This week, I received my shiny new work laptop, which I'd been anticipating for some time. Normally, I'm not much of a hardware geek and don't get overly excited with new kit, but I was really looking forward to this as it is 64-bit and finally allows me to install Server 2008 and Hyper-V for customer demos, testing, etc.
Although I wanted to use Server 2008, I still wanted Vista as my day-to-day desktop for email and the like, so I planned to dual boot with a shared data partition. However, as I sometimes have sensitive documents on my laptop, I wanted to use Bitlocker to secure everything.
At first I wasn't sure what would happen if I just booted to Vista or Server 2008 and Bitlockered all of the drives. Would the system boot at all? Would I lose access to one or both operating systems? What about the shared data?
As it turns out, this dual-boot scenario is no problem for Bitlocker. In case you're faced with a similar scenario, here's how I installed mine:
At this point both operating systems are protected by Bitlocker, both boot fine (using the appropriate PIN) and both can access the unencrypted data partition E:. However, they cannot access each other's partition. Next, to protect E: and make it accessible to both operating systems, I did this:
Now, partitions C:, D: and E: are all protected by Bitlocker, and each OS can boot without problems and can access the shared E: drive without any need to enter the recovery key. I deliberately left it so that each OS still can't see the other's install partition, so as to avoid accidental changes, but using the "unlock" method above it would be possible to make all drives accessible under each OS.
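One way to script the "unlock once, then auto-unlock" step for the shared data volume, so it can be verified from each OS, is shown below. This is an added example, not the author's own steps: it wraps the manage-bde tool that Vista and Server 2008 ship as a script (manage-bde.wsf; later Windows versions have manage-bde.exe), and it assumes the drive letters C:, D: and E: from the post and a placeholder recovery password that you would replace with the real 48-digit one printed when E: was encrypted.

```powershell
# Added example (not from the original post): unlock the shared data volume E:
# once with its recovery password, then register an auto-unlock key on the
# currently running OS volume so this OS opens E: on every boot without a prompt.
# Assumptions: elevated prompt on Vista / Server 2008, where the tool is the
# script %SystemRoot%\System32\manage-bde.wsf; drive letters as in the post.

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'

function Invoke-ManageBde {
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Run the tool via cscript and return its text output for inspection.
    & cscript.exe //nologo $ManageBde @Arguments
}

function Get-VolumeStatusText {
    param([Parameter(Mandatory)][string]$Volume)
    # Plain-text status block for one volume (protection state, key protectors).
    (Invoke-ManageBde -Arguments @('-status', $Volume)) -join "`n"
}

# 1. Show what is currently protected and how.
Invoke-ManageBde -Arguments @('-status')

# 2. Unlock E: with its recovery password. PLACEHOLDER value: replace with the
#    real 48-digit recovery password for E:. Data volumes on Vista have no
#    passphrase, so the recovery password (or a recovery key file) is the way in.
$RecoveryPassword = '000000-000000-000000-000000-000000-000000-000000-000000'
Invoke-ManageBde -Arguments @('-unlock', 'E:', '-RecoveryPassword', $RecoveryPassword)

# 3. Store an auto-unlock key for E: on this OS volume. Because the OS volume is
#    itself Bitlocker-protected, that key is only available once this OS has
#    booted (with its PIN), which is what keeps E: protected at rest.
Invoke-ManageBde -Arguments @('-autounlock', '-enable', 'E:')

# 4. Confirm E: now reports automatic unlock as enabled for this OS.
$status = Get-VolumeStatusText -Volume 'E:'
if ($status -match 'Automatic Unlock:\s+Enabled') {
    Write-Host 'E: will auto-unlock from this OS.'
} else {
    Write-Warning 'E: is not set to auto-unlock from this OS; re-check steps 2-3.'
}
```

Run the same script from the other OS install (D: in the post) so that each OS holds its own auto-unlock key for E:; the D: volume itself is never unlocked here, which preserves the author's choice of keeping the two install partitions hidden from each other.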
There is possibly a neater way of doing this, but apart from waiting for the encryption steps to complete it was all very quick and painless.
A couple of notes:
Are you storing anything in Active Directory?
Yes, actually, I did back up the recovery keys to AD, but didn't mention it so as to make the description a bit simpler. If you enable the following Group Policy setting (locally or in AD), Bitlocker will back up your recovery password to AD:
Computer Configuration > Administrative Templates > Windows Components > Bitlocker Drive Encryption > Turn on Bitlocker backup to Active Directory Domain Services
There is a sub-setting in that policy called "Require BitLocker backup to AD DS", which prevents Bitlocker encrypting anything unless it can back up your keys in this way.
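The following added check (my example, not part of the original post or of any Microsoft tooling) reads the local policy state behind that Group Policy setting and reports whether AD backup is merely enabled or actually required. It assumes, as I understand the policy, that the setting is stored under HKLM\SOFTWARE\Policies\Microsoft\FVE in the DWORD values ActiveDirectoryBackup and RequireActiveDirectoryBackup; treat those names as an assumption and confirm them against the policy's ADMX on your own domain before relying on the result.

```powershell
# Added example (not from the original post): audit the local Bitlocker
# AD-backup policy and say whether "require backup" is in force.
# Assumption: the Group Policy setting "Turn on Bitlocker backup to Active
# Directory Domain Services" is stored under the FVE policy key in the two
# DWORD values named below (verify against the ADMX in your environment).

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitlockerAdBackupPolicy {
    # Returns an object describing the effective AD-backup policy on this machine.
    $backup = $null
    $require = $null
    if (Test-Path $FvePolicyKey) {
        $props = Get-ItemProperty -Path $FvePolicyKey
        $backup  = $props.ActiveDirectoryBackup
        $require = $props.RequireActiveDirectoryBackup
    }
    [pscustomobject]@{
        BackupEnabled  = ($backup -eq 1)
        BackupRequired = ($backup -eq 1 -and $require -eq 1)
        # "Enabled but not required" is the risky middle state: encryption will
        # proceed even when the domain controller cannot be reached, so a
        # recovery password may exist only on whatever medium the user chose.
        Assessment = if ($backup -ne 1) {
                         'AD backup not enabled; recovery passwords are not escrowed.'
                     } elseif ($require -ne 1) {
                         'AD backup enabled but not required; encryption may succeed without escrow.'
                     } else {
                         'AD backup required; Bitlocker will refuse to encrypt without a successful escrow.'
                     }
    }
}

Get-BitlockerAdBackupPolicy | Format-List
```

The "required" variant is the one worth pushing for on laptops like the one in this post: without it, a volume encrypted while off the corporate network has its recovery password escrowed nowhere that the help desk can reach.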
Get loads of information here:
Configuring Active Directory to Back up Windows BitLocker Drive Encryption and Trusted Platform Module Recovery Information