Last year I began my search for an encryption solution for end-user computers. I did some research on several different well-known solutions and ended up picking Mobile Armor’s Data Armor (now owned by Trend Micro). My thinking was that Trend Micro’s Anti-Virus solution integrates well with VMware, so if we changed to Trend Micro AV and used Trend Micro for encryption, we would have a more centralized administration console…eventually. I did a lot of testing and rolled it out to some other folks in our IT department and we didn’t notice any issues. However, after a few months, we started getting complaints about a fairly consistent “stutter” from several different users. After some extensive testing with support techs from Trend Micro, we were able to conclude that the issue was with their encryption software. It most likely had something to do with our use of SSDs and their software. They told me that they wouldn’t guarantee the issue would be fixed anytime soon, so I set out to find a new solution and decided on BitLocker which is integrated in Windows 7 (Enterprise and up, note…BitLocker does not work with Windows 7 Professional).
What I like about BitLocker is that is basically transparent to the user. There’s no initial login, besides the regular Windows login that all domain users have to get through anyway. There’s no concern about remote users having to sync their passwords every time they have to change them, which is great for reducing support calls. Another perk is that you can integrate it with Group Policy and Active Directory, so users are unable to change the encryption settings if you don’t want them too, and the recovery key can be automatically saved in Active Directory, making any recovery issues fairly simple to solve. By default, BitLocker uses AES 128 bit encryption, but you are able to change it to 256 bit encryption in Group Policy.
In order to turn on BitLocker, you need only right-click on the drive (the C: drive for example) and click on the Turn on BitLocker option. You may get an error and need to turn on TPM in the BIOS, and then activate TPM, which may require two restarts. After that, try to turn on BitLocker again. BitLocker will ask you to print out or save to USB the 40-digit recovery key. It will then ask you to do another restart, and then once you’re back at the desktop it will appear in the systray. You can see the status of the initial encryption by double clicking on the icon in the systray. It will encrypt in the background while you continue to work. The encryption process took about an hour on an 80GB SSD hard drive.
Now the great thing, that I mentioned earlier, is that you can save the recovery keys in Active Directory using Group Policy. I should mention that we are on a Windows 2008r2 Domain level, so there might be some extra schema configurations you need to do to make the Active Directory/Group Policy integration work, but I only needed to go into the group policy editor and configure the settings there.
1. Go to Computer Configuration>>Administrative Templates>>Windows Components and click on BitLocker Drive Encryption.
2. Double click on Store BitLocker Recovery Information in Active Directory and click Enabled. Then configure the settings as you would like.
3. Now go to Computer Configuration>>Administrative Templates>>System and click on Trusted Platform Module Services.
4. Double click on Turn on TPM Backup to Active Directory Domain Services and click Enabled.
You can now check that the recovery key is being stored in Active Directory by right-clicking on your domain in Active Directory Users and Computers and clicking on Find BitLocker Recovery Password. It will give you a window that will allow you to search for a particular computer name and find the Recovery Password associated with that computer.
As with anything there are caveats. By design, making changes to the hard drive or BIOS, as well as swapping hard drives between computers, can cause issues. If you need to make changes, you can either unencrypt the drive first and then re-encrypt when you’re done, or there is an option to input the recovery password when it presents the option after a restart and then suspend the encryption and resume again. If you would like to test recovering a computer or see more configuration options, please see this document.
I have to say that I’m very happy with BitLocker. After getting over the learning curve, I’ve basically had no issues. The employees who complained about the Trend Micro Data Armor encryption are not even aware that they now have BitLocker. In an SMB such as ours, where help desk issues can take valuable time away from other duties, it has really saved a lot of time and frustration in the long run.