BitLocker – Implementation (Part 2 of 3)

It has been a while since I wrote the first part, much longer than I planned, but as
the saying goes: man plans, God smiles…

In the first part of the series I described what BitLocker is and how it works;
now it's time to get your hands dirty and implement it. As with any process, planning and preparation
increase the chances of success, and in the case of BitLocker it doesn't really
matter whether you plan to implement it on one system or on a thousand: some
planning is necessary.

Planning/preparing the process

The preparations for a BitLocker implementation concentrate on two major areas:

  1. Choosing the protector – in my previous post I pointed out that there are
    two types of protectors (I wouldn't count the recovery key/password as standard protectors).
    Before you begin the process you should choose the protector you plan to use.
    The decision depends on what your system(s) support: a TPM (version 1.2) for TPM-based
    protection, or a USB port for a startup key if there is no TPM.
  2. Facilitating recovery – if your protector is lost or damaged you must be able to run
    a recovery process; if you can't, you will be stuck with a very large and useless brick…
    Recovery can be provided either by saving the text file (which stores the 48-digit
    recovery password) or by storing the same information in Active Directory. An additional option is to
    carry a recovery key on removable storage with you.

I will describe all options and their use later in this post.

Starting the process – Creating a new boot volume

The process of creating a new boot volume can be executed manually or with a tool provided by Microsoft,
the BitLocker Drive Preparation Tool (available to Vista Ultimate as an Ultimate Extra). The description
and methods of obtaining the tool can be found at:

  1. Start the ‘Bitlocker Drive Preparation Tool’


  2. Accept the license


  3. Note the warnings shown by the wizard. The last one is especially important: do not store any data
    on the newly created partition, as it will not be encrypted (it holds the unencrypted boot files that run
    before the OS volume can be unlocked). Press 'Continue'.


  4. At this stage the wizard starts the actual work: shrinking drive C:, creating a new volume (S:, unless that
    letter is already in use, in which case it takes the next available letter – thanks Eli!), copying the necessary
    boot files and marking the new volume as the active partition.


  5. At this stage you will be requested to restart the system.

Starting the process – Configuring the local GPO

Unless you are in an enterprise environment (where these settings arrive through a domain GPO), you need to
configure the local GPO settings to enable BitLocker and to customize it.

  1. Start > Run > gpedit.msc (acknowledge the UAC prompt)
  2. Go to: Computer Configuration>Administrative Templates>Windows Components>BitLocker Drive Encryption


  3. Even though it may seem a bit daunting (not to mention that each of the options has a significant impact on the
    way BitLocker is implemented), the options are relatively straightforward:
    1. Turn on BitLocker backup to Active Directory Domain Services – as the name implies, this option
      controls whether a backup to AD is made, whether it is mandatory (if it is, the wizard refuses to continue
      when the backup fails) and what is backed up: the 48-digit recovery password and/or the key packages
      (which are needed to recover data from a volume whose own key information has been damaged).
    2. Control Panel Setup: Configure recovery folder – sets the default path offered by the
      wizard when saving the recovery password.
    3. Control Panel Setup: Configure recovery options – specifies which recovery protectors users may create:
      the 48-digit recovery password, the 256-bit recovery key file, or both. Since BitLocker must always have
      a recovery method, if you disallow both types then AD backup must be enabled and required (otherwise
      the wizard reports a policy error).
    4. Control Panel Setup: Enable advanced startup options – now this one is important. Unless you are content
      with TPM-only protection, this setting must be enabled, as it determines which protector is used and how:
      1. Allow BitLocker without a compatible TPM – required if your system does not have a supported TPM (1.2);
        the volume is then unlocked with a startup key on a USB drive.
      2. If the computer does have a TPM, you can allow or require an additional factor before the TPM releases
        the key: either a PIN or a startup key on removable storage (in Vista you can't have both).
    5. Configure Encryption Method – AES with a 128-bit or 256-bit key, each with or without the diffuser;
      the default is AES-128 with diffuser.
    6. Prevent memory overwrite on restart – the name says what it does: if enabled, Windows does NOT overwrite
      memory before restarting, so the keys BitLocker holds in RAM may survive a reboot. This trades safety for a
      faster restart; leave it disabled (the default) unless restart time matters more than the keys.
    7. Configure TPM platform validation profile – one major advantage of a system with a TPM is the
      added security the Trusted Platform Module provides. It comes in the form of
      verification of the boot-time measurements (firmware, boot manager, boot configuration and so on) that the
      key is sealed to; if any of them changes, the TPM will not release the encryption key and the system
      enters recovery mode. This setting selects which measurements are used.
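The rules the list above spells out (advanced startup must be on for a machine without a TPM, PIN and startup key cannot both be required on Vista, disallowing both recovery types needs a required AD backup, and the memory-overwrite setting is a security trade-off) can be checked before anyone clicks through the wizard. The script below is an added example and is not part of the original post; it reads the registry values the BitLocker policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. The value names and their 0/1/2 meanings (do not allow / require / allow) are assumed from that template, so verify them against the ADMX/ADM in your own environment before relying on the output.

```powershell
# Added example (not from the original post): sanity-check the local BitLocker policy.
# Value names below are those the BitLocker policy template writes; verify against your ADMX/ADM.
$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    $policy = Get-ItemProperty -Path $FvePolicyPath -ErrorAction SilentlyContinue
    if ($policy -ne $null -and $policy.PSObject.Properties[$Name] -ne $null) {
        return [int]$policy.$Name
    }
    return $null      # "Not configured" in gpedit
}

function Test-TpmPresent {
    # Win32_Tpm is only present when a TPM driver is loaded (Vista and later).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    return ($tpm -ne $null)
}

function Test-FvePolicy {
    $findings = @()
    $hasTpm   = Test-TpmPresent

    # "Enable advanced startup options" (assumed value names)
    $advanced = Get-FvePolicyValue 'UseAdvancedStartup'
    $noTpm    = Get-FvePolicyValue 'EnableBDEWithNoTPM'
    $pin      = Get-FvePolicyValue 'UseTPMPIN'
    $key      = Get-FvePolicyValue 'UseTPMKey'

    if (-not $hasTpm) {
        # Without a TPM the only startup protector is a USB key, which policy must allow.
        if ($advanced -ne 1 -or $noTpm -ne 1) {
            $findings += 'No TPM found: enable "Enable advanced startup options" and tick "Allow BitLocker without a compatible TPM".'
        }
    } elseif ($advanced -eq 1 -and $pin -eq 1 -and $key -eq 1) {
        # Vista offers TPM+PIN or TPM+startup key, never both at once.
        $findings += 'Startup PIN and startup key are both set to "Require"; Vista cannot combine them.'
    }

    # "Configure recovery options" versus "Turn on BitLocker backup to AD DS"
    $recPassword = Get-FvePolicyValue 'UseRecoveryPassword'
    $recKey      = Get-FvePolicyValue 'UseRecoveryDrive'
    $adBackup    = Get-FvePolicyValue 'ActiveDirectoryBackup'
    $adRequired  = Get-FvePolicyValue 'RequireActiveDirectoryBackup'
    if ($recPassword -eq 0 -and $recKey -eq 0 -and ($adBackup -ne 1 -or $adRequired -ne 1)) {
        $findings += 'Both recovery password and recovery key are disallowed, but AD backup is not enabled and required: the wizard will report a policy error.'
    }
    if ($adBackup -eq 1 -and $adRequired -ne 1) {
        $findings += 'AD backup is on but not required: a failed backup will not stop the wizard.'
    }

    # "Prevent memory overwrite on restart": enabled means keys may stay in RAM across a reboot.
    if ((Get-FvePolicyValue 'MorBehavior') -eq 1) {
        $findings += 'Memory is NOT overwritten on restart (MorBehavior=1): faster reboots, keys linger in RAM.'
    }

    # "Configure Encryption Method": 1 AES-128+diffuser, 2 AES-256+diffuser, 3 AES-128, 4 AES-256
    if ((Get-FvePolicyValue 'EncryptionMethod') -eq $null) {
        $findings += 'Encryption method not configured: the Vista default (AES-128 with diffuser) will be used.'
    }

    return $findings
}

$result = @(Test-FvePolicy)
if ($result.Count -eq 0) { 'Policy looks consistent.' } else { $result }
```

Run it from an elevated prompt after editing the local GPO and before starting the wizard; each line it prints is one of the combinations the page warns about, so an empty result means the wizard should not stop on a policy error.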

Starting the process – Enabling BitLocker

Up to this point no encryption has taken place. Your system has been prepared, but nothing on it is
encrypted yet, so let's get to it:

  1. Once the settings have been configured we can finally start the encryption process. This is done by starting the
    BitLocker Drive Encryption tool.


  2. Choose 'Turn On BitLocker'. The screenshots were taken from a system that has a compatible TPM.
    If your system doesn't have one, the steps will be a bit different but the concept is the same.


  3. If you haven't turned the TPM on yet you will receive a warning message about it. Vista can turn it on,
    but the change still needs confirmation from you at the console (physical presence): shut down the system
    and power it on again.


  4. After restarting, on the system I used (a Lenovo X61) I received a message asking me to acknowledge the
    request to turn the TPM on.


  5. After acknowledging the request, I logged into the system and could finally start the encryption process.


  6. Ownership of the TPM is taken. You are prompted to save or print the TPM owner password; keep it, as it is
    needed for later TPM management (such as clearing the TPM).


  7. At this stage (if you configured the policy to require a PIN in addition to the TPM) you will be asked for that PIN.
    If you chose a startup key instead, you will be asked for a removable storage device to store the key on.


  8. As you may remember, BitLocker needs a recovery mechanism. This is where you configure it.
    Note that you can create additional recovery keys later on, but you need to create at least one at this
    stage to continue.
  9. Once the recovery key is saved, the encryption can start… well, almost. After creating the recovery
    key I would advise that you test it by ticking the checkbox 'Run BitLocker System Check'. This restarts
    the system and verifies that BitLocker can read the recovery and startup keys at boot before anything is
    encrypted. If the check fails, encryption does not commence.


  10. After the system starts up, you finally get to the promised land…or encryption.
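The same sequence (startup protector, mandatory recovery protector, optional AD backup, then the encryption pass) can be scripted against the Win32_EncryptableVolume and Win32_Tpm WMI classes, which is what the control panel drives underneath. The block below is an added example and not code from the original post; the drive letter, PIN and recovery-file folder are placeholders. It assumes the TPM has already been turned on in the firmware (steps 3 and 4 need physical presence and cannot be scripted) and owned (step 6); the wizard's 'Run BitLocker System Check' reboot has no WMI equivalent, so test the first boot yourself.

```powershell
# Added example (not from the original post): enable BitLocker on the OS volume via WMI.
# Run from an elevated PowerShell prompt. Drive letter, PIN and folder are placeholders.
$FveNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$TpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

function Get-EncryptableVolume([string]$DriveLetter) {
    Get-WmiObject -Namespace $FveNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
}

function Assert-WmiResult($Result, [string]$What) {
    # Every Win32_EncryptableVolume method reports an HRESULT in ReturnValue; 0 is success.
    if ($Result.ReturnValue -ne 0) { throw ('{0} failed with 0x{1:X8}' -f $What, $Result.ReturnValue) }
    return $Result
}

function Enable-OsVolumeBitLocker {
    param(
        [string]$DriveLetter = 'C:',
        [string]$Pin,                    # empty = TPM only; 4-20 digits = TPM and PIN
        [string]$RecoveryFolder,         # where the 48-digit recovery password file is written
        [switch]$BackupToAD,
        [int]$EncryptionMethod = 1       # 1 AES-128+diffuser (Vista default), 2 AES-256+diffuser,
    )                                    # 3 AES-128, 4 AES-256; match "Configure Encryption Method"

    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { throw 'No TPM found; use a startup key (ProtectKeyWithExternalKey) instead.' }
    if (-not $tpm.IsOwned().IsOwned) { throw 'TPM is not owned yet; initialize it (tpm.msc) first.' }

    $vol = Get-EncryptableVolume $DriveLetter
    if ($vol -eq $null) { throw "Volume $DriveLetter is not an encryptable volume." }

    # Step 7: the startup protector. $null for the platform validation profile = policy/default PCRs.
    if ($Pin) {
        $r = Assert-WmiResult ($vol.ProtectKeyWithTPMAndPIN('TPM and PIN', $null, $Pin)) 'ProtectKeyWithTPMAndPIN'
    } else {
        $r = Assert-WmiResult ($vol.ProtectKeyWithTPM('TPM', $null)) 'ProtectKeyWithTPM'
    }
    $startupId = $r.VolumeKeyProtectorID

    # Step 8: BitLocker insists on a recovery protector; $null lets it generate the 48 digits.
    $r = Assert-WmiResult ($vol.ProtectKeyWithNumericalPassword($null, $null)) 'ProtectKeyWithNumericalPassword'
    $recoveryId = $r.VolumeKeyProtectorID
    $password = (Assert-WmiResult ($vol.GetKeyProtectorNumericalPassword($recoveryId)) `
                                  'GetKeyProtectorNumericalPassword').NumericalPassword

    if ($RecoveryFolder) {
        $file = Join-Path $RecoveryFolder ('BitLocker Recovery Password ' + ($recoveryId -replace '[{}]') + '.txt')
        @("BitLocker recovery password for $DriveLetter", "Key ID: $recoveryId", $password) | Set-Content -Path $file
    }
    if ($BackupToAD) {
        [void](Assert-WmiResult ($vol.BackupRecoveryInformationToActiveDirectory($recoveryId)) `
                                'BackupRecoveryInformationToActiveDirectory')
    }

    # Step 10: start the conversion; it runs in the background and continues across reboots.
    [void](Assert-WmiResult ($vol.Encrypt($EncryptionMethod)) 'Encrypt')

    New-Object PSObject -Property @{
        Drive = $DriveLetter; StartupProtector = $startupId
        RecoveryProtector = $recoveryId; RecoveryPassword = $password
    }
}

# Placeholder invocation: TPM+PIN, recovery password file on a USB stick, copy in AD.
# Enable-OsVolumeBitLocker -DriveLetter 'C:' -Pin '123456' -RecoveryFolder 'E:\' -BackupToAD
```

Note the order: the protectors are added before Encrypt is called, exactly as the wizard does it, because a volume with no protectors cannot be encrypted, and a volume with a startup protector but no recovery protector is the brick the planning section warns about.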

A few Observations about the process

  • The encryption process can be paused and resumed later, even by a different user of the same system.
    It continues across restarts from the point where it left off, and the startup protector (TPM, PIN or key) is
    required after every restart and after hibernation.
  • During the encryption process, the free space on the volume being encrypted drops dramatically, to approximately
    6 GB. This happens because of the way BitLocker balances security and performance while encrypting a volume. Free
    space on a hard drive is rarely empty: when you delete data on a volume you do not destroy it, you simply
    hide it from plain view. In other words, free disk space may still hold valuable data, and it too needs to be encrypted
    or destroyed. Encrypting the old contents of free space seems a waste of time and performance, so the logical
    solution is destroying them. This is achieved by creating a huge file (called the wipe file) that covers all of the
    free space except about 6 GB (left free to avoid disk-full messages); that remainder is encrypted like the rest.
  • The progress bar (percentage) doesn't seem to reflect the time left, so don't base your time calculations on it. It seems to
    start out at a slower pace and then pick up.

Managing BitLocker

Once BitLocker is applied there is not much to do; it's simply there. Nevertheless, there are a few additional tasks that
you should be aware of, all reachable from the 'BitLocker Drive Encryption' control panel:

  1. Save additional copies of the Recovery key


  2. Reset the TPM PIN
  3. Encrypt additional volumes – once the first volume (typically C:) is encrypted, additional volumes (except the
    small unencrypted boot volume, S:) can be encrypted.
  4. Turn off BitLocker – you may want to turn off BitLocker for two main reasons:
    1. Remove BitLocker from the system – this is done by choosing 'Turn Off BitLocker'
      and then 'Decrypt the drive'. This is a lengthy process, as the whole drive has to be decrypted.
    2. Disable BitLocker for driver installations and BIOS updates – in some cases you will be instructed to
      disable BitLocker before a BIOS update or driver installation (a BIOS update changes the measurements the TPM
      checks, which would otherwise send you into recovery). When you disable BitLocker you do not remove the
      encryption, you simply put it on hold: the key needed to decrypt the data is written to the disk in the clear,
      so the OS boots without TPM, PIN or key. Re-enable it as soon as the update is done.
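The management tasks above map directly onto methods of the Win32_EncryptableVolume WMI class, which is the interface behind the control panel (and the command-line tool planned for part three). The block below is an added example and not code from the original post; drive letters and the output folder are placeholders. It reports status and real encryption progress, suspends and resumes protection for a BIOS update, pauses and resumes the conversion, exports every recovery password the volume has to a text file, and starts the full decryption.

```powershell
# Added example (not from the original post): day-two BitLocker tasks through WMI.
# Run from an elevated PowerShell prompt. Drive letters and folder are placeholders.
$FveNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-EncryptableVolume([string]$DriveLetter = 'C:') {
    Get-WmiObject -Namespace $FveNamespace -Class Win32_EncryptableVolume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
}

$ConversionText = @{ 0 = 'Fully decrypted'; 1 = 'Fully encrypted'; 2 = 'Encryption in progress'
                     3 = 'Decryption in progress'; 4 = 'Encryption paused'; 5 = 'Decryption paused' }
$ProtectorText  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (.BEK on removable storage)'
                     3 = 'Numerical password (48-digit recovery password)'; 4 = 'TPM and PIN'
                     5 = 'TPM and startup key' }

function Get-BitLockerStatus([string]$DriveLetter = 'C:') {
    $vol  = Get-EncryptableVolume $DriveLetter
    $conv = $vol.GetConversionStatus()   # the figure behind the wizard's progress bar
    $prot = $vol.GetProtectionStatus()   # 0 = off (decrypted or protectors disabled), 1 = on, 2 = unknown
    $protectors = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {   # 0 = all protector types
        if ($id) {
            $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
            $protectors += ('{0} {1}' -f $id, $ProtectorText[$type])
        }
    }
    New-Object PSObject -Property @{
        Drive            = $DriveLetter
        ProtectionOn     = ($prot.ProtectionStatus -eq 1)
        Conversion       = $ConversionText[[int]$conv.ConversionStatus]
        PercentEncrypted = $conv.EncryptionPercentage
        Protectors       = $protectors
    }
}

# "Disable BitLocker" for a BIOS update: protectors are switched off and the volume master key is
# stored in the clear on the disk, so the system boots without TPM, PIN or key. Data stays encrypted.
function Suspend-BitLockerProtection([string]$DriveLetter = 'C:') {
    (Get-EncryptableVolume $DriveLetter).DisableKeyProtectors().ReturnValue -eq 0
}
function Resume-BitLockerProtection([string]$DriveLetter = 'C:') {
    (Get-EncryptableVolume $DriveLetter).EnableKeyProtectors().ReturnValue -eq 0
}

# Pause/resume the encryption pass itself (the wizard's Pause button).
function Suspend-BitLockerConversion([string]$DriveLetter = 'C:') {
    (Get-EncryptableVolume $DriveLetter).PauseConversion().ReturnValue -eq 0
}
function Resume-BitLockerConversion([string]$DriveLetter = 'C:') {
    (Get-EncryptableVolume $DriveLetter).ResumeConversion().ReturnValue -eq 0
}

# "Save additional copies of the recovery key": one text file per 48-digit recovery password.
function Export-RecoveryPasswords([string]$DriveLetter = 'C:', [string]$Folder) {
    $vol = Get-EncryptableVolume $DriveLetter
    $written = @()
    foreach ($id in @($vol.GetKeyProtectors(3).VolumeKeyProtectorID)) {   # 3 = numerical password
        if (-not $id) { continue }
        $password = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
        $file = Join-Path $Folder ('BitLocker Recovery Password ' + ($id -replace '[{}]') + '.txt')
        @("BitLocker Drive Encryption recovery password for $DriveLetter", "Key ID: $id", $password) |
            Set-Content -Path $file
        $written += $file
    }
    return $written
}

# "Turn off BitLocker" and decrypt: a full pass over the disk, so expect encryption-like run times.
function Disable-BitLockerVolume([string]$DriveLetter = 'C:') {
    (Get-EncryptableVolume $DriveLetter).Decrypt().ReturnValue -eq 0
}

# Get-BitLockerStatus 'C:'
# Export-RecoveryPasswords 'C:' 'E:\'
```

Get-BitLockerStatus is also the quickest way to confirm the point made under 'Turn off BitLocker': after Suspend-BitLockerProtection the conversion status still reads 'Fully encrypted' while ProtectionOn is false, which is exactly the 'on hold' state the text describes.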


Managing BitLocker – Recovery

Recovery mode can be triggered by several factors:

  1. If you use a TPM and the boot environment has changed or been tampered with (triggered automatically)
  2. You lost your TPM PIN or your startup key (triggered manually)
  3. On a TPM-protected system, the system board (and therefore the TPM) needs to be replaced
  4. On a TPM-protected system, the disk is moved to a different system

If recovery mode is triggered you will need either the recovery key you created or the recovery
password that was stored alongside it. Both are recovery protectors in different forms: one provides the
key as a file saved on removable storage, the other as a 48-digit password you type in. You can use either
if you have the removable storage with you, while the password is what a helpdesk representative can read
to you (or look up in Active Directory) when helping you remotely.

Lets take a closer look at these protectors:


  1. BEK (BitLocker Encryption Key, file extension .BEK) file – a binary file, unreadable to human eyes, that holds
    the 256-bit recovery key BitLocker needs to unlock the volume in question.
  2. TXT (Text) file – holds the 48-digit recovery password, which unlocks the same volume when typed in.

To use these recovery options, enter recovery mode (or reach it automatically when it is triggered) by pressing ESC
when your system starts and prompts for the PIN or startup key:


Note that once you reach recovery you are asked to provide the recovery key (note the file name shown in the screenshot; it
identifies which key the volume expects). If you do not have the key with you, you can press Enter, which brings up the
user interface for entering the 48-digit password:
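Two checks make the recovery password path less painful for whoever is on the phone with the user. The 48-digit password is eight groups of six digits, and each group must be a multiple of 11 (the last digit acts as a check digit) and below 720896, which is the format BitLocker itself enforces; checking that before anyone types 48 digits at the recovery screen catches transcription errors early. The AD lookup reads the msFVE-RecoveryInformation objects that the 'backup to AD DS' policy creates beneath the computer object and matches the key ID shown on the recovery screen (the leading characters of the protector GUID). This block is an added example, not code from the original post; the computer name and key ID at the bottom are placeholders, and reading msFVE-RecoveryPassword requires the delegated permission for that attribute.

```powershell
# Added example (not from the original post): helpdesk checks for the recovery password path.

function Test-RecoveryPassword([string]$Password) {
    $digits = $Password -replace '[^0-9]', ''        # tolerate hyphens and spaces
    if ($digits.Length -ne 48) { return $false }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        # group / 11 must fit in 16 bits (0..65535); 65536 * 11 = 720896 is therefore the limit
        if (($group % 11) -ne 0 -or $group -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryPasswordInAD([string]$ComputerName, [string]$KeyId) {
    $prefix = ($KeyId -replace '[{}]').ToLower()
    $domain = [adsi]''                                   # default naming context of the current domain
    $computerSearch = New-Object System.DirectoryServices.DirectorySearcher(
        $domain, "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))")
    $computer = $computerSearch.FindOne()
    if ($computer -eq $null) { return $null }

    # Recovery information lives as child objects of the computer, one per recovery password.
    $recSearch = New-Object System.DirectoryServices.DirectorySearcher(
        $computer.GetDirectoryEntry(), '(objectClass=msFVE-RecoveryInformation)')
    $recSearch.SearchScope = 'OneLevel'
    [void]$recSearch.PropertiesToLoad.AddRange(
        [string[]]@('msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'msFVE-VolumeGuid'))
    foreach ($entry in $recSearch.FindAll()) {
        # msFVE-RecoveryGuid is stored as raw GUID bytes; the recovery screen shows it as text
        $guid = New-Object System.Guid (,[byte[]]$entry.Properties['msfve-recoveryguid'][0])
        if ($guid.ToString().StartsWith($prefix)) {
            $volumeGuid = New-Object System.Guid (,[byte[]]$entry.Properties['msfve-volumeguid'][0])
            return New-Object PSObject -Property @{
                KeyId            = $guid.ToString()
                VolumeId         = $volumeGuid.ToString()
                RecoveryPassword = [string]$entry.Properties['msfve-recoverypassword'][0]
            }
        }
    }
    return $null
}

# Helpdesk flow (placeholders): look up what the user reads off the screen, then checksum
# the password before reading it back to them digit by digit.
# $hit = Find-RecoveryPasswordInAD -ComputerName 'LAPTOP01' -KeyId '0A1B2C3D'
# if ($hit -and (Test-RecoveryPassword $hit.RecoveryPassword)) { $hit.RecoveryPassword }
```

Test-RecoveryPassword is equally useful on the user's side: if the password the helpdesk dictated fails the check, a digit was misheard, and there is no point rebooting into the recovery screen to find out.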


Note that after booting through recovery mode you can continue working normally. As I mentioned in the first post
of this series, recovery mode is no different from a standard boot; it simply uses different
protectors to unlock the volume.

Even though you can continue working normally by booting through recovery mode every time, you should recreate your
original method of booting the system, either by creating a new key (on a removable storage device) or on your
TPM (which may be a bit more complicated than it seems; more about this in part three).


2nd part conclusions

In this part of the series I tried to describe the hands-on process of configuring and using BitLocker; we are not
done, though. In part three I plan to show you how to use the command-line interface to control BitLocker,
plus a few additional tips and tricks.

As usual, any feedback/corrections are welcome.
