Microsoft

Windows 7: Mobile Data Protection with Bitlocker To Go

Still looking for an easy, affordable solution for encrypting USB storage? Working on a limited budge while trying to figure out how to force encryption of mobile data? Your problems may be over if you can wait for Windows 7.

Windows 7 contains several new features, including one I'm pretty excited about: Bitlocker To Go.  Expanding the Bitlocker offering in Vista, Microsoft provides encryption support for removable USB storage—a wide channel for escaping data—on the Enterprise and Ultimate versions of its new, still in beta, OS.

Bitlocker ToGo Features Overview

Bitlocker To Go (BtG) provides a right-click selection to enable encryption, as shown in Figure 1.  The drive selected is a Lexar 512MB USB flash drive.

Figure 1

Encryption time is pretty fast, and the final result is a mobile storage device which can be accessed only with a password, passphrase, or PIN.  And access isn't limited to Windows 7 systems.

Files on a BtG protected device are not only accessible by Windows 7 systems.  They are also available using Windows XP and Vista.  Files written to the drive during the encryption (shown in Figure 2) process make this possible.  If auto-running applications when connecting a USB drive is disabled on your computer—and it very well should be—selecting the drive via Windows Explore displays the BtG application (arrow).  The files shown in this picture are only items accessible until the drive is unlocked.

Figure 2

Unlocking a BtG encrypted device on a Windows 7 system allows a user to see it as standard drive, with both read and write privileges.  However, using XP or Vista provides read only access, requiring copying a file to the local drive before access is granted.

No action is necessary to relock a drive other than removing it from the USB port.  Security managers don't have to worry about someone forgetting to lock a device or copy a file to a secure area before taking it on the road.  Further, use of BtG on any connected USB storage is controllable with group policy object settings.

So what didn't I like?  Not much, actually.  The biggest issue I had during testing was the lack of an un-encrypt function to restore the drive to an unprotected state.  It might exist, but like other functions in Windows 7 beta it might simply be in an  inconvenient (where I can easily find it) location.  Otherwise, I think this is a great new feature; one I wish was available on all versions of Windows 7 and Vista.

If you're interested in a more detailed description of how to use BtG, read on.

Setup and testing

For my test, I used a Dell desktop running Windows 7 beta (Ultimate) and a Dell laptop running Windows XP SP2.  There's nothing to download or set up to get started.  BtG is part of the standard install.

I plugged the 512MB Lexar drive into a USB port on the desktop and waited for Win7 to set it up for use.  I then brought up the drive list, right-clicked on the Lexar, and selected Turn on Bitlocker, as shown in Figure 1.

The first window to appear is shown in Figure 3.  I had a choice between using a password, a smart card, or both.  I chose password only.  The application checks the strength of the password entered.  If it doesn't meet the requirements for a strong password, you can't proceed until one is entered which does.  If in doubt, help is available in Win7 which describes what makes up an acceptable password or passphrase, as shown in Figure 4.

Figure 3

Figure 4

After entering a strong password, the drive was encrypted (less than two minutes) and I was asked how I wanted to store my unlock code.  The unlock code is used when the password or passphrase is forgotten or a smart card lost.  As shown in Figure 5, I could save it to a file or print it.  Although Microsoft recommends doing both, I opted to only store it in a text file on my desktop's local drive.  And that's it.

Figure 5

To test unlocking the drive, I removed it from the USB port, waited a second or two, and plugged it back in.  Win7 immediately saw it was a BtG enabled device, and displayed the unlock window shown in Figure 6.

Figure 6

The first time I tried this, I entered my password and the drive was instantly ready for use.  During the second test, I clicked I forgot my password which brought up the unlock key entry screen in Figure 7.

Figure 7

Note the recovery key identification code.  This is written to the drive when encrypted to identify the device.  It is also written to the text file or printed with the recovery key so you know which recovery key goes with which drive.  I copied and pasted the recovery key from the text file created earlier.  The next step provided the option of changing the password or authentication method to facilitate future access.

Since this worked flawlessly, it was time to test accessing the drive from my XP-based laptop.  Since autorun is disabled, I had to select the drive from Windows Explorer and manually run BtG, as shown in Figure 2.  This brought up the unlock window in Figure 8.

Figure 8

Note the difference between the XP unlock and the Win7 unlock shown in Figure 6.  At any time I can tell BtG on Win7 to automatically unlock my device.  This is not an option for XP.

I entered my password, and an Explorer-like window appeared telling me to copy the files I wanted to view to the local drive.  This is necessary on non-Win7 systems or the files are not accessible.  I also attempted to copy a file back to the drive without success (not a supported feature, but you never know…).

Overall, I found BtG a great addition to Windows for both individual and business users.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

Editor's Picks

Free Newsletters, In your Inbox