This article is also available as a PDF download and a gallery.

Windows Vista offers BitLocker, a new data protection feature that does volume-level
encryption on your hard disk drive. This new feature is supported in the
Enterprise and Ultimate editions of Windows Vista to complement, and in some
cases replace,

Windows EFS (Encrypting File System)
. To learn more about the
differences between BitLocker and EFS and how they can work together, see “Prevent data theft with Windows Vista’s Encrypted File System (EFS) and BitLocker.”

In this article, I’ll show you how to enable
BitLocker, which operates only on the Boot partition, typically the
drive labeled C:. Before we start, we must meet the minimum requirements for BitLocker
encryption. There are two basic options for running BitLocker:

Option 1 Option 2
TPM 1.2 hardware module Generic USB data key *
1.5 GB NTFS Active System partition 1.5 GB NTFS Active System partition
50+ GB Boot partition ** 50+ GB Boot partition **

* Requires local or Active Directory Group Policy modification to enable.
** This isn’t officially documented anywhere I’ve seen, but I had “insufficient
space errors” for anything less than that. I’m not sure what the exact
drive size requirement is, but this seems to be what BitLocker wants in order to
avoid errors. When Microsoft confirms this issue with me, I’ll update this article.

The 1.5 GB Active System partition is where the unencrypted bare essential
bootstrap files for the Vista operating system are located. The 50+ GB
Boot partition is where Windows is installed and where your page files and
temporary files should be located, since EFS can’t protect these things but
BitLocker can.

The best way to set this up is to create a 1.5 GB partition
along with a 50+ GB partition when you first install Vista. If
you’re kicking yourself now because you’ve already installed Vista, don’t worry:
A simple utility called the BitLocker Drive Preparation Tool can automatically redo the partitions for
you. If you’ve already made
the 1.5 GB partition, you’ll still need the preparation tool to transfer the
necessary files from your Windows partition to the 1.5 GB partition. Note
that using the prep tool for the 1.5 GB partition setup might take extra time
if there’s no room to create a partition and it has to shrink your existing
partitions and move data sectors.

To get the BitLocker Drive Preparation Tool, you can go to Windows Update and
look under Vista Ultimate Extras. There, you simply check BitLocker Drive
Preparation Tool to download and install. To launch the tool, hit the
Start button and type bitl. You’ll see it pop up as
the first program, as shown in Figure A.

Figure A

This is a cool new way to launch applications by taking advantage of the
instant search feature, which can be used to launch any application. If the
first search result isn’t what you want, just arrow down to launch the desired
application. In this case, we can simply hit [Enter] right after
typing bitl because the prep tool is already highlighted. The wizard is
simple and self explanatory, and you just follow through it and let it reboot the
PC. Once rebooted, you can proceed to the next step.

Now, we must launch the Group Policy Editor. For individual home PCs or
PCs not joined to an Active Directory, this is the local Group Policy Editor.
Active Directory administrators can set this at the AD level and apply
it to an Organizational Unit or an entire AD at the global level.

To
launch the GP Editor locally, just hit Start and type gpedit.msc, as shown
in Figure B.

Figure B

Next, we have to expand our GP Editor out to the BitLocker Drive Encryption
folder, as shown in Figure C, and double-click on Control Panel Setup:
Enable Advanced Startup Options.

Figure C

Set this control to Enabled and select Allow BitLocker Without A Compatible
TPM, as shown in Figure D.

Figure D

Once you make this change, click Apply and OK. Click on Configure Encryption Method (Figure C), and you’ll see the
window shown in Figure E.

Figure E

AES 128 is considered government secret grade, and AES
256 is considered by the NSA to be

insurance against breakthroughs in Quantum Computing
. The Diffuser
acts as a mechanism that distributes your data evenly throughout the drive so
not even the data pattern on your hard drive can be seen. AES 256 bit with
Diffuser is the ultimate level of security with the maximum amount of overhead.
AES 128 without the Diffuser would be the least secure (a relative term, since it’s
still extremely secure), although it would have the least overhead.

Once you make the changes you want, hit Apply and OK and close out of
the GP Editor. You can avoid a reboot if you force your machine to update
its group policy with the command gpupdate /force, as shown in Figure
F.

Figure F

Now you’re ready to launch the BitLocker Drive Encryption tool. You can use
the same shortcut shown in Figure A, pressing the Start button on your
keyboard or desktop and typing bitl. But this time, you need to arrow down twice to select BitLocker Drive Encryption. You should then see
the screen shown in Figure G.

Figure G

Click on Turn On BitLocker, and you’ll see the screen shown in Figure
H
.

Figure H

Before you continue, insert a USB data key of any size.
Remember that this will essentially be the “ignition” key for your PC from
this point on. Once BitLocker is enabled, you won’t be able to start your PC without
this key (or some other key with a replica of the hidden information on this key).
You might want to keep this USB key on your keychain instead of in the bag with your laptop. That way, if your bag is stolen, the thief won’t have your BitLocker key, too. The key doesn’t need to remain in your
system, and it needs to be in for just a few seconds immediately after system
post before Windows boots. One of those retractable key chains would
probably be a good idea so you won’t lose your key.

The next step is to back up your password for emergency recovery using the options shown in Figure I.

Figure I

You can save the backup to the same USB drive and copy it elsewhere later.
If you try to save the password in a folder, you have to use a folder on a
volume other than the boot volume that BitLocker encrypts.
And it can’t be on the root of the volume, it must go into a folder.
Enterprises can back up BitLocker passwords through Active Directory.
Remember that the password isn’t the actual BitLocker key itself, but something
that can derive the key. Once you finish the backup, you can encrypt the drive, as shown in Figure J.

Figure J

Simply hit Continue, and BitLocker will check your system and start encrypting
your boot drive. It might take an hour or two, depending on the size of
your drive and speed of your system. Then, it will reboot and prompt you
for the USB key, if it isn’t already inserted. Once you reboot,
you’re finished; you’ve got BitLocker running.

To give you an idea of performance, I have an Intel Core 2 Duo E6400 with two
hard drives using default BitLocker 128 AES encryption on the Boot partition.
I used the second hard drive to copy a large file over to the Boot partition
that’s BitLocker-encrypted at a speed of 500 mbps disk-to-disk performance, and
both CPU cores jumped up to around 30 percent utilization. If I had copied from a
fast network source, the CPU would have most likely been around 15 percent higher
because of the TCP overhead of 500 mbps of network throughput. Most PCs will
rarely, if ever, see a data transfer load this high, since even HD video uses 10 to
24 mbps for video playback. This means BitLocker will have minimal
performance impact on a modern PC.