Use BitLocker to encrypt your hard disks

Protecting personal data, and especially intellectual property, is one of the major concerns of businesses and individuals today. Billions of sensitive data transactions take place across the globe daily, and keeping them protected is becoming an even more complex task. One of the biggest concerns is espionage and misuse of information, which can jeopardize the safety of individuals and the competitiveness of businesses. With the recent WikiLeaks episode dominating the media, we are witnessing a perfect example of how sensitive information released into the wrong hands can be more than just a nightmare: it can be a risk to civilian lives. The vessel for most of what’s happening is the Internet, and there is not much you can do about that; you can’t lock down the Internet, since it was designed to be an open environment from the beginning.

In the case of the PC, though, you have a bit more control. I am not just talking about passwords and access rights; these things are important, of course, but there is more to think about today. Users need to look at more advanced tools to keep their sensitive data safer, especially if they are in the field or on the road a lot. The risks get higher every day for notebook users: laptops are stolen around the clock, and recovery in most cases is next to impossible. This is where an important technology known as encryption comes in.

Encryption in Windows 7 depends partly on the edition you are using. By default, you get standard file and folder encryption in the Windows 7 Professional, Enterprise and Ultimate editions. If you need advanced encryption such as BitLocker or BitLocker To Go, you will need either Windows 7 Enterprise or Ultimate. I will be looking at third-party tools users can use if they are running Windows 7 Starter, Home Basic or Home Premium in a future article.

What is Encryption?

Encryption is the process of converting readable data into unreadable characters to prevent unauthorized access. Encrypted data can be treated just like any other data, whether you are storing it or sharing it through email. To access the encrypted data in a readable form, the recipient must first decrypt it. In the encryption process, the unencrypted, readable data is called plaintext, and the encrypted (scrambled) data is called ciphertext. To encrypt the data, the originator of the data converts the plaintext into ciphertext using a password or an encryption key.

An encryption key is the secret value that the recipient of the data uses to decrypt the ciphertext back into plaintext.

As I noted earlier, there are two types of encryption available in Windows 7, depending on the edition. In the case of Windows 7 Professional, you only have the Encrypting File System (EFS), which only supports encrypting files and folders. If you are running the Enterprise or Ultimate editions of Windows 7, you get access to more powerful tools built in.

Introducing BitLocker

A feature first introduced in Windows Vista, BitLocker Drive Encryption, allows you to encrypt a fixed hard disk. BitLocker Drive Encryption can help to protect all files stored on the drive Windows is installed on (the operating system drive) and on fixed data drives (such as internal hard drives).

Unlike the Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.

When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.

Setup

Note: I strongly recommend that before using encryption software you at least have your hard disk backed up. Having your data secure is one thing, but not having access to it is another problem. You can reference articles about how to back up your personal files and hard disk here and here.

By default, BitLocker requires that your computer have a Trusted Platform Module (TPM) version 1.2 chip. If your computer does not support this feature (mine does not), there is another option: you can use a USB thumbdrive, which is what I will be using. First, you will need to configure the system to not require a TPM. If you try to run BitLocker without the necessary requirements, you will receive the following message:

To work around this:

Click Start, type: gpedit.msc

Then hit Enter on your keyboard.

This will open the Local Group Policy Editor (please note I am working on Windows 7 Ultimate).

Next, expand Administrative Templates, then Windows Components, then BitLocker Drive Encryption, then click Operating System Drives.

In the right pane, right-click Require additional authentication at startup, then click Edit.

Next, apply the following changes in the window that opens:

  • Select Enabled
  • Under Options, check the box that says ‘Allow BitLocker without a compatible TPM’
  • Then click Apply and OK
  • Close the Local Group Policy Editor

Next, click Start and type: gpupdate.exe /force, then press Enter on your keyboard to enforce the changes. Restart your system to confirm that they took effect.

We are now ready to encrypt our internal hard disk.
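If you have to make the same policy change on more than one machine, here is the registry equivalent of the gpedit.msc steps above. This is an added example, not part of the original post; it assumes Windows 7 with PowerShell 2.0, run from an elevated prompt, and that no domain Group Policy overrides the local setting (a domain GPO would win after gpupdate).

```powershell
# Added example: the "Require additional authentication at startup" policy with
# "Allow BitLocker without a compatible TPM" checked, set directly in the registry
# under the FVE policy key, then applied with gpupdate.exe /force as in the post.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Enable-BitLockerWithoutTpmPolicy {
    # The policy key does not exist until some BitLocker policy has been applied.
    if (-not (Test-Path $FvePolicy)) { New-Item -Path $FvePolicy -Force | Out-Null }
    # "Require additional authentication at startup" = Enabled ...
    New-ItemProperty -Path $FvePolicy -Name 'UseAdvancedStartup' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # ... with "Allow BitLocker without a compatible TPM" checked.
    New-ItemProperty -Path $FvePolicy -Name 'EnableBDEWithNoTPM' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    # Same as the post's "gpupdate.exe /force" step.
    & gpupdate.exe /force | Out-Null
}

function Test-BitLockerWithoutTpmPolicy {
    # Returns $true when both values are set, so you can verify before rebooting
    # instead of finding out from the BitLocker wizard's error message.
    if (-not (Test-Path $FvePolicy)) { return $false }
    $p = Get-ItemProperty -Path $FvePolicy
    return ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

Enable-BitLockerWithoutTpmPolicy
if (Test-BitLockerWithoutTpmPolicy) {
    'Policy applied; restart the system to confirm.'
} else {
    'Policy not applied; check that the prompt is elevated.'
}
```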

Preparing the drive

Click Start, then click Computer

Right click your Local hard disk, then click Turn on BitLocker

This will start the BitLocker encryption wizard

Checking to see if your system meets the minimum requirements

BitLocker will prepare a reserved hidden partition of approximately 300 MB for encryption data.

Making changes to the drive.

Restart your system to confirm changes.

After restarting, the wizard will then continue with the encryption process.

BitLocker Drive Encryption wizard

I strongly recommend that you have a USB thumbdrive; in fact, you will need it to move forward. Having a thumbdrive to store the encryption key somewhere safe is important when you need to decrypt the drive to access the operating system and your personal files.


Select the location where the Encryption key will be stored.

Save the recovery key to the thumb drive

BitLocker will do a trial run just to make sure the thumbdrive can decrypt the hard disk drive. If it is not possible to use the thumbdrive, you can still do the encryption, but you will need to remember the 48-character encryption key. That’s why it is best to store it somewhere safe, or print it and store the printout safely, so you can reference it when you need to. The reasons it might not be possible to use the thumbdrive as a startup key are that the thumbdrive is not formatted with a supported file system (exFAT, FAT16, FAT32 or NTFS) or that your BIOS needs to be updated. If all goes well, when you start the computer the BitLocker Drive Encryption program will start automatically; if not, you will receive an error.

My recommendation: re-run the BitLocker Drive Encryption wizard, but this time uncheck Run BitLocker system check, then click Continue. Again, please be sure you have access to the key, or that it is printed, or that you have memorized all 48 characters of the encryption key (which I personally think is next to impossible for most people). The reason the key is so long is to make it harder to crack: the longer and more complex the encryption key, the less likely a successful attack.

Encryption can take some time depending on the size of the drive; you can continue using your computer while it does its thing.

Click close when complete
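The same result can be reached from the command line with manage-bde.exe, the BitLocker tool built into Windows 7 Enterprise and Ultimate. This is an added example, not from the original post; it assumes C: is the operating system drive, E: is the thumbdrive, an elevated PowerShell 2.0 prompt, and that the "without a compatible TPM" policy from the Setup section has already been applied.

```powershell
# Added example: enable BitLocker on the OS drive with a startup key on the thumbdrive
# plus a 48-digit recovery password, checking the thumbdrive's file system first
# (the same condition the wizard's trial run can fail on).
$OsDrive  = 'C:'   # assumption: operating system drive
$UsbDrive = 'E:'   # assumption: USB thumbdrive that will hold the startup key

function Test-StartupKeyDrive([string]$Drive) {
    # The startup key can only be written to a drive formatted with one of the
    # file systems the wizard accepts.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if ($disk -eq $null) { return $false }
    return @('FAT', 'FAT32', 'exFAT', 'NTFS') -contains $disk.FileSystem
}

function Enable-BitLockerWithStartupKey([string]$Drive, [string]$KeyDrive, [switch]$SkipHardwareTest) {
    if (-not (Test-StartupKeyDrive $KeyDrive)) {
        throw "$KeyDrive is missing or not formatted as FAT/FAT32/exFAT/NTFS"
    }
    # -StartupKey writes the .BEK startup key to the thumbdrive; -RecoveryPassword
    # creates the 48-digit recovery password and prints it in the command output.
    $bdeArgs = @('-on', $Drive, '-RecoveryPassword', '-StartupKey', $KeyDrive)
    # The wizard's "Run BitLocker system check" is on by default. -SkipHardwareTest is
    # the same as unchecking it, so use it only after the test run has already failed.
    if ($SkipHardwareTest) { $bdeArgs += '-SkipHardwareTest' }
    $output = & manage-bde.exe $bdeArgs 2>&1
    # Save the recovery password off the disk being encrypted. Keeping it on the same
    # thumbdrive as the startup key defeats having two keys, so print it or move the
    # file somewhere else before you rely on it.
    $recoveryFile = "$KeyDrive\BitLocker-recovery-" + $Drive.TrimEnd(':') + ".txt"
    $output | Out-File -FilePath $recoveryFile
    return $output
}

Enable-BitLockerWithStartupKey $OsDrive $UsbDrive
# Confirm that both protectors (External Key and Numerical Password) exist before rebooting.
& manage-bde.exe -protectors -get $OsDrive
```

Like the wizard, manage-bde waits for a restart to run the hardware test before encryption begins; run the script again with -SkipHardwareTest only if that test fails for the reasons described above.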

When you open Computer (from the Start menu), you will now notice a padlock emblem on your hard disk; this indicates that the drive is now encrypted.

BitLocker now enabled on my hard disk.

What happens next?

Every time you start your computer, the startup key (thumbdrive) needs to be present; if not, you will see the following screens:

Press Enter to access the BitLocker Recovery screen

Enter the 48-character encryption key to decrypt the drive

If you believe your data is at no risk of unauthorized access, you can suspend BitLocker encryption. This is especially convenient if you are sharing a computer with someone, such as your family at home, where the risk of theft is much lower.

To suspend BitLocker drive encryption, click Start, type: BitLocker

Hit Enter on your keyboard.

Under BitLocker Drive Encryption – Hard Disk Drives, click the Suspend Protection link.

Click Yes to confirm

You will now notice an exclamation emblem on the hard disk icon, indicating that BitLocker is now suspended; you can click the Resume Protection link when you are ready to use it again.
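Suspend and Resume Protection can also be scripted with manage-bde.exe, and a status check afterwards tells you whether protection really came back on. This is an added example, not part of the original post; it assumes an elevated PowerShell 2.0 prompt on Windows 7 and that C: is the encrypted operating system drive.

```powershell
# Added example: suspend and resume BitLocker from the command line and verify the
# "Protection Status" line of manage-bde -status rather than trusting the icon.
function Get-BitLockerProtectionStatus([string]$Drive) {
    # Returns 'On', 'Off' or 'Unknown' by parsing the status output, e.g.
    #     Protection Status:    Protection On
    $lines = & manage-bde.exe -status $Drive 2>&1
    foreach ($line in $lines) {
        $m = [regex]::Match($line, '^\s*Protection Status:\s*Protection (On|Off)')
        if ($m.Success) { return $m.Groups[1].Value }
    }
    return 'Unknown'
}

function Suspend-BitLockerProtection([string]$Drive) {
    # "Suspend Protection" in the Control Panel disables the key protectors. The drive
    # stays encrypted, but its key is stored in the clear on disk until you resume, so
    # a suspended laptop is no better protected than an unencrypted one.
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    return (Get-BitLockerProtectionStatus $Drive) -eq 'Off'
}

function Resume-BitLockerProtection([string]$Drive) {
    # "Resume Protection" re-enables the key protectors.
    & manage-bde.exe -protectors -enable $Drive | Out-Null
    return (Get-BitLockerProtectionStatus $Drive) -eq 'On'
}

# Example: suspend while sharing the machine, then make sure protection is back.
if (Suspend-BitLockerProtection 'C:') { 'BitLocker suspended on C:' }
if (-not (Resume-BitLockerProtection 'C:')) {
    throw 'Protection did not resume; check manage-bde -status C:'
}
```

On Windows 7 a suspended drive stays suspended across reboots until you resume it, which is why the status check matters.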

Again, I strongly recommend that before using encryption software you at least have your hard disk backed up. Having your data secure is one thing, but not having access to it is another problem. You can reference articles about how to back up your personal files and hard disk here and here. When combined with practices such as password protection at the BIOS level and at Windows logon, BitLocker encryption provides the highest level of protection available to Windows users.

In a part 2 article, we will look at using a free disk encryption solution for users of Windows 7 Professional, Home Premium, Home Basic and Starter.


Filed under 7 Journal

4 responses to “Use BitLocker to encrypt your hard disks”

  1. Andre,
    Check your Clubhouse profile. This blog is listed twice, causing double postings. Several of us have had this happen. Just deactivate the second entry.

  2. Pingback: El valor de la información en la empresa « elChelo

  3. klsd

    bitlocker drive encryption for windows xp…

    • Use Truecrypt, BitLocker is exclusive to Windows Vista Ultimate, Windows 7 Ultimate, Windows Vista Enterprise, Windows 7 Enterprise and Windows 8 Pro/Enterprise editions.
