Introduction to BitLocker and BitLocker To Go:
The BitLocker feature of Windows 7 is available only in the Ultimate and Enterprise editions of Windows 7. It enhances the security of the data on your computer by encrypting the entire drive that contains your data and Windows. Once you turn on BitLocker for a drive, any file you save on that drive is encrypted automatically. This means that if a computer is stolen, the data cannot be recovered unless the thief also has the password to the system. This helps companies keep sensitive data from falling into the wrong hands when a computer is stolen, and also makes hard drive disposal much easier.
BitLocker To Go is a related security mechanism offered by Windows 7 that gives the same lockdown treatment to easily misplaced portable storage devices such as external hard drives and USB flash drives.
BitLocker Drive Encryption can use a Trusted Platform Module (TPM) to validate the integrity of a computer's boot manager and boot files at startup, and to guarantee that a computer's hard disk has not been tampered with while the operating system was offline. To encrypt the drive on which Windows is installed, BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk. Therefore, to use BitLocker on your computer, it must have one of the following:
- For BitLocker to use the system integrity check provided by a TPM, the computer must have a TPM version 1.2. If your computer does not have a TPM, enabling BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
- A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS. The BIOS establishes a chain of trust for pre-operating system startup and must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require a TCG-compliant BIOS.
- The system BIOS (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
In order to enable BitLocker Drive Encryption on the operating system drive, your computer's hard disk must meet the following requirements:
- Your computer's hard disk must have at least two partitions: the operating system partition and the active system partition. The operating system partition is the partition where Windows is installed, and it is the one that will be encrypted. The active system partition is left unencrypted so that the computer can be started, and this partition must be at least 100 MB in size. In Windows 7, by default, the system partition is not assigned a drive letter and is hidden from the user. If your computer does not have a separate active partition, the required partition is created during BitLocker setup.
- Both partitions, the operating system partition and the active system partition, must be formatted with the NTFS file system.
- The BIOS must be compatible with the TPM or should support USB devices during computer startup.
BitLocker can also encrypt the computer's data drives and removable data drives such as external hard drives and USB flash drives. To be encrypted, a data drive must be formatted with the FAT, FAT16, FAT32, or NTFS file system and must be at least 64 MB in size.
BitLocker is similar to EFS, but there are some important differences, as shown in the table below:

| BitLocker | EFS |
|---|---|
| Encrypts all files on the drive that Windows is installed on. | Encrypts selected files on any drive. |
| BitLocker is either on or off for all users or groups. | Encrypts files associated with the user account that configured EFS. If a computer has multiple users, each can encrypt their own files. |
| Uses the Trusted Platform Module (TPM), a special chip in some computers that supports advanced security features. | Does not require or use any special hardware. |
| You must be an administrator to turn BitLocker encryption on or off after it is enabled. | You do not have to be an administrator to use EFS. |
BitLocker can protect the operating system drive in the following modes:
- TPM-only mode - In this mode, the user is unaware that BitLocker is in effect and does not have to provide a password, PIN, or startup key to start the computer. TPM-only mode is the least secure implementation of BitLocker because it does not require any additional authentication.
- TPM with startup key - This mode requires that a USB device hosting a preconfigured startup key be available to the computer before the computer can boot into Microsoft Windows. If the device hosting the startup key is not available at boot time, the computer automatically enters recovery mode. This mode also provides boot environment protection via the TPM.
- TPM with PIN - In this mode, the user must enter a PIN before the computer boots. You can configure Group Policy so that a password containing numbers, letters, and symbols can be entered rather than a simple numeric PIN. If the correct PIN or password is not entered at boot time, the computer automatically enters recovery mode. This mode also provides boot environment protection through the TPM.
- TPM with PIN and startup key - This is the most secure option. You can configure this option through Group Policy. When you enable this option, a user must enter a startup PIN and have the device hosting the startup key connected before the computer will boot into Windows 7. This mode also provides boot environment protection through the TPM.
- Without TPM - This mode provides hard disk encryption but does not provide boot environment protection. This mode is used on computers without TPM chips. You can configure BitLocker to work on a computer that does not have a TPM chip by configuring the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Require Additional Authentication At Startup policy. When you configure BitLocker to work without a TPM chip, you need to boot with a startup key on a USB storage device.
Do I have TPM Hardware:
Before configuring BitLocker, you will want to know if your computer has TPM hardware. To find out, follow these steps:
- Click the Start button, then Control Panel.
- Click Security, and then click BitLocker Drive Encryption. (If you do not see BitLocker Drive Encryption as an option, the most likely reason is that you are not running the Ultimate or Enterprise edition of Windows 7.)
- If the TPM administration link appears in the left pane, your computer has the TPM security hardware. If the link is not there, you will need a removable USB device such as a flash drive to turn on BitLocker and store the BitLocker startup key.
If the TPM Administration link is available, clicking on it will allow you to store TPM recovery information in Active Directory Domain Services (AD DS), clear the TPM, reset the TPM lockout, and enable or disable the TPM.
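The two checks described above (does this computer have a TPM, and which of the BitLocker modes is the operating system drive actually using) can also be automated. The following PowerShell script is an added example written for this page; it is not part of the original article or of Microsoft's tooling. It assumes an elevated PowerShell session on Windows 7 or later with manage-bde.exe available, and it reads the TPM state from the Win32_Tpm WMI class and the startup mode from the key-protector labels that manage-bde -protectors -get prints (the sample output it is tested against is constructed, not captured from a real machine).

```powershell
# Added example (not the article's own code): detect TPM hardware and classify the
# BitLocker startup mode of the OS drive from manage-bde output.
# Assumptions: elevated PowerShell on Windows 7 or later; manage-bde.exe on the PATH.

function Get-TpmInfo {
    # Win32_Tpm is only populated when a TPM driver is loaded; if the query fails or
    # returns nothing, BitLocker will need a startup key on a USB device instead.
    $none = [pscustomobject]@{ Present = $false; Enabled = $false; Activated = $false; Owned = $false; SpecVersion = $null }
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction Stop
    } catch { return $none }
    if ($null -eq $tpm) { return $none }
    [pscustomobject]@{
        Present     = $true
        Enabled     = [bool]$tpm.IsEnabled_InitialValue
        Activated   = [bool]$tpm.IsActivated_InitialValue
        Owned       = [bool]$tpm.IsOwned_InitialValue
        SpecVersion = $tpm.SpecVersion      # e.g. "1.2, 2, 3" for a TPM 1.2 part
    }
}

function Get-BitLockerStartupMode {
    param([Parameter(Mandatory)][string[]]$ProtectorLines)
    # Map the protector labels printed by "manage-bde -protectors -get <drive>" to the
    # modes described in the article. Order matters: the combined labels are tested
    # before the simpler ones, and "External Key" last because a saved recovery key
    # file is also listed as an external key even on TPM-protected drives.
    $text = $ProtectorLines -join "`n"
    if ($text -match 'TPM And PIN And Startup Key:') { return 'TPM with PIN and startup key' }
    if ($text -match 'TPM And PIN:')                 { return 'TPM with PIN' }
    if ($text -match 'TPM And Startup Key:')         { return 'TPM with startup key' }
    if ($text -match '(?m)^\s*TPM:')                 { return 'TPM-only' }
    if ($text -match 'External Key:')                { return 'Without TPM (startup key only)' }
    return 'No startup protector found (BitLocker off or only recovery protectors)'
}

function Get-BitLockerPostureReport {
    # Combine both checks for the operating system drive and flag the weakest mode,
    # since the article notes that TPM-only mode requires no additional authentication.
    $tpm   = Get-TpmInfo
    $lines = & manage-bde -protectors -get $env:SystemDrive 2>&1 | ForEach-Object { "$_" }
    $mode  = Get-BitLockerStartupMode -ProtectorLines $lines
    [pscustomobject]@{
        Drive         = $env:SystemDrive
        TpmPresent    = $tpm.Present
        TpmReady      = ($tpm.Present -and $tpm.Enabled -and $tpm.Activated)
        StartupMode   = $mode
        NeedsAttention = ($mode -eq 'TPM-only')
    }
}

# Constructed sample of manage-bde -protectors -get output (GUIDs and password are
# placeholders) used to exercise the parser without touching a real drive.
$SampleProtectorOutput = @'
Volume C: [OS]
All Key Protectors

    TPM And PIN:
      ID: {00000000-0000-0000-0000-000000000000}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11

    Numerical Password:
      ID: {11111111-1111-1111-1111-111111111111}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000
'@ -split "`n"

Get-BitLockerStartupMode -ProtectorLines $SampleProtectorOutput   # TPM with PIN

# On a real machine, run the combined report:
# Get-BitLockerPostureReport | Format-List
```

The parser works on manage-bde's printed output rather than a programmatic API because Windows 7 has no BitLocker PowerShell cmdlets; on an inventory of many machines the NeedsAttention flag is the value to collect.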
Follow these steps to configure BitLocker:
- Open the BitLocker Drive Encryption control panel following the instructions in the section directly above. This screen presents a list of all the drive partitions under Help protect your files and folders by encrypting your drives. You can choose the drive that you want to encrypt with BitLocker. Let’s suppose you choose drive D.
- Select the Turn On BitLocker link next to the volume description of drive D.
- Select the method you want to use to unlock the protected drive. You can choose password unlocking, smart card unlocking, or automatic unlocking. Let's suppose you choose to unlock with a password. Select the Use a password to unlock this drive checkbox, enter the password, and click Next.
- On the How do you want to store your recovery key page, select an appropriate option. If you choose to print the key, a printout is produced. If you choose to save it to a file, the key is written to a file with the .xps extension. If you choose to save the key to a USB drive, insert the drive and the key is written to it. Click Next.
- On the Encrypt the drive page, click Start Encrypting. Encryption of the drive begins.
- You can now manage the encrypted drive from the BitLocker Drive Encryption page mentioned in Step no. 2. For drive D, you will see the options Turn Off BitLocker and Manage BitLocker next to the BitLocker-controlled drive. From there you can change or remove the password, or change the unlock method to smart card unlocking.
If you selected Use a password to unlock this drive, when you try to access your drive, you will receive a password prompt to unlock the drive. If you selected the smart card option, you will be prompted to insert the smart card.
Configuring BitLocker To Go:
- Connect the USB drive for which you want to enable BitLocker Encryption.
- Click Start, then click Control Panel.
- Click System and Security, then click BitLocker Drive Encryption. This screen presents a list of all the drive partitions and the connected USB flash drive under Help protect your files and folders by encrypting your drives.
- Click the Turn On BitLocker link option next to the volume description for the USB drive. It starts the initialization process of BitLocker Drive Encryption.
- Select the method you want to use to unlock the protected drive. You can choose password unlocking or smart card unlocking. Let's suppose you choose to unlock with a password. Select the Use a password to unlock this drive checkbox, enter the password, and click Next.
- On the How do you want to store your recovery key page, select an appropriate option. If you choose to print the key, a printout is produced. If you choose to save it to a file, the key is written to a file with the .xps extension and you are prompted for the location to save the file. Click Next.
- On the Encrypt the drive page, click Start Encrypting. Encryption of the drive begins.
- You can now manage the encrypted drive from the BitLocker Drive Encryption page mentioned in Step no. 3. For the encrypted USB flash drive, you will see the options Turn Off BitLocker and Manage BitLocker next to the BitLocker-controlled drive. From there you can change or remove the password, or change the unlock method to smart card unlocking.
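Both procedures above (turning on BitLocker for a fixed data drive such as D: and for a USB flash drive with BitLocker To Go) are the same operation from the command line. The following PowerShell script is an added example for this page, not the article's procedure or Microsoft's code: it drives manage-bde.exe to add the password protector, the numerical recovery password, and a recovery key file, then parses manage-bde -status to confirm encryption. It assumes an elevated PowerShell session on Windows 7 or later, a formatted data or removable volume at the given drive letter, and a recovery-key folder on a different volume (the function names, the parameter names, and the sample status output are constructed for the example).

```powershell
# Added example (not the article's own code): enable BitLocker on a data or removable
# drive with a password and both recovery options, then check encryption progress.
# Assumptions: elevated PowerShell on Windows 7 or later with manage-bde.exe on PATH;
# $RecoveryKeyFolder is on a different volume than the drive being encrypted.

function Enable-DataDriveBitLocker {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,
        [Parameter(Mandatory)][string]$RecoveryKeyFolder
    )
    if (-not (Test-Path -LiteralPath $RecoveryKeyFolder)) {
        New-Item -ItemType Directory -Path $RecoveryKeyFolder | Out-Null
    }
    # -Password prompts interactively for the unlock password (the "Use a password to
    # unlock this drive" option); -RecoveryPassword adds the 48-digit recovery password;
    # -RecoveryKey writes the recovery key file into the folder, the equivalent of
    # "Save the recovery key to a USB drive" in the wizard.
    & manage-bde -on $Drive -Password -RecoveryPassword -RecoveryKey $RecoveryKeyFolder
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed with exit code $LASTEXITCODE" }
}

function Get-EncryptionProgress {
    param([Parameter(Mandatory)][string[]]$StatusLines)
    # Extract the three fields of "manage-bde -status <drive>" an operator cares about.
    $result = [ordered]@{ PercentEncrypted = $null; ConversionStatus = $null; LockStatus = $null }
    foreach ($line in $StatusLines) {
        if     ($line -match 'Percentage Encrypted:\s*([\d.]+)\s*%') { $result.PercentEncrypted = [double]$Matches[1] }
        elseif ($line -match 'Conversion Status:\s*(.+)$')          { $result.ConversionStatus = $Matches[1].Trim() }
        elseif ($line -match 'Lock Status:\s*(.+)$')                { $result.LockStatus       = $Matches[1].Trim() }
    }
    [pscustomobject]$result
}

function Wait-ForEncryption {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,
        [int]$PollSeconds = 30
    )
    # Encryption of a large volume runs in the background; poll until it completes.
    do {
        $status   = & manage-bde -status $Drive | ForEach-Object { "$_" }
        $progress = Get-EncryptionProgress -StatusLines $status
        Write-Host ("{0}: {1} ({2}%)" -f $Drive, $progress.ConversionStatus, $progress.PercentEncrypted)
        if ($progress.ConversionStatus -ne 'Fully Encrypted') { Start-Sleep -Seconds $PollSeconds }
    } while ($progress.ConversionStatus -ne 'Fully Encrypted')
    $progress
}

# Constructed sample of manage-bde -status output (not captured from a real machine),
# used to exercise the parser without touching a drive.
$SampleStatusOutput = @'
Volume D: [Data]
[Data Volume]

    Size:                 100.00 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 37%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        Numerical Password
        External Key
        Password
'@ -split "`n"

Get-EncryptionProgress -StatusLines $SampleStatusOutput   # 37 / Encryption in Progress / Unlocked

# Real use (interactive password prompt comes from manage-bde):
# Enable-DataDriveBitLocker -Drive 'D:' -RecoveryKeyFolder 'C:\BitLockerRecovery'
# Wait-ForEncryption -Drive 'D:'
```

Protection Status reads Protection Off until encryption completes, which is why the loop keys on Conversion Status rather than on the presence of key protectors. A removable drive encrypted this way can be locked again with manage-bde -lock and reopened with manage-bde -unlock, the command-line counterparts of the password prompt described above.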
BitLocker Data Recovery Agents:
Data Recovery Agents are special user accounts that can be used to recover encrypted data. You can configure such an account to recover BitLocker-protected drives if the recovery password or keys are lost. Data Recovery Agents can be used across an entire organization, meaning that you can recover all BitLocker-encrypted volumes using a single account rather than having to recover a specific volume’s recovery password or key.
Before a data recovery agent can be configured for a drive, you must add the data recovery agent to Public Key Policies\BitLocker Drive Encryption in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor. You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will only manage and update data recovery agents when an identification field is present on a drive and is identical to the value configured on the computer.
To assign a BitLocker identification field to a BitLocker-protected drive, follow these steps:
- Log on as an administrator to the computer where you want to assign the identification field.
- Click Start, and type cmd in the Search programs and files box.
- At the command prompt, type the following command, replacing [drive letter] with the BitLocker-protected drive's identifier (for example, E:): manage-bde -SetIdentifier [drive letter]
- The Manage-bde command-line tool will set the identification field to the value specified in the Provide the unique identifiers for your organization Group Policy setting.
- After the value has been set, Manage-bde will display a message informing you that the drive identifier has been set.
To configure an identification field:
- Click BitLocker Drive Encryption in the GPMC or Local Group Policy Editor under Computer Configuration\Administrative Templates\Windows Components, to show the policy settings.
- Double-click the Provide the unique identifiers for your organization policy setting in the details pane.
- Click Enable. In BitLocker Identification Field, enter the identification field for your organization. This would be the identifier configured in the steps above.
- Click OK to apply and close the policy setting.
To configure a data recovery agent:
- Open GPMC or the Local Group Policy Editor.
- In the console tree under Computer Configuration\Windows Settings\Security Settings\Public Key Policies, right-click BitLocker Drive Encryption.
- Click Add Data Recovery Agent to start the Add Recovery Agent Wizard. Click Next.
- On the Select Recovery Agents page, click Browse Folders, and select a .cer file to use as a data recovery agent. After the file is selected, it is imported and appears in the Recovery agents list in the wizard. Multiple data recovery agents can be specified. After you have specified all the data recovery agents that you want to use, click Next.
- The Completing the Add Recovery Agent page of the wizard displays a list of the data recovery agents that will be added to the Group Policy. Click Finish to confirm the data recovery agents, and close the wizard.
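The identification-field steps and the data recovery agent configuration above only work together when the policy value on the computer matches the field stamped on the drive. The PowerShell script below is an added example for this page, not the article's procedure or Microsoft's code: it checks that the "Provide the unique identifiers for your organization" policy has been applied, runs the manage-bde -SetIdentifier command from the steps above, and then verifies from manage-bde -status output that the field matches and that a data recovery agent protector is listed. It assumes an elevated PowerShell session on Windows 7 or later with manage-bde.exe on PATH; the registry key and value names under HKLM\SOFTWARE\Policies\Microsoft\FVE, the "Data Recovery Agent (Certificate)" label, and the sample status output are assumptions of this example, not facts stated in the article.

```powershell
# Added example (not the article's own code): apply and verify the BitLocker
# identification field and check that a data recovery agent protector is present.
# Assumptions: elevated PowerShell on Windows 7 or later with manage-bde.exe on PATH;
# the policy "Provide the unique identifiers for your organization" is assumed to write
# IdentificationField (DWORD, 1 = enabled) and IdentificationFieldString (the value)
# under the registry key below. Verify these names on your own build before relying on them.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-OrgIdentificationPolicy {
    # Returns the organization's identification field from policy, or $null if the
    # policy is not enabled on this computer.
    if (-not (Test-Path $FvePolicyKey)) { return $null }
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    if ($p.IdentificationField -ne 1 -or [string]::IsNullOrEmpty($p.IdentificationFieldString)) { return $null }
    return $p.IdentificationFieldString
}

function Get-DriveIdentificationField {
    param([Parameter(Mandatory)][string[]]$StatusLines)
    # manage-bde -status prints "Identification Field: None" when no field is set.
    foreach ($line in $StatusLines) {
        if ($line -match 'Identification Field:\s*(.*)$') {
            $v = $Matches[1].Trim()
            if ($v -eq '' -or $v -eq 'None') { return $null }
            return $v
        }
    }
    return $null
}

function Test-HasRecoveryAgentProtector {
    param([Parameter(Mandatory)][string[]]$StatusLines)
    # A DRA is a certificate-based protector; this label is an assumption of the example.
    return [bool](($StatusLines -join "`n") -match 'Data Recovery Agent \(Certificate\)')
}

function Set-DriveIdentificationField {
    param([Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive)
    $expected = Get-OrgIdentificationPolicy
    if (-not $expected) {
        throw "Policy 'Provide the unique identifiers for your organization' is not enabled on this computer."
    }
    # The command from the article's steps; manage-bde copies the policy value to the drive.
    & manage-bde -SetIdentifier $Drive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -SetIdentifier $Drive failed with exit code $LASTEXITCODE" }

    $status = & manage-bde -status $Drive | ForEach-Object { "$_" }
    $actual = Get-DriveIdentificationField -StatusLines $status
    if ($actual -ne $expected) {
        throw "Drive $Drive identification field '$actual' does not match policy value '$expected'."
    }
    [pscustomobject]@{
        Drive               = $Drive
        IdentificationField = $actual
        HasRecoveryAgent    = Test-HasRecoveryAgentProtector -StatusLines $status
    }
}

# Constructed sample of manage-bde -status output (identifier is a placeholder, not a
# real organization value), used to exercise the parsers without touching a drive.
$SampleStatusOutput = @'
Volume E: [Removable]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: EXAMPLE-ORG-ID
    Key Protectors:
        Numerical Password
        Password
        Data Recovery Agent (Certificate)
'@ -split "`n"

Get-DriveIdentificationField   -StatusLines $SampleStatusOutput   # EXAMPLE-ORG-ID
Test-HasRecoveryAgentProtector -StatusLines $SampleStatusOutput   # True

# Real use on a BitLocker-protected drive:
# Set-DriveIdentificationField -Drive 'E:' | Format-List
```

A drive that reports the correct identification field but HasRecoveryAgent = False usually means the Group Policy with the data recovery agent has not refreshed on that computer yet, or the drive was encrypted before the identifier was set; re-running the check after a policy refresh confirms that BitLocker has added the agent.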