September 24, 2009 12:00 AM

A Better BitLocker: BDE Enhancements

Windows 7 and Server 2008 R2 volume-level data encryption
Windows IT Pro
InstantDoc ID #102534

When you use BTG to encrypt a removable device, Windows 7 copies a utility called BitLockerToGo.exe to the device. This utility is the BTG Reader, which lets you access the protected data on the device from a Vista or XP system.

When you insert a BTG-protected USB token or attach a BTG-protected disk drive to a Vista or XP system, the BitLocker To Go Reader pops up and prompts you for the unlock password. Unlocking a BTG-protected drive with a smart card isn’t possible when using the BTG Reader from Vista or XP.

After you provide your password, the BTG Reader decrypts all content and displays it in the BTG Reader dialog box that Figure 2 shows. An important restriction is that the BTG Reader permits you only to drag files from the protected media and drop them on another location on the Vista or XP system, for example on the user desktop.

On the desktop, the files and folders are no longer encrypted and protected. Also, you can’t copy objects back to BTG-encrypted drives after you change them. Writing to BTG-protected drives is possible only from a system that runs Windows 7 Ultimate or Enterprise editions or Windows Server 2008 R2.

Microsoft put some clever software engineering behind the BTG Reader: It basically reengineered part of the BitLocker architecture to make it work with FAT volumes (FAT is the file system typically used on USB tokens). Microsoft modified the BitLocker architecture to overlay what it calls a "discovery volume" onto the original physical volume.

In the BTG Reader, this volume shows up as C_Drive. The discovery volume is created automatically when a FAT drive is encrypted; it contains the BitLocker To Go Reader and a readme file. If you want to see these files and how the encrypted information is really stored on the BTG-protected volume, look at the content of the volume from the command line using the dir /AS command (the /AS switch displays hidden system files).

Better Centralized Management
Windows 7 includes an extended set of BitLocker GPO configuration settings. To find them, open gpedit.msc, the Local Group Policy Editor. The settings are located in the GPO Administrative Templates\Windows Settings\Windows Components\BitLocker Drive Encryption container. This GPO location now holds three subcontainers that store the BDE configuration settings for fixed data drives, OS drives, and removable data drives.

The new GPO settings can control many different BDE and BTG parameters, including the use of unlock passwords and smart cards on fixed and removable data drives, and whether or not the BTG Reader is installed on removable data drives.

An interesting GPO setting is Deny write access to removable drives not protected by BitLocker. This setting lets organizations configure removable drives as Read Only unless they are secured with BTG.

You can use this setting to ensure that sensitive or confidential corporate data can’t be written to an unprotected USB token, for example when an employee accidentally inserts a token into the wrong machine.

Windows 7 BDE also includes a new data recovery agent feature that allows centralized recovery of the BDE-protected data in an organization. It can be centrally configured using a Group Policy Object (GPO) setting that can be set from the Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption GPO container.

You can define a BitLocker data recovery agent by right-clicking this container and selecting Add Data Recovery Agent, which starts the Add Recovery Agent Wizard.

The BitLocker data recovery agent GPO setting is used to distribute a data recovery agent’s public key certificate to all BitLocker-enabled Windows machines in the organization’s AD domain. To unlock access to a BitLocker (BDE or BTG)–protected volume, the data recovery agent can use the data recovery private key. This is the private key that’s linked to the recovery agent certificate and is securely stored in the recovery agent’s user profile.

This feature ensures that an organization can always get access to BitLocker-protected data, even if the BitLocker recovery information stored in an AD computer account is deleted. The BitLocker data recovery agent feature is inspired by the data recovery agent feature that Microsoft has provided for the Encrypting File System (EFS) since its release in Windows 2000.

Before you can use BDE data recovery agents, you need to ensure that the following BitLocker GPO settings are configured:

• Enable data recovery and the use of a data recovery agent, which Figure 3 shows. The GPO setting you use to do this depends on the volume type you want to secure with BDE/BTG: your options include Choose how BitLocker-protected operating system drives can be recovered; Choose how BitLocker-protected removable data drives can be recovered; or Choose how BitLocker-protected fixed data drives can be recovered.

• Define a BitLocker identification field in the GPO setting titled Provide the unique identifiers for your organization. This setting associates a unique identifier with each new drive that’s protected with BitLocker. These identifiers are required for the management of data recovery agents on BDE/BTG-protected drives.
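The following PowerShell script is an added example (not from the article) that audits, on a local machine, the Group Policy state behind the settings discussed above: the Deny write access setting, the identification field, and the per-drive-type recovery settings that allow a data recovery agent. Group Policy writes these under HKLM\SOFTWARE\Policies\Microsoft\FVE; the value names used here are assumptions taken from the BitLocker ADMX template and should be confirmed against your own VolumeEncryption.admx.

```powershell
# Added example: audit locally applied BitLocker policy values.
# Value names (RDVDenyWriteAccess, IdentificationField, OSRecovery, OSManageDRA, ...)
# are assumptions from the BitLocker ADMX template; verify them against VolumeEncryption.admx.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the setting is "Not Configured" (key or value absent).
    (Get-ItemProperty -Path $fvePolicy -Name $Name -ErrorAction SilentlyContinue).$Name
}

$report = [ordered]@{}

# "Deny write access to removable drives not protected by BitLocker"
$denyWrite = Get-FvePolicyValue 'RDVDenyWriteAccess'
$report['Deny write to unprotected removable drives'] =
    if ($denyWrite -eq 1)     { 'Enabled: unprotected removable drives mount read-only' }
    elseif ($denyWrite -eq 0) { 'Disabled' }
    else                      { 'Not configured' }

# "Provide the unique identifiers for your organization" (required for DRA management)
$idEnabled = Get-FvePolicyValue 'IdentificationField'
$report['Identification field'] =
    if ($idEnabled -eq 1) { "Enabled: '$(Get-FvePolicyValue 'IdentificationFieldString')'" }
    else                  { 'Not configured: DRAs cannot be applied to newly protected drives' }

# "Choose how BitLocker-protected ... drives can be recovered", one setting per drive type:
# OS = operating system drives, FDV = fixed data drives, RDV = removable data drives.
foreach ($prefix in 'OS', 'FDV', 'RDV') {
    $recovery = Get-FvePolicyValue "${prefix}Recovery"
    $draAllowed = Get-FvePolicyValue "${prefix}ManageDRA"
    $report["$prefix drives: recovery options"] =
        if ($recovery -ne 1)      { 'Not configured' }
        elseif ($draAllowed -eq 1) { 'Configured, data recovery agent allowed' }
        else                       { 'Configured, data recovery agent NOT allowed' }
}

$report.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```

Run this on a domain-joined Windows 7 machine after a gpupdate to confirm the settings actually reached the client before relying on the recovery agent.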

In addition to the GPO and GUI management changes I mentioned, Microsoft also extended the capabilities of the manage-bde command-line utility and the Windows Management Instrumentation (WMI) provider for BitLocker. Both the command-line and WMI management interfaces now offer more complete BDE management options than in previous Windows versions.
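As an added example (not from the article), this PowerShell script uses the BitLocker WMI provider's Win32_EncryptableVolume class to report each volume's protection status and key protectors, and flags volumes that carry no certificate-based protector, which is the protector type a data recovery agent relies on. The protector type codes are those documented for the GetKeyProtectorType method; the mapping of type 7 to certificate-based protectors is an assumption to verify against the provider documentation for your Windows version.

```powershell
# Added example: inventory BitLocker volumes through the WMI provider (run elevated).
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Protector type codes returned by GetKeyProtectorType (assumed per provider documentation).
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
    4 = 'TPM+PIN'; 5 = 'TPM+Startup key'; 6 = 'TPM+PIN+Startup key'
    7 = 'Public key (certificate, used by data recovery agents)'; 8 = 'Passphrase'
}
$statusNames = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }

Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
    $vol = $_
    $status = $vol.GetProtectionStatus().ProtectionStatus
    # Argument 0 asks for protectors of every type.
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID

    $types = foreach ($id in $ids) {
        $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        if ($protectorNames.ContainsKey($t)) { $protectorNames[$t] } else { "Type $t" }
    }

    [pscustomobject]@{
        Drive      = $vol.DriveLetter
        Protection = $statusNames[[int]$status]
        Protectors = ($types -join ', ')
        # A protected volume without a certificate protector cannot be unlocked by the DRA.
        DraPresent = [bool]($types -contains $protectorNames[7])
    }
} | Format-Table -AutoSize
```

Compare the output with manage-bde -status and manage-bde -protectors -get <drive> to confirm the recovery agent protector was applied after the GPO took effect.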

A Better BitLocker Experience
The new BitLocker features in Windows 7 and Windows Server 2008 R2 focus on providing a better user and administration experience than in the Vista version.

Microsoft added some important features that were missing in the Vista release of BitLocker 1.0, such as removable drive support and better management and recovery support, which make it considerably more useful. If you are considering upgrading to Windows 7, I strongly advise you to leverage BitLocker from day one.

Comments
  • Sam, Sep 30, 2009

    There would be less incentive for people to pony up for the more expensive version. The question is will large organizations and government use the technology to keep data safe. Or will we continue to see reports of millions of credit card details, welfare details, customer details lost?

  • Ed, Sep 30, 2009

    I don't see why some form of BitLocker isn't available for the non-business line of Windows 7. It doesn't have to have all the features, but the password security at the initial OS boot would be nice. After all, there are plenty of laptop purchases by consumers as well.
