One of the reasons I run Windows 7 Ultimate edition on my netbook is to take advantage of features like BitLocker. For those who are not aware of this technology, BitLocker has offered whole drive encryption for fixed hard disks since Windows Vista but Windows 7 also includes encryption capabilities for removable devices (BitLocker To Go).
Even though I don’t keep much data on my netbook, it’s exactly the sort of device that’s likely to be lost or stolen and it seems like a perfect candidate for data encryption – although my main concern was that I might encrypt the device and then lock myself out (and I’m not the only one who’s had those concerns). Luckily there are options for key recovery – ranging from storing a copy of the key in a file or in Active Directory (not applicable for me as my netbook is not domain-joined) to the most basic printing the key on a piece of paper and keeping it in a safe place (i.e. not the carry case for my computer!).
So, armed with the knowledge that I had backed up all my critical data, just in case something went wrong, last weekend I “BitLockered” my netbook and I’m pleased to say it was really straightforward (especially as Windows 7 creates the necessary drive partition at install-time). It would have been even easier if my computer had a trusted platform module (TPM) chip but, even so, Windows can be configured to allow encryption without a TPM – I just need to supply a startup key when I turn the computer on – in this case I used a small capacity USB thumb drive to store the key, then remove it from the computer after the drive has been unlocked. In effect, I can only start (or resume) the computer with that USB “key” – or enter the recovery key to disable the encryption entirely.
There are two common ways to allow Windows to use BitLocker without a TPM: one involves editing the Local Security Policy and the other uses a few registry tweaks, which is the one I chose:
Windows Registry Editor Version 5.00

; Save as a .reg file and import it from an elevated prompt (straight quotes are
; required; curly quotes will make the import fail).
; UseAdvancedStartup and EnableBDEWithNoTPM let BitLocker protect the OS drive on a
; machine without a TPM; for the UseTPM* values, 2 means "allow" (1 = require, 0 = do not allow).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"UseAdvancedStartup"=dword:00000001
"EnableBDEWithNoTPM"=dword:00000001
"UseTPM"=dword:00000002
"UseTPMPIN"=dword:00000002
"UseTPMKey"=dword:00000002
"UseTPMKeyPIN"=dword:00000002
To revert to the default settings, use a .reg file with the following contents:
Windows Registry Editor Version 5.00

; A value of "-" deletes the entry, so the policy falls back to its default (TPM required).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"UseAdvancedStartup"=-
"EnableBDEWithNoTPM"=-
"UseTPM"=-
"UseTPMPIN"=-
"UseTPMKey"=-
"UseTPMKeyPIN"=-
Then, using Windows Explorer, right-click the drive you want to encrypt, select the option to turn on BitLocker, and follow the wizard. Make sure you store a copy of the recovery key, as it will be required to recover the data on a BitLocker-protected drive.
It took a while for my drive to encrypt and, despite almost every reference for this that I’ve seen saying that a dialogue box will be presented showing encryption progress, I didn’t see this – all I saw was that the drive was almost full and lots of hard drive activity, then I got my free space back and the icon for the drive had a padlock and a key on it. Now, if I right click the drive there are options to manage BitLocker, including duplicating the startup key and saving/printing a new copy of the recovery key.
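Because the progress dialog may never appear and the drive is only as recoverable as the protectors that were actually created, it is worth checking the result from the command line. The following PowerShell script is an added example (not part of the original post): it compares the FVE policy values set above against what is in the registry, then parses the text output of manage-bde -status to report encryption progress and which key protectors exist. The function names, and the assumption that manage-bde prints "Percentage Encrypted:", "Protection Status:" and a "Key Protectors:" section listing "External Key" (the USB startup key) and "Numerical Password" (the 48-digit recovery key), are this example's own; run it from an elevated prompt.

```powershell
# Added example: verify the TPM-less BitLocker policy and the drive's protectors.
# Assumes manage-bde.exe is available (Windows 7 Ultimate/Enterprise) and an elevated shell.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values from the registry tweak above: 1 = enabled; 2 = "allow" for the TPM options.
$ExpectedPolicy = @{
    'UseAdvancedStartup' = 1
    'EnableBDEWithNoTPM' = 1
    'UseTPM'             = 2
    'UseTPMPIN'          = 2
    'UseTPMKey'          = 2
    'UseTPMKeyPIN'       = 2
}

function Test-NoTpmPolicy {
    # Returns $true only when every expected value is present and matches.
    $props = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    $allMatch = $true
    foreach ($name in $ExpectedPolicy.Keys) {
        $actual = $null
        if ($props -ne $null) { $actual = $props.$name }
        if ($actual -ne $ExpectedPolicy[$name]) {
            $shown = if ($actual -eq $null) { '<missing>' } else { $actual }
            Write-Warning ('{0}: expected {1}, found {2}' -f $name, $ExpectedPolicy[$name], $shown)
            $allMatch = $false
        }
    }
    return $allMatch
}

function Get-BdeSummary {
    param([string]$Drive = 'C:')
    # Parses manage-bde -status text. The field names are what the tool prints;
    # treating "Key Protectors:" as the final, indented section is this example's assumption.
    $lines = & manage-bde.exe -status $Drive 2>&1 | ForEach-Object { $_.ToString() }
    $summary = @{
        Drive            = $Drive
        PercentEncrypted = $null
        ProtectionStatus = $null
        KeyProtectors    = @()
    }
    $inProtectors = $false
    foreach ($line in $lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^Percentage Encrypted:\s*(.+)$') { $summary.PercentEncrypted = $matches[1]; continue }
        if ($trimmed -match '^Protection Status:\s*(.+)$')    { $summary.ProtectionStatus = $matches[1]; continue }
        if ($trimmed -match '^Key Protectors:')               { $inProtectors = $true; continue }
        if ($inProtectors) {
            if ($trimmed -eq '') { $inProtectors = $false }
            else { $summary.KeyProtectors += $trimmed }
        }
    }
    return $summary
}

function Test-RecoverableSetup {
    param([string]$Drive = 'C:')
    # A USB startup key alone is a single point of failure: lose the thumb drive and
    # the data is gone unless a Numerical Password (recovery key) protector also exists.
    $s = Get-BdeSummary -Drive $Drive
    $hasRecovery = @($s.KeyProtectors -match 'Numerical Password').Count -gt 0
    $hasStartup  = @($s.KeyProtectors -match 'External Key').Count -gt 0

    Write-Host ('{0} encrypted: {1}; protection: {2}' -f $s.Drive, $s.PercentEncrypted, $s.ProtectionStatus)
    Write-Host ('Key protectors: {0}' -f ($s.KeyProtectors -join ', '))
    if (-not $hasStartup)  { Write-Warning 'No External Key protector: the USB startup key has not been set up.' }
    if (-not $hasRecovery) { Write-Warning 'No Numerical Password protector: there is no recovery key to fall back on.' }
    return ($hasStartup -and $hasRecovery)
}

if (-not (Test-NoTpmPolicy)) {
    Write-Warning 'TPM-less startup policy is not in place; the BitLocker wizard will insist on a TPM.'
}
Test-RecoverableSetup -Drive 'C:'
```

If Percentage Encrypted is below 100% the conversion is still running in the background, which matches the "disk almost full, lots of activity" symptom above; manage-bde -status can be re-run at any time to watch it without the dialog.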
All in all, it was pretty painless and I haven’t noticed any performance degradation but if someone does take a fancy to my netbook, they won’t be able to access the data on it.
For more information, see the Windows BitLocker Drive Encryption Step-by-Step Guide on the Microsoft TechNet website and the BitLocker drive encryption team blog (although that hasn’t been updated in a while). Michael Pietroforte has also compared BitLocker with TrueCrypt, concluding that TrueCrypt lets you choose your own recovery passphrase; however BitLocker can be managed with Group Policy and the keys can be stored in Active Directory Domain Services. There’s more information on storing BitLocker keys in Active Directory on the TechNet website (domain controllers must be running Windows Server 2003 SP1 or higher and schema extensions are required).
You might not have seen the encryption progress because of the Windows 7 “hidden icons” feature in the system tray. I did this to my laptop a few weeks ago, also with no TPM chip, and the progress dialog was definitely there, I just had to click the systray icon to get to it.
To be honest, having to use a USB key to start the laptop (or even restart it) was a major pain for me. Last week I turned off BitLocker again – the major reason actually being the extra heat that my laptop generated with BitLocker enabled – it was burning my knees!
I’ll be interested to hear what your experiences are with BitLocker too. Love your blog, keep up the good work!
Just done the same with my new laptop – the progress bar appeared for me until I did my first reboot, then it carried on silently in the background. I couldn’t find an obvious way to ‘reshow’ the progress bar whilst encryption was continuing (though the 5GB free on a 300+GB drive was a good indication it was in progress!).
@NiXC and @David Saxon – glad it wasn’t just me.
Thanks for the tip Nick – I’ll check that out when I repeat this on my work machine (which I think does have a TPM).
Most of the time the information on a notebook is not what’s used, but just to sell the notebook.
Have you considered just using EFS to encrypt sensitive data? What I do is back up my active data and archive data to a TrueCrypt volume stored in my Dropbox folder. That gives me easily recoverable copies of my data in case the netbook is stolen.
Then I encrypt just “my documents” and “desktop” folders with EFS. It makes that data useless if the Netbook is stolen without creating too much CPU overhead when I use it.
Yeah, EFS could do it, but seems like old technology and (probably because I don’t know anyone using it), I assume it’s not as secure…
…I have nothing to base that on, mind you. So happy to be educated!
Even though I use TrueCrypt and not BitLocker, I am very glad that Microsoft decided to deploy a very robust information security control to consumers. In this way it pushes its clients to consider encrypting their devices. Thanks for the post!