While NT-based versions of Windows have supported per-folder encryption functionality via the Encrypting File System (EFS) for years, Windows Vista was the first to introduce full-disk encryption in the form of BitLocker. Now, in Windows 7, Microsoft has enhanced BitLocker with the ability to protect removable storage devices, such as USB-based hard drives, flash devices, and other media. This functionality is called BitLocker To Go, and while the technology is aimed squarely at enterprises, it's quite useful for almost any Windows 7 user.
Important: BitLocker To Go is available only in the Enterprise and Ultimate versions of Windows 7. But this limitation refers only to the ability to enable protection on a removable storage device. Once BitLocker To Go is added to a storage device, that device can be used normally with any version of Windows 7. (Yes, including Starter edition.) It can also be used in read-only mode with so-called downlevel Windows versions, including XP and Vista. (See below for more information.)
History of BitLocker
Since its introduction with the original shipping release of Windows Vista, BitLocker has undergone a regular series of improvements. The initial version of this technology was conceived as full-disk encryption--that is, it encrypts an entire partition, not just parts of it--that works both online and offline (i.e. at boot time and when the drive is disconnected) thanks to integration with underlying TPM 1.2 (and higher) chipsets. (BitLocker can also utilize a USB memory key or an alphanumeric password if TPM hardware isn't present.)
Secret: BitLocker was briefly called Secure Startup and Full Volume Encryption before Microsoft settled on the final name.
In this initial version, BitLocker could only be installed to the boot partition. It was also hard to configure. You had to manually create a separate partition for those boot-up files that cannot function while encrypted, and this partition had to be created before the OS was installed. Too, there was no recovery option at all: if the user lost their recovery password or recovery key, the data on a BitLocker drive was completely inaccessible.
To help overcome these issues, Microsoft provided two tools to Windows Vista Ultimate customers via the Ultimate Extras program. (Apparently, Microsoft's most lucrative enterprise customers were expected to figure out BitLocker on their own.) The first tool, BitLocker Drive Preparation, provides a way to automatically resize an existing system partition and add a new partition of the exact size required by BitLocker. And it does so without requiring you to wipe out your Vista install and start over from scratch. The second tool, the Secure Online Key Backup (SOKB) utility, provides a way to back up BitLocker's recovery password to a secure Microsoft Web site called Digital Locker.
Secret: It's unclear what the fate of Digital Locker will be at this time as Microsoft has ceased operation of the company's original online store, Windows Marketplace.
With the release of Windows Server 2008 and Windows Vista Service Pack 1 (SP1), Microsoft updated BitLocker again. With this release, it was possible to encrypt other non-boot fixed drives in addition to the boot partition. Additionally, Microsoft added optional multifactor authentication to BitLocker that combines a Trusted Platform Module (TPM) key with a USB dongle-based startup key and a 4-character personal identification number (PIN).
Secret: During the development of Windows Vista SP1, I was told that BitLocker would continue to work only with fixed disks and not external USB drives. This was by design.
For Windows 7, BitLocker gets yet another upgrade. It is now far easier to configure and install, and no longer requires manual partitioning or even a separate tool: You can simply right-click a drive in Explorer and choose "Turn on BitLocker" from the context menu that appears. And there's no need to create a special partition, because it's already here: Windows 7 creates a hidden partition for this very purpose during Setup. Windows 7 also adds Data Recovery Agent (DRA) support for all protected disk volumes so that enterprises can store recovery data in Active Directory and recover volumes if needed.
Finally, Windows 7 also extends BitLocker support, for the first time, to removable storage devices. This feature is of course called BitLocker To Go.
BitLocker To Go: The mile-high view
BitLocker To Go is a full-disk encryption protection technology for removable storage devices. Though it is based on BitLocker technology, BitLocker To Go significantly enhances the technical capabilities of BitLocker. For example, it is compatible with all FAT (FAT32, exFAT, etc.) file systems in addition to NTFS, dramatically increasing its compatibility with existing devices.
Not-so-fun facts: An estimated 12,000 laptops are lost or stolen in US airports ... every week. There are over two USB flash drives floating around for every one laptop. By 2011, Microsoft says, a 32 GB flash drive will cost less than $25.
BitLocker To Go is designed primarily for enterprises, where there is serious risk of a user bringing an unprotected storage device into the environment, copying important corporate information (inadvertently or not) to it, and then losing the device outside of the workplace. USB memory keys, in particular, are small and convenient, and quite popular, but they're also easily lost. With BitLocker To Go enabled on the device, one can help protect sensitive corporate--or, for that matter, personal--data in the event of loss or theft.
BitLocker To Go works completely independently of BitLocker, so you do not need to enable BitLocker on the PC, or utilize any TPM hardware, in order to use BitLocker To Go. In use, however, it is similar to BitLocker, and can also be enabled via a simple right-click menu choice.
Tip: While Windows Vista provided enterprises with policy-based mechanisms for blocking USB devices from use on managed PCs, this capability is basically an electronic version of super-gluing USB ports shut. With Windows 7 and BitLocker To Go, the latter of which is also fully manageable, corporations can now control USB storage devices in a far more elegant fashion. For example, one might restrict USB storage device usage only to those devices that have been protected with BitLocker To Go.
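The restriction described in the tip above is a Group Policy setting in Windows 7: "Deny write access to removable drives not protected by BitLocker" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives). The script below is an added example, not from the article, that audits and sets the registry value behind that policy on a single PC; in a domain you would set the same policy through a GPO instead. The RDVDenyWriteAccess value name is the real policy value; the local-machine setting is the assumption here.

```powershell
# Added example: audit/set "Deny write access to removable drives not protected
# by BitLocker". The policy is backed by the registry value below. Assumes a
# stand-alone Windows 7 PC and an elevated PowerShell (2.0 or later) prompt.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$valueName = 'RDVDenyWriteAccess'

function Get-RemovableDenyWritePolicy {
    # Returns $true when the policy is enabled (DWORD value 1), $false otherwise.
    $item = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.$valueName -eq 1)
}

function Enable-RemovableDenyWritePolicy {
    # Create the policy key if no BitLocker policy has ever been applied here.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value 1 -Type DWord
}

if (Get-RemovableDenyWritePolicy) {
    Write-Output "Unprotected removable drives are already read-only on this PC."
} else {
    Write-Output "Policy not set: any USB stick can be written to from this PC."
    Enable-RemovableDenyWritePolicy
    Write-Output "Policy enabled; it takes effect after 'gpupdate /force' or a reboot."
}
```

With the policy in effect, an unprotected USB device still mounts but is read-only, while a BitLocker To Go device becomes writable as soon as it is unlocked, which is the "elegant" control the tip refers to.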
Installing and using BitLocker To Go
Enabling BitLocker To Go is straightforward: Simply connect the removable storage device, open Computer, right-click the device, and choose "Turn on BitLocker" from the pop-up menu that appears.
Alternatively, you can manually run the BitLocker Drive Encryption control panel to view the status of BitLocker and BitLocker To Go on your various attached drives. To do so, open the Start Menu and type bitlocker to find and start BitLocker Drive Encryption. From this interface, simply click the Turn on BitLocker link next to the appropriate drive.
Either way, the BitLocker Drive Encryption wizard will start up in a separate window. After a moment's pause, you'll be asked to choose between password- and smartcard-based locking. Most individuals will need to use a password, but many businesses are starting to use smartcards, which allow administrators to centrally manage BitLocker certificates in Active Directory. Smartcards provide two-factor authentication: In addition to the physical card requirement, the user will still need to type in a four-digit PIN.
In the next step of the wizard, you are asked how you would like to store your recovery key. (Assuming this hasn't been already configured in a managed AD environment.) This key will help you recover the contents of a protected drive should you forget your password, lose your smartcard, or suffer some similar problem. You have two choices: Save (to a text file) or print.
If you do choose to print or save the recovery key, you'll see something like this:
BitLocker Drive Encryption Recovery Key

The recovery key is used to recover the data on a BitLocker protected drive.

To verify that this is the correct recovery key compare the identification with what is presented on the recovery screen.

Recovery key identification: FA0547B2-D965-4D
Full recovery key identification: FA0547B2-D965-4D42-A2CE-8403A68888A2

BitLocker Recovery Key:
After that, you're prompted that the encryption is about to start.
Warning: Disk encryption is still an agonizingly slow process. It takes BitLocker To Go over 20 minutes to encrypt a 2 GB USB memory stick device, for example. I recently encrypted a 320 GB USB hard drive using BitLocker To Go, which isn't recommended: It literally took all of a work day, or several long hours.
Tip: As suggested by the BitLocker Drive Encryption wizard, you can pause encryption if you need to remove the device for some reason. If you don't do so, you could damage or lose files stored on the device.
Once the drive is encrypted, you'll notice a few changes. The icon for BitLocker To Go-encrypted disks is different, for starters, and includes a padlock/key overlay.
When you remove and then insert a protected storage device, you will be prompted to provide a password to unlock the disk. Once you do so, the normal Auto Run dialog will appear and the device will work normally.
Tip: This dialog will appear when you plug the protected device into any Windows 7-based PC. You do not need Windows 7 Enterprise or Ultimate to use this feature; it is compatible with all Windows 7 versions. You only need Windows 7 Enterprise or Ultimate to install BitLocker To Go on a removable storage device.
Note that you can optionally choose to automatically unlock a BitLocker To Go protected disk on a per-PC basis. This is reasonably safe if you provide a password when you log on to your PC, and it is certainly more convenient than retyping your device password every time you plug it in. If you do enable this option, it will not affect how BitLocker To Go functions on other PCs. (That is, the drive is still protected.)
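The wizard steps above (turn on, choose a password, save the recovery key, wait for encryption, unlock on re-insert, optional auto-unlock) can also be driven from the command line with manage-bde.exe, which ships with Windows 7 Enterprise and Ultimate. The script below is an added example, not from the article; the drive letter E: for the USB device and the folder C:\BitLockerKeys for the saved recovery key file are assumptions.

```powershell
# Added example: command-line equivalent of the "Turn on BitLocker" wizard.
# Assumes the removable device is E:, the recovery key file goes to
# C:\BitLockerKeys, and an elevated PowerShell prompt on Windows 7 Enterprise/Ultimate.
$drive  = 'E:'
$keyDir = 'C:\BitLockerKeys'
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null

# 1. Confirm the device is not already protected and check its file system
#    (FAT32, exFAT and NTFS are all supported by BitLocker To Go).
manage-bde -status $drive

# 2. Turn on BitLocker To Go with a password protector (-pw prompts for the
#    password), a numerical recovery password (-rp, the 48-digit key the wizard
#    offers to save or print), and a recovery key file written into $keyDir (-rk).
manage-bde -on $drive -pw -rp -rk $keyDir

# 3. Encryption runs in the background and is slow on large devices; poll the
#    "Percentage Encrypted" line rather than guessing. Pause before unplugging
#    the device mid-encryption and resume once it is reconnected.
manage-bde -status $drive
# manage-bde -pause $drive
# manage-bde -resume $drive

# 4. After re-inserting the device (on any Windows 7 edition), unlock it with the
#    password, or with the recovery password if the password has been forgotten.
manage-bde -unlock $drive -pw
# manage-bde -unlock $drive -rp 000000-000000-000000-000000-000000-000000-000000-000000
#   (placeholder above; use the 48 digits from the saved recovery file)

# 5. Optional per-PC auto-unlock, the same as the wizard's checkbox. The unlock
#    key is stored in this user's profile only, so other PCs still prompt.
manage-bde -autounlock -enable $drive
```

Keep the recovery key file somewhere other than the protected device itself; the whole point of it is to get at the data when the password or smart card is gone.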
Configuring BitLocker To Go
Once BitLocker To Go is installed on a storage device, you can configure it in various ways. If you right-click a protected device in Explorer, a new "Manage BitLocker" option appears in the pop-up menu, replacing "Turn on BitLocker." (You can also access this functionality from the BitLocker Drive Encryption control panel, of course.) The resulting dialog provides a number of options, including ways to change and remove the device's password, remove a smart card (if one is configured), add a smart card, re-save or print the recovery key, and automatically unlock the drive on the current PC.
The BitLocker Drive Encryption control panel provides one unique additional option: The ability to turn off BitLocker. This is the only place in Windows 7 from which you can remove BitLocker. (Short of formatting the disk, which would of course also delete any data stored on it.)
Warning: No shocker this time, but decrypting a BitLocker To Go-encrypted device also takes an incredibly long time.
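The "Manage BitLocker" options and the control panel's "Turn off BitLocker" have manage-bde.exe equivalents as well. The script below is an added example, not from the article; E: and C:\BitLockerKeys are assumptions, and the drive must already be unlocked.

```powershell
# Added example: managing an existing BitLocker To Go device from the command
# line. Assumes the device is E: (already unlocked), recovery key files go to
# C:\BitLockerKeys, and an elevated PowerShell prompt on Windows 7 Enterprise/Ultimate.
$drive  = 'E:'
$keyDir = 'C:\BitLockerKeys'

# List the key protectors. The ID shown for the numerical password protector is
# the "recovery key identification" printed at the top of a saved recovery file,
# which is how you match a stored key to the drive that needs it.
manage-bde -protectors -get $drive

# Change the device password (prompts for the new password).
manage-bde -changepassword $drive

# Re-save the recovery key by adding another external key protector to $keyDir.
manage-bde -protectors -add $drive -rk $keyDir

# Stop unlocking the drive automatically on this PC.
manage-bde -autounlock -disable $drive

# Turn off BitLocker To Go. Decryption is as slow as encryption was; poll -status
# until "Percentage Encrypted" reads 0% before unplugging the device.
manage-bde -off $drive
manage-bde -status $drive
```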
Using BitLocker To Go devices on Windows XP and Vista
BitLocker To Go-protected devices work identically on all Windows 7 systems. But how does this feature work on "downlevel" Windows XP and Vista PCs? For these systems, Microsoft provides a BitLocker Reader application on the encrypted device, allowing users to access the stored files. There is one huge limitation to BitLocker Reader, however: It is read-only. So after you've provided the password to unlock the drive, you can view files and copy them to your PC hard drive. But you cannot save files back to the device. Hey, it's better than nothing.
BitLocker To Go is an excellent disk encryption technology for all kinds of users, and the technology is marred only by two issues, one technical and one marketing. First, while you will typically only need to install BitLocker To Go on a device once, the process can be extremely time consuming. Second, and more egregiously, BitLocker To Go is only available to Microsoft's enterprise customers or to those who pay top dollar for Windows 7 Ultimate. This will severely limit the adoption of BitLocker with individuals, which is too bad: I'd like to see this capability made available to all Windows users.