Wednesday, 12 September 2007

Windows Vista - BitLocker caveat - Or maybe not?

Looking forward to incorporating full encryption via the new Windows Vista BitLocker Drive Encryption? We are, and so are our clients who have a huge exposure with client data on all of their laptops.

EFS was not a foolproof option. BitLocker is.

However, a little beforehand research is in order.

One needs to have at least two (2) volumes created before installing Windows Vista.

At least that is how it reads until about the middle of the Help article where it states that if you only have one volume, you can use the BitLocker Drive Preparation Tool to "help get your system ready for BitLocker by creating the required second partition".

From the Windows Vista Help for BitLocker:
Set up your hard disk for BitLocker Drive Encryption

Before you can turn on BitLocker Drive Encryption you need to make sure that your computer's hard disk has the following:

At least two volumes. If you create a new volume after you have already installed Windows, you will have to reinstall Windows before turning on BitLocker [emphasis ours].

One volume is for the operating system drive (typically drive C) that BitLocker will encrypt, and one is for the active volume, which must remain unencrypted to start the computer. The size of the active volume must be at least 1.5 gigabytes (GB). Both partitions must be formatted with the NTFS file system.

Note

The terms partition and volume are often used interchangeably. On most computers, they are the same: one partition equals one volume. On larger computer systems, however, it is possible to have a single volume span several partitions. BitLocker installs on a simple volume, where one volume equals one partition.

If you do not already have two partitions, you can use the BitLocker Drive Preparation Tool to help get your system ready for BitLocker by creating the required second partition [emphasis ours].

If you are using Windows Vista Ultimate, you can download and install the BitLocker drive preparation tool from Ultimate Extras. Download and install the Ultimate extra called BitLocker and EFS enhancements. After you have installed this tool, type BitLocker into the Start menu search box, and then double-click BitLocker Drive Preparation Tool to run the tool. After the tool runs, you must restart your computer before turning on BitLocker.

If you are using Windows Vista Enterprise, you can get the BitLocker drive preparation tool through these standard support channels:

Microsoft Volume Licensing Services

Microsoft Services Premier Support

Additional information about the BitLocker drive preparation tool is available in Knowledge base article KB# 930063.

If your computer meets these requirements, you can turn on BitLocker.

To turn on BitLocker
Click to open BitLocker.‌ If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

Click Turn on BitLocker.

Follow the instructions in the BitLocker Setup wizard.
From the above mentioned Knowledge base article:
How to obtain the BitLocker Drive Preparation Tool

Windows Vista Ultimate

If you are using Windows Vista Ultimate, follow these steps to obtain the tool:
  1. Click Start, type Windows Update in the Start Search box, and then press ENTER.
  2. Click Check for updates.
  3. Click View available Extras.
  4. Click to select the BitLocker and EFS enhancements check box, and then click Install.
We don't have a free system with a TPM at the moment. So, we won't be able to run through the setup procedure to figure out just what is up.

To the Windows Vista team that wrote this particular Help item, please clarify whether we need to have two partitions/volumes before we install the OS or not. The above Help article certainly, at least in our opinion, doesn't make things clear.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

2 comments:

Chris Knight said...

Microsoft had a really good step-by-step document for Beta 2 on the download site, which has now become a TechNet article.

This article states that the partitions are to be set up prior to Vista installation.

Also, you don't need a TPM system to use BitLocker. You can use a non-TPM system, but you need a USB thumb drive that can be accessed during the startup phase. Information can be found here.

Finally, the design and deployment guides can be downloaded here.

Philip E. said...

Chris,

Thank you for the clarification.

This looks really intriguing from the TechNet article:
Implementing BitLocker on Servers

For Windows Server 2008 servers in a shared or potentially non-secure environment, such as a branch office location, BitLocker can offer the same level of data protection that it offers on client computers. This additional feature, which is available for Windows Server 2008, enables an IT administrator to encrypt both the operating system volume and additional data volumes on the same server.

Right away, I can see some potential for reducing data liability ... but killer for a crashed hard drive or array.

Philip