Section 21.4. BitLocker Drive Encryption: Enterprise • Ultimate

If you think EFS sounds like a great way to keep prying eyes out of your files, you ain't seen nothing yet!

Vista's standard protections (your account password, the encryption of certain files, and so on) are all very nice.

But when million-dollar corporate secrets are at stake, they're not going to stop a determined, knowledgeable thief. The guy could swipe your laptop or even steal the hard drive out of your desktop PC.

If security is that important for you, then you'll be happy to know about BitLocker Drive Encryption, a new Vista feature. When you turn on this feature, your PC automatically encrypts (scrambles) everything on your entire system hard drive, including all of Windows itself.

If the bad guy tries any industrial-strength tricks to get into the drive (trying to reprogram the startup routines, for example, or starting up from a different hard drive), BitLocker presents a steel-reinforced password screen. No password, no decryption.

You won't notice much difference when BitLocker is turned on. You log in as usual, clicking your name and typing your password.

We're talking hard-core, corporate-level security, with hard-core, corporate-level requirements:

  • The Enterprise or Ultimate edition of Vista.

  • Two NTFS hard drives or drive partitions on your system: one that will be encrypted, and one that Vista will use to boot the system. (It won't move your Windows folder there, but it will use that drive to hold the files needed to boot up a PC whose C: drive is encrypted.)

    The bad news is that the second drive needs to come before your C: drive, and must be configured as the active partition (the partition that the system boots from). It's unlikely that you've set your system up with such a configuration, so if you want to use BitLocker, you'll need to reinstall Vista from scratch.

  • You generally need a Trusted Platform Module (TPM), a special circuit that's built onto the system boards of BitLocker-compatible PCs, although there's a sneaky workaround if your PC doesn't have this item. Details in a moment.

To find out if the planets are aligned and all the components are installed for you to use BitLocker, choose Start → Control Panel. Open the Security applet and click BitLocker Drive Encryption.

If you see an option there to "Turn on BitLocker" (Figure 21-9), well, great! You're ready to step up to the strongest encryption Vista has to offer. Click that link, and wait while Vista encrypts your hard drive. Oh, and don't forget the password you provide.
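If you'd rather check the three requirements above from a prompt than by eye in the Control Panel, here is an added example (it is not from the book). It is read-only and changes nothing. It runs from an elevated PowerShell 2.0 prompt on Vista and uses only WMI classes that ship with Vista: Win32_OperatingSystem, Win32_DiskPartition, Win32_LogicalDiskToPartition, and Win32_Tpm with its IsEnabled, IsActivated and IsOwned methods. The 10 MB of slack on the size check is my own allowance for diskpart rounding partition sizes to cylinder boundaries, not a BitLocker rule.

```powershell
# Added example, not from the book: a read-only check of the BitLocker
# prerequisites (edition, separate active system partition, TPM state).
# Run from an elevated PowerShell 2.0 prompt on Vista.

# diskpart "size=1500" is 1500 MB; allow ~10 MB for cylinder rounding (my assumption)
$MinSystemPartitionBytes = 1500MB - 10MB

function Test-BitLockerEdition {
    # Caption looks like "Microsoft Windows Vista Ultimate"
    $caption = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    return [bool]($caption -match 'Enterprise|Ultimate')
}

function Get-CPartition {
    # Resolve the C: logical disk to the Win32_DiskPartition that holds it
    $q = 'ASSOCIATORS OF {Win32_LogicalDisk.DeviceID="C:"} WHERE AssocClass=Win32_LogicalDiskToPartition'
    return Get-WmiObject -Query $q
}

function Get-ActivePartitions {
    # BootPartition is the "active" flag that diskpart's ACTIVE command sets
    return @(Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.BootPartition })
}

function Test-SystemPartitionLayout {
    # True when some active partition is separate from C: and big enough
    $c = Get-CPartition
    if (-not $c) { return $false }
    foreach ($p in Get-ActivePartitions) {
        $isSeparate = ($p.DeviceID -ne $c.DeviceID)
        $bigEnough  = ([int64]$p.Size -ge $MinSystemPartitionBytes)
        if ($isSeparate -and $bigEnough) { return $true }
    }
    return $false
}

function Get-TpmState {
    # Win32_Tpm lives in its own namespace and is absent on PCs without a TPM
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    return @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

# Report the three requirements
Write-Host ("Edition OK (Enterprise/Ultimate):     {0}" -f (Test-BitLockerEdition))
Write-Host ("Separate active partition >= 1.5 GB:  {0}" -f (Test-SystemPartitionLayout))
$tpm = Get-TpmState
if ($tpm -eq $null) {
    Write-Host "TPM: not present (see the flash-drive workaround in 21.4.2)"
} else {
    Write-Host ("TPM: enabled={0} activated={1} owned={2}" -f $tpm.Enabled, $tpm.Activated, $tpm.Owned)
}
```

A TPM that is present but reports enabled=False or activated=False usually needs to be switched on in the BIOS setup before the Control Panel will offer "Turn on BitLocker"; the script only reports, it never touches the TPM.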

21.4.1. Reinstalling Vista on Two Partitions

If, on the other hand, you see a note there explaining why you can't use BitLocker (Figure 21-8), proceed like this:

Figure 21-8. Unfortunately, this computer doesn't have what it takes to run BitLocker. But with the right tweaks, you might be able to change Vista's mind about that.


  • If you don't have two partitions, you'll need to back up your data, dig out your Vista installation DVD, create the partitions, and reinstall.

  • If you don't have a TPM, you'll need a USB flash drive. With some tweaks to Vista's configuration, you can use this as the "ignition key" to bootstrap BitLocker's strong encryption, eliminating the need for the TPM.

    The USB flash drive option works only on PCs whose BIOS can see flash drives in the "pre-OS environment" (that is, before Windows has actually loaded at startup).


    Note: Microsoft may one day release a software tool that eliminates the need to manually repartition your system. Keep an eye on the BitLocker team blog for updates: http://blogs.technet.com/bitlocker/

Here's what you need to do to reinstall Vista with two partitions for BitLocker:

  1. Start up from the Vista installation DVD.

    Sooner or later, the Install Windows screen appears.

  2. Choose "Repair Your Computer."

    You arrive at a screen where you can choose an operating system to recover. If you're installing Vista on a brand-new hard drive, you won't see anything listed here. Otherwise, select your currently installed operating system and click Next.

    Now you've got a bunch of recovery tools to choose from.

  3. Choose Command Prompt.

    Here's where you have to get your hands dirty at the command line.

  4. Type diskpart at the Command Prompt and press Enter.

    The DISKPART> prompt appears. The next step will create one drive (with drive letter S:) that meets the BitLocker minimum size (1.5 GB), set it as active, and then create a C: drive with the remaining space. This will erase everything on your hard drive, so you'd better have backed things up!

  5. Type the following commands, pressing Enter after each one:

     select disk 0
     clean
     create partition primary size=1500
     assign letter=S
     active
     create partition primary
     assign letter=C
     exit

    Now you're back at the Command Prompt. You have to format the two drives you created:

  6. Type these commands:

     format S: /y /q /fs:NTFS /V:BITLOCKER
     format C: /y /q /fs:NTFS /V:VISTA

    As usual, press Enter after each command.

  7. Type exit to close the Command Prompt, click the X in the upper-right corner of the list of System Recovery Tools (don't click Shut Down or Restart), and install Vista onto the C: drive you just formatted.

If there's a TPM chip in your PC, you should now be able to turn on BitLocker on your drive (see Figure 21-9).

Figure 21-9. You're now ready to encrypt your drive to keep it safe from prying eyes.


21.4.2. The Flash-Drive Workaround

Of course, a TPM is a special circuit that you either have in your PC or you don't. Fortunately, there's a clever workaround that, believe it or not, lets you use an ordinary USB flash drive instead of a TPM:

  1. Open the Start menu. In the search box, type gpedit.msc. Press Enter.

    You've just opened the Group Policy Object Editor, a program you can use to configure advanced settings on Windows.

  2. Drill down to Local Computer Policy → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption.

    Examine the right side of the window.

  3. Find "Control Panel Setup: Advanced Setup Options," and double-click it.

    The Properties dialog box appears.

  4. Select Enabled. Make sure "Allow BitLocker without a compatible TPM (requires a startup key on a USB flash drive)" is turned on. Click OK.

    Reboot your computer.

21.4.3. Turning on BitLocker

Now reopen the Control Panel, and select Security → BitLocker Drive Encryption; the window should now look like Figure 21-9. Click Turn On BitLocker, follow the instructions, and let Windows encrypt your drive; this can take some time. You're now protected, even from the most determined and knowledgeable hard drive thieves.


Note: Along the way, BitLocker asks you to save your password somewhere. Be sure to keep it secret and keep it safe. You're going to need it if Vista decides that you've done something that makes it think you're a hacker trying to get in, like installing a second operating system in a dual-boot configuration.
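Two things are worth confirming once you've been through 21.4.2 and 21.4.3: that the "allow BitLocker without a compatible TPM" policy really took effect, and that the drive ended up protected with a saved recovery password and not merely "encrypting". The following added example (not from the book) does both from an elevated PowerShell 2.0 prompt on Vista, read-only. The volume checks use the Win32_EncryptableVolume WMI class and its GetProtectionStatus, GetConversionStatus, GetKeyProtectors and GetKeyProtectorType methods, which ship with Vista; the password BitLocker asks you to save in the Note above is what that class reports as a "numerical password" protector (type 3). The two registry value names in the policy check, UseAdvancedStartup and EnableNonTPM under the FVE policy key, are my understanding of what the gpedit.msc setting writes on Vista and are an assumption; confirm them against a registry export before relying on that part.

```powershell
# Added example, not from the book: read-only checks for the flash-drive
# workaround (21.4.2) and for the result of turning BitLocker on (21.4.3).
# Run from an elevated PowerShell 2.0 prompt on Vista; nothing is changed.

function Test-NonTpmStartupPolicy {
    # "Control Panel Setup: Advanced Setup Options" is a machine policy, so
    # gpedit.msc stores it under the FVE policy key. The two value names are
    # my assumption about what that policy writes on Vista; verify locally.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return $false }
    $p = Get-ItemProperty -Path $key
    return (($p.UseAdvancedStartup -eq 1) -and ($p.EnableNonTPM -eq 1))
}

# Key protector types as returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (the recovery password BitLocker asks you to save)'
    4 = 'TPM + PIN'
    5 = 'TPM + startup key'
}

function Get-BitLockerVolumeReport {
    param([string]$DriveLetter = 'C:')
    $ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { return $null }

    # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown/suspended
    $protection = $vol.GetProtectionStatus().ProtectionStatus
    # ConversionStatus: 0 = decrypted, 1 = fully encrypted, 2 = encrypting, 3 = decrypting
    $conv = $vol.GetConversionStatus()

    # Enumerate every protector (argument 0 = all types) and classify it
    $types = @()
    foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }

    return @{
        Drive               = $DriveLetter
        Protected           = ($protection -eq 1)
        ConversionStatus    = $conv.ConversionStatus
        PercentEncrypted    = $conv.EncryptionPercentage
        ProtectorTypes      = $types
        HasRecoveryPassword = ($types -contains 3)
        HasUsbStartupKey    = ($types -contains 2)
    }
}

Write-Host ("Non-TPM startup-key policy in effect: {0}" -f (Test-NonTpmStartupPolicy))
$r = Get-BitLockerVolumeReport 'C:'
if ($r -eq $null) {
    Write-Host "C: is not an encryptable volume (BitLocker components missing?)"
} else {
    Write-Host ("C: protected={0} conversion={1} ({2}% encrypted)" -f `
        $r.Protected, $r.ConversionStatus, $r.PercentEncrypted)
    foreach ($t in $r.ProtectorTypes) {
        $name = $ProtectorNames[$t]
        if (-not $name) { $name = "type $t" }
        Write-Host ("  protector: " + $name)
    }
    if (-not $r.HasRecoveryPassword) {
        Write-Host "  No recovery password protector: keep the saved password from the Note, or add one, before changing boot configuration"
    }
}
```

On a PC that went through the flash-drive workaround you should see an "External key" protector alongside the numerical password; on a TPM machine, a "TPM" protector instead. Either way, the recovery password is the only thing that gets you back in after the kind of boot change the Note describes, so its absence is the one line of this report to act on.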



Windows Vista: The Missing Manual
ISBN: 0596528272
Year: 2006
Pages: 284
Authors: David Pogue