Windows Vista – BitLocker Drive Encryption

BitLocker provides extra security for computer disks, especially those of laptops.  It works because the whole operating system volume stays encrypted, even if the disk is pulled out and connected to another machine.  Without the keys, a thief cannot read the disk by booting a parallel copy of Vista, or any other operating system, alongside it.

Pre-requisites for BitLocker Drive Encryption

  1. Use Windows Vista Ultimate or Enterprise; these are the only editions that include BitLocker (Home Basic, Home Premium and Business do not).
  2. Check that the computer has a TPM (Trusted Platform Module) version 1.2 chip and a TCG-compliant BIOS that can switch it on.  The TPM does not do the encryption itself: it measures the boot components and releases the volume key only when they match the values recorded when BitLocker was turned on.  Consequently, if the disk is stolen and moved to a different computer, or the boot environment is tampered with, the drive stays locked and the thief would need the recovery password before they could read the data.
  3. Set the BIOS boot order so the computer boots from the hard disk first, ahead of USB and optical drives.

Creating the BitLocker Partitions

As ever, planning is the key.  The best solution is to create the two partitions needed by BitLocker during the install.  For this task, seek out detailed instructions, and in particular learn how Diskpart creates and formats the small system partition.  Meanwhile, here are outline instructions for the task.

  1. As you install Vista, create two partitions: a small active system partition (at least 1.5 GB) that holds the boot files and stays unencrypted, and the operating system partition that BitLocker encrypts.  Do not put data on the first partition; anything there is readable without a key.  The secret is to click ‘System Recovery Options’, which gives you a command prompt where you can run Diskpart.  As you install Vista Ultimate, look at the lower left of the pages; System Recovery Options appears on about the second install screen, just after you select the Keyboard Layout.
  2. If you have already installed Vista without this layout, don’t despair: seek out the Windows BitLocker Drive Preparation Tool, which shrinks the existing volume and creates the active system partition for you.
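Here is what the Diskpart step looks like in practice, as an added example that is not from the original article.  It lays out the two partitions described above: a 1.5 GB active system partition that stays unencrypted and carries the boot files, and a second partition that Vista setup installs to and BitLocker later encrypts.  The disk number, the temporary drive letters S: and W: and the volume labels are assumptions (the article itself uses D: for the system partition; Vista setup gives the partition it installs to C: regardless of the letter used here), and `clean` erases the disk, so this is for a fresh install or a blank disk.  The lines inside the here-string are the Diskpart commands themselves; at the setup command prompt, where PowerShell is not available, save them to a file and run `diskpart /s` on it.

```powershell
# Added example (not from the article): BitLocker partition layout via Diskpart.
# ASSUMPTIONS: the target disk number is correct and the disk is expendable,
# because CLEAN erases it.  S: = unencrypted active system partition (1.5 GB),
# W: = the partition Vista setup will install to and BitLocker will encrypt.
$diskNumber = 0

$diskpartScript = @"
select disk $diskNumber
clean
create partition primary size=1536
assign letter=S
active
create partition primary
assign letter=W
list partition
exit
"@

# Diskpart reads its commands from a plain ASCII file when run with /s
$scriptPath = Join-Path $env:TEMP 'bitlocker-layout.txt'
$diskpartScript | Set-Content -Path $scriptPath -Encoding ASCII
diskpart /s $scriptPath

# BitLocker requires NTFS on both partitions.  /y answers the confirmation
# prompt, /q is a quick format, /v sets the volume label.
format S: /y /q /fs:NTFS /v:System
format W: /y /q /fs:NTFS /v:Windows
```

When Vista setup then asks where to install, pick the larger partition; the 1.5 GB one must be left alone so that the boot manager has an unencrypted place to live.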

Configuring BitLocker Drive Encryption

  1. Assuming that Vista boots and you log on, this is where you find the BitLocker Drive Encryption configuration settings: Control Panel, Security, BitLocker Drive Encryption.  Now click ‘Turn On BitLocker on the operating system volume’.
  2. If your TPM (Trusted Platform Module) is not initialized, the wizard will guide you through the initialization process.
  3. Pay careful attention to the ‘Save the recovery password’ page.  Your options are:
     * Save the password on a USB drive.
     * Save the password in a folder.
     * Print the password.
     The 48-digit recovery password unlocks the volume without the TPM, so anyone holding it can read the disk.  Keep it off the encrypted drive and off the laptop altogether, and keep at least two copies in different places; if the TPM ever refuses to release the key, this password is the only way back in.
  4. You should now be on the page ‘Encrypt the selected disk volume’.  Confirm that the ‘Run BitLocker system check’ box is selected; the check restarts the computer and verifies that the TPM can release the key and that the recovery password can be read before anything is encrypted.
  5. Encryption then runs in the background.  To monitor the progress, hover the mouse over the BitLocker icon in the notification area (bottom right of the screen).
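To confirm what the wizard actually set up, here is an audit script as an added example; it is not part of the original article and not a Microsoft tool.  It reads BitLocker state through the Win32_EncryptableVolume WMI class that ships with Vista’s BitLocker, reports the protection status, encryption progress and the key protectors on every volume, and warns when a protected volume has no numerical (recovery) password protector.  It assumes an elevated PowerShell session on Vista Ultimate or Enterprise with BitLocker installed; the numeric codes are the ones documented for that class.

```powershell
# Added example (not from the article): audit BitLocker volumes and key protectors.
# Assumes an elevated PowerShell prompt on Vista Ultimate/Enterprise with BitLocker.
# The same view is available from the command line with: cscript manage-bde.wsf -status
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

function Get-ProtectorName([int]$type) {
    # KeyProtectorType values documented for Win32_EncryptableVolume
    switch ($type) {
        1 { 'TPM' }
        2 { 'External key (USB startup key)' }
        3 { 'Numerical password (48-digit recovery password)' }
        4 { 'TPM + PIN' }
        5 { 'TPM + startup key' }
        6 { 'TPM + PIN + startup key' }
        7 { 'Public key (recovery certificate)' }
        default { "Unknown ($type)" }
    }
}

function Get-ProtectionName([int]$status) {
    switch ($status) { 0 { 'Off' } 1 { 'On' } default { 'Unknown' } }
}

function Get-ConversionName([int]$status) {
    switch ($status) {
        0 { 'Fully decrypted' }      1 { 'Fully encrypted' }
        2 { 'Encryption in progress' } 3 { 'Decryption in progress' }
        4 { 'Encryption paused' }    5 { 'Decryption paused' }
        default { 'Unknown' }
    }
}

$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $protection = $vol.GetProtectionStatus().ProtectionStatus
    $conversion = $vol.GetConversionStatus()

    # 0 = every protector type; a fully decrypted volume may have none at all
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @()
    foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }

    $protName = Get-ProtectionName $protection
    $convName = Get-ConversionName $conversion.ConversionStatus
    Write-Host "$($vol.DriveLetter) protection=$protName state=$convName ($($conversion.EncryptionPercentage)% encrypted)"
    foreach ($t in $types) { Write-Host ('    protector: ' + (Get-ProtectorName $t)) }

    # A protected volume with no recovery password means a failed TPM check
    # (BIOS update, board swap, boot from another disk) locks you out for good.
    if ($protection -eq 1 -and $types -notcontains 3) {
        Write-Warning "$($vol.DriveLetter) is protected but has no recovery password protector."
    }
}
```

On a freshly configured Vista laptop the operating system volume should show protection On, a TPM protector and a numerical password protector; if the numerical password is missing, add one before relying on the encryption.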

SOKB – Secure Online Key Backup

The idea is to use Secure Online Key Backup to protect both BitLocker’s recovery password and your recovery certificate for the Encrypting File System.  I like the idea of backing up important files to storage areas on the internet.  SOKB takes this concept one stage further by connecting to a secure Microsoft web site called Digital Locker.  The benefit is that if you lost these keys and the certificate, you could download them from Microsoft’s Digital Locker site.


EFS (Encrypting File System)

In addition to BitLocker’s security, Microsoft has enhanced EFS (Encrypting File System) in the Ultimate, Business and Enterprise editions of Vista.  For example, the page file can now be encrypted, and EFS user keys and recovery keys can be stored on smart cards instead of on the disk.  Remember that EFS encrypts individual files for individual users and does nothing for the system files, whereas BitLocker encrypts the whole volume; the two complement each other rather than compete.

BitLocker and Vista SP1

Vista Service Pack 1 (SP1) brought enhancements to the BitLocker feature, and Microsoft also made three new tools available for its management and repair.

Though BitLocker can be used with or without a Trusted Platform Module (TPM) chip, TPM offers an additional level of security and is the preferred way to use BitLocker in Vista or Windows Server 2008.

In our scenario, we’ll assume that you have a Vista laptop with a TPM chip installed on the motherboard. In order to get BitLocker working, you’ll first need to configure the TPM settings in the laptop’s BIOS, and then configure BitLocker in the OS.

TPM is a microchip that supports several advanced security features, such as storing encryption keys, digital certificates and passwords. The BitLocker feature in Vista works with the TPM chip. Depending on your BIOS and manufacturer, TPM Security may be set to OFF in the BIOS by default, meaning TPM can’t be used.  More specifically, there were two settings for TPM in the BIOS on my computer — TPM Security and TPM Activation — and they were both turned off by default.

Enabling TPM Security is very simple: Go into BIOS and set it to ON. To turn on TPM Activation, you first need to set TPM Security to ON, save the changes in the BIOS setup, reboot the computer, and then return to the BIOS setup to activate TPM.

Once this is done, you’re ready to configure BitLocker in the OS.

BitLocker OS Requirements

Before you get started, make sure that your computer meets the minimum system requirements for BitLocker:

You need two partitions, one for the system volume (e.g., Drive D) and one for the OS volume (e.g., Drive C).
  * The system partition (Drive D) is unencrypted and the OS volume (Drive C) is encrypted.
  * The system partition (Drive D) is at least 1.5 GB and is set as the active partition.
  * Both partitions are formatted NTFS.
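The BIOS settings and partition requirements above can be checked from inside Windows before you open the BitLocker wizard.  The following pre-flight script is an added example, not from the original article or from Microsoft: it asks the Win32_Tpm WMI class whether the TPM is visible, enabled, activated and owned (mirroring the TPM Security and TPM Activation BIOS settings), then checks that the disk Windows booted from carries one active partition of at least 1.5 GB.  It assumes an elevated PowerShell session on Vista and that the boot disk is disk 0; the TPM namespace only exists once the TPM is switched on in the BIOS and Windows has loaded its driver.

```powershell
# Added example (not from the article): pre-flight check before turning on BitLocker.
# ASSUMPTIONS: elevated PowerShell on Vista; the disk Windows boots from is disk 0.

function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        Write-Warning 'No TPM visible to Windows: set TPM Security, then TPM Activation, to ON in the BIOS (or plan on a USB startup key).'
        return $false
    }
    # Each Win32_Tpm query method returns its answer as an out-parameter of the same name
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Host "TPM enabled=$enabled activated=$activated owned=$owned"
    if (-not $owned) {
        Write-Host 'TPM is not owned yet; the BitLocker wizard will initialize it for you.'
    }
    return ($enabled -and $activated)
}

function Test-SystemPartition {
    # BootPartition is the MBR "active" flag; restrict to the assumed boot disk
    $active = @(Get-WmiObject Win32_DiskPartition | Where-Object { $_.BootPartition -and $_.DiskIndex -eq 0 })
    if ($active.Count -ne 1) {
        Write-Warning "Expected one active partition on disk 0, found $($active.Count)."
        return $false
    }
    $part = $active[0]

    # Follow the association to the logical disk to learn the drive letter, if any
    $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    $logical = Get-WmiObject -Query $query
    $letter = '(no letter)'
    if ($logical) { $letter = $logical.DeviceID }
    Write-Host ("Active partition: {0} -> {1}, {2:N0} MB" -f $part.DeviceID, $letter, ($part.Size / 1MB))

    # Allow a little slack below 1.5 GB for partition alignment rounding
    if ($part.Size -lt (1.5GB - 16MB)) {
        Write-Warning 'Active partition is smaller than 1.5 GB; run the BitLocker Drive Preparation Tool first.'
        return $false
    }
    return $true
}

$tpmReady       = Test-TpmReady
$partitionReady = Test-SystemPartition
if ($tpmReady -and $partitionReady) {
    Write-Host 'Ready: Control Panel > Security > BitLocker Drive Encryption > Turn On BitLocker.'
} else {
    Write-Host 'Not ready: fix the warnings above before turning on BitLocker.'
}
```

If the TPM shows enabled but not activated, that matches the two-step BIOS sequence described earlier: TPM Security must be switched on and the machine rebooted before TPM Activation can be set.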

Conclusion: BitLocker Drive Encryption

As a result of the above BitLocker procedures, the operating system volume is encrypted and a recovery password exists.  Day to day you will not notice BitLocker Drive Encryption at all.  The only time you see it is when the TPM’s measurements no longer match what it recorded: for example after changes to key boot files, a BIOS update, or when someone tries to start the computer from another disk.  In that case you will see the recovery mode interface, waiting for the recovery password before Windows will start.
