Written by Mark Farrugia, Senior Microsoft Premier Field Engineer.
Bitlocker - Windows 7's Best FeatureMobile computers (Laptops, Netbooks, Tablets, etc.) have been outselling desktop computers for years now, and why shouldn’t they?  Some modern day laptops offer better 3D Gaming frame rates than desktop computer counterparts.  With the proliferation of the internet, email, electronic record keeping, digital photos/videos and electronic documents, a lot of personal information is being kept on these mobile devices that can literally be carried anywhere and be left any place, any time.

Protecting data: What’s a user to do?

Protecting your personal data should be a top priority for all users, but unfortunately this can get costly with third party solutions.  Microsoft has included a volume encryption mechanism since Windows Vista, but it was only included in two product SKUs– Windows Vista Enterprise and Windows Vista Ultimate editions.  This feature segregation has continued into the Windows 7 world now, but in my humble opinion it is worth the price of admission to Windows 7 Ultimate for the consumer world and Windows 7 Enterprise for the business space.

Any Improvements to BitLocker from Windows Vista to Windows 7?

Of course there are improvements, some of which are:

  • Windows 7’s installer now automatically prepares the system volume for BitLocker drive encryption on a clean install
  • Windows 7 BitLocker is now able to encrypt multiple drive volumes, not only the system volume as was the case in Windows Vista
  • Windows 7 now supports BitLocker-To-Go, forcing removable drives such as USB keys to use volume encryption to protect contents stored on those devices.

What are the requirements?

Bitlocker’s requirements are very reasonable:

  • A computer with a Trusted Platform Module (TPM) Chip v1.2 or higher, or a removable USB stick if your drive does not have the required TPM chip
  • A hard drive volume with two partitions;
    • 200 MB partition for system startup files
    • The rest of the volume for user and system files
  • All BitLocker volumes formatted to NTFS
  • Have a BIOS that is compatible with TPM and supports USB devices during computer startup.

How Do I Enable BitLocker?

Once all the requirements have been fulfilled, enabling BitLocker it is as simple as going to the Control Panel, System and Security and choosing BitLocker Drive Encryption.  You can choose which volumes you wish to enable encryption on and the wizard will walk you through the rest. In some cases you will have to go into the BIOS of your computer and turn on the TPM Chip, but the BitLocker wizard should tell you to do that.  I won’t bother going through all the steps to enable BitLocker because Microsoft has already published a very detailed TechNet article on that very subject: BitLocker Drive Encryption Step-by-Step Guide for Windows 7

BitLocker will encrypt your system or data volumes, making it impossible for someone to read the contents of the device should they get physical access to your drive. The volume would appear to another Windows machine as an unformatted volume, and without the recovery key, the contents would be impossible to recover.

Another useful situation in which BitLocker can save an organization or individual valuable time is if you are retiring, donating and or discarding hardware; traditionally it is recommended that you run a utility that will “zero” out the disk to try and destroy all the data that was on the drive.  With BitLocker enabled, all you would have to do is clear out the recovery key from the TPM chip and/or not include the USB key containing the recovery key, and the volume is unrecoverable.  I don’t know about you, but I prefer a method that will take minutes over a drive wipe that could take hours to complete, and only growing longer as drive volumes continue to increase.

Should I Use BitLocker?

Absolutely yes, you should use BitLocker, especially if you are a mobile user where your sensitive data could be compromised or stolen. Also encourage your customers, whether you are a consultant, system administrator and or the family tech support person to start securing their data also.

In future articles I will talk about how to manage BitLocker in the enterprise using Group Policy and Active Directory.