Ad Nauseam - ramblings of a technologist

I've been with Microsoft, as a technologist, for over 10 years. Occasionally, I stumble across a nugget that I think others will find interesting. I put those nuggets here.

Lock your bits


One of the new security features in Windows Vista is BitLocker. It encrypts the Windows volume in full, so that if someone 'unsavory' gains possession of your machine, they don't automatically get access to all your files as well.

"but my machine has a password," you say.  "Isn't it protected already?"

That's probably what the people at Boeing and the Department of Veterans Affairs, and anyone else who recently had a laptop full of sensitive information stolen, thought. The answer is "Not if someone boots your machine from a Linux live CD or a USB key, or just pulls the hard drive out and puts it in another machine."

Enter BitLocker. The whole Windows volume is encrypted. The key that unlocks it is sealed by the TPM chip in my machine (if it has one), or stored on a USB key that I carry, or, worst case, I type in a recovery password. Since the key is required every time the machine boots, the first two options are the most desirable. One caveat with the TPM-only option: the machine boots and unlocks the drive on its own, so from then on the protection rests on the Windows logon; combining the TPM with a PIN or a USB startup key closes that gap.

The thing that has kept me from using BitLocker until now is basically poor planning on my part: you need to partition your hard drive with a small (1.5 GB) boot partition that holds the unencrypted boot files. Without extra tools there's no easy way to create that partition without reformatting the disk, so I just hadn't gotten to it.

This week, I decided I should really bite the bullet and install BitLocker.  I'm a security guy, so I thought I should go through the process.  Here's how it went:

Step 1:  Search microsoft.com for BitLocker guides.  Find a promising one here.

Step 2:  Back up my data so I can repartition my machine with a new small partition for BitLocker and a big one for my stuff. My plan is to boot the machine from a Vista PE DVD, plug in an external drive, and use ImageX to capture an image of my C: drive. Then I can use fdisk, diskpart, etc. to create the partitions I need and use ImageX again to put my files back on the machine. (I use ImageX all the time for quick and dirty backups and rollbacks of my machines.)

While I'm planning this, I recall that I'm running Vista Ultimate Edition, that it recently downloaded some Ultimate Extras, and that BitLocker enhancements were part of them. I go to see what I got. Sure enough, there's a BitLocker Drive Preparation Tool. The readme explains that it will automatically create my small partition and move my data around without losing any of it. Slick. According to the BitLocker applet in Control Panel, my machine is equipped with a TPM chip, so getting this going should be pretty easy.

It still recommends I make a backup first, so I boot my PE disk and image my hard drive to an external disk. It takes an hour, which surprises me... oh my, I've filled up 85 GB on this machine. Note to self: time to archive some stuff. There's no way I need that much on my work machine. It's probably all Channel9 videos. The drive preparation tool still saved me at least an hour, so that was cool.

After I'm done imaging, I boot the machine back to Vista and go back to the BitLocker applet in Control Panel.  I click the "turn on BitLocker" link.

It prompts me to initialize the TPM hardware. Basically, it tells me to reboot and follow the directions. The directions consist of two big blue boxes at boot time. One says "F1 to enable TPM." The other says "F2 to Cancel." I pick F1. The machine reboots, and I go back to the BitLocker applet. It suggests that I back up my recovery key. My choices are USB key, folder, or printer. I opt for the first.

As of right now, my machine is happily cruising along, encrypting my drive in the background while I work. It's at about 36%. Once it finishes, my data will be encrypted at rest. As long as I boot my own Windows install, the TPM releases the key and I have full access to my data. The TPM checks the integrity of the unencrypted boot files: it measures them at boot and only releases the key if they match what they looked like when BitLocker was turned on. If they have been tampered with, or the disk is moved to another machine or booted from other media, BitLocker drops into recovery mode and prompts for the recovery key instead. If something goes wrong somewhere along the way, I have a backup of my recovery key on the USB drive on my keychain.

I think I'll go ahead and print off a copy of the key to put in a safe place.  I haven't yet lost a laptop, but I have been known to misplace my keys...
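The procedure above (check for a TPM, turn BitLocker on, back up the recovery key to a USB drive and a printable copy) as a script. This is an added example and not part of the original post; it uses the BitLocker and TrustedPlatformModule PowerShell modules that ship with Windows 8 and later (XTS-AES needs Windows 10 1511 or later). Vista had no such cmdlets; the equivalent there is the Control Panel applet or manage-bde.wsf. The drive letter E: for the USB key and the backup folder name are assumptions. Run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the OS volume with a TPM protector plus a
# recovery password, and save the recovery password to a USB drive (assumed E:)
# so it can be printed and kept off the laptop. Not from the original post.
# Needs the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012+).
param(
    [string]$OsDrive   = 'C:',
    [string]$BackupDir = 'E:\BitLockerRecovery'   # assumption: E: is the USB key on the keychain
)

$ErrorActionPreference = 'Stop'

# 1. Check for a TPM. If it is present but not ready, Initialize-Tpm does what the
#    "F1 to enable TPM" firmware prompt in the post does; it may need a reboot.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    throw "No TPM found; use a USB startup key or a password protector instead."
}
if (-not $tpm.TpmReady) {
    Write-Warning 'TPM present but not ready; initializing it (a reboot may be required).'
    Initialize-Tpm | Out-Null
}

# 2. Do nothing if the OS volume is already protected.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OsDrive is already protected by BitLocker."
    return
}

# 3. Turn BitLocker on with a recovery password protector first, so a usable
#    recovery key exists before the TPM protector is added. -UsedSpaceOnly
#    encrypts only the blocks in use (fine for a fresh install; prefer full
#    encryption on a disk that has already held sensitive data).
$vol = Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
           -UsedSpaceOnly -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1

# 4. Save the recovery password off the machine before doing anything else.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$file  = Join-Path $BackupDir "BitLocker-$env:COMPUTERNAME-$stamp.txt"
@"
BitLocker recovery password
Computer         : $env:COMPUTERNAME
Volume           : $OsDrive
Protector ID     : $($recovery.KeyProtectorId)
Recovery password: $($recovery.RecoveryPassword)
"@ | Set-Content -Path $file -Encoding ASCII
Write-Host "Recovery password saved to $file. Print a copy and store it somewhere safe."

# 5. Add the TPM as the protector that unlocks the volume on a normal boot.
#    The TPM seals the volume master key to measurements of the boot files, so a
#    modified boot loader, a different machine, or a Linux live CD will not get the
#    key and BitLocker falls back to the recovery password.
Add-BitLockerKeyProtector -MountPoint $OsDrive -TpmProtector | Out-Null

# 6. Show status; encryption keeps running in the background, as in the post.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType -join ', ') } }
```

Two design notes. Adding the recovery password before the TPM protector means there is never a moment where the volume is sealed to hardware without a way to recover it; the Control Panel wizard in the post enforces the same order by insisting on the key backup first. And because the TPM-only protector unlocks the drive unattended, a stolen laptop still boots to the Windows logon screen; for a machine that leaves the building, replace `-TpmProtector` with `-TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')` so the key is only released after a PIN is entered at boot.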

summary:  BitLocker good.  thumbs up.

Comments
  • Great post, explained really well and I could really understand. Thank you.
