Here is the second of my posts on BitLocker under Windows 7. While not strictly deployment focused I found these points of interest. We all tend to use USB disks for moving data around and securing these is becoming more important. For example how many people have a deployment point on their USB stick that might have user names and passwords in clear text?
BitLocker to Go and legacy versions of Windows
When using BitLocker to Go you can encrypt removable drives with NTFS, but you won’t be able to read them on a down level OS i.e. Windows XP or Windows Vista. However if you encrypt a FAT (or exFAT, FAT32) formatted drive, you will see the BitLocker to Go Reader when you plug it into a down level machine, which will allow read access to your files.
When considering the usage of BitLocker to Go it’s worth noting that you can configure whether or not the BitLocker to Go Reader is included on the removable drive when you encrypt it using Group Policy – Run GPEdit > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Drives > Allow access to BitLocker-protected removable data drives from earlier versions of Windows.
BitLocker to Go, Certificates and Smart Cards
If anyone has tried out Bitlocker to Go you will have seen the option to encrypt an external disk using your smart card. However not all certificates are suitable for this use.
A certificate is considered valid for BitLocker to Go if the following conditions are met for Key Usage:
No KU is present
KU is present and contains one of the following keyEncipherment bits:
A certificate is considered valid for BitLocker to Go if the following conditions are met for Extended Key Usage:
No EKU is present
EKU is present and contains BitLocker™ OID
EKU is set to anyExtendedKeyUsage
NOTE: The BitLocker OID is configurable in group policy
This post was contributed by Richard Trusson, a Senior Consultant with Microsoft Consulting Services - U.K.