Protecting Removable Drives with Bitlocker

In a recent post, I explained how easy it was to use Bitlocker to secure your drives in a dual-boot scenario with Windows Vista and Server 2008.  Following this I had some discussions with colleagues about how to securely back up copies of the files from the encrypted drive.  Specifically, how to create a portable copy to carry around with you.  Engineers in my team are out on the road a lot and sometimes don't have good access to our corporate network, so having a second copy of important files with you is very useful, but as you can imagine, copying your files from a system secured by Bitlocker to a plain old USB drive renders the Bitlocker a bit pointless, especially if this drive is carried around in the same bag as your laptop!

The good news is that Bitlocker can also secure removable drives.  Admittedly, this makes the drive somewhat less portable, but it does allow you to create a secure backup that you can carry with you.  Here's how to do it:

  • Insert the USB drive and format it using NTFS.  If you already have files on the drive, either temporarily copy these elsewhere, run a normal format and then copy the files back, or use the convert command at the command line to change the file system with the files in place.
  • Open the Bitlocker Drive Encryption tool from the Control Panel.  Notice that the removable drive is shown as a valid drive for Bitlocker encryption:

[Screenshot: the removable drive listed as an available drive in the Bitlocker Drive Encryption tool]

The drive used in the above example is a simple 4GB USB drive.

  • Click "Turn on Bitlocker" and follow the prompts to encrypt the drive.  Make sure to save the recovery key to a secure location, which means somewhere other than another USB drive you carry around with you!

Now the drive is fully encrypted by Bitlocker and will be automatically usable on the system it was encrypted on.  So, you can now copy files from your main encrypted system to it and carry the drive around as a secure backup.  If the drive is stolen or lost, the data is inaccessible:

[Screenshot: access to the encrypted drive is denied on a system that does not hold its key]

One downside to this is that the increased security has come at the cost of reduced portability.  If all you want is a backup copy of your original files, to be used only when the originals are corrupt or lost, then this is fine as moving between systems isn't really an issue.  However, if you want to use the drive on several machines, say to copy files from a desktop system to your laptop, or vice versa, then the current setup won't do.

To make the drive accessible on another Bitlocker-capable machine, do this:

  • Insert the drive as normal.  As mentioned above, it will be inaccessible in Explorer (or via any other means, for that matter), but it is recognised by the system as being encrypted:

[Screenshot: the drive recognised by the system as Bitlocker-encrypted]

  • Open the Bitlocker Drive Encryption tool.  The drive will appear as encrypted and locked:

[Screenshot: the drive shown as encrypted and locked in the Bitlocker Drive Encryption tool]

  • Click "Unlock Volume" and follow the prompt to supply the recovery key.  Once unlocked, the data will be accessible as with a normal USB drive.  In addition, if the system used to unlock the drive is itself Bitlocker-protected, you will see an option to save the recovery key locally:

[Screenshot: the "Save Keys" option offered after unlocking the drive]

Using the "Save Keys" option means that each time you insert the drive, it will be automatically unlocked and ready for use, just like a normal USB drive.

You can repeat the steps above on as many systems as you like to make the Bitlocker encryption transparent between these systems, while ensuring that the data on the removable drive remains secure.  Unfortunately, the data is not going to be readable on any system that does not support Bitlocker, but for the scenario I started with (secondary, secure storage for your Vista laptop) this doesn't really matter.
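The two procedures above (protecting the drive, then registering it on another Bitlocker-capable machine), as an added PowerShell example that is not part of the original post. It assumes the BitLocker PowerShell module of Windows 8 / Server 2012 and later rather than the Vista-era Control Panel tool shown here, an elevated session, and drive letters and folder paths that you supply.

```powershell
# Added example, not from the original post: the same two procedures driven from
# the BitLocker PowerShell module (Windows 8 / Server 2012 and later, not the Vista
# GUI shown above). Run elevated; drive letters and paths are assumptions.
#Requires -RunAsAdministrator

function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,       # e.g. 'E'
        [Parameter(Mandatory)][string]$RecoveryKeyFolder  # anywhere except the USB drive
    )
    $mount = "${DriveLetter}:"
    # Mirror the post's warning: never keep the recovery key on the drive it unlocks.
    if ((Resolve-Path $RecoveryKeyFolder).Path -like "$mount*") {
        throw "Recovery key folder must not be on the removable drive itself."
    }
    # Step 1: NTFS format (destructive; copy existing files elsewhere first).
    Format-Volume -DriveLetter $DriveLetter -FileSystem NTFS -Confirm:$false | Out-Null
    # Steps 2 and 3: turn on BitLocker with a recovery-password protector.
    Enable-BitLocker -MountPoint $mount -RecoveryPasswordProtector -UsedSpaceOnly | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $mount
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $file = Join-Path $RecoveryKeyFolder "BitLocker-recovery-$($rp.KeyProtectorId).txt"
    "Recovery password for $mount : $($rp.RecoveryPassword)" | Set-Content -Path $file
    return $rp.RecoveryPassword
}

function Register-RemovableDrive {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [Parameter(Mandatory)][string]$RecoveryPassword   # the 48-digit key saved above
    )
    $mount = "${DriveLetter}:"
    if ((Get-BitLockerVolume -MountPoint $mount).LockStatus -eq 'Locked') {
        Unlock-BitLocker -MountPoint $mount -RecoveryPassword $RecoveryPassword | Out-Null
    }
    # "Save Keys" (auto-unlock) is only offered when the OS volume is itself
    # BitLocker protected: the drive's key is stored on that volume.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if ($os.ProtectionStatus -ne 'On') {
        Write-Warning "OS volume is not protected; the recovery key is needed on every insert."
        return $false
    }
    Enable-BitLockerAutoUnlock -MountPoint $mount | Out-Null
    return [bool](Get-BitLockerVolume -MountPoint $mount).AutoUnlockEnabled
}
```

Run Protect-RemovableDrive once on the machine that owns the files, then Register-RemovableDrive on each additional Bitlocker-protected machine; the function returns $true when auto-unlock is in place and $false when the machine will keep asking for the recovery key.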