It has been a while since I wrote the first part, much longer then I planned but as
the saying goes: Man plans,God smiles…
In the first part of the series I have described what is Bitlocker and how it works,
now it’s time to get your hands dirty and implement it. As with any process, planning/preparing
will increases the chances of success and in the case of Bitlocker it doesn’t really
matter wether you plan to implement it on one system or one thousand systems some
planning is necessary.
Planning/preparing the process
The preparations for Bitlocker implementation concentrate on two major areas:
- Choosing the the protector- in my previous post I have pointed out that there are
two types of protectors (I wouldn’t count the recovery key/password as standard protectors).
Before you begin the process you should choose the protector you plan to use.
The decision is dependent on what your system(s) supports.
- Facilitating recovery– If your protector is lost or damaged you should be ready to provide
a recovery process, if you can’t you will be stuck with a very large and useless brick…
Recovery can be provided by either saving the text file (which stores the 48 character
recovery key) or storing the same information in Active Directory. An additional option is to
carry an additional key with you.
I will describe all options and their use later in this post.
Starting the process – Creating a new boot volume
The process for creating a new boot volume can be executed manually or with a tool provided by Microsoft
(found in Vista Ultimate). The description and methods of obtaining the tool can be found at:
- Start the ‘Bitlocker Drive Preparation Tool’
- Accept the license
- Note the warnings described by the wizard. The last one is especially important, do not store any data
on the newly created partition as it will not be encrypted. Press ‘Continue’.
- At this stage the wizard starts the actual work by shrinking drive C, creating a new volume (S: unless already
in use in which case it will use the next available letter-Thanks Eli!), copying the necessary files and turning it
into the active drive.
- At this stage you will be requested to restart the system.
Starting the process – Configuring the local GPO
Unless you are in an enterprise environment you need to configure your local GPO settings to enable the usage
of BitLocker and to customize it.
- Start>Run>gpedit.msc [acknowledge the UAC prompt]
- Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption
- Even though it may seem a bit daunting (and not to mention that each of the options has significant impact on the
way BitLocker is implemented) the options are relatively straight forward:
- Turn on BitLocker backup to Active Directory Domain Services– As the name implies, this option
controls wether a backup to AD should be made, wether it is mandatory and what should be backed
up (48 digit key and/or key packages-that will enable the creation of keys later on).
- Control Panel Setup:Configure recovery folder- allows you to set the default path provided by the
wizard when saving the recovery password.
- Control Panel Setup:Configure recovery options- enables you to specify the recovery key type. Note
that since Bitlocker must have a recovery method if you disallow both key types (48 and 256) then AD
recovery must be enabled (if not a policy error occurs).
- Control Panel Setup:Enable advanced startup options-Now this one is important. To enable Bitlocker
this setting must be enabled as it determines which protector will be used and how:
- Allow BitLocker without a compatible TPM – if your system does not have a supported TPM (1.2).
- If the computer does have a TPM then you can set the mechanism needed to access the information
stored on the TPM (either a PIN code or a key, you can’t have both).
- Configure Encryption Method – self explanatory
- Prevent memory overwrite on restart- If enabled, it will overwrite memory before restarting. This
destroys the key stored in RAM to access encrypted material or in other words increases safety at the
cost of performance.
- Configure TPM platform validation profile- one major advantage of using a system with TPM is
the added security a Trusted Platform Module provides. This added security comes in the form of
verification of boot time parameters, if those parameters changed the TPM will not allow access to the
encryption keys and the system will enter recovery mode.
Starting the process – Enabling BitLocker
Up to this point no encryption mechanisms have been enabled. Your system has been changed, yet the changes did
not enable or apply any encryption to the system,so lets get to it:
- Once the settings have been configured we can finally start the encryption process. This is done by starting the
BitLocker Drive Encryption tool.
- Choose ‘Turn On BitLocker’. The screenshots have been taken from a system that has a compatible
TPM. If your system doesn’t have one, the steps will be a bit different but the concept will be the same.
- If you haven’t turned the TPM on yet you will receive a warning message about it- Vista turns it on but it still
needs some interaction from you- Shutdown the system and turn it on.
- After restarting, on the system I used (Lenovo X61) I received a message requesting me to acknowledge the
request to turn the TPM on.
- After acknowledging the request, I logged into the system and I could finally start the encryption process.
- Ownership of the TPM is taken.
- At this stage (if you configured the system to use a PIN to protect the TPM) you will be asked for that PIN.
If you chose to use a key you will be asked to use a removable storage device to store the key.
- As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
Note that you can create additional keys later one but you need to create at least one at this stage
- Once the recovery key is saved, the encryption can start…well almost. After creating the recovery
key I would advise that you make sure that it is tested by marking the checkbox for ‘Run BitLocker
System Check’. This will restart your system and the recovery key you created will be tested.
If the test fails, encryption will not commence.
- After the system starts up, you finally get to the promised land…or encryption.
A few Observations about the process
- The encryption process can be paused and continued at a later stage by different users of the same system.
The process will continue over restarts form the point it left off, and the decryption key will be required after
every restart and hibernation.
- During the encryption process, the free space on the volume being encrypted drops dramatically to approximately
6 GB. This happens due to the way BitLocker balances between security and performance while encrypting a volume. Free
space on a hard drive is rarely empty, when you delete data on a volume you do not destroy the data, you simply
hide it from plain view. In other words, free disk space may still hold valuable data and it too needs to be encrypted
or destroyed. When deciding on a method (encrypting or destroying the data) encrypting the data stored in free space
seems to be a waste of time and performance so the logical solution is destroying the data. This is achieved by creating
a huge file (called the wipe file) that covers all free space, except 6GB (to avoid full disk messages) which are encrypted.
- The process bar (percentage) doesn’t seem to reflect the time left-so don’t base your time calculations on it. It seems to
start out at a slower pace and the pick up.
Once BitLocker is applied there is not much to do, it’s simply there.Nevertheless, there are a few additional tasks that
you should be aware of and both are reachable by starting the ‘BitLocker Drive Encryption Tool’:
- Save additional copies of the Recovery key
- Reset the TPM PIN
- Encrypt additional volumes- once the first volume (typically C:) is encrypted, additional volumes (except S:)
can be encrypted.
- Turn off BitLocker- You may want to turn off BitLocker for two main reasons:
- Remove BitLocker from the system – This can be done by choosing ‘Turn Off Bitlocker’
and then ‘Decrypt the drive’. This is a lengthy process as the drive needs to be fully decrypted.
- Disable Bitlocker for driver installations and BIOS updates – In some cases you might be instructed to
help in facilitating BIOS updates or driver installations by disabling BitLocker. When you disable BitLocker
you do not remove the encryption, you simply put it on hold…the key needed to decrypt the data is freely
available to the OS.
Managing BitLocker – Recovery
Recovery mode can be triggered by several factors:
- If you use TPM and the boot environment has been tampered with (automatically)
- You lost your TPM PIN or key (manually)
- On a TPM protected system, the system board needs to be replaced
- On a TPM protected system, the disk is moved to a different system
If recovery mode is triggered you will need to use either the recovery key you have created or the recovery
password that is stored with the recovery key you created. Basically they are both protectors in different
forms, one provides the key by a file saved on removable storage while the other provides the key by
entering a 48 digit long password. Both can be used by you if you have access to the removable storage
while the password can be used by a helpdesk representative helping you remotely.
Lets take a closer look at these protectors:
- BEK (Backup Encryption Key?) file – This is an unreadable (to human eyes) file that stores the key needed
by BitLocker to decrypt the volume in question.
- TXT (Text) file – Holds the 48 digit password which is the key to the volume.
To use these recovery options, you should choose recovery mode (or reach it automatically) when your system
by pressing ESC
Note that once you reach recovery you are requested to provide the key (note the file name in the screenshot). If
you do not have the key with you you can press Enter which will provide you with the user interface needed to
enter the 48 digit password:
Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is not different from a standard boot mode. Recovery mode simply uses different
protectors to provide the decryption.
Even though you can continue working normally using recovery mode to boot every time you should recreate your
original method of booting the system,either by creating a new key (on a removable storage device) or on your
TPM(which may be a bit more complicated then it seems,more about this in part three).
2nd part conclusions
In this part of the series I tried to describe the hands on process of configuring BitLocker and using it, we are not
done though. In part three, I plan to show you how to use the command line interface to control BitLocker
and a few additional tips and tricks.
As usual,any feedback/corrections are welcome.