We've done a few posts on BitLocker covering some of the more advanced features and controls. The one thing we haven't touched yet is just how easy it is to encrypt your drive with BitLocker. Before we get started on the procedure, a quick review of the startup authentication options you can choose from is in order.
- TPM Only - This is the easiest to deploy and use. Everything happens in the background, invisible to the user. The TPM releases the volume key only if the measured boot path is unchanged, so the disk is useless in another PC, but anyone who powers on the machine gets as far as the Windows logon prompt.
- Dongle Only - This is used with systems that do not have a TPM 1.2 chip. Rather than sealing the key in the TPM, it stores a startup key on a USB key which must be inserted before booting the PC.
- TPM + PIN - This is more secure. In effect it is a form of two-factor authentication: what you have (the TPM chip holding the sealed key) and what you know (the PIN).
- Dongle + PIN - This is another form of two-factor authentication, again for older systems with no TPM 1.2 chip.
Personally I prefer TPM + PIN, as I usually store my USB keys in my notebook bag. Should that bag ever get lost or stolen, whoever has it also has everything they need to boot the system (at least as far as the Windows logon prompt).
To enable the PIN or dongle options you will need to edit the local computer policy first (the "Enable advanced startup options" setting under BitLocker Drive Encryption). We already wrote about that here and here, so I won't cover it again.
To begin, the first step is to prep the drive. Prepping the drive creates a small active partition, usually assigned the letter S:, which holds the unencrypted boot files. This is easy with the BitLocker Drive Preparation Tool: on Windows Vista Ultimate it is an Ultimate Extra which you can download and install from Windows Update, and Enterprise edition users get it from the Enterprise Agreement (EA) volume licensing site. Once installed, the tool runs through the process automatically and reboots the system.
Once the drive is prepped, launch the BitLocker Drive Encryption tool by searching for "BitLocker" in the Start menu.

Next, click on "Turn On BitLocker".

Choose where to save the drive recovery password. This is crucial: you will need it if you ever have to recover the data because of a BIOS change, a failed TPM chip, a replaced motherboard, etc. I usually store one copy on a USB key and print one out and store it in a safe.

If you chose TPM + PIN you will also be asked to set the PIN. Once that is done, drive encryption begins and runs in the background. You can shut down, reboot, or keep working while BitLocker encrypts the drive. Depending on the size of the drive it can take quite a few hours.
If you chose TPM + PIN, the next time you boot you will be asked for the PIN. If you ever need to recover the data because the TPM measurements changed (e.g. the BIOS was reset or upgraded) or something happened to the TPM chip (e.g. the motherboard was damaged, or the hard drive was moved to a different PC), you will need to either insert the USB key with the recovery key on it

or press Enter and type in the recovery password that you printed out. If you do not have the recovery password there is absolutely nothing you can do. Make sure you have a copy saved in a secure location, and no, the unencrypted S: drive is not a secure location :)
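The same procedure can be scripted instead of clicked through. The following is an added example, not part of the original post: it drives BitLocker with the built-in manage-bde command (manage-bde.exe on Windows 7 and later; on Vista the equivalent is `cscript $env:SystemRoot\System32\manage-bde.wsf` with the same switches, which I am assuming here rather than having retested). It assumes an elevated PowerShell prompt, that the drive has already been prepped, that local policy already allows TPM + PIN, and that E: is a USB key; those paths and the drive letters are assumptions for the example.

```powershell
# Added example (not from the original post). Assumes Windows 7+ manage-bde.exe;
# on Vista replace "manage-bde" with "cscript $env:SystemRoot\System32\manage-bde.wsf".
# Run from an elevated prompt after the drive has been prepped and policy allows TPM+PIN.

$OsDrive     = "C:"                     # assumed: the operating system volume
$UsbKey      = "E:\"                    # assumed: a removable USB key, NOT the S: partition
$PrintoutDir = Join-Path $UsbKey "BitLocker-$env:COMPUTERNAME"

New-Item -ItemType Directory -Path $PrintoutDir -Force | Out-Null

# 1. Sanity check: confirm the volume is not already encrypted and see which protectors exist.
manage-bde -status $OsDrive

# 2. Add the 48-digit numerical recovery password and keep a copy of the output
#    on the USB key. Print this file and put the printout in a safe.
manage-bde -protectors -add $OsDrive -RecoveryPassword |
    Tee-Object -FilePath (Join-Path $PrintoutDir "recovery-password.txt")

# 3. Also write a recovery key (.BEK file) to the USB key. This is the "insert the
#    USB key" recovery path: BitLocker reads it automatically at the recovery screen.
manage-bde -protectors -add $OsDrive -RecoveryKey $UsbKey

# 4. Add the TPM + PIN startup protector. manage-bde prompts for the PIN interactively.
manage-bde -protectors -add $OsDrive -TPMAndPIN

# 5. Start encryption. By default BitLocker first reboots once to run a hardware test,
#    which is why the PIN is requested on the next boot; encryption then continues in
#    the background across further reboots and shutdowns.
manage-bde -on $OsDrive

# 6. Before relying on the recovery material, verify every protector was really added
#    and that the recovery password on the USB key matches what BitLocker reports.
manage-bde -protectors -get $OsDrive
Get-Content (Join-Path $PrintoutDir "recovery-password.txt")
```

After the test reboot, `manage-bde -status C:` shows the encryption percentage; it keeps climbing while you work. If you later need to confirm that a printed password is still valid, `manage-bde -protectors -get C:` lists the ID of each recovery password so you can match it against the printout.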
