I have had many questions about BitLocker so I thought I would answer them in this blog post.
BitLocker is a Trusted Platform Module (TPM) component that allows you to protect data on hard drives. BitLocker is the name given to the encryption component that works on hard disk drives. BitLocker To Go is the exact same thing, but it works on removable drives such as USB drives. If the drive is seen by Windows as a physical drive it will show up under BitLocker; if it shows as a removable media drive it will be listed under BitLocker To Go.
Why? … If you or someone at your company has ever “lost” a laptop or USB drive with sensitive data on it, you will know why. These types of losses can be catastrophic depending on the business and what data is lost. Consider as an example a small insurance company. The office manager or owner wants to do some “number crunching”, dumps their customer database into an Excel file and puts it onto a USB hard drive (or laptop) to take home and work on over the weekend. They stop at the store to get a loaf of bread and leave the drive on the seat of the car. Now, 3 mins later, they come out to the car and it is gone! Oh No! Now what? Well, the client database was on that unencrypted drive (or laptop if you prefer) and now it is out in the public. After sweating for a while they just hope and pray that nobody does anything with the data. We are not that lucky in this scenario.
It was a kid that took it (or a competitor) and he posts the information on the web (complete with social security numbers). It gets out to the public. Before morning the office has dozens of people calling about it. By the following day the local community paper has written an article about the loss and the breach. Do you think there is much chance that this company will keep their customers? Do you think there is any chance they will be able to replace the customers they lost? Not likely … This is a catastrophic situation for this customer.
There are a number of other scenarios I could easily cover on this topic. Consider medical information that might be in that database from a car accident, a home fire, or whatever. The vulnerability is not only real, it is very likely. Remember Murphy’s Law: anything that can go wrong, will go wrong! If the data is encrypted, it is not a problem: so you lose the drive or the laptop, oh well. Lose the data, though, and it is lights out! Yeah, BitLocker really is that good!
BitLocker was introduced with Windows Vista. It is not available on all versions of Vista or Windows 7: you have to be on Enterprise or Ultimate with Windows Vista or with Windows 7. The Enterprise and Ultimate SKUs support BitLocker; other SKUs will not have the feature. Once a drive is encrypted with BitLocker it can no longer be read by any machine that does not have the “key”. The “key” could be a password or another form of authentication that was defined when the drive was encrypted. Windows XP SP3 and later OSs can READ the drive (if they have the key) but they cannot write to it.
Check out the BitLocker Center on TechNet; that page talks about BitLocker in full detail. Make sure you do not miss the FAQs, which talk about:
Yes, you can use a smartcard, password, embedded TPM module, etc. to unlock a BitLocker encrypted drive.
You can install/configure BitLocker by going into “Control Panel”, selecting “System and Security”, and then selecting “BitLocker Drive Encryption”.
“Manage BitLocker” allows you to change or print the recovery key of the encrypted drive. It has slightly different options if it is the boot drive.
“Turn Off BitLocker” allows you to decrypt the drive so that it is no longer protected.
“Turn On BitLocker” allows you to encrypt a drive. Make sure you have some available time when you encrypt a drive; it could take a while. I also strongly recommend you do not allow your computer to fall asleep, suspend, lose power, etc. while it is encrypting a drive. According to the specification, even if this happens BitLocker will just pick up where it left off on the next boot. But hey, why chance it? It takes a while to encrypt, but reading and writing data after the initial encryption is VERY FAST! On my Lenovo T61P I encrypted my OS partition and literally did not notice any negative impact.
Yes to both questions… You can use Group Policy to enforce BitLocker and/or you can store the keys in AD; see “Configuring Active Directory to Back Up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information”. You need to have a Windows Server 2003 SP1 or later AD infrastructure and server OS. It may work on older versions, but it is not supported, so you are on your own if you try that.
From the Local Group Policy (mmc.exe; Add/Remove Snap-in; Group Policy Object Editor; Current Computer):
Local Computer Policy
  -- Computer Configuration
     -- Administrative Templates
        -- Windows Components
           -- BitLocker Drive Encryption
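As an added example (not from the original post), the following script audits the state the Group Policy and AD backup settings above are meant to enforce. It uses the Win32_EncryptableVolume WMI class, which exists on Windows 7 / Server 2008 R2 and predates the BitLocker PowerShell module; it assumes it runs elevated on a domain-joined machine where the AD recovery-information backup described above has been configured.

```powershell
# Audit every BitLocker-capable volume, flag any whose protection is off or suspended,
# and escrow each recovery password protector to Active Directory.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                 3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$NumericalPassword = 3   # KeyProtectorType of the 48-digit recovery password

foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    # Volumes without a drive letter are identified by their device path instead.
    $name = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.DeviceID }
    $p = $vol.GetProtectionStatus()
    $c = $vol.GetConversionStatus()
    $status = $protection[[int]$p.ProtectionStatus]
    $state  = $conversion[[int]$c.ConversionStatus]
    Write-Output ("{0} protection={1} state={2} ({3}% encrypted)" -f $name, $status, $state, $c.EncryptionPercentage)

    # A decrypted or suspended volume (e.g. a local admin turned BitLocker off) is the
    # condition an administrator most wants to catch; report it and move on.
    if ($p.ProtectionStatus -ne 1) {
        Write-Warning ("{0}: BitLocker protection is OFF on this volume" -f $name)
        continue
    }

    # Every recovery password protector on a protected volume is backed up to AD, so the
    # helpdesk can recover the drive even if the user loses the printed key.
    $ids = $vol.GetKeyProtectors($NumericalPassword).VolumeKeyProtectorID
    if (-not $ids) {
        Write-Warning ("{0}: no recovery password protector; nothing to back up" -f $name)
        continue
    }
    foreach ($id in $ids) {
        $r = $vol.BackupRecoveryInformationToActiveDirectory($id)
        if ($r.ReturnValue -eq 0) {
            Write-Output ("{0}: backed up protector {1} to AD" -f $name, $id)
        } else {
            Write-Warning ("{0}: AD backup of {1} failed, HRESULT 0x{2:X8}" -f $name, $id, $r.ReturnValue)
        }
    }
}
```

A non-zero HRESULT from the backup call is the symptom to look for when the key is not appearing in AD: it usually points at the policy not being applied to the machine or the AD schema not being extended.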
You can download Windows 7 RC from the TechNet download center. At some point the ability to download the bits will expire, so if you want it, you probably should get it pretty quickly. Additionally, if you want to play with BitLocker or other Windows Server 2008 R2 or Windows 7 features, let me know and I will add you to the “Momentum” early adopter program so you can gain access to the bits.
I have on my list to do a step-by-step recording of this process in the next few weeks. If you are interested in that, check back at my blog. I will try to put a link to that blog post here when it is done. If you are in dire need of the information, let me know and I will try to move it up the priority list.
Please let me know what you think about this post.
You have explicitly answered questions frequently asked about BitLocker.
As far as I know, Microsoft is forcing their users to use BitLocker on their work computers.
I just wonder how difficult it is to estimate the password ?
I presume you are implying that you work for Microsoft and your employer is forcing the use of BitLocker :) If "estimating the password" means "guessing the password" .... that all depends on how simple your password is. If you set it to something that anyone could guess then it is pretty easy. If you use standard password restrictions (upper alpha, lower alpha, numbers, symbols and no birthdates, pets, friends or family names, etc.) it can be pretty difficult.
You should have the key stored in a SAFE (literally) place.
If you mean how do I retrieve a lost password... It should also be stored in Active Directory, so your helpdesk should be able to help you with unlocking it or changing the key.
Thank you Dan for this information.
Do you know if there is a group policy to force encryption on Operating System drives? The challenge we have is all our users are local admins on their machine (this is a requirement we cannot escape), so at any time, users can go to Control Panel and simply decrypt their drive.
Alternatively, is there any way through group policy to disable users from suspending/decrypting their drive - we only use a single partitioned disk - so OS/data reside on same partition.
Thanks in advance
Hi Mark, Yes. Group Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Under this key, you will see you can control different types of drives: OS, Data, Removable.
We are using Windows 7 Ultimate on company laptops that are on the road, not connected to a PDC. I have followed the TechNet example, but BitLocker keeps reporting no suitable certificate. Any ideas on what I need to do to create a self-signed certificate that works?
Thank you Dan.
I enabled a Bitlocker and TPM GPO to save to AD on 2008 Domain and applied it to a Windows 7 Ultimate workstation. When I look at the gpresult on the workstation I can see that the Bitlocker GPO was applied, but the local Gpedit settings for these 2 are NOT Configured and the key does not get saved in AD when I execute the cscript enablebitlocker.vbs.
Should the Local GPO show the 2 settings enabled??
Thank you very very very much..... I was too scared because BitLocker doesn't unlock at any cost. :-)
Steps to unlock BitLocker encrypted disks:
1) Go to "Control Panel > System and Security > BitLocker Drive Encryption"
2) And then lock or unlock any drive you wish.
I BET THIS METHOD WILL WORK (but only in Windows versions in which BitLocker is built in)
I can not find BitLocker anywhere on my computer. I have Win7. Does BitLocker come standard with all Win7 versions? I am having an issue with an SD card that says it is write protected by BitLocker, so I am really confused because I never enabled BitLocker, and as mentioned, I can not find it anywhere. Any help would be received with much gratitude!