October 2006 - Posts

Had a chance this weekend to play around with the new BitLocker functionality in Windows Vista. For those that haven't been following, BitLocker (originally called "secure startup") uses a Trusted Platform Module (TPM) to encrypt your operating system drive and protect it from offline attacks. Which is great, if you have a TPM module, but my Ferrari doesn't have one, so I figured I was out of luck. Well, it turns out MS took this a step further, and if you don't have a TPM, you can still use BitLocker. There is a local Group Policy you can set to allow you to use a USB key instead of the TPM module. To enable this Group Policy:

  1. Open the Group Policy Editor (gpedit.msc)
  2. Navigate to Local Computer Policy->Administrative Templates -> Windows Components -> BitLocker Drive Encryption
  3. Double click "Control Panel Settings: Enable Advanced Setup Options Policy".
  4. Select Enable, and check "Allow BitLocker without a compatible TPM".
  5. Exit from Group Policy Editor.

Now, you can open the Control Panel BitLocker application and configure BitLocker just like those with a hardware TPM module.

So, what do you get with BitLocker? Well, for a start, a whole lot more confidence that no one is going to be getting at your data if your laptop is stolen! BitLocker only protects your system drive, however, so if you're used to storing your data on a separate partition, that's easy enough to handle using Encrypting File System. EFS has its limitations, though, and is subject to an offline attack IF the attacker can get at your system drive. By using BitLocker on your system drive, you've shut them down from that attack vector.

The things I like about BitLocker are how easy it is to use, how safe it is, and how easy it is to recover if your drive becomes locked. One of the ongoing challenges of any encryption scheme is how to make it both extremely safe, and yet easy to recover in the event of something unexpected. BitLocker has you save the recovery key to one (or more!) of three places:

  • a second USB key
  • a file you can store on your company's domain controller or other remote location
  • a print out with the 48 digit key

Recovery with a USB key is simply a matter of putting the recovery key in. With the printout or the file, you enter the 48 digits using the function keys on your keyboard. (Warning: there are no accessibility features available in recovery mode.)
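As an added example (not code from the original post), here is a check that a 48-digit recovery password is well formed before you start keying it in with the function keys. It relies on the recovery password structure documented by the open-source libbde and dislocker projects (eight 6-digit groups, each a 16-bit value multiplied by 11); the sample passwords are constructed, not real keys.

```python
"""Validate a 48-digit BitLocker recovery password before entering it.

Format as documented by libbde/dislocker: eight 6-digit groups, each one a
16-bit value multiplied by 11, so every group is divisible by 11 and at most
720885. A single mistyped digit almost always breaks the divide-by-11 check,
which is much easier to catch here than at the function-key recovery prompt.
"""
import re
import struct

GROUP_MAX = 11 * 0xFFFF  # 720885, the largest valid 6-digit group


def parse_groups(password: str) -> list:
    """Split '123456-...' (dashes and spaces optional) into eight integers."""
    digits = re.sub(r"[\s-]", "", password)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("recovery password must be exactly 48 digits")
    return [int(digits[i:i + 6]) for i in range(0, 48, 6)]


def validate(password: str) -> list:
    """Return a list of problems; an empty list means the password is well formed."""
    try:
        groups = parse_groups(password)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for idx, g in enumerate(groups, start=1):
        if g % 11:
            problems.append(f"group {idx} ({g:06d}) fails the divide-by-11 check")
        elif g > GROUP_MAX:
            problems.append(f"group {idx} ({g:06d}) exceeds the 16-bit range")
    return problems


def to_key_bytes(password: str) -> bytes:
    """Recover the 128-bit intermediate value: each group / 11 as a little-endian uint16."""
    problems = validate(password)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(struct.pack("<H", g // 11) for g in parse_groups(password))


# Constructed sample values (not real keys): every group in GOOD is 11 * n, n < 65536.
GOOD = "001353-502458-000011-720885-000000-109989-330000-715000"
TYPO = "001353-502458-000012-720885-000000-109989-330000-715000"     # 000012 not divisible by 11
TOO_BIG = "001353-502458-000011-720896-000000-109989-330000-715000"  # 720896 = 11 * 65536

if __name__ == "__main__":
    for label, pw in (("good", GOOD), ("typo", TYPO), ("too big", TOO_BIG)):
        print(label, validate(pw) or "OK")
    print(to_key_bytes(GOOD).hex())
```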

Total encryption time on a mid-range Aero capable laptop took at least an hour. But afterwards, I can't notice a difference in performance, though I'm sure that there's a slight degradation.

So, when does this go on the Ferrari? Just as soon as we get the RTM build and I know I won't be re-installing again any time soon.

Update: See Steve Riley's blog post on the BitLocker CLI.

OK, folks, if you love 64-bit, and want to work on a really dynamite new server suite from Microsoft, here's your chance. Microsoft is making the beta for their new Centro product available to those who are interested. For all the details, including the connect code you'll need to sign up, see Kevin Beares' Blog. But be warned - this takes some serious hardware - it's a three server suite, all x64 based, but the end result is going to be really, really, exciting, I think.

And yes, I'll be writing a book on it. Watch for a release date at or very near the release of the product.

Charlie.

If any of you are interested in my views on RC1 and the overall beta experience, I'll be doing a Microsoft LiveMeeting Webcast next week. In it, I intend to talk about betas in a general way, and then focus on my experiences with RC1 and RC2, and what I think about the new features. Or some of them - it's only a 35-40 minute webcast after all. (Plus the time at the end for questions, of course.) I hope to see you there: Windows Vista Beta Experience Webcast

Posted by Charlie Russel | 3 comment(s)

Time to sign up for the beta of Virtual PC 2007, which is now showing on the Microsoft Connect site. Scroll down to the Programs section, and you'll find Virtual PC 2007 Beta. Click Apply, and you're automatically accepted into the beta. Word is that the download of Beta 1 will be available very shortly.

Major changes in this version include:

  • Support for x64 (Hosts only)
  • Support for hardware virtualization
  • Vista support as both host and guest
    • Business, Enterprise and Ultimate Editions only
    • No Aero Glass for guests

Charlie.

Update: The download is now available. One each for x64 and x86. Enjoy.

Posted by Charlie Russel | with no comments

OK, I admit, I'm a hopeless toy junkie. But sometimes, something comes across my desk that I think is so simple and obvious, I wonder why no one ever did it before. The new USB to IDE/SATA Bridge Adapter from Granite Digital is one of those things. For $40, all in, you get a well-designed, high-speed bridge that lets you connect any IDE or SATA drive you happen to have lying around to any computer. Without opening up anything, and without worrying about one of those chintzy cases causing thermal drive failure.

Now I admit, I'm not surprised that Granite Digital did this. They have a long-standing reputation, well deserved, for quality components. I first ran across them in the late 80's or early 90's, when I was trying to build SCSI systems so that I could dual boot between DOS and UNIX. These days we're spoiled, with SCSI devices that have built-in active termination being the norm. In those days, you actually had to plug in the 3 resistor packs on the drive that was going to be the last one in the chain. And the chances of a cable being bad, or the spacing on the cables being wrong, etc., were quite high. After spending literally hours at my local system builder, swapping cards and drives and cables in and out, trying to get something, ANYTHING, to work, the owner of the shop finally said "you know, you should talk to Granite Digital. They can fix this." Well, he was right. They did. Turned out to be iffy cables and even iffier termination. No problem. New cables from them, and an active terminator (if they didn't invent active termination, they were certainly the very first I ever saw of it) and we were in business. There was absolutely nothing wrong with the card and drives I'd chosen, just a noisy SCSI bus. Since that day, the only times I've ever had problems with a SCSI system were when I wasn't using their stuff.

So, back to this little bridge thing. It's basically two components - a dual-headed, dual-switched power supply that has a SATA power head and a standard 4 prong internal device head on it. Choose the one you need, plug it into your drive and switch on the power. (For a notebook IDE, you don't use a separate power connector; it's built into the main notebook IDE connector.) The other component is the actual bridge device itself. This has connectors for IDE and notebook sized IDE, plus a cable that has a standard SATA connector on it. Plus, of course, a cable with a USB connector on it. So, plug the appropriate connector into your HD, and plug the USB into your PC or laptop, and there you are. No drivers required; it works just fine in XP, XP x64, and Vista x64.

All this in a nicely made little package that will now go with me on every service call. Plug it in, using any old spare HD you've got lying around, and you've got a quick, safe backup device BEFORE you start working on it. Or, need a lot of room to hold VHDs when you're doing a class or presentation? No problem, even when my Acer Ferrari has no spare room on it. Just load all your VMs onto a HD and carry it with you.

Charlie.

Posted by Charlie Russel | with no comments

I've heard a lot of crap about the new requirements for kernel mode drivers in 64-bit Vista, and why it's a terrible imposition that they be signed. But finally, a breath of fresh air on the subject. And this from a MS employee whom I respect. Rocky is posting as himself, not as an official MS position, but I strongly urge you to read his latest blog post on Securing the Vista Kernel. Thanks, Rocky!

Charlie.

Posted by Charlie Russel | with no comments