BitLocker – Full (SYSTEM) Drive Encryption
Author: brendon
BitLocker is another of Windows Vista’s new features (in Business Editions only). It encrypts all data on the SYSTEM partition, not to be confused with the ACTIVE (BOOT) partition. A separate unencrypted boot partition of 30MB (1.5GB recommended) is required for the boot files. The feature is very manageable via Group Policy, and for computers that do not have a TPM chip, Group Policy must be used to bypass the TPM check. I like this for two reasons:
- (Dumb) users with old or cheap hardware cannot enable encryption from the BitLocker console, and therefore cannot lose any data.
- Network admins can use the local Group Policy settings to bypass the TPM check, because of course they will keep a copy of the decryption key in a safe location.
Be warned, I have found that the BIOS on some older devices does not support prompting for a USB flash drive during boot. As such, my wonderful Toshiba Tecra S1 does not support BitLocker. My newer ASUS M/B does and works quite well. Computer boots, select Windows Vista, prompts for USB drive, insert drive, Vista tells you to remove the drive and it continues booting. Most important thing then is NEVER STORE THE USB DRIVE WITH THE COMPUTER.
Requirements for BitLocker are:
- A TPM Module
- Small active partition, I recommend 50MB set as S:\
- Large system partition, 16GB minimum for Vista
- USB thumb drive (optional, but I recommend this for power users)
- PIN code (optional, recommended for normal users)
Windows Vista creates a recovery key (string) and file when the drive is initially encrypted; using Group Policy, this can be stored on a network location. The other good feature is that a drive can remain encrypted but be set NOT to prompt for encryption keys. So if a user needs to drop their laptop off with a support department, they can deactivate BitLocker without decrypting the drive. Failing this, the tech can type in the insanely long recovery key that was backed up via Group Policy.
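As an added example (not from the original post), the following PowerShell audit checks the two things the paragraph above relies on: that each OS volume has a recovery password protector the support desk can fall back on, and that the "encrypted but not prompting" (suspended) state has not been left in place. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module exists; Vista itself only shipped manage-bde.wsf.

```powershell
# Added audit script, not part of the original post. Assumes the BitLocker PowerShell
# module (Get-BitLockerVolume, Resume-BitLocker) and an elevated prompt.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# 1. Policy check: the "allow BitLocker without a compatible TPM" setting the post
#    describes. Useful on TPM-less hardware, but on a TPM-equipped fleet it means a
#    startup key or password alone protects the volume, so it should be deliberate.
$noTpm = (Get-ItemProperty -Path $fvePolicy -Name EnableBDEWithNoTPM `
          -ErrorAction SilentlyContinue).EnableBDEWithNoTPM
if ($noTpm -eq 1) {
    Write-Warning "Policy allows BitLocker without a TPM (EnableBDEWithNoTPM=1)."
} else {
    Write-Output "TPM bypass policy is not enabled."
}

# 2. Per-volume checks on operating system volumes only.
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    Write-Output ("{0} {1}, protection {2}, protectors [{3}]" -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ', '))

    # The recovery password is what a technician types in once the USB key or PIN is
    # gone; without one the data is unrecoverable if the other protectors fail.
    if ($types -notcontains 'RecoveryPassword') {
        Write-Warning "  $($vol.MountPoint) has no recovery password protector; add and back one up."
    }

    # FullyEncrypted with protection Off is the suspended state (encrypted, no prompt).
    # It leaves a clear key on disk and should last only for the support visit.
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Write-Warning "  $($vol.MountPoint) is encrypted but suspended; run: Resume-BitLocker -MountPoint $($vol.MountPoint)"
    }
}
```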
Overall, BitLocker is a great thing for the safety of data; just don’t implement USB drives or PINs on shared devices, or else the drive and key will end up attached to the lid of the laptop…. :-S
November 13, 2006 - TechStuff, VISTA
