First, the good news — BitLocker is free and does most everything a user could want. However, there's a catch: The full BitLocker product is only available with the Windows 7 Ultimate and Enterprise editions (or the Vista Enterprise and Ultimate editions), versions that are rarely installed on netbooks and seldom on notebooks. In addition, the Vista version of BitLocker lacks the ability to encrypt removable media, a very important feature now that USB key drives and external hard drives are common.
I looked at the BitLocker application included with Windows 7, which is broken down into two services: BitLocker, which works with hard drive partitions, and BitLocker to Go, which is meant for removable media.
BitLocker uses the AES encryption algorithm in cipher-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser, which adds disk-encryption-specific protection that plain AES-CBC does not provide: CBC on its own lets anyone who can rewrite a sector flip chosen bits in the following plaintext block, whereas the diffuser spreads any change across the whole sector, so tampering produces garbage rather than a controlled edit. That combination is the Windows 7 default; Group Policy can switch the volume to AES-256 or drop the diffuser.
At a Glance
Price: Free (with Windows 7 Ultimate and Enterprise editions or Vista Enterprise and Ultimate editions)
The application works by encrypting a disk partition; that partition can be located on the system or on a removable device. If you are using BitLocker to secure your system's hard drive, for example, it relies on two partitions: a small system partition (Windows 7 setup normally creates it as a 100MB partition) that contains the files needed to start your computer, and an operating system partition that contains your applications, data and Windows. The operating system partition is encrypted and the system partition remains unencrypted so your computer can start. Any further data partitions on the same disk are not covered automatically and have to be turned on separately.
BitLocker reaches its full potential on computers equipped with a TPM. It can run in transparent operation mode, where the TPM releases the key at boot with no user interaction, or in user authentication mode, where the user must also type a PIN before Windows starts. The TPM does not inspect the pre-boot code itself; instead, as each component runs (BIOS, master boot record, boot manager and so on), a hash of it is extended into the TPM's platform configuration registers, and the Volume Master Key (VMK) is sealed so that the TPM will only release it when those registers hold the values recorded when BitLocker was turned on. If any measured component has changed, the values differ, the TPM refuses to unseal the VMK, and BitLocker asks for a recovery key on a USB device or a recovery password typed by hand. Either of those secrets decrypts the VMK independently of the TPM and allows the boot process to continue. Because transparent mode releases the key without any user secret, the PIN mode is the better choice for a laptop that could be stolen while powered on or asleep.
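The measure-then-seal behaviour described above, as an added example that is not code from the article or from Microsoft: a PowerShell model in which boot components are extended into a PCR and the VMK is sealed to the resulting value. The component names, the use of AES under a PCR-derived key and the stored PCR digest are illustrative assumptions standing in for the real TPM 1.2 interface; only the extend rule (SHA-1 over the old register value and the new measurement) matches what the hardware does.

```powershell
# Added example, not from the article: a model of TPM measured boot and
# VMK sealing. Component names and the seal construction are assumptions.

$sha1   = [System.Security.Cryptography.SHA1]::Create()
$sha256 = [System.Security.Cryptography.SHA256]::Create()

function ConvertTo-Hex([byte[]]$Bytes) {
    ([System.BitConverter]::ToString($Bytes)) -replace '-', ''
}

# Measured boot: every component is hashed and "extended" into a PCR,
#   PCR = SHA1(PCR || SHA1(component)),
# starting from an all-zero register at power-on. The register can only be
# extended, never written, so a tampered MBR cannot be hidden by what runs later.
function Invoke-MeasuredBoot([string[]]$BootComponents) {
    [byte[]]$pcr = New-Object byte[] 20
    foreach ($component in $BootComponents) {
        $measurement = $sha1.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($component))
        $pcr = $sha1.ComputeHash([byte[]]($pcr + $measurement))
    }
    return $pcr
}

# Seal: bind the VMK to one PCR value. The blob carries the expected PCR
# digest plus the VMK encrypted under a key derived from that PCR value.
function Protect-Vmk([byte[]]$Vmk, [byte[]]$ExpectedPcr) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $sha256.ComputeHash([byte[]]([System.Text.Encoding]::ASCII.GetBytes('seal') + $ExpectedPcr))
    $aes.IV  = New-Object byte[] 16   # fixed IV is acceptable here: one key, one message
    $enc = $aes.CreateEncryptor()
    return @{
        PcrDigest = ConvertTo-Hex ($sha256.ComputeHash($ExpectedPcr))
        EncVmk    = $enc.TransformFinalBlock($Vmk, 0, $Vmk.Length)
    }
}

# Unseal: compare the current PCR with the digest in the blob and release
# nothing if they differ. That is the case that drops BitLocker into recovery.
function Unprotect-Vmk($SealedBlob, [byte[]]$CurrentPcr) {
    if ((ConvertTo-Hex ($sha256.ComputeHash($CurrentPcr))) -ne $SealedBlob.PcrDigest) {
        return $null
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $sha256.ComputeHash([byte[]]([System.Text.Encoding]::ASCII.GetBytes('seal') + $CurrentPcr))
    $aes.IV  = New-Object byte[] 16
    $dec = $aes.CreateDecryptor()
    return $dec.TransformFinalBlock($SealedBlob.EncVmk, 0, $SealedBlob.EncVmk.Length)
}

# Constructed demonstration data: a random 256-bit VMK and two boot sequences
# that differ only in the MBR.
$vmk = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($vmk)

$trustedBoot  = @('BIOS 1.20', 'MBR: Windows 7 boot code', 'BOOTMGR')
$tamperedBoot = @('BIOS 1.20', 'MBR: modified boot code',  'BOOTMGR')

$blob = Protect-Vmk $vmk (Invoke-MeasuredBoot $trustedBoot)

$released = Unprotect-Vmk $blob (Invoke-MeasuredBoot $trustedBoot)
"Unmodified boot: VMK released = $((ConvertTo-Hex $released) -eq (ConvertTo-Hex $vmk))"

$released = Unprotect-Vmk $blob (Invoke-MeasuredBoot $tamperedBoot)
"Modified MBR:    VMK released = $($null -ne $released) (recovery password needed)"
```

The first run prints `VMK released = True`, the second `False`: the same sealed blob, a different measurement of one component, and the key stays inside the TPM. The recovery password in the article is what lets the volume open anyway in that second case, which is exactly why it has to be stored away from the machine.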
BitLocker offers additional protection in the form of BitLocker To Go, an encryption option that can be used with removable media.
BitLocker is tightly integrated into Windows 7; it launches from the Windows 7 Control Panel and includes a wizard-driven setup that simplifies configuration. To get started, I launched the BitLocker application from the Windows 7 Control Panel on the Toshiba Portege and chose "Turn on BitLocker." This launched a system requirements wizard, which checked to make sure that the system was compatible with the software and listed any changes that needed to be made. In my case, BitLocker recommended that I turn on the TPM security hardware on my test system, which required me to reboot the system and enable the TPM hardware in the system BIOS.
On my Lenovo T61p, TPM was already enabled, so BitLocker was able to start the drive encryption process immediately.
As part of the encryption process, BitLocker offers a way to save a "recovery key" — in practice a 48-digit recovery password (eight groups of six digits) provided specifically as a means to access your data if there is a problem with your system or you forget your PIN. You can save the recovery password to a USB drive or a local file, or you can print it out; whichever you choose, keep it somewhere other than the encrypted computer itself, because it is the one secret that bypasses the TPM entirely. The encryption process can take some time to complete — it all comes down to the amount of data stored on the partitions, the speed of the hard disk and processor performance. The Toshiba Portege system, which had a solid-state drive with about 30GB of data, took over 3 hours to encrypt (luckily, the encryption process can run in the background). The Lenovo T61p, with 70GB of data stored on an internal 120GB hard drive, took a lot longer — in fact, I wound up letting the encryption process run overnight.
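The same setup done from the command line instead of the Control Panel wizard, as an added example that is not from the article: Windows 7 Ultimate and Enterprise ship manage-bde.exe, and the sequence below mirrors the wizard's steps from an elevated PowerShell prompt. The drive letter and the USB path for the .BEK recovery key are assumptions; the key must be written somewhere other than the volume being encrypted. To use a PIN (the user authentication mode discussed above), the "Require additional authentication at startup" Group Policy setting has to be enabled first; then `-tpmandpin` replaces `-tpm` in step 3 and manage-bde prompts for the PIN.

```powershell
# Added example, not from the article: BitLocker setup for the OS drive with
# manage-bde.exe (Windows 7 Ultimate/Enterprise), run from an elevated prompt.
# $OsDrive and $KeyBackup are assumptions; $KeyBackup must not be on $OsDrive.
$OsDrive   = 'C:'
$KeyBackup = 'E:\'          # removable drive that will receive the .BEK recovery key

# 1. Current state: protection status, encryption method (AES 128 with
#    Diffuser is the Windows 7 default) and any existing key protectors.
manage-bde -status $OsDrive

# 2. The wizard's "turn on the TPM" step. If the BIOS has the TPM disabled,
#    this queues the request; Windows then asks for a reboot and the firmware
#    asks you to confirm the change at the POST screen.
manage-bde -tpm -turnon

# 3. Key protectors. -tpm seals the VMK to the boot measurements;
#    -recoverypassword generates the 48-digit numeric password and prints it;
#    -recoverykey writes a .BEK file to the given path.
manage-bde -protectors -add $OsDrive -tpm
manage-bde -protectors -add $OsDrive -recoverypassword
manage-bde -protectors -add $OsDrive -recoverykey $KeyBackup

# 4. List the protectors and their IDs. Record the numeric password and the
#    IDs off the machine; you need an ID to back a protector up or delete it.
manage-bde -protectors -get $OsDrive

# 5. Turn encryption on. With a TPM protector the first run schedules a
#    hardware test: BitLocker reboots and proves the TPM unseals the VMK
#    before it encrypts a single sector. Encryption then runs in the background.
manage-bde -on $OsDrive

# 6. Poll progress from another prompt; watch the "Percentage Encrypted" line.
manage-bde -status $OsDrive
```

Step 5 is the one to respect rather than shortcut: `-on` accepts `-skiphardwaretest`, but the test is what catches a BIOS or boot-loader configuration that the TPM will measure differently on the next boot, which otherwise shows up as a recovery prompt on a machine that has just finished encrypting.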
After encrypting the drives, I found little difference in how the systems performed — applications seemed to load as quickly, boot times remained about the same and operations such as file copying seemed just as fast. That said, there was some measurable CPU overhead when encrypting and decrypting files, but, as indicated by Windows Task Manager, it was less than 8% and was not noticeable during normal use.
BitLocker To Go
BitLocker To Go proved to be very easy to use. All you do is launch the product and create a passphrase (or use a smartcard) to encrypt/decrypt the drive. The process takes just a few minutes; like its big brother, the utility generates a 48-digit recovery password. With the matching Group Policy in force, Windows 7 prompts you to encrypt any unprotected USB drive as soon as it is inserted and keeps it read-only until you do. That tight integration with the operating system makes it extremely easy to use for removable media. When an encrypted drive is inserted into a Windows 7 system, Windows asks for the passphrase before any of the data stored on the device becomes accessible. I encrypted eight USB key drives of various sizes — each only took a few minutes to encrypt and all worked flawlessly.
BitLocker To Go allows the removable drive to be used with other systems, such as Windows XP and Windows Vista PCs, through the BitLocker To Go Reader, a small program that Windows 7 places on the drive when it is encrypted. There are two catches: the reader only gives older OSes read access, so new data cannot be added, and it works only on drives formatted with FAT, FAT32 or exFAT, so an NTFS-formatted USB drive cannot be opened on XP or Vista at all.
BitLocker and BitLocker To Go are a great way to encrypt and protect data files on Windows 7 PCs and should be one of the first choices for mobile and home workers who want to protect their sensitive data files.
BitLocker is also built for managed Windows networks. On domain-joined machines, administrators can set Group Policy to require BitLocker on removable storage devices (an unprotected USB drive is then read-only until it is encrypted), to choose the encryption algorithm and startup authentication mode, and to back recovery passwords up to Active Directory Domain Services automatically, which turns a forgotten PIN on a user's laptop into a help-desk call rather than a data loss. Enforcing encryption of the hard drives on servers and PCs is also a good way to prevent data being taken off a retired piece of IT equipment, just in case the administrator forgets to properly wipe or destroy the hard drive: without a key protector the contents are unreadable, although any recovery password escrowed in the directory should be retired along with the machine.
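Encrypting a removable drive from the command line and checking whether the removable-drive policy just described is in force, as an added example covering both the BitLocker To Go section and the Group Policy paragraph (not code from the article): the drive letter is an assumption, and the registry value name is the one the Windows 7 BitLocker ADMX template (VolumeEncryption.admx) writes for "Deny write access to removable drives not protected by BitLocker"; verify it against your own copy of the template before relying on it.

```powershell
# Added example, not from the article: BitLocker To Go from an elevated
# PowerShell prompt on Windows 7, plus a check of the removable-drive policy.
# $UsbDrive is an assumption; the FVE value name should be verified locally.
$UsbDrive = 'F:'

# 1. The XP/Vista BitLocker To Go Reader only works on FAT-formatted drives,
#    so check the file system before encrypting a drive that has to travel.
$vol = Get-WmiObject Win32_Volume -Filter "DriveLetter='$UsbDrive'"
if ($vol.FileSystem -notmatch '^(FAT|FAT32|exFAT)$') {
    Write-Warning "$UsbDrive is $($vol.FileSystem); XP and Vista will not be able to read it once encrypted."
}

# 2. A password protector (manage-bde prompts for the passphrase twice) and a
#    48-digit recovery password, then encryption in the background.
manage-bde -protectors -add $UsbDrive -password
manage-bde -protectors -add $UsbDrive -recoverypassword
manage-bde -on $UsbDrive

# 3. Optional: let this PC unlock the drive automatically when it is inserted.
#    Only available when the OS drive is itself BitLocker-protected, because
#    the unlock key for the USB drive is stored on the OS volume.
manage-bde -autounlock -enable $UsbDrive

# 4. Is the "deny write access to unprotected removable drives" policy set?
#    Group Policy writes it under the FVE key; 1 = unencrypted USB drives
#    mount read-only until the user encrypts them.
$fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$deny = (Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue).RDVDenyWriteAccess
if ($deny -eq 1) {
    'Policy: writes to unencrypted removable drives are blocked.'
} else {
    'Policy: not set; users can still copy data onto unencrypted USB drives.'
}

# 5. Confirm the drive's protectors and encryption progress.
manage-bde -status $UsbDrive
```

Step 4 reads the policy as the machine actually has it, which matters more than what the GPO editor shows: a laptop that has not refreshed policy since it left the domain network still lets the user write to a plain USB stick.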