SolutionBase: Follow these steps to secure your hard drive with Windows Vista BitLocker

The new BitLocker data protection system in Windows Vista provides volume-level encryption you can use to secure PCs and notebooks. George Ou walks through the process of configuring BitLocker to safeguard your data.


Windows Vista offers BitLocker, a new data protection feature that does volume-level encryption on your hard disk drive. This new feature is supported in the Enterprise and Ultimate editions of Windows Vista to complement, and in some cases replace, Windows EFS (Encrypting File System). To learn more about the differences between BitLocker and EFS and how they can work together, see "Prevent data theft with Windows Vista's Encrypted File System (EFS) and BitLocker."

In this article, I'll show you how to enable BitLocker, which operates only on the Boot partition, typically the drive labeled C:. Before we start, we must meet the minimum requirements for BitLocker encryption. There are two basic options for running BitLocker:

| Option 1 | Option 2 |
|---|---|
| TPM 1.2 hardware module | Generic USB data key * |
| 1.5 GB NTFS Active System partition | 1.5 GB NTFS Active System partition |
| 50+ GB Boot partition ** | 50+ GB Boot partition ** |

* Requires local or Active Directory Group Policy modification to enable.
** This isn't officially documented anywhere I've seen, but I had "insufficient space errors" for anything less than that. I'm not sure what the exact drive size requirement is, but this seems to be what BitLocker wants in order to avoid errors. When Microsoft confirms this issue with me, I'll update this article.

The 1.5 GB Active System partition is where the unencrypted bare essential bootstrap files for the Vista operating system are located. The 50+ GB Boot partition is where Windows is installed and where your page files and temporary files should be located, since EFS can't protect these things but BitLocker can.

The best way to set this up is to create a 1.5 GB partition along with a 50+ GB partition when you first install Vista. If you're kicking yourself now because you've already installed Vista, don't worry: A simple utility called the BitLocker Drive Preparation Tool can automatically redo the partitions for you. If you've already made the 1.5 GB partition, you'll still need the preparation tool to transfer the necessary files from your Windows partition to the 1.5 GB partition. Note that using the prep tool for the 1.5 GB partition setup might take extra time if there's no room to create a partition and it has to shrink your existing partitions and move data sectors.

To get the BitLocker Drive Preparation Tool, you can go to Windows Update and look under Vista Ultimate Extras. There, you simply check BitLocker Drive Preparation Tool to download and install. To launch the tool, hit the Start button and type bitl. You'll see it pop up as the first program, as shown in Figure A.

Figure A

This is a cool new way to launch applications by taking advantage of the instant search feature, which can be used to launch any application. If the first search result isn't what you want, just arrow down to launch the desired application. In this case, we can simply hit [Enter] right after typing bitl because the prep tool is already highlighted. The wizard is simple and self-explanatory; just follow it through and let it reboot the PC. Once rebooted, you can proceed to the next step.

Now, we must launch the Group Policy Editor. For individual home PCs or PCs not joined to an Active Directory, this is the local Group Policy Editor. Active Directory administrators can set this at the AD level and apply it to an Organizational Unit or an entire AD at the global level.

To launch the GP Editor locally, just hit Start and type gpedit.msc, as shown in Figure B.

Figure B

Next, we have to expand our GP Editor out to the BitLocker Drive Encryption folder, as shown in Figure C, and double-click on Control Panel Setup: Enable Advanced Startup Options.

Figure C

Set this control to Enabled and select Allow BitLocker Without A Compatible TPM, as shown in Figure D.

Figure D

Once you make this change, click Apply and OK. Click on Configure Encryption Method (Figure C), and you'll see the window shown in Figure E.

Figure E

AES 128 is considered government secret grade, and AES 256 is considered by the NSA to be insurance against breakthroughs in quantum computing. The Diffuser acts as a mechanism that distributes your data evenly throughout the drive so not even the data pattern on your hard drive can be seen. AES 256-bit with Diffuser is the ultimate level of security with the maximum amount of overhead. AES 128 without the Diffuser would be the least secure (a relative term, since it's still extremely secure), although it would have the least overhead.

Once you make the changes you want, hit Apply and OK and close out of the GP Editor. You can avoid a reboot if you force your machine to update its group policy with the command gpupdate /force, as shown in Figure F.

Figure F

Now you're ready to launch the BitLocker Drive Encryption tool. You can use the same shortcut shown in Figure A, pressing the Start button on your keyboard or desktop and typing bitl. But this time, you need to arrow down twice to select BitLocker Drive Encryption. You should then see the screen shown in Figure G.

Figure G

Click on Turn On BitLocker, and you'll see the screen shown in Figure H.

Figure H

Before you continue, insert a USB data key of any size. Remember that this will essentially be the "ignition" key for your PC from this point on. Once BitLocker is enabled, you won't be able to start your PC without this key (or some other key with a replica of the hidden information on this key). You might want to keep this USB key on your keychain instead of in the bag with your laptop. That way, if your bag is stolen, the thief won't have your BitLocker key, too. The key doesn't need to remain in your system; it needs to be inserted for just a few seconds immediately after system POST, before Windows boots. One of those retractable key chains would probably be a good idea so you won't lose your key.

The next step is to back up your password for emergency recovery using the options shown in Figure I.

Figure I

You can save the backup to the same USB drive and copy it elsewhere later. If you try to save the password in a folder, you have to use a folder on a volume other than the boot volume that BitLocker encrypts. It also can't be saved to the root of the volume; it must go into a folder. Enterprises can back up BitLocker passwords through Active Directory. Remember that the password isn't the actual BitLocker key itself, but something that can derive the key. Once you finish the backup, you can encrypt the drive, as shown in Figure J.

Figure J

Simply hit Continue, and BitLocker will check your system and start encrypting your boot drive. It might take an hour or two, depending on the size of your drive and speed of your system. Then, it will reboot and prompt you for the USB key, if it isn't already inserted. Once you reboot, you're finished; you've got BitLocker running.
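
Once the encryption pass has finished, you can confirm the result from a script instead of the control panel. The following is an added example, not part of the original walkthrough: it queries Windows' Win32_EncryptableVolume WMI class and flags a volume that isn't fully encrypted, has protection turned off, or lacks a recovery password. It assumes PowerShell is installed, an elevated prompt, and C: as the BitLocker volume.

```powershell
# Added example: audit the BitLocker state after following the steps above.
# Run from an elevated PowerShell prompt. The drive letter is an assumption.
$drive = 'C:'
$ns    = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Value maps from the Win32_EncryptableVolume WMI provider.
$methods = @{ 0 = 'None'; 1 = 'AES 128 with Diffuser'; 2 = 'AES 256 with Diffuser';
              3 = 'AES 128'; 4 = 'AES 256' }
$kinds   = @{ 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Recovery password';
              4 = 'TPM and PIN'; 5 = 'TPM and startup key' }

$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
       Where-Object { $_.DriveLetter -eq $drive }
if (-not $vol) { throw "No BitLocker-capable volume found for $drive" }

$conv   = $vol.GetConversionStatus()                    # 1 = fully encrypted
$prot   = $vol.GetProtectionStatus().ProtectionStatus   # 1 = protection on
$method = [int]$vol.GetEncryptionMethod().EncryptionMethod

# Collect the type of every key protector on the volume (0 = all types).
# The [int] casts matter: WMI returns UInt32, the hashtable keys are Int32.
$ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
$types = @($ids | ForEach-Object { [int]$vol.GetKeyProtectorType($_).KeyProtectorType })

$findings = @()
if ($conv.ConversionStatus -ne 1) {
    $findings += "Not fully encrypted: $($conv.EncryptionPercentage)% done"
}
if ($prot -ne 1)           { $findings += 'Protection is off or unknown' }
if ($types -notcontains 3) { $findings += 'No recovery password protector' }
if (($types -notcontains 1) -and ($types -notcontains 2)) {
    $findings += 'No USB key or TPM protector for startup'
}

"Volume:     $drive"
"Encryption: $($methods[$method])"
"Protectors: " + [string]::Join(', ', @($types | ForEach-Object { $kinds[$_] }))
if ($findings.Count -eq 0) { 'Result:     OK' }
else { $findings | ForEach-Object { "FINDING:    $_" } }
```

On a machine set up with Option 2 from the table above, the protector list should show an external key and a recovery password; the encryption line should match what you chose under Configure Encryption Method.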

To give you an idea of performance, I have an Intel Core 2 Duo E6400 with two hard drives using default BitLocker 128 AES encryption on the Boot partition. I used the second hard drive to copy a large file over to the Boot partition that's BitLocker-encrypted at a speed of 500 Mbps disk-to-disk performance, and both CPU cores jumped up to around 30 percent utilization. If I had copied from a fast network source, the CPU would have most likely been around 15 percent higher because of the TCP overhead of 500 Mbps of network throughput. Most PCs will rarely, if ever, see a data transfer load this high, since even HD video uses 10 to 24 Mbps for video playback. This means BitLocker will have minimal performance impact on a modern PC.