Vista's BitLocker Encryption: All It's Cracked Up to Be?

Microsoft's boot-drive encryption works best with specialized hardware and requires some effort to set up and run. After all that, does it work?

When Microsoft announced that Windows Vista was going to be available in multiple editions, curiosity turned toward the higher-end versions of Vista targeted at corporate environments (Vista Enterprise) and enthusiasts (Vista Ultimate). Among the features in these high-end editions is BitLocker Drive Encryption, which Microsoft included to address "the theft or unwanted disclosure of data made available through physical loss of computer devices."

Say what?

In plain language, BitLocker is an on-disk encryption system that encrypts the computer's boot drive, making the system data on it unreadable to unauthorized users -- someone who's just made off with your laptop at the airport, for example. Without a boot key -- either a manually entered PIN, a USB flash drive or a secure module on the PC itself -- everything on a BitLocker-encrypted drive is indistinguishable from random data.

In the face of any number of news stories about government agencies and businesses losing notebooks and the data on them, Microsoft has stumped hard to convince users that BitLocker is the best means of preventing data loss through theft or espionage. A lost BitLocker-protected computer, Microsoft argues, can be safely written off without concern that the data on it could be compromised; and, as we are all well aware, the cost of a lost notebook is minor compared with the cost of losing the data on it.

But how realistic are Microsoft's declarations about BitLocker? What the company promises that BitLocker can do doesn't always match up with how BitLocker faces the challenges of the real world. Or, to put it another way, like many other encryption products, BitLocker is only as capable as the hands it's in.

Getting the Goods
Organizations considering BitLocker for their notebook PCs can find themselves confronting some cost issues from the word go.

BitLocker is included only in the Enterprise and Ultimate SKUs of Vista -- the two most expensive editions of Vista on the market. Also, Vista requires 512MB of RAM minimum (and most experts recommend 1GB or higher), which means companies might find themselves having to add RAM to existing machines or spend their money on a new fleet of notebooks.

Finally, to get the most out of BitLocker, Microsoft recommends using it on a computer equipped with a Trusted Platform Module (TPM), a microchip embedded in a PC's motherboard that stores passwords, keys and digital certificates. (See the following section for more information about TPM.)

BitLocker in Action
In front of the system volume to be encrypted, BitLocker creates a 1.5GB boot partition that contains decryption and boot data. When Vista was first released, users had to create this partition manually before installing Vista, but after a number of complaints, Microsoft revised the BitLocker setup process so that you can create the partition on an existing system.

One of the Vista Ultimate Extras (also available for the Enterprise Edition) is labeled "BitLocker and EFS enhancements," which contains the BitLocker Drive Preparation tool. This program automates the setup process and encrypts an existing drive for BitLocker while the system is running. (It's still always best to have BitLocker set up on a system before it has been personalized for a given user so there is no chance of unencrypted data being stored on it at any time.)

Page 1 of 4