Student Zine Competition 1st Place: Bitlocker

By Chris Archer, Microsoft Student Representative.

"This morning, customers of Acme Plc are being advised to ‘stay calm’ after an employee’s laptop was stolen, containing personal information on thousands..."

In an age where our lives are defined by the information others keep, we hear a story like this too frequently. Not only is information theft damaging to customers, but also to the reputation of the company.

Hopefully this type of story will be a thing of the past, thanks to Microsoft’s new drive encryption tool, BitLocker. Shipping with Windows Vista Ultimate and Enterprise, BitLocker allows the complete encryption of the Windows volume.

Expect the best, prepare for the worst

What this now means is that should someone get hold of your laptop or desktop, you can rest a little easier knowing that your data is safe from prying eyes. If you have also used the “Backup and Restore Center”, you can rest even easier knowing your data is available elsewhere.

Be aware, however, that BitLocker does not protect the entire hard drive. Only data stored on the Windows volume is encrypted, so anything on a data volume will not be protected.
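One way to check which fixed volumes are actually covered, as an added example that is not part of the original article. It queries the `Win32_EncryptableVolume` WMI class and assumes an elevated prompt with PowerShell 3.0 or later; the variable names are illustrative.

```powershell
# Requires an elevated prompt; assumes PowerShell 3.0+ (Get-CimInstance).
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Meaning of the ProtectionStatus value returned by GetProtectionStatus.
$statusText = @{ 0 = 'OFF'; 1 = 'ON'; 2 = 'UNKNOWN (volume locked)' }

# Index the volumes BitLocker knows about by drive letter.
$encryptable = @{}
Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $encryptable[$_.DriveLetter] = $_ }

# DriveType 3 = local fixed disk.
$report = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object {
        $letter = $_.DeviceID    # e.g. "C:"
        $role = if ($letter -eq $env:SystemDrive) { 'Windows volume' } else { 'Data volume' }

        if ($encryptable.ContainsKey($letter)) {
            $r = Invoke-CimMethod -InputObject $encryptable[$letter] -MethodName GetProtectionStatus
            $state = if ($r.ReturnValue -eq 0) {
                $statusText[[int]$r.ProtectionStatus]
            } else {
                'query failed (0x{0:X8})' -f $r.ReturnValue
            }
        } else {
            $state = 'not visible to BitLocker'
        }

        [pscustomobject]@{ Drive = $letter; Role = $role; BitLocker = $state }
    }

$report | Format-Table -AutoSize

# Flag every fixed volume whose contents are readable without a BitLocker key.
$exposed = $report | Where-Object { $_.BitLocker -ne 'ON' }
if ($exposed) {
    Write-Warning ('Not protected by BitLocker: ' + ($exposed.Drive -join ', '))
}
```

The small boot-file volume that BitLocker leaves unencrypted will appear in the warning if it has a drive letter; that is expected, and any other drive listed there relies on EFS or has no protection at all.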

Bring in EFS

This is where the Encrypting File System (EFS) comes into play. If the user encrypts all or some of the files on a data volume using EFS, the ‘root secrets’ of EFS are stored on the Vista volume. This means that should someone manage to break into the user’s account, the data will be decrypted. When BitLocker is enabled, however, the user’s account is protected, so all data protected by EFS is additionally protected by BitLocker.

Now even easier

Originally, BitLocker took a bit of effort to set up. You had to know what you were doing before installing Vista. Customers spoke up, and Microsoft listened, resulting in the release of the Microsoft BitLocker Drive Preparation Tool. Available right now, Vista Ultimate users can get this tool as an Ultimate Extra from the Windows Update Control Panel, while Enterprise users can open the tools page on the Microsoft premier website.

On running the tool, you are presented with a wizard. Notice the S: drive that will be created. This is a 1.5 GB volume where BitLocker stores all the boot files, as depicted in the previous illustrations. This volume remains unencrypted, so make sure you don’t store any files on it. As with any major system change, make sure you back up your data first.

Accessing a BitLocker protected system

OK. So you’ve created a BitLocker volume, and are ready to encrypt your Windows volume. You’re probably wondering how you’re going to access the system once the process has completed. Simple. You save a decryption key to a USB flash drive, or choose a passcode, which you are required to enter on every system boot. You are prompted for this choice during setup.

Failsafes

At the end of the setup, you will see a screen with options.

Should you lose your USB key or forget your passcode, you will require a BitLocker recovery password.

In the event that your Windows volume becomes corrupt and unable to boot, you will require a ‘recovery certificate’ in order to decrypt your EFS files.

You now have the option to store both of these on a free Microsoft website called Digital Locker, so that you can access them at any time from any computer connected to the Internet. So no more sticky notes under the keyboard.

One last thing

All Done? Great. You’re protected. However...

Never store your USB key in your laptop’s side pouch! This might seem obvious, but it happens.