode, because the key is tied to this particular system.

Disabling BitLocker
When it comes to decryption, you have two options. You can temporarily suspend protection by disabling BitLocker, or permanently remove it by decrypting the partition. Disabling leaves the volume encrypted but stores the key on the disk in the clear, so the data is not protected while BitLocker is disabled; it is intended for short maintenance windows, such as a BIOS or boot component update that would otherwise send the computer into recovery mode. If you want to turn BitLocker off temporarily, use the first option. Disabling and re-enabling takes only seconds. Decrypting the volume with the second option takes considerably longer, depending on the size of your volume.

To disable BitLocker on a volume, follow the procedure described below.

1. Go to Start, Control Panel, Security and select BitLocker Drive Encryption.

2. On the volume on which you want to disable BitLocker, click Turn Off BitLocker Drive Encryption.

3. Depending on the level of decryption you want, choose either Disable BitLocker Drive Encryption or Decrypt the volume.

Get Encrypting

With Windows Vista, we finally have an easy way to encrypt an entire volume and protect our mobile computers in case they are stolen or lost. BitLocker is useful not only for meeting legal requirements; it also saves money when you decommission computers, since a drive whose keys have been destroyed no longer has to be wiped or physically destroyed before disposal.

BitLocker is a refreshing improvement over EFS in Windows XP. EFS only allowed users to encrypt files or folders, offered no way to encrypt a whole drive, and required user training. BitLocker takes the next step in securing your data by offering a transparent solution that secures the entire drive and doesn't require end-user training.

For additional information on BitLocker, go here.

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at alexander@techgalaxy.net.



There are 2 CertCities.com user Comments for "BitLocker Drive Encryption in Windows Vista"

4/4/07: Orac from Canada says: How is a stolen laptop secure? The process described above does not prompt the user for authentication when booting, so how is the TPM to know whether you are you or a thief before releasing the keys to Vista?

4/10/07: Anonymous says: If you provide the correct password then the TPM will release the key; otherwise you won't be able to boot to Vista.