The loss or theft of a laptop is an all-too-frequent occurrence. Whether it’s swiped from the trunk of a car, absentmindedly left in the back seat of a cab, or vanishes amidst the confusion of a busy airport security check-in, it usually means that an expensive piece of equipment will never be seen again.
But the value of the hardware may pale in comparison to that of the data that resides on it, especially if the data’s of a sensitive nature, such as confidential company plans or client contact information. If your laptop’s running either the Ultimate or Enterprise editions of Windows 7 or Windows Vista, you can take advantage of the BitLocker feature to encrypt the hard drive via 128-bit AES, ensuring that even if the laptop is lost or stolen, valuable data will be safe from prying eyes.
In contrast to Windows Encrypting File System (EFS), which encrypts individual files and folders, BitLocker encrypts the entire hard drive: the operating system (including the hibernation and paging files) along with all applications and data. As a result, it provides a level of protection far beyond what you get from standard Windows account authentication or NTFS file permissions.
Before attempting to activate BitLocker, it’s important to determine whether your laptop has an integrated Trusted Platform Module (TPM), which is available on various business-focused laptops from vendors like Dell, HP, Lenovo, and others. Having a TPM-equipped laptop maximizes security by eliminating the possibility that someone might suss out a BitLocker encryption key by attempting to circumvent the Windows boot process (e.g. by accessing the hard drive via specialized utilities and/or from another computer).
You can still use BitLocker if your system lacks a TPM, but you’ll need a USB storage device to hold the encryption key. This storage device will act as a startup token, so Windows won’t start without it. If you do have a TPM, it will securely store the encryption key for you.
Turning it on
If you don’t have a TPM, Windows 7 won’t let you turn BitLocker on until you first make a modification via the system’s Local Group Policy Editor. To do so, run gpedit.msc from the Start menu and navigate to Computer configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives. Then select Require additional authentication at startup, click Enabled, and make sure Allow BitLocker without a compatible TPM is checked.
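The two prerequisites above (a usable TPM, or failing that the no-TPM policy) can be checked from the command line before you touch the wizard. The following script is an added example written for this page, not code from the article or from Microsoft; it queries the Win32_Tpm WMI class and, as an assumption, treats the Group Policy setting described above as the registry values UseAdvancedStartup and EnableBDEWithNoTPM under HKLM\SOFTWARE\Policies\Microsoft\FVE. It uses Get-WmiObject so that it runs on the PowerShell 2.0 that ships with Windows 7, and must be run from an elevated prompt.

```powershell
# Added example (not from the article): report whether this laptop has a usable TPM
# and whether the "Allow BitLocker without a compatible TPM" policy is in effect.
# Uses Get-WmiObject (PowerShell 2.0 on Windows 7). Run from an elevated prompt.

function Get-TpmState {
    # Win32_Tpm lives in its own WMI namespace and has no instances when no TPM exists.
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                             -Class Win32_Tpm -ErrorAction Stop
    } catch {
        $tpm = $null
    }
    if ($tpm -eq $null) {
        return New-Object PSObject -Property @{
            Present = $false; Enabled = $false; Activated = $false; Owned = $false
        }
    }
    # Each Is* method returns an object whose same-named property holds the boolean.
    New-Object PSObject -Property @{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
    }
}

function Test-NoTpmPolicy {
    # Assumption: the "Require additional authentication at startup" policy is stored as
    # UseAdvancedStartup=1 and EnableBDEWithNoTPM=1 under the FVE policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

$state = Get-TpmState
if ($state.Present -and $state.Enabled -and $state.Activated) {
    Write-Output 'TPM present, enabled and activated: BitLocker can keep the key in the TPM.'
} elseif ($state.Present) {
    Write-Output 'TPM present but not enabled/activated: the BitLocker wizard will reboot to enable it.'
} elseif (Test-NoTpmPolicy) {
    Write-Output 'No TPM, but the no-TPM policy is set: BitLocker will require a USB startup key.'
} else {
    Write-Output 'No TPM and policy not set: enable "Allow BitLocker without a compatible TPM" in gpedit.msc first.'
}
```

If the policy check comes back false after you have edited it in gpedit.msc, run gpupdate /force or reboot so the local policy is written to the registry before re-checking.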
BitLocker requires that your laptop’s hard drive be divided into two partitions: a system partition and an operating system partition. The latter is the one that gets encrypted, while the former holds the boot files and remains unencrypted so the computer can start. You don’t need to deal with partitioning your drive for BitLocker in Windows 7; when you enable BitLocker, a 100 MB system partition is automatically carved out. (This partition is hidden from normal view; it doesn’t get a drive letter in order to discourage you from inadvertently saving data there.)
(Please note that the following steps pertain to enabling BitLocker in Windows 7; see the end of this section for information on how the process differs in Vista.)
To get started with BitLocker, open Windows Explorer, right-click the drive Windows is installed on, and select the Turn on BitLocker option to start the wizard. If your laptop has a TPM, the system will need to reboot to activate it. When the system restarts, you’ll be asked to confirm that you want to enable the TPM, and when Windows loads the BitLocker wizard will resume from where it left off. If there’s no TPM, you can select the Require a Startup key at every startup option.
Next you’ll need to save a recovery key, which will be necessary to access your system in the event BitLocker locks your hard drive (or in case of a problem). You can print the recovery key, save it to a file, or if you’re using a USB startup key, save it onto a USB drive, as well. (Needless to say, if storing startup and recovery keys on USB drives, don’t keep them with the computer.) Of course, you won’t be allowed to save the recovery key onto the drive you’re encrypting.
Before the encryption process starts, you have the option to run a system check that will first confirm the keys are working. The process takes a while and it involves a reboot, but it’s a very good idea to run it. After the system restarts, BitLocker’s tray icon will let you know that encryption has begun and you can click it for status. The encryption process can take several hours depending on how much data is on your hard drive, but you can continue to work during encryption (albeit with system performance taking a bit of a hit). When BitLocker’s encryption is complete, the system will run exactly as it did before, though you’ll see a padlock and key added to the drive’s icon in Windows Explorer.
Note that if your system has more than one disk partition (not including the special system partition created when BitLocker was activated), they are not encrypted when you enable BitLocker on the Windows drive. Rather, you need to turn BitLocker on separately for each individual partition or drive you want to encrypt. Also, once you’ve got BitLocker up and running, it’s best to avoid using Sleep mode when your laptop’s not in use because this leaves the encryption key active in memory and thus somewhat vulnerable. Instead, hibernate the notebook (remember, the hibernation file is encrypted).
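Because encryption can run for hours and other partitions are left alone, it is worth auditing the result rather than trusting the padlock icon. The script below is an added example for this page (not the article's or Microsoft's code): it reads every volume from the Win32_EncryptableVolume WMI class, which is the provider behind manage-bde and the control panel, prints its protection state, conversion progress and cipher (so you can confirm the 128-bit AES mentioned earlier), and warns about any volume that is not protected. Removable drives encrypted with BitLocker to Go appear in the same list. As an assumption, it also checks the HibernateEnabled registry value that powercfg maintains, to back the sleep-versus-hibernate advice above. PowerShell 2.0 compatible; run elevated.

```powershell
# Added example (not from the article): audit BitLocker state on every volume and warn
# about unprotected ones. Uses Win32_EncryptableVolume via Get-WmiObject (PowerShell 2.0).

# Numeric codes returned by the provider, mapped to readable names.
$ProtectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$ConversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$MethodNames     = @{ 0 = 'None'; 1 = 'AES128+Diffuser'; 2 = 'AES256+Diffuser';
                      3 = 'AES128'; 4 = 'AES256' }

function Get-BitLockerVolumeState {
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $conv = $_.GetConversionStatus()   # returns ConversionStatus and EncryptionPercentage
        $meth = $_.GetEncryptionMethod()   # returns EncryptionMethod code
        New-Object PSObject -Property @{
            Drive      = $_.DriveLetter
            Protection = $ProtectionNames[[int]$_.ProtectionStatus]
            Conversion = $ConversionNames[[int]$conv.ConversionStatus]
            Percent    = [int]$conv.EncryptionPercentage
            Method     = $MethodNames[[int]$meth.EncryptionMethod]
        }
    }
}

function Test-HibernationEnabled {
    # Assumption: powercfg records the hibernation switch as HibernateEnabled under this key.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                          -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.HibernateEnabled -eq 1)
}

$volumes = @(Get-BitLockerVolumeState)
$volumes | Format-Table Drive, Protection, Conversion, Percent, Method -AutoSize

# Enabling BitLocker on the Windows drive does not touch other partitions; flag them.
$unprotected = @($volumes | Where-Object { $_.Protection -ne 'On' })
foreach ($v in $unprotected) {
    Write-Warning ('{0} is {1} / {2}: turn BitLocker on for it separately.' -f `
                   $v.Drive, $v.Protection, $v.Conversion)
}

if (-not (Test-HibernationEnabled)) {
    Write-Warning 'Hibernation is disabled; run "powercfg /hibernate on" so you can hibernate instead of sleeping.'
}
```

A volume that shows Protection Off but Conversion FullyEncrypted is suspended rather than unencrypted: the data is encrypted but the key protectors are disabled, which is the state described under Turning it off below.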
Earlier, we mentioned that BitLocker works somewhat differently in Windows Vista. For starters, it doesn’t automatically partition your operating system drive the way Windows 7 does, so before using BitLocker on Vista you’ll need to download and run Microsoft’s BitLocker Drive Preparation tool to do the job. Second, BitLocker in Vista can only encrypt the operating system drive. Last, but not least, Vista’s version of BitLocker doesn’t include BitLocker to Go, which brings us to our next topic…
BitLocker to Go
Available in Windows 7 only, BitLocker to Go gives you the ability to encrypt not just operating system and other fixed drives, but removable storage devices like USB flash memory and hard drives, as well.
To encrypt a removable drive using BitLocker to Go, right-click it and select Turn on BitLocker. You’ll then be prompted to create a password for drive access (or you can use a smart card and PIN if you have one configured), and save or print the recovery key prior to encrypting the drive.
Once your portable drive is secure, you’ll see the drive icon change to the padlock with key, indicating that it’s protected, but currently unlocked. When you remove and reinsert the drive, that icon will become a lock sans key and you’ll automatically be prompted to enter your password for access. (A “forgot my password” link will give you the opportunity to use your recovery key if necessary.) You can modify files or add files to a BitLocker to Go-protected drive from any system running a version of Windows 7 (not just Enterprise and Ultimate), so your secure data remains portable.
If you need to be able to access a BitLocker-to-Go-protected drive on a Vista or XP system, you can, but with a couple of caveats. First, you’ll need a separate Microsoft utility called the BitLocker to Go Reader, which you can download from Microsoft. (Note that there are four versions of the utility, reflecting the 32- and 64-bit versions of both Vista and XP.) Second, as the name “Reader” suggests, the utility will let you read the drive, but not write to it. When you open a protected drive you’ll see the BitLocker to Go Reader icon, which will prompt you for the password when you run it. Afterward, an Explorer-like interface will display the contents of the drive and let you drag an (unencrypted) copy of files or folders onto your desktop for viewing.
Turning it off
To disable BitLocker protection on either a fixed or removable drive, run Manage BitLocker from the Start menu and you’ll find a Turn off BitLocker link, as well as a Manage BitLocker option that will let you do things like save the recovery key again or change the password on a BitLocker to Go drive. For operating system drives only, you’ll see an additional Suspend Protection option. Use it before upgrading a laptop’s hardware or BIOS, as this will be construed as system tampering and cause BitLocker to lock down the drive.
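The Suspend Protection step is easy to forget before a firmware update, so here it is as a script. This is an added example for this page, not code from the article or from Microsoft: it calls the DisableKeyProtectors and EnableKeyProtectors methods of Win32_EncryptableVolume, which are what the Suspend Protection link and the manage-bde -protectors -disable / -enable commands use. Suspending leaves the data encrypted and only disables the key protectors, so the drive boots without the TPM or startup key until protection is resumed. PowerShell 2.0 compatible; run elevated.

```powershell
# Added example (not from the article): suspend and resume BitLocker protection on an
# operating system drive around a BIOS or hardware change. Uses Win32_EncryptableVolume
# via Get-WmiObject (PowerShell 2.0 on Windows 7). Run from an elevated prompt.

function Get-EncryptableVolume([string]$Drive) {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
}

function Suspend-BitLockerProtection([string]$Drive = 'C:') {
    $vol = Get-EncryptableVolume $Drive
    if ($vol -eq $null) { throw ('No BitLocker-capable volume found for {0}' -f $Drive) }
    if ($vol.ProtectionStatus -ne 1) {
        Write-Output ('{0} is not currently protected; nothing to suspend.' -f $Drive)
        return
    }
    # Key protectors off, data still encrypted: the "Suspend Protection" state.
    $r = $vol.DisableKeyProtectors()
    if ($r.ReturnValue -ne 0) {
        throw ('DisableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue)
    }
    Write-Output ('{0}: protectors disabled; data stays encrypted. Update BIOS/hardware now.' -f $Drive)
}

function Resume-BitLockerProtection([string]$Drive = 'C:') {
    $vol = Get-EncryptableVolume $Drive
    if ($vol -eq $null) { throw ('No BitLocker-capable volume found for {0}' -f $Drive) }
    $r = $vol.EnableKeyProtectors()
    if ($r.ReturnValue -ne 0) {
        throw ('EnableKeyProtectors failed: 0x{0:X8}' -f $r.ReturnValue)
    }
    # Re-read the object; the stale instance does not refresh ProtectionStatus by itself.
    $vol = Get-EncryptableVolume $Drive
    if ($vol.ProtectionStatus -eq 1) {
        Write-Output ('{0}: protection resumed.' -f $Drive)
    } else {
        Write-Warning ('{0}: protectors enabled but ProtectionStatus is {1}; check manage-bde -status.' -f `
                       $Drive, $vol.ProtectionStatus)
    }
}

# Typical sequence: Suspend-BitLockerProtection 'C:' -> flash BIOS and reboot
#                   -> Resume-BitLockerProtection 'C:'
```

Do not leave a drive suspended longer than the maintenance window needs; while protectors are disabled the volume boots without any authentication, so resume protection as soon as the new firmware has booted cleanly.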
BitLocker won’t help you recover a pilfered portable computer or hard drive, but it will help ensure that your loss is limited to the cost of the hardware.
Joseph Moran is a veteran technology writer and co-author of Getting StartED with Windows 7 from Friends of Ed.