September 24, 2009 12:00 AM

A Better BitLocker: BDE Enhancements

Windows 7 and Server 2008 R2 volume-level data encryption
Windows IT Pro
InstantDoc ID #102534

In Windows Vista and Windows Server 2008 Microsoft introduced BitLocker Drive Encryption (BDE), which offers volume-level data encryption for data stored on Windows clients and servers. BDE protects the data when the systems are offline (when the OS is shut down).

BDE also makes the OS itself more resilient in the face of attacks. When BDE is applied to the system volume, it provides a file integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker has inserted malicious code in one of the boot files or has modified one of them, BDE will detect it and block the OS from starting. This feature is available only on computer systems that have a Trusted Platform Module (TPM) 1.2 chip—a special security chip that is part of most of today’s PC motherboards.

BDE can also offer pre-OS-boot multifactor authentication. Before Windows starts, BDE can prompt users to authenticate by providing a secret key that’s stored on a USB token or by entering a PIN.

Pre-OS-boot authentication protects Windows from attacks that attempt to bypass OS-level access checks and reach the data on a Windows-protected volume by booting from a Linux CD-ROM or floppy disk. For a broader introduction to BDE, see “Vista’s BitLocker Drive Encryption”.

The Vista release of BitLocker included some important shortcomings that hindered its widespread adoption. Let’s look at how these shortcomings are addressed and the resulting BDE features in Windows 7 and Windows Server 2008 R2. (All references to BDE features in Windows 7 in this article also apply to Windows Server 2008 R2.)

Note that BDE isn’t available in all Windows 7 versions. As in Vista, BitLocker is included only in the Windows 7 Enterprise and Ultimate editions—the two versions that target high-end home and business users. However, BitLocker support is included in all Windows Server 2008 R2 editions.

Vista’s BDE Shortcomings vs. Windows 7’s BDE Features
In the Vista BDE release, only a single volume, the system boot volume, can be BDE-protected. In Vista SP1 and Server 2008, Microsoft added support for BDE protection of other volumes, including local data volumes. In Windows 7, Microsoft adds BDE support for removable data drives (memory sticks and external hard disks) in a feature that Microsoft refers to as BitLocker To Go (BTG), which I discuss later.

In the Vista BDE release, IT departments wanting to deploy BDE on their organization’s Windows desktops were forced to consider the disk partitioning of their systems during Vista deployment. This is because BDE 1.0 requires an active and dedicated volume. This volume is referred to as the BDE system volume and is labeled as the S drive. On Vista and Server 2008, Microsoft recommends that you reserve at least 1.5GB of disk space for the BDE system volume.

To ease the drive configuration when the OS is already installed, Microsoft released the BitLocker Drive Preparation Tool, which automates BDE system drive preparation. The tool automatically shrinks the C drive, creates a 1.5GB S drive, moves the boot files to it, and marks the drive as active.

The tool can be downloaded from the Microsoft download website. In Windows 7, Microsoft integrated this tool in the BDE setup.

To make using BDE easier and to completely get rid of the repartitioning, users of a newly installed Windows 7 system (not an upgrade) will notice that Windows automatically creates the separate active system partition that’s required for BDE. (This partition is also leveraged by the Windows Recovery Environment—WinRE.) Microsoft has also worked with OEMs to ensure that new computer hardware preinstalled with Windows 7 ships with drives that are already correctly partitioned for BDE.

It’s also worth pointing out that in Windows 7, the BDE partition size has been reduced to 400MB when WinRE is enabled and to 200MB without WinRE. Also, the BDE system partition is now hidden to users—it’s no longer allocated to the S drive letter.

Finally, BDE in Vista includes only a limited set of recovery features. These features let users access their data on a BDE-protected volume after a PIN loss, TPM error, or boot file modification. All recovery mechanisms are rooted in a recovery password that can be stored on a USB token, or BDE users can simply write it down or remember it.

Administrators can also use Active Directory (AD) to centrally store the BitLocker recovery information of the machines in their domain. This recovery information is attached to the AD computer account and includes the password for each BitLocker-enabled drive, the TPM owner password (if a TPM is present and used for BitLocker), and information that links the recovery information to its corresponding volume.

Windows 7 includes new Group Policy Object (GPO)–based mechanisms for BDE data recovery, which give organizations more centralized BDE data recovery management capabilities. The new GPO settings let administrators maintain access to all BitLocker-protected data located on computers in their AD domain, even if the AD computer accounts holding BitLocker recovery information are accidentally deleted.

BitLocker to Go
BitLocker To Go (BTG) is Windows 7’s most visible new BitLocker feature. You can use BTG to encrypt data on removable hard disks and USB sticks. These devices often contain confidential information and can easily be lost or stolen.

Just like BDE, BTG by default uses the AES 128-bit with Diffuser algorithm to encrypt the volume. This can be changed to AES 256-bit using a GPO setting.

As opposed to BDE, which works only with NTFS-formatted drives, BTG also works with the exFAT, FAT16, and FAT32 file systems. If you want to protect a device or drive with BTG, it must have at least 64MB of free space. The ability to encrypt a drive with BTG and to read and write data on it is available only in the Windows 7 Enterprise and Ultimate editions. From other Windows 7 editions you can unlock a BTG-protected drive and read the data on it. I will discuss this in more detail in the section on the BTG Reader further on.

You can start the BTG encryption process for a removable drive from the System and Security Control Panel applet: open the BitLocker Drive Encryption item and find the BitLocker To Go section, which Figure 1 shows. This section lists all USB sticks and external hard disks connected to your system that can be secured using BTG.

When you click Turn On BitLocker, Windows starts the BitLocker Drive Encryption wizard. The wizard first initializes the drive, then prompts you for an unlock mechanism.

You can unlock a BTG-encrypted drive by using a password, by using a secret key that’s stored on a smart card, or by using a combination of both. Then the wizard asks you to save or print the 48-digit BTG recovery key. (Note that recovery information can also be stored in AD if you enable this option in the BDE GPO settings.)

Finally, the wizard prompts you with Are you ready to encrypt this drive? Clicking Start Encrypting begins the encryption process. This is a time-consuming process: It might take hours to complete depending on the disk size and computer speed.

The good news is that, just like BDE, BTG decrypts data on the fly when you access a file on a protected disk or volume, so there is no wait once the initial encryption has finished. When you insert a BTG-protected memory stick or attach the removable hard disk, Windows 7 prompts you to type your password or insert your smart card.

You can also configure Windows 7 to automatically unlock a BTG-protected drive through the Manage BitLocker option in the drive’s context menu or in the Control Panel. From the Manage BitLocker dialog box, you can also remove or change the BTG unlock password, save or change the recovery key, or add a smart card for unlocking the BTG-protected drive.
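The cipher-strength GPO, the AD recovery-password escrow and the BTG protection status described above can all be audited from the command line. The following script is an added example, not code from the article or from Microsoft: it queries the Win32_EncryptableVolume WMI class that ships with Windows 7 and reports, for every BitLocker-capable volume, whether protection is on, which cipher is in use and whether a numerical recovery password protector exists. The required cipher value ($RequiredMethod) is an assumption; set it to whatever your GPO mandates.

```powershell
# Added example (not from the article): audit BitLocker / BitLocker To Go volumes on a Windows 7 host.
# Run from an elevated PowerShell prompt; the WMI provider refuses non-administrators.
# $RequiredMethod is an assumption: match it to the "Choose drive encryption method and cipher strength" GPO.
$RequiredMethod = 2   # 1 = AES-128 + Diffuser (default), 2 = AES-256 + Diffuser, 3 = AES-128, 4 = AES-256

$MethodNames = @{ 0 = 'Not encrypted'; 1 = 'AES-128 with Diffuser'; 2 = 'AES-256 with Diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$TypeNames   = @{ 0 = 'OS volume'; 1 = 'Fixed data volume'; 2 = 'Removable (BitLocker To Go)' }
$RecoveryPasswordProtector = 3   # key-protector type 3 = numerical (48-digit) recovery password

$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume

$volumes | ForEach-Object {
    $v        = $_
    $letter   = if ($v.DriveLetter) { $v.DriveLetter } else { $v.DeviceID }
    $type     = $TypeNames[[int]$v.VolumeType]
    $status   = $v.GetProtectionStatus().ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
    $method   = $v.GetEncryptionMethod().EncryptionMethod
    $conv     = $v.GetConversionStatus()                       # EncryptionPercentage tracks in-flight encryption
    $recovery = $v.GetKeyProtectors($RecoveryPasswordProtector).VolumeKeyProtectorID

    $findings = @()
    if ($status -ne 1) { $findings += 'protection OFF' }
    if ($method -eq 0) {
        $findings += 'not encrypted'
    } elseif ($method -ne $RequiredMethod) {
        $findings += "cipher $($MethodNames[[int]$method]) differs from policy"
    }
    if ($method -ne 0 -and $conv.EncryptionPercentage -lt 100) {
        $findings += "encryption $($conv.EncryptionPercentage)% complete"
    }
    # Without a numerical recovery password there is nothing for the AD escrow GPO to store.
    if (-not $recovery) { $findings += 'no recovery password protector (nothing to escrow in AD)' }

    New-Object PSObject -Property @{
        Drive    = $letter
        Type     = $type
        Cipher   = $MethodNames[[int]$method]
        Findings = $(if ($findings) { $findings -join '; ' } else { 'OK' })
    }
} | Format-Table Drive, Type, Cipher, Findings -AutoSize
```

A removable drive that shows "protection OFF" while fully encrypted has had its protectors suspended, which is the state Manage BitLocker leaves when you temporarily disable BitLocker rather than decrypt.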

Comments
  • Sam
    3 years ago
    Sep 30, 2009

    There would be less incentive for people to pony up for the more expensive version. The question is will large organizations and government use the technology to keep data safe. Or will we continue to see reports of millions of credit card details, welfare details, customer details lost?

  • Ed
    3 years ago
    Sep 30, 2009

    I don't see why some form of Bitlocker isn't available for the non-business line of Windows 7. It doesn't have to have all the features but the password security at the initial OS boot would be nice. After all, there are plenty of laptop purchases by consumers as well.
