

Enabling BitLocker for the First Time

So now that you have kept up this far, you are officially blessed with the author's permission to enable BitLocker and encrypt your Windows OS volume. The steps to turn on BitLocker are very simple, provided that your disk is set up beforehand. Here's what to do.

First make sure you have:

  • A computer that meets the minimum requirements for Windows Vista.

  • A TPM microchip, version 1.2. Some computer manufacturers require you to explicitly activate the TPM in the BIOS; however, most should simply allow Windows to detect it and communicate with TPM Base Services.

  • A Trusted Computing Group (TCG)–compliant BIOS.

  • Two NTFS drive partitions: one for the active partition (the "system volume" from which the computer starts, which stays unencrypted) and one for the Windows OS volume (on which Vista will be installed and which BitLocker encrypts). The active partition must be at least 1.5 GB.

  • The BIOS set to boot first from the hard drive with the active partition, not the USB or CD drives.

New computers designed to support Windows Vista are expected to ship with the hard disk already configured with two partitions, in a way that is compatible with BitLocker. However, if you are upgrading from Windows XP, or if you have installed Windows Vista on a hard drive with only one partition (volume), you will need to configure the drive into two partitions first.

If you are doing a "clean" install, you can set up the disk with the correct partitions during the Windows Vista setup. Note that this will erase anything you might already have on the disk. Here are the steps to follow, as per the "Windows BitLocker Drive Encryption Step-by-Step Guide," published by Microsoft (see http://www.microsoft.com/technet/windowsvista/library/.mspx#BKMK_S1):

  1. Start the computer from the Windows Vista product DVD.

  2. In the initial Install Windows screen, choose your "Installation language," "Time and currency format," and "Keyboard layout," and then click Next.

  3. In the next Install Windows screen, click System Recovery Options, located in the lower left of the screen.

  4. In the System Recovery Options dialog box, choose your keyboard layout and click Next.

  5. In the next System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list, below any listed entries. Then click Next.

  6. In the next System Recovery Options dialog box, click Command Prompt.

  7. To use the Diskpart tool to create the necessary partitions, at the command prompt, type diskpart, and then press Enter.

  8. Type select disk 0.

  9. Type clean to erase the existing partition table.

  10. Type create partition primary size=1500 to create a primary partition of 1500 MB (diskpart sizes are in megabytes). This will become the unencrypted active partition.

  11. Type assign letter=S to give this partition the S: designator.

  12. Type active to set the new partition as the active partition.

  13. Type create partition primary to create another primary-type partition. You will install Windows on this larger partition. Because no size is specified, it will default to using all of the remaining space on the drive.

  14. Type assign letter=C to give this partition the C designator.

  15. Type list volume to display all the volumes on this disk: volume numbers, letters, labels, file systems, types, sizes, status, and information. Check that you have exactly two volumes, lettered S and C. Until you format them in steps 17 and 18, the file-system column will show RAW rather than NTFS; that is expected at this point.

  16. Type exit to leave the diskpart application.

  17. Type format c: /y /q /fs:NTFS to properly format the C: volume.

  18. Type format s: /y /q /fs:NTFS to properly format the S: volume.

  19. Type exit to leave the command prompt.

  20. In the System Recovery Options window, use the close window icon in the upper right (or press ALT-F4) to close the window to return to the main installation screen. (Do not click Shut Down or Restart.)

  21. Click "Install now" and proceed with the Windows Vista installation process.

When installing Vista, choose the larger volume, not the active partition, as the destination for Vista.
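The same partitioning, as a diskpart script rather than commands typed one at a time. This is an added example, not from the book or from Microsoft's step-by-step guide; its value is that the layout can be reproduced identically on every machine you build. It assumes the target is disk 0 and that X: (the Windows PE RAM disk behind the System Recovery Options command prompt) is writable; neither is stated on the page.

```batch
@echo off
rem Added example, not from the book or from Microsoft's step-by-step guide:
rem steps 7-18 above as a diskpart script, so the layout can be reproduced
rem identically on every machine you build instead of typed by hand. Run it
rem from the System Recovery Options command prompt. "clean" destroys
rem everything on the selected disk. Assumptions (not stated on the page):
rem the target is disk 0, and X: (the Windows PE RAM disk) is writable.

set SCRIPT=X:\bitlocker-parts.txt

rem Write the diskpart commands to a file; "diskpart /s" runs them in order.
(
  echo select disk 0
  echo clean
  echo create partition primary size=1500
  echo assign letter=S
  echo active
  echo create partition primary
  echo assign letter=C
  echo list volume
) > %SCRIPT%

diskpart /s %SCRIPT%
if errorlevel 1 (
  echo diskpart reported an error. Do not continue with Windows setup.
  exit /b 1
)

rem Same format commands as steps 17-18, with volume labels so the two
rem partitions are easy to tell apart later. S: stays unencrypted and holds
rem the files the computer starts from; C: is the volume BitLocker encrypts.
format C: /y /q /fs:NTFS /v:Windows
format S: /y /q /fs:NTFS /v:System
```

The script stops before formatting if diskpart fails, so a half-applied layout is not silently formatted and installed onto; check the list volume output it prints for two volumes, S and C, before clicking "Install now".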

If you already have a Vista installation with only one volume, your options with the RC1 version of Vista are limited: only repartitioning a new disk (or a clean installation) is officially supported. There are a number of third-party repartitioning tools, and diskpart has a shrink command, but repartitioning a live system into a BitLocker-compatible layout is not for the faint of heart, so back up the system before you try it.

By the time Windows Vista ships, there should be some help. The BitLocker team announced on their blog in June 2006 that they were working on a utility to automatically reconfigure the disk to support BitLocker (see http://www.blogs.technet.com/bitlocker/archive/2006/06/09/PartitionVistaB2.aspx).

After Windows Vista has been successfully installed and the system has the correct volumes configured, follow these steps to enable BitLocker on your computer:

  1. Click Start → Control Panel → Security → BitLocker Drive Encryption.

  2. If the User Account Control dialog box appears, verify that the proposed action is what you requested, and then click Continue.

  3. From the BitLocker Drive Encryption screen, click Turn On BitLocker on the Windows OS volume. If your TPM is not initialized, you will see the Initialize TPM Security Hardware Wizard. Follow the directions to switch on the TPM and reboot your computer. Once the TPM is initialized, click Turn On BitLocker on the Windows OS volume again.

  4. In the Save the recovery password dialog box, you will see the following options:

    • Save the password on a USB drive. Saves the password to a removable drive.

    • Save the password in a folder. Saves the password to a network drive or other location. Choose a location that is not on the volume you are about to encrypt.

    • Print the password. Prints the password.

  5. Choose at least one of these options to preserve the recovery password (you can use more than one). Without it, the data is unrecoverable if the TPM later fails validation or the motherboard is replaced.

  6. From the "Encrypt the selected disk volume" dialog box, confirm that the "Run BitLocker system check" box is checked and click Continue.

  7. Confirm you want to reboot the computer by clicking Restart Now. The computer reboots and BitLocker ensures that the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.

  8. If it is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the progress of the volume encryption by hovering your mouse cursor over the BitLocker Drive Encryption icon in the notification area of the taskbar.

Note 

These steps are based on the Microsoft documentation, available at http://www.microsoft.com/technet/windowsvista/library/.mspx.

The actual encryption process takes some time, but the computer remains usable during the conversion. The time varies with the amount of free space on the volume (free space is processed much faster than space in use), but a rough estimate is about 1 minute per gigabyte of used space, so a 250 GB drive will typically take from 2 or 3 hours when it is mostly empty to about 4 hours when it is nearly full.
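The same "turn on BitLocker" procedure as steps 1 through 8 above, driven from an elevated command prompt with manage-bde.wsf (the script Vista ships in %windir%\system32) instead of the Control Panel wizard, with the recovery information recorded off the volume and a status check for the encryption that follows the reboot. This is an added example, not code from the book or from Microsoft's guide. It assumes the OS volume is C:, that a USB stick mounted as F: receives the recovery key, and that \\fileserver\bitlocker-recovery is a share for a copy of the 48-digit recovery password; the share name is hypothetical and none of these are stated on the page. Confirm the switches against cscript manage-bde.wsf -? on your build, since the page describes RC1.

```batch
@echo off
setlocal
rem Added example, not from the book or from Microsoft's guide: the same
rem "turn on BitLocker" procedure as steps 1-8 above, but from an elevated
rem command prompt with manage-bde.wsf, the script Vista ships in
rem %windir%\system32. Assumptions (not stated on the page): the OS volume is
rem C:, a USB stick mounted as F: holds the recovery key, and
rem \\fileserver\bitlocker-recovery is a hypothetical share for a copy of the
rem 48-digit recovery password. Confirm the switches against
rem "cscript manage-bde.wsf -?" for your build.

set MBDE=cscript //nologo %windir%\system32\manage-bde.wsf
set RECOVERY_DIR=\\fileserver\bitlocker-recovery

rem Show the current protection and conversion status before changing anything.
%MBDE% -status C:
if errorlevel 1 (
  echo manage-bde could not query C:. Is this an elevated prompt on a BitLocker-capable build?
  exit /b 1
)

rem Turn on BitLocker with the TPM protector plus two recovery protectors:
rem a numerical recovery password, generated for you, and a recovery key
rem written to F:\. Without -SkipHardwareTest the hardware test runs at the
rem next reboot and encryption starts only if it passes, exactly like the
rem wizard's "Run BitLocker system check".
%MBDE% -on C: -RecoveryPassword -RecoveryKey F:\
if errorlevel 1 (
  echo Turning on BitLocker failed. See the message above; nothing was encrypted.
  exit /b 1
)

rem Record the key protectors, recovery password included, somewhere that is
rem NOT on C:. A recovery password stored only on the volume it unlocks is
rem useless when that volume will not unlock.
%MBDE% -protectors -get C: > "%RECOVERY_DIR%\%COMPUTERNAME%-bitlocker.txt"
type "%RECOVERY_DIR%\%COMPUTERNAME%-bitlocker.txt"

echo Reboot now to run the hardware test. After the reboot, track progress with:
echo   %MBDE% -status C:
endlocal
```

After the reboot, manage-bde -status C: reports the percentage encrypted and the conversion state; the machine remains usable while it climbs, as described above. Treat the text file on the share like a password file: anyone who reads it can unlock the volume.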




Administering Windows Vista Security: The Big Surprises
ISBN: 0470108320
Year: 2007