
Vista, Server 2008 and the Case of the Bitlocker Dual Boot


This week, I received my shiny new work laptop, which I'd been anticipating for some time.  Normally, I'm not much of a hardware geek and don't get overly excited with new kit, but I was really looking forward to this as it is 64-bit and finally allows me to install Server 2008 and Hyper-V for customer demos, testing, etc.

Although I wanted to use Server 2008, I still wanted Vista as my day-to-day desktop for email and the like, so I planned to dual boot with a shared data partition.  However, as I sometimes have sensitive documents on my laptop I wanted to use Bitlocker to secure everything.

At first I wasn't sure what would happen if I just booted to Vista or Server 2008 and Bitlockered all of the drives.  Would the system boot at all?  Would I lose access to one or both operating systems?  What about the shared data?

As it turns out, this dual-boot scenario is no problem for Bitlocker.  In case you're faced with a similar scenario, here's how I installed mine:

  1. Installed Vista Ultimate SP1 to C: partition.  Vista Enterprise also supports Bitlocker.
  2. Installed Server 2008 Enterprise on D: partition.
  3. Created data partition E:.
  4. Created a small partition, S:, for the unencrypted boot files.  You can do this manually with Disk Manager or you can use the Bitlocker Drive Preparation Tool (also available as an Ultimate Extra).
  5. Booted into Vista and applied Bitlocker to the C: drive, saving the recovery key to a USB drive and setting a boot PIN.
  6. Booted into Server 2008 and applied Bitlocker to D:, saving the recovery key to a USB drive and setting a boot PIN.  The PIN is not shared across the two operating systems, but you can use the same number for both.

At this point both operating systems are protected by Bitlocker, both boot fine (using the appropriate PIN) and both can access the unencrypted data partition E:.  However, they cannot access each other's partition.  Next, to protect E: and make it accessible to both operating systems, I did this:

  1. Booted into Vista and applied Bitlocker to the E: partition, saving the recovery key to a USB drive.
  2. Booted into Server 2008, where E: is now inaccessible.
  3. Started the Bitlocker Drive Encryption tool and selected the "Unlock Volume" option for E:.
  4. Selected to load the volume recovery key from removable media when prompted and inserted the USB drive.
  5. Selected the "Save key..." option and unlocked the partition.

Now, partitions C:, D: and E: are all protected by Bitlocker and each OS can boot without problem and can access the shared E: drive without any need to enter the recovery key.  I deliberately left it so that each OS still can't see the other's install partition, so as to avoid accidental changes, but using the "unlock" method above it would be possible to make all drives accessible under each OS.
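The same "unlock, then save the key" sequence from the second list, done from the command line instead of the GUI, as an added example that is not part of the original post. It assumes the BitLocker command-line tool of that era (cscript manage-bde.wsf), that the .bek recovery-key files were saved to the root of a USB drive mounted as F:, and that the shared data partition is E: in this OS; %SystemDrive% is used rather than a hard-coded letter because each OS sees its own install partition as the system drive.

```batch
@echo off
REM Added example, not from the original post: unlock the shared data partition
REM from the second OS and save its key so it auto-unlocks at every boot.
setlocal
set BDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf
set DATAVOL=E:
REM Assumption: the USB drive holding the recovery keys (*.bek) is mounted as F:
set USBKEY=F:\

REM 1. Auto-unlock stores the data volume's key protected by this OS volume's key,
REM    so it only makes sense once this OS's own system drive is BitLocker-protected.
%BDE% -status %SystemDrive% | findstr /C:"Protection On" >nul
if errorlevel 1 (
    echo %SystemDrive% is not protected by BitLocker; turn it on before auto-unlocking %DATAVOL%.
    exit /b 1
)

REM 2. The USB drive carries one .bek per volume (C:, D:, E:), named by protector GUID,
REM    so try each file until the data volume reports itself unlocked.
for %%K in ("%USBKEY%*.bek") do (
    %BDE% -unlock %DATAVOL% -RecoveryKey "%%~fK" >nul 2>&1
    %BDE% -status %DATAVOL% | findstr /C:"Unlocked" >nul && goto unlocked
)
echo No recovery key on %USBKEY% unlocks %DATAVOL%; check the USB drive.
exit /b 1

:unlocked
REM 3. Equivalent of the GUI's "Save key..." option: keep a copy of the volume key
REM    in this OS so %DATAVOL% opens without the USB drive from now on.
%BDE% -autounlock -enable %DATAVOL%

REM 4. Confirm the result: Protection On, Lock Status Unlocked, auto-unlock enabled.
%BDE% -status %DATAVOL%
endlocal
```

Run it once from each operating system that should see the shared partition; the recovery key on the USB drive is only needed for this first unlock.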

There is possibly a neater way of doing this, but apart from waiting for the encryption steps to complete it was all very quick and painless.

A couple of notes:

  • I used a new system with clean installs of Vista and Server 2008, so if things had gone wrong all I'd have lost is a bit of my time.  If you do this on an existing system, please remember to back up your data first - I'm sure everything will be fine, but you never know ...
  • If you follow the method above you will end up with a USB drive with all of your recovery keys on it.  Remember to keep this in a safe place away from your computer (e.g. don't leave it in your bag with your laptop).
  • If you're interested in dual-booting with an OS that doesn't support Bitlocker, have a look here.
  • Above, I assume you know how to turn on Bitlocker, but if you don't, you can find details in the Windows BitLocker Drive Encryption Step-by-Step Guide.
Comments
  • Are you storing anything in Active Directory?

  • Keith

    Yes, actually, I did back up the recovery keys to AD, but didn't mention it so as to make the description a bit simpler.  If you enable the following Group Policy setting (locally or in AD), Bitlocker will backup your recovery password to AD:

    Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Turn on Bitlocker backup to Active Directory Domain Services

    There is a sub-setting in that policy called "Require BitLocker backup to AD DS", which prevents Bitlocker encrypting anything unless it can back up your keys in this way.

    Get loads of information here:

    Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information

    ~ Richard

  • In a recent post, I explained how easy it was to use Bitlocker to secure your drives in a dual-boot

  • You may have seen from a recent post that I received a new laptop that was capable of running Hyper-V.
