First, the good news — BitLocker is free and does most everything a user could want. However, there's a catch: The full BitLocker product is only available with the Windows 7 Ultimate and Enterprise editions (or the Vista Enterprise and Ultimate editions), versions that are rarely installed on netbooks and seldom on notebooks. In addition, the Vista version of BitLocker lacks the ability to encrypt removable media, a very important feature now that USB key drives and external hard drives are common.
I looked at the BitLocker application included with Windows 7, which is broken down into two services: BitLocker, which works with hard drive partitions, and BitLocker to Go, which is meant for removable media.
BitLocker uses the AES encryption algorithm in cyber-block chaining (CBC) mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security not provided by AES.
At a Glance
Price: Free (with Windows 7 Ultimate and Enterprise editions or Vista Enterprise and Ultimate editions)
The application works by encrypting a disk partition; that partition can be located on the system or on a removable device. If you are using BitLocker to secure your system's hard drive, for example, it will create a system partition (which contains the files needed to start your computer) and an operating system partition, which contains your applications, data and Windows. The operating system partition will be encrypted and the system partition will remain unencrypted so your computer can start.
BitLocker reaches its full potential on computers equipped with TPM. BitLocker can use either transparent operation mode (where the TPM automates key entry) or a user authentication mode (where the user must manually input a password). The TPM hardware detects any unauthorized changes to the pre-boot environment, including to the BIOS and master boot record (MBR). If any unauthorized changes are detected, BitLocker requests a recovery key on a USB device or a recovery password entered by hand. Either of these cryptographic secrets will decrypt the Volume Master Key (VMK) and allow the bootup process to continue.
BitLocker offers additional protection in the form of BitLocker To Go, an encryption option that can be used with removable media.
BitLocker is tightly integrated into Windows 7; it launches from the Windows 7 Control panel and includes a wizard-driven setup that simplifies configuration. To get started, I launched the BitLocker application from the Windows 7 Control panel on the Toshiba Portege and chose "Turn on BitLocker." This launched a system requirements wizard, which checked to make sure that the system was compatible with the software and listed any changes that needed to be made. In my case, BitLocker recommended that I turn on the TPM security hardware on my test system, which required me to reboot the system and enable the TPM hardware in the system BIOS.
On my Lenovo T61p, TPM was already enabled, so BitLocker was able to start the drive encryption process immediately.
As part of the encryption process, BitLocker offers a way to save a "recovery key" — a 40-digit code provided specifically as a means to access your data if there is a problem with your system or you lose your PIN. You can save the recovery key to a USB drive or a local file, or you can print it out. The encryption process can take some time to complete — it all comes down to the amount of data stored on the partitions, the speed of the hard disk and processor performance. The Toshiba Portege system, which had a solid-state drive with about 30GB of data, took over 3 hours to encrypt (luckily, the encryption process can run in the background). The Lenovo T61p, with 70GB of data stored on an internal 120GB hard drive, took a lot longer — in fact, I wound up letting the encryption process run overnight.
After encrypting the drives, I found little difference in how the systems performed — applications seemed to load as quickly, boot times remained about the same and operations such as file copying seemed just as fast. That said, there was some measurable CPU overhead when encrypting and decrypting files, but, as indicated by Windows Task Manager, it was less than 8% and was not noticeable during normal use.
BitLocker To Go
BitLocker To Go proved to be very easy to use. All you do is launch the product and create a passphrase (or use a smartcard) to encrypt/decrypt the drive. The process takes just a few minutes; like its big brother, the utility creates a 40-digit recovery key. Once configured, BitLocker To Go can automatically encrypt USB drives whenever you insert one. That tight integration with the operating system makes it extremely easy to use for removable media. The BitLocker To Go reader automatically launches when a USB drive is inserted into a system, and then it asks for the passkey to access the data stored on the device. I encrypted eight USB key drives of various sizes — each only took a few minutes to encrypt and all worked flawlessly.
BitLocker To Go allows the removable drive to be used with other systems, such as Windows XP and Windows Vista PCs. The only catch is that the application only allows older OSes to read the data — new data cannot be added.
BitLocker and BitLocker To Go are a great way to encrypt and protect data files on Windows 7 PCs and should be one of the first choices for mobile and home workers who want to protect their sensitive data files.
BitLocker also supports Windows Networks, and administrators can set up Windows group policies that can enforce the use of Bitlocker on removable storage devices and also encrypt the hard drives on servers and PCs — which may be a good way to prevent data being taken off a retired piece of IT equipment, just in case the administrator forgets to properly wipe or destroy the hard drive.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- Increase IT Performance from the Enterprise to the Cloud with WAN Optimization Massive consolidation and data mobility, enabled by virtualization, have radically altered how we build servers, design applications, and deploy storage for the emerging...
- Live Webcast
Transforming Finance, Procurement and Supply Chain Effectiveness with Cross-Functional Analytics
Date: May 6th, 2014
Time: 1 PM EDT
Attend this Webcast to find out how Oracle's packaged analytic applications enable line-of-business managers to examine all...
- Video Stream Quality Impacts Viewer Behavior This scientific white paper, using statistical data from Amakai's streaming network, analyzes how changes in video quality cause changes in viewer behavior.
- Service-Enabling CICS Applications: Best Practices This informative webcast provides an informed, thorough look into CICS service-enablement options and how they can affect your environment. You'll learn how to... All Applications White Papers | Webcasts