Using Bitlocker to Encrypt Your Entire Hard drive

Security at Your Fingertips Part 3 of 5

We took a quick break from our five part series so I could write about software that, in my opinion, is not HIPAA compliant because it requires the user to have Administrative rights just for the software to run.  You can find that article here:

Today, let's get back on track with Security at Your Fingertips with our new installment:

Using Bitlocker to Encrypt Your Entire Hard drive

Bitlocker is a built-in feature of Windows but only for certain editions of Windows.  In order to use Bitlocker, you have to be running one of the following Editions of Windows:

· Windows Vista Enterprise or Windows 7 Enterprise
· Windows Vista Ultimate or Windows 7 Ultimate

Notice that I am now including Windows 7 in the list.  That's right, friends, Windows 7 was Released to Manufacturing (RTM) just a few days ago.  By October 22 of this year, you should be able to purchase new computers with this fantastic new operating system installed! 

But also notice that our list does not include the Business or Home editions.  Personally, I would have thought the Business edition of Windows Vista or Windows 7 would include Bitlocker, but sadly that is not the case. 

So what exactly is Bitlocker?  Well, as the title suggests it is a way to encrypt your computer's entire hard drive.  Why is this important?  Recall all those stories we've heard about laptops being stolen or lost that had some really important information on them.  Once the machine is stolen, the bad guy doesn't have to guess your passwords.  Instead, he can remove the laptop's hard drive and install it as a second drive in another computer.  Once done, the bad guy can boot into his copy of Windows or some other operating system, mount your C drive as his E drive, then read all your files.  This falls right in with our earlier rule that if a bad guy has unrestricted physical access to your computer then it's not your computer anymore.  With Bitlocker, however, we now have a fighting chance.  Once we encrypt the entire contents of our hard drive, if the bad guy removes the drive from the stolen laptop and tries to read it in his computer then all he'll see is a bunch of scrambled stuff that is meaningless.  So, while the bad guy may have a free $1200 laptop, he doesn't have all your data.  And that's what's important because I'm sure you'll agree the data on your laptop is worth far more than the laptop. 

So how does Bitlocker work?  Well, as we mentioned earlier you have to have one of the versions of Windows that supports it.  Also, to get the most out of Bitlocker, your laptop needs to have what's called a TPM (Trusted Platform Module) chip.  Pretty much all laptops sold today have this chip in them, but if your laptop does not have the TPM chip (you'll need to check with your manufacturer to see if it does), fear not as you can use a USB thumb drive in place of the TPM chip. 
When the laptop boots, the TPM chip checks the components of the computer to see whether anything has changed since the last boot.  If something has, the system refuses to boot, and you'll have to unlock the machine with a key stored on a USB stick or entered by hand, or else restore from backup.  Once the system or the key you entered has been verified, the system boots as normal and the user notices no other differences.  If your system does not have a TPM chip, you'll need to provide the USB stick holding the key every time the system boots, and if you lose that USB stick you'll need to restore from backup.

Let's pause for a moment so I can make clear two very important things:

1. Notice I said the words "restore from backup."  That's right, Bitlocker is very serious technology.  If you decide to use Bitlocker, follow all the instructions and make certain you have your IT guy there with you to show you exactly how all this works.  You can make hardware upgrades to your laptop and have Bitlocker accept those upgrades (remember, if Bitlocker detects changes to your laptop it will refuse to boot because it assumes the laptop has been stolen), but you must follow procedure.  Furthermore, if you lose your USB drive with your decryption key, then there is nothing you can do except re-format your hard drive, reinstall Windows, and then restore your data from backup.  Bitlocker has no backdoors, no other secret ways in, nor any type of fallback plan that everyone can just magically use to get it to work.  And what would be the point?  If there were a secret way in, it would only be a matter of time before it was posted all over the Internet, and then Bitlocker would be useless.  Please, follow procedure and keep good backups (which you should be doing, anyway).

2. If you do not have a TPM chip in your laptop and you are using a USB drive to hold your encryption key, then do not store the USB thumb drive in the bag with your laptop!  Think about it.  If you put the USB thumb drive in a pocket in your laptop bag, and your laptop bag gets stolen, didn't you just defeat the purpose?  Keep the thumb drive key in your pocket or something similar.

All that being said, I highly recommend Bitlocker.  Once you get it set up, it's actually very easy to use and has a negligible performance penalty on your system.  It's also the best protection you can have should your laptop be stolen while you're at the airport or if you lose your laptop while on vacation. 

If you decide to implement Bitlocker, be sure to have a good backup before you start in case you make a mistake (did I mention that good backups are something you should be doing anyway?).  Also, be sure to have your IT support there with you.  To find out the individual steps needed to get Bitlocker up and going on your system, go to Start then click Help and Support on your Windows Vista or Windows 7 system and type "Bitlocker" in the search help field.  Windows help will have all the steps you need to move forward.  Once you get Bitlocker going, then (Heaven forbid) should your laptop get stolen the biggest concern you'll have is getting your insurance company to pay for a new laptop and then getting your data restored on that one.
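To check the two prerequisites this article raises (does the machine have a TPM, and is the Windows drive actually protected, and by what kind of key) without waiting on the manufacturer, here is an added PowerShell example that is not part of the original article. It assumes an elevated PowerShell prompt on Windows Vista or 7 (or later) and reads the WMI classes Windows exposes for the TPM (Win32_Tpm) and for BitLocker volumes (Win32_EncryptableVolume).

```powershell
# Added example: report TPM presence and BitLocker protection state.
# Reads the Win32_Tpm and Win32_EncryptableVolume WMI classes; run elevated.

# Key protector types returned by Win32_EncryptableVolume.GetKeyProtectorType
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)';
    3 = 'Numerical password (recovery key entered by hand)'; 4 = 'TPM and PIN';
    5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
    7 = 'Public key'; 8 = 'Passphrase'
}

# 1. Edition: only some editions ship BitLocker (see the list above)
$os = Get-WmiObject Win32_OperatingSystem
Write-Host "Windows edition: $($os.Caption)"

# 2. TPM: the class is missing when there is no TPM, or it is turned off in the BIOS
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    Write-Host "TPM present: yes (enabled=$enabled, activated=$activated)"
} else {
    Write-Host "TPM present: no -- a USB startup key will be needed at every boot"
}

# 3. BitLocker state of each volume and which key protectors exist
$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
if (-not $volumes) { Write-Host 'BitLocker WMI provider not found: this edition has no BitLocker'; return }

foreach ($vol in $volumes) {
    $status = switch ($vol.GetProtectionStatus().ProtectionStatus) {
        0 { 'unprotected' } 1 { 'protected' } default { 'unknown' }
    }
    Write-Host "Volume $($vol.DriveLetter): $status"
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    foreach ($id in $ids) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        Write-Host "  protector: $($protectorNames[[int]$type])"
    }
    # The failure mode the article warns about: a protected drive with no recovery key
    $hasRecovery = $ids | Where-Object { $vol.GetKeyProtectorType($_).KeyProtectorType -eq 3 }
    if ($status -eq 'protected' -and -not $hasRecovery) {
        Write-Host '  WARNING: no recovery password protector; losing the startup key means restoring from backup'
    }
}
```

If the drive shows "protected" with only an "External key" protector, the USB stick is the single way in, which is exactly the situation the two points above describe.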

James Summerlin, Information Systems Management and Software Development
Professional Data Management, Inc. Contact him at