Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - let's share interesting security information

Bitlocker To Go – Cool Stuff


I guess you know my view on protecting USB ports. I am often asked how you can keep your users from using USB sticks. There are ways – especially in Vista – but don’t do it. Your users most probably have a good business reason why they want to use USB sticks, and if you do not let them, they will most probably find another way to transport your sensitive information.

Rather give them the tools to do their business in a secure and safe way. Protect sensitive information with technology like Active Directory Rights Management Services – then you no longer have to worry about where your data resides. Additionally, you might still be worried about the loss of thumb drives, as this happens so often. This is probably the background to the many questions I get on Bitlocker To Go. Let’s briefly look at the user experience when using this technology.

I just plugged a normal USB stick into my Windows 7 box. I then right-click on the USB drive in “My Computer” and get the following menu:

[Screenshot 200907_01]

So, let’s click on Turn on BitLocker… and give it a try:

[Screenshot 200907_02]

This answers one of the questions I often get: How does Bitlocker To Go authenticate the user? As you can see, there are two options:

  • You can use a password to protect it – or, even better, a passphrase. This is the option you use if you want to share the USB key, or if you are not sure what kind of machine you will have to unlock it on, as you do not know whether there is a smartcard reader (or you know that there is no smartcard reader on the target machine).
  • If you want to make sure you have strong authentication and only you get access, use a smartcard!

And then – no, not yet. The drive will not be encrypted yet. As you know from “normal” Bitlocker, there is no encryption without backup keys:

[Screenshot 200907_03]

After having backed up the key, you are ready to go and encrypt the USB stick:

[Screenshot 200907_04]

So far so good: pretty easy! But what happens if I plug this stick into another machine? This is what I did, and this is what happened:

[Screenshot 200907_05]

So, I am prompted for the password, I enter it, and the device is unlocked. However, if I have forgotten my password, this happens:

[Screenshot 200907_06]

So, similar to Bitlocker on your main machine/disk, you can use the recovery key you backed up earlier to unlock it.

If you look at it, it is a pretty easy and straightforward way to encrypt a USB stick and protect its contents against loss, using the same technology as for your main disk.
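The same workflow the wizard walks through above (password protector, recovery key backup before encryption starts, unlocking on another machine with either the password or the recovery key) can be scripted with the manage-bde command-line tool that ships with Windows 7. The script below is an added example and is not part of the original post; the drive letter E: and the folder C:\BitLockerKeys are placeholders you would replace with your own values, and it must be run from an elevated prompt on an edition of Windows 7 that can enable BitLocker To Go.

```powershell
# Added example (not from the original post). Placeholders: the removable
# drive is assumed to mount as E:, and C:\BitLockerKeys is assumed to be an
# existing folder on a drive that is NOT the one being encrypted.
$Drive    = 'E:'
$KeyStore = 'C:\BitLockerKeys'

# Step 1: turn on BitLocker To Go with a password protector (-pw prompts for
# the password) and, before any encryption starts, a recovery password (-rp)
# plus a recovery key file (-rk) written to the backup folder. This is the
# "no encryption without backup keys" step of the wizard.
manage-bde -on $Drive -pw -rp -rk $KeyStore

# Step 2: watch progress; "Conversion Status" reports Fully Encrypted when done.
manage-bde -status $Drive

# Step 3: list the key protectors. The "Numerical Password" entry is the
# 48-digit recovery password you fall back on if the password is forgotten;
# store it somewhere other than on the stick itself.
manage-bde -protectors -get $Drive

# Step 4 (on another machine): unlock with the password ...
#   manage-bde -unlock E: -pw
# ... or, when the password is lost, with the recovery password or key file:
#   manage-bde -unlock E: -rp 111111-222222-333333-444444-555555-666666-777777-888888   # placeholder
#   manage-bde -unlock E: -rk "C:\BitLockerKeys\<protector-id>.BEK"                   # placeholder path

# Step 5: lock the drive again before unplugging it, so the next machine has to
# authenticate rather than finding the volume already open.
manage-bde -lock $Drive -ForceDismount
```

Keep the output of step 3 together with your other recovery material: as the screenshots show, a forgotten password is only recoverable through the recovery password or key file created in step 1, so a backup folder that lives on the encrypted stick is no backup at all.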

One final question I get asked pretty often: Which editions of Windows 7 support it? In the Windows 7 BitLocker Executive Overview, you find the answer: BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Although you will need a premium Windows 7 SKU to enable protection of removable storage devices with BitLocker, any SKU can be utilized to unlock and use a protected device. Finally, BitLocker To Go provides read-only support for removable devices on older versions of Windows, allowing you to more securely share files with users who are still running Windows Vista and Windows XP.

Roger

Comments
  • When I try to unlock my drive, it prompts me to type the recovery key instead of my password. Unfortunately, I forgot to save my recovery key, but I know my password. So, please advise what I should do to unlock my drive.

  • Did you enter your password wrongly several times? This is the only reason I could think of... However, I am not really online at the moment and it is hard for me to guess from afar. I would try to reach out to our support.

    Roger
