Secure your USB drives with BitLocker To Go for Windows 7

Greg Shultz explores the Windows 7 version of BitLocker To Go and shows you how it works on a USB thumb drive.
This blog post was originally published in May 2009. Greg Shultz thought we should revisit the topic because encryption is generally underutilized.

When Microsoft introduced Windows Vista, one of the big security features in that operating system was BitLocker, a hard drive encryption scheme designed to protect sensitive data from being accessed on lost or stolen computers -- mainly laptops.

With the huge increase in the use of very small, large-capacity USB drives, the potential for sensitive data to be lost or stolen has become more of a problem, because it is much easier to lose or steal a device no bigger than a package of chewing gum. To protect sensitive data stored on USB drives, Microsoft Windows 7 features an encryption scheme called BitLocker To Go.

In this edition of the Windows Vista and Windows 7 Report, I'll introduce you to BitLocker To Go and show you how it works on a 1GB USB thumb drive.

How it works

Basically, BitLocker To Go allows you to encrypt a USB drive and restrict access with a password. Without the password, the USB drive is worthless. When you connect the USB drive to a Windows 7 computer, you are prompted for the password, and upon entering it you can read and write to the drive as you normally would.

During the encryption process, Windows 7 installs a special reader on the USB drive. When you connect the USB drive to a computer running XP or Vista, the BitLocker To Go Reader takes control, prompts for the password, and then basically makes the USB drive a read-only device.

BitLocker To Go can be used by both home and business users. In a Domain system, IT administrators can configure a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. Furthermore, the policy can specify password length as well as complexity.
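
To check whether a machine has actually received the policy described above, the following added example (not from the article) reads the registry values that the BitLocker Group Policy settings for removable drives write and reports any gaps. The 8-character minimum is this example's own threshold, and the function names are hypothetical.

```powershell
# Added example (not from the article): audit the removable-data-drive (RDV)
# BitLocker policy that Group Policy writes to the registry on this machine.
$DenyWriteKey  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'
$PassphraseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # $null means the value is absent, i.e. the policy is not configured
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-RdvPolicy([hashtable]$Policy, [int]$MinLength = 8) {
    # Returns one finding per gap. An empty result means the machine enforces
    # what the article describes: encrypt before write, length, complexity.
    $findings = @()
    if ($Policy.RDVDenyWriteAccess -ne 1) {
        $findings += 'Unprotected removable drives are writable (RDVDenyWriteAccess is not 1)'
    }
    if ($Policy.RDVPassphrase -ne 1) {
        $findings += 'Password policy for removable drives is not configured (RDVPassphrase is not 1)'
    } else {
        $len = $Policy.RDVPassphraseLength
        if ($null -eq $len -or $len -lt $MinLength) {
            $findings += "Minimum password length is below $MinLength (RDVPassphraseLength = $len)"
        }
        if ($Policy.RDVPassphraseComplexity -ne 1) {
            $findings += 'Password complexity is not required (RDVPassphraseComplexity is not 1)'
        }
    }
    return $findings
}

# Collect the live values; absent values stay $null and are reported as gaps
$policy = @{
    RDVDenyWriteAccess      = Get-PolicyValue $DenyWriteKey  'RDVDenyWriteAccess'
    RDVPassphrase           = Get-PolicyValue $PassphraseKey 'RDVPassphrase'
    RDVPassphraseLength     = Get-PolicyValue $PassphraseKey 'RDVPassphraseLength'
    RDVPassphraseComplexity = Get-PolicyValue $PassphraseKey 'RDVPassphraseComplexity'
}

$findings = @(Test-RdvPolicy $policy)
if ($findings.Count -eq 0) {
    'Removable-drive BitLocker policy: OK'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```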

For a comparison, check out "Product Spotlight: IronKey Encrypted Flash Drive."

Setting up a USB drive

Setting up BitLocker To Go on a USB drive is a simple procedure. Once you insert a USB drive, right-click on it and select the Turn on BitLocker command from the menu, as shown in Figure A.

Figure A

When you right-click on a USB drive in Windows 7, you'll see the Turn on BitLocker command.

As soon as you do, BitLocker To Go will begin initializing your USB drive, as shown in Figure B. The process is nondestructive, so you don't have to worry about any data that is already on the drive.

Figure B

When BitLocker To Go initializes your USB drive, you don't have to worry about any data that is already on the drive.

Once the initialization process is complete, BitLocker To Go will prompt you to set up a password that you will use to unlock the drive, as shown in Figure C. If you have a smart card, you can use its PIN to unlock the drive.

Figure C

You can use a password or a smart card to unlock a BitLocker To Go protected drive.

After you set up a password or use a smart card, BitLocker To Go will prompt you to store a recovery key, as shown in Figure D. You can use the recovery key to unlock your drive in the event that you forget the password or lose your smart card.

Figure D

To ensure that you don't lock yourself out of your drive, BitLocker To Go will create a recovery key.

When you create the password and save your recovery key, you'll be prompted to begin the encryption process, as shown in Figure E.

Figure E

You'll be prompted to begin the encryption process once you save the recovery key.

During the encryption process, you'll see a standard progress monitor that will keep you apprised of the operation, as shown in Figure F. The amount of time that it will take to complete the process will depend on how large the drive is. As you can see, there is a Pause button that will allow you to temporarily halt the process should you need to perform another task.

Figure F

A progress monitor will keep you apprised of the encryption process.

Of course, once the encryption is complete, BitLocker To Go displays a confirmation dialog box and changes the icon associated with the encrypted drive, as shown in Figure G.

Figure G

When the encryption is complete, you'll notice that the drive icon shows a lock on the drive.
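
The same setup can be scripted and then verified, which is useful when preparing several drives. This added example (not from the article) drives manage-bde.exe and the Win32_EncryptableVolume WMI class on Windows 7; the drive letter E: is an assumption, and the recovery password protector is assumed to correspond to the wizard's recovery key.

```powershell
# Added example (not from the article): the wizard steps scripted with
# manage-bde.exe and verified through WMI. Run from an elevated prompt.
param([string]$Drive = 'E:')   # assumed drive letter of the USB drive

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Only act on a removable disk (Win32_LogicalDisk DriveType 2)
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if (-not $disk -or $disk.DriveType -ne 2) { throw "$Drive is not a removable drive" }

# Figures C-E: add a password and a recovery password, then start encrypting.
# manage-bde prompts for the password and prints the 48-digit recovery
# password once; record it somewhere other than the drive itself.
& manage-bde.exe -on $Drive -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed (exit code $LASTEXITCODE)" }

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                     -Filter "DriveLetter='$Drive'"
if (-not $vol) { throw "$Drive is not visible to BitLocker" }

# Confirm both protectors exist before relying on the drive.
# Key protector types: 8 = passphrase (password), 3 = numerical password.
$required = @{ 8 = 'password'; 3 = 'recovery password' }
foreach ($type in $required.Keys) {
    $ids = $vol.GetKeyProtectors($type).VolumeKeyProtectorID
    if (-not $ids) { throw "No $($required[$type]) protector on $Drive" }
}

# Figure F: poll progress. ConversionStatus 2 = encryption in progress.
do {
    Start-Sleep -Seconds 10
    $conv = $vol.GetConversionStatus()
    Write-Host ("{0}: {1}% encrypted" -f $Drive, $conv.EncryptionPercentage)
} while ($conv.ConversionStatus -eq 2)

# Figure G: 1 = fully encrypted. Anything else (for example 4, paused)
# means the data on the drive is not yet fully protected.
if ($conv.ConversionStatus -ne 1) {
    throw "Encryption of $Drive stopped with ConversionStatus $($conv.ConversionStatus)"
}
Write-Host "$Drive is fully encrypted"
```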

Using a BitLocker To Go encrypted drive in Windows 7

When you later insert the BitLocker To Go encrypted drive in the Windows 7 system, you will immediately be prompted to enter the password, as shown in Figure H. If you wish, you can select the Show Password Characters as I Type Them check box, so that you can see the letters; otherwise, you'll see asterisks. After you type the password, you can select the Automatically Unlock on This Computer from Now On check box to store the password in Windows 7's password cache.

Figure H

When you insert the BitLocker To Go encrypted drive in a Windows 7 system, you will immediately be prompted for a password.

Once you click Unlock, you'll see an AutoPlay dialog box that prompts you to view the files or use ReadyBoost, as shown in Figure I. When you click the Open Folder to View Files button, you will be able to access the drive and its contents as you normally would.

Figure I

When the AutoPlay dialog box appears, click the Open Folder to View Files button.

Using a BitLocker To Go encrypted drive in Windows XP/Vista

When you insert the BitLocker To Go encrypted drive in a Windows XP or Vista system, you will see an AutoPlay dialog box that prompts you to install the BitLocker To Go Reader, as shown in Figure J. When you click this button, it will take just a moment to install and run the Reader.

Figure J

When you insert the BitLocker To Go encrypted drive in a Windows XP or Vista system, you will be prompted to install the BitLocker To Go Reader.

You'll then see the BitLocker To Go Reader dialog box, which will prompt you to enter your password, as shown in Figure K. Notice that the Automatically Unlock on This Computer from Now On check box is missing from this dialog box. However, the Show Password Characters check box is still available.

Figure K

BitLocker To Go Reader will prompt you to enter your password.

After you type the password and click the Unlock button, you'll see the BitLocker To Go Reader window, which essentially looks like Windows Explorer, as shown in Figure L. However, it doesn't work like Windows Explorer.

Figure L

The BitLocker To Go Reader window allows you to access files on an encrypted drive on a Windows XP or Vista system.

If you attempt to open any file by double-clicking it in the BitLocker To Go Reader window, you'll immediately be prompted to copy the file to the desktop, as shown in Figure M -- you won't be able to open the file on the USB drive.

Figure M

You cannot open files on an encrypted drive from the BitLocker To Go Reader.

If you attempt to copy a file from the computer to the BitLocker To Go Reader window, you'll immediately see the error message shown in Figure N.

Figure N

You cannot copy files to an encrypted drive from the BitLocker To Go Reader.

What's your take?

What do you think about BitLocker To Go? Will you use it when you get Windows 7? Are you using it already? As always, if you have comments or information to share about this topic, please take a moment to drop by the TechRepublic Community Forums and let us hear from you.

About

Greg Shultz is a freelance Technical Writer. Previously, he has worked as Documentation Specialist in the software industry, a Technical Support Specialist in educational industry, and a Technical Journalist in the computer publishing industry.

49 comments
chubyokagbue

I used BitLocker to lock my hard drive, but whenever I try to unlock it, it just doesn't respond. What should I do?

arax

You can combine two programs: BitLocker + Rohos Mini = double protection. As it was mentioned before, the double safety of your data can be achieved through combining the BitLocker and Rohos Mini Drive programs. You will both provide your data with double protection and create an additional secret partition on the USB disk, which will also be secured with a separate password. Double safety is a double trust. You first need to create the encrypted partition with the help of the Rohos Mini Drive utility and then, by means of BitLocker, specify an additional password for your USB flash drive. In this case you might share the BitLocker safety password with your family members, while the Rohos Disk password is to be kept only between you and the utility itself.

EduardLewis

BitLocker is a great tool but unfortunately it doesn't work with a Mac. I used TrueCrypt for a while and that was working very well for my documents. However, I also stored passwords on my TrueCrypt volume and that became a nightmare. On one occasion I was called into a meeting and forgot to close my computer. At that time someone simply went to my drive and copied the password because TrueCrypt didn't autolock. Since then I moved to a program called EncryptStick from ENC Securities (http://encryptstick.com) which combines a secure vault to protect my files and a password manager. The great thing is that it has a timeout function so if I walk away, it auto locks so that nobody can copy my passwords.

bchangwe

But a USB is meant to be read and written to. Why isn't writing to USB not available? I was about to apply BitLocker but I changed my mind after realising that I can't write the flash after encryption.

boucaria

Then I would be very inclined to go with the Ironkey USB products. There are also some USB drives that are physically sturdy (whilst I like SAN DISK, it is too easy to bend the USB contact, and then why not a lock box for the drives). Not everyone can afford an Ironkey, but if it really is worth encrypting, you might as well go the whole way.

marvin

This is the best description on how to use BitLocker I have seen. It helps to solve a security dilemma that you have with USB FOBs and drives that could get in the wrong hands.

wobblyo

Although my Windows 7 machines are all the Pro version, my boss has the Enterprise version installed. I encrypt my USB drives on that computer and then use them on my and friends' Windows 7 machines, safe in the knowledge that if I lose the USB stick, the (encrypted) contents are safe. Many people think you can only use USB encryption on the Enterprise version, but you can use it on any Windows 7 machine once it has been encrypted.

Peter Sanders

Hi Microsoft's way of getting more control of / or over your system. To help persuade the change over to their newer OS. Far too many (mostly unaware) users are becoming more and more under the control of and possible limitations of Microsoft. One flaw in this Bit Locker to Go is that you have to copy your data *OFF* the USB to use it! WHY? Can't Microsoft write their software so that **YOU** and NOT Microsoft, have control over where the data resides, I would consider some of really good third party encryption methods out there! (You can call me paranoid if you want) regards Peter

badbigdad

I wonder how a USB drive with BitLocker To Go installed would function when the drive is intended to be used as a boot device? In order for BTG to work, it would have to replace the boot record with its own code in order to start BTG when inserted. If I want to boot with a USB configured with BTG at, say, the point when a boot device is selected from a list of boot devices after the POST, it wouldn't work because BTG would not be available, would it?

mail2ri

Would have saved readers some trouble, had the writer mentioned upfront that this feature is available only on Windows 7 Professional, and Ultimate Editions only. Of course, as in most cases, there are equally good or better alternatives to this built-in Windows feature.

tech

I find it odd that the article doesn't mention you have to have Ultimate or Enterprise version to even use this (GUI) technology (which is almost the only benefit to getting Ultimate over Pro) AND that you cannot unlock the drive remotely later like Ironkey can. I think a version of something like bitlocker existed in command line form prior to the gui interface in Vista and Win7 Pro and possibly even back in XP SP3. It would be nice if some kind of "cloud" solution or group policy control could be applied to removable devices to unlock them remotely or send a poison pill later, etc. Currently I use AxCrypt to secure specific files/folders instead of entire drive. Also Bitlocker slows the drive down greatly and takes a long time to complete encryption and I've lost data to drives that have become corrupt later due to the encryption (reminder of DOS compression tools or first NTFS compression anyone?). Try encrypting a drive for storing VHDs as Microsoft training on virtualization suggests (that was a sarcastic comment unless you like losing data). Even my USB was running very slow with this encryption, but it is an extremely secure one - just not worth the problems and cost of getting a better Windows version just for this option.

ogoody50

This article fails to mention that BitLocker is only available in the Enterprise and Ultimate versions of Vista and Windows 7 and the Windows Server 2008. You will also need to purchase the Pro or Enterprise versions of Windows 8 if you want this feature.

Dreamscentral

Thanks for sharing. I will be using this from now on.

dpcmoyer

Does anyone have any information on if there is a way to read a bit locker to go encrypted drive on a Mac? From what I've seen posted elsewhere the answer is a big NO. Not even read-only.

Zubairmirza12

I have a PC running the Win7 operating system. I started BitLocker to lock one of my hard disk drives; during encryption my system went down due to a power failure. After that, when I tried to open my BitLocker-encrypted drive, it asks for the password, and after giving its password, every time I tried, it always hangs my PC. I have waited for an hour but nothing happens... If any of you know about this then please help me. Thank you.

himanshubansal84

Mistakenly, my external USB disk got disconnected while decryption was in process and now it's getting detected but not opening. Help me in this case. My critical data is lying on the disk.

rp_wood_1

First, just how strong is the encryption? Secondly, I personally still have many systems that use xp, thus this would make using the thumb drive that much more painful.

onurb_51

I have lots of USB drives, and since I do technical support and work with customers' infected PCs, I wanted a read-only USB, so all of my life-saver utilities could be protected from infections. I had no luck finding a USB with a physical "read-only" switch, like SD cards have, so I was frustrated, and didn't want an app like Kingston's, that makes a virtual CD device and so much trouble... Besides, for security, I always copied the utilities' executables to the infected computer, so it looks like BitLocker To Go could be what I was looking for.

kgunnIT

I'd have to agree with most other users...read only on machines that are not running Windows 7 just takes away the usefulness and maybe intent of using a USB drive. Sure, having the files locked and secure is nice, but not if they are read-only. Good intentions, poorly implemented by Microsoft. I will look for third-party USB encryption tools, since I do tend to lose my drives. But I really NEED to read/write my files on any machine, including Mac and Linux. Sorry MS!

steve.clark

Can I enforce this?? No USB drive attached that does not have encryption?

swohlers

Since BitLocker will only be available in two versions of Win7, and given its limited capabilities on other versions of Windows, it will become an item that is more marketing blip than something truly useful. Other freeware programs will be used for the people who currently and in the future will need to encrypt portable drives and need the ability to move between different OS platforms.

iain.obrien

I tested BitLocker To Go on my 8GB USB key and I found that once it was up and running that I ran straight into a problem. I connected the USB key into an XP machine and as soon as I tried to open the drive I was told that it needed to be formatted. I went back to Windows 7 and removed Bitlocker To Go and retrieved all my data, and removed BitLocker To Go.

toonz2

I'm glad to see it as a built-in option with Windows 7 but it will need to be 100% backwards compatible (read and write capability) with XP/Vista to satisfy the masses.

wfecng

It becomes a one-way transfer after encryption; it's a pity.

Mark W. Kaelin

I recently reviewed the USB drive encryption scheme from Ironkey that seems remarkably similar to BitLocker To Go, at least in terms of operation. Will you give BitLocker To Go a try? Do you encrypt all of your USB drives now?

wobblyo

I am a little confused here. You can read and write to an encrypted stick as long as you are using Windows 7 or (I believe) Vista.

rdrcomp

Actually, it is restricted to Win 7 Ultimate and Enterprise. Pro does not support this.

dbielaski

I had also discovered that BitLocker was limited to those particular versions of Windows when researching a possible replacement to TrueCrypt a year ago. However, I haven't found any contender to knock TrueCrypt off as reigning champ. I, too, only implement volume-based encryption to hold the relatively-small amount of data that I wish to protect (as opposed to encrypting the entire disk / partition), and find that is adequate. TrueCrypt is portable and so can travel with my flash drives (along with the encrypted containers stored on them).

tech

Yes, if power is pulled during encryption then it did not complete and your drive has to be re-encrypted. I've seen this happen before. Try formatting the drive before entering a password or google Windows "diskpart", but be careful if using diskpart, making sure you are selecting the proper drive.

iain.obrien

I've just tested Bitlocker To Go on my systems here. I have Win 7 RC on one system and XP SP3 on another system. I cannot read my data on the XP machine once BitLocker To Go was enabled. It shows up in XP as an unformatted drive.

steve6375

Is a TPM required or not? Re. USB drives with write-protect switches - try Netac, e.g. U220, U208 etc.

Greg Shultz

In a Domain system, IT administrators can configure a policy that requires users to apply BitLocker protection to removable drives before being able to write to them. Furthermore, the policy can specify password length as well as complexity.

bmcmenamy

If you have the password to decrypt the files on the drive why would they make it read only for any other OS besides Windows 7? I find myself constantly having to edit files on a USB drive. Yes I can add them from my Win7 box but then I go offsite, need to make edits and ... what do you know, you can't save any of the changes you just made. Whose brainchild was that at Microsoft? Can we take some time to think about real world applications of how people use USB drives? What does a read only tool gain you? If you have the password and can access the files to copy them then what good is the encryption doing anyways. It's not protecting the documents that are on the drive if the password is hacked. My only reasoning why they would make it read only is that someone could potentially copy a virus back onto the drive from their XP/Vista machines. But as a result you just made your USB drive unusable unless you happen to find someone that is actually running the latest greatest version of Windows. LAME

mike.motes

If I read the article right, in order to change or write files to the drive, it has to be inserted into a machine running Windows 7. It's only one way if used in a machine running XP/Vista.

mike.motes

After having misplaced an 8GB drive, it drove home the importance of having secure storage. I now use True Crypt to protect data on all of our flash drives (and on sensitive data on the hard drives). It's open source, and you can find info about it here: www.truecrypt.org

mail2ri

Thanks @rdrcomp. I stand corrected.

rob.easton

Thanks for your post because I was doing a lot of searching to answer just that question. I work at an office and at home and the office would like the flash drive encrypted... which is fine, but if I use BitLocker at work, then my flash drive doesn't work at home. So, please know that your frustration was a benefit to me, and thanks for posting it.

Ron_007

Correct me if I'm wrong (please, tell me I'm wrong!). But as I understand it, BitLocker (and AppLocker) are limited to the Enterprise and Ultimate versions. Has BitLocker To Go been provided in the lower priced versions? If it hasn't then frankly, what use is it?

bmwpc

It appears that if I use BitLocker at home and do work (using Win 7) then come to work where we run XP, I will not be able to use, i.e. modify, add to, edit, the encrypted. What good is that? Until it's either backwards compatible or it allows me to open and use the files on ANY system or Windows version I am using, this is both a complete waste of time and may result in a loss of the data or to be unusable when the Win7 beta is withdrawn and I don't buy the released version.

stevensmj

Same scenario happened to me. I've been employing True Crypt for over a year using an encrypted container file on a USB drive for sensitive data. Can't say enough good things about True Crypt and the peace of mind it has brought.

Gisabun

I've seen a few cases where 2 [or more] Office versions can co-exist. The only exception is Outlook because of MAPI issues. "They are known for having "great" ideas and then withdrawing support for them later. " What a bad comment? Name a few of these ideas? Microsoft supports an OS for 10 years [or more]. Apple? Maybe 4-5 years. Linux? Sometimes under 2. MS Office? 10 years. The others [WordPerfect, OpenOffice, Libre Office]? Under 3.

d

BitLocker is only available to those with Ultimate or Enterprise versions. Why bother? Microsoft Office versions since 2003 can't play with each other very well with it installed. They are known for having "great" ideas and then withdrawing support for them later.

GetsuTora

I wouldn't be surprised if the AppDev team for BitLocker didn't extend it. If you look at the capability as it stands today, August 2010, you get a read-only volume for XP. If they were going to allow full functionality, I would expect to see something better than that included.

kyle.nichols

And considering how many people (like myself) did all they could to bypass Vista (and I think Microsoft knows this) then it should extend back to XP as well. I mean, it's Microsoft, can they not even get along with themselves?

Gisabun

Bitlocker to Go only for premium OSs SKUs. Of course with Win 8 there is no Ultimate. Just as dumb as not having Bitlocker for all SKUs as laptop users could use it.

Greg Shultz

At this point, it appears to be true that BitLocker and BitLocker To Go will only be available in the Enterprise and Ultimate editions of Windows 7. BitLocker technology is aimed more at the enterprise where the protection of sensitive data would be more critical than what the typical home/power users would need. For example, portable USB drives containing company secrets/social security numbers/credit card account numbers. AppLocker is a completely different animal--it is designed to prevent users from running unauthorized software and as such is definitely designed for the enterprise.

Greg Shultz

At this point, there is no clear indication that access to a BitLocker To Go encrypted device on any OS other than Windows 7 will be more than read-only. That said, I can speculate that it would seem logical that adding the BitLocker To Go enhancement/add-on to Vista that would allow both read and write would be feasible since the core BitLocker technology is already built into the operating system. However, I can't say the same for Windows XP, since mainstream support for that operating system ended April 14 2009-- security fixes for XP will run until 2014. As such, it is unlikely that XP will ever be able to do more than read data from a BitLocker To Go encrypted device.

Craig_B

This is to encourage everyone to upgrade to Windows 7, since that's the only way you write data. Use TrueCrypt; it's free, it's open source, it works!