Skip the navigation

Review: 3 encryption apps keep your data safe

By Frank Ohlhorst
February 9, 2010 06:00 AM ET

BitLocker

First, the good news — BitLocker is free and does most everything a user could want. However, there's a catch: The full BitLocker product is only available with the Windows 7 Ultimate and Enterprise editions (or the Vista Enterprise and Ultimate editions), versions that are rarely installed on netbooks and seldom on notebooks. In addition, the Vista version of BitLocker lacks the ability to encrypt removable media, a very important feature now that USB key drives and external hard drives are common.

I looked at the BitLocker application included with Windows 7, which is broken down into two services: BitLocker, which works with hard drive partitions, and BitLocker to Go, which is meant for removable media.

BitLocker uses the AES encryption algorithm in cyber-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.

At a Glance

BitLocker
Microsoft
Price: Free (with Windows 7 Ultimate and Enterprise editions or Vista Enterprise and Ultimate editions)

The application works by encrypting a disk partition; that partition can be located on the system or on a removable device. If you are using BitLocker to secure your system's hard drive, for example, it will create a system partition (which contains the files needed to start your computer) and an operating system partition, which contains your applications, data and Windows. The operating system partition will be encrypted and the system partition will remain unencrypted so your computer can start.

BitLocker reaches its full potential on computers equipped with TPM. BitLocker can use either transparent operation mode (where the TPM automates key entry) or a user authentication mode (where the user must manually input a password). The TPM hardware detects any unauthorized changes to the pre-boot environment, including to the BIOS and master boot record (MBR). If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device or a recovery password entered by hand. Either of these cryptographic secrets will decrypt the Volume Master Key (VMK) and allow the bootup process to continue.

BitLocker offers additional protection in the form of BitLocker To Go, an encryption option that can be used with removable media.

Bitlocker
BitLocker is only available with the Vista/Windows 7 Ultimate and Enterprise editions.
Click to view larger image

BitLocker is tightly integrated into Windows 7; it launches from the Windows 7 Control panel and includes a wizard-driven setup that simplifies configuration. To get started, I launched the BitLocker application from the Windows 7 Control panel on the Toshiba Portege and chose "Turn on BitLocker." This launched a system requirements wizard, which checked to make sure that the system was compatible with the software and listed any changes that needed to be made. In my case, BitLocker recommended that I turn on the TPM security hardware on my test system, which required me to reboot the system and enable the TPM hardware in the system BIOS.

On my Lenovo T61p, TPM was already enabled, so BitLocker was able to start the drive encryption process immediately.

As part of the encryption process, BitLocker offers a way to save a "recovery key" — a 40-digit code provided specifically as a means to access your data if there is a problem with your system or you lose your PIN. You can save the recovery key to a USB drive or a local file, or you can print it out. The encryption process can take some time to complete — it all comes down to the amount of data stored on the partitions, the speed of the hard disk and processor performance. The Toshiba Portege system, which had a solid-state drive with about 30GB of data, took over 3 hours to encrypt (luckily, the encryption process can run in the background). The Lenovo T61p, with 70GB of data stored on an internal 120GB hard drive, took a lot longer — in fact, I wound up letting the encryption process run overnight.

After encrypting the drives, I found little difference in how the systems performed — applications seemed to load as quickly, boot times remained about the same and operations such as file copying seemed just as fast. That said, there was some measurable CPU overhead when encrypting and decrypting files, but, as indicated by Windows Task Manager, it was less than 8% and was not noticeable during normal use.

BitLocker To Go

BitLocker To Go proved to be very easy to use. All you do is launch the product and create a passphrase (or use a smartcard) to encrypt/decrypt the drive. The process takes just a few minutes; like its big brother, the utility creates a 40-digit recovery key. Once configured, BitLocker To Go can automatically encrypt USB drives whenever you insert one. That tight integration with the operating system makes it extremely easy to use for removable media. The BitLocker To Go reader automatically launches when a USB drive is inserted into a system, and then it asks for the passkey to access the data stored on the device. I encrypted eight USB key drives of various sizes — each only took a few minutes to encrypt and all worked flawlessly.

BitLocker To Go allows the removable drive to be used with other systems, such as Windows XP and Windows Vista PCs. The only catch is that the application only allows older OSes to read the data — new data cannot be added.

BitLocker and BitLocker To Go are a great way to encrypt and protect data files on Windows 7 PCs and should be one of the first choices for mobile and home workers who want to protect their sensitive data files.

BitLocker also supports Windows Networks, and administrators can set up Windows group policies that can enforce the use of Bitlocker on removable storage devices and also encrypt the hard drives on servers and PCs — which may be a good way to prevent data being taken off a retired piece of IT equipment, just in case the administrator forgets to properly wipe or destroy the hard drive.



Our Commenting Policies