Vista BitLocker Drive Encryption

Published 31 October 6 12:27 AM | Charlie Russel

Had a chance this weekend to play around with the new BitLocker functionality in Windows Vista. For those that haven't been following, BitLocker (originally called "Secure Startup") uses a Trusted Platform Module (TPM) to encrypt your operating system drive and protect it from offline attacks. Which is great if you have a TPM module, but my Ferrari doesn't have one, so I figured I was out of luck. Well, it turns out MS took this a step further, and if you don't have a TPM, you can still use BitLocker. There's a local Group Policy setting that lets you use a USB key instead of the TPM module. To enable this Group Policy:

  1. Open the Group Policy Editor (gpedit.msc)
  2. Navigate to Local Computer Policy->Administrative Templates -> Windows Components -> BitLocker Drive Encryption
  3. Double click "Control Panel Settings: Enable Advanced Setup Options Policy".
  4. Select Enable, and check Allow BitLocker without a compatible TPM.
  5. Exit from Group Policy Editor.
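For anyone who would rather script the same change than click through gpedit.msc, here is an added example (not from the original post) that writes the policy values and then reads them back so a deployment script fails loudly if they are missing. It assumes the policy lands under HKLM\SOFTWARE\Policies\Microsoft\FVE as the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM; confirm the names against the policy on your own build before relying on them.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
# Assumption: the "Enable Advanced Setup Options" policy stores its settings
# under this key as the two DWORD values below.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

if (-not (Test-Path $fve)) {
    New-Item -Path $fve -Force | Out-Null
}

# Turn on the advanced startup options and permit BitLocker without a TPM.
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Type DWord -Value 1

# Read back and verify rather than trusting the write succeeded.
$p = Get-ItemProperty -Path $fve
if ($p.UseAdvancedStartup -ne 1 -or $p.EnableBDEWithNoTPM -ne 1) {
    throw "BitLocker no-TPM policy not applied at $fve"
}
"BitLocker without a TPM is now permitted by policy at $fve"
```

Writing the values directly applies them to this machine, but the Local Group Policy Editor will not show the setting as configured, since it keeps its own copy in Registry.pol; if you want the change visible in gpedit.msc, use the editor steps above instead.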

Now, you can open the Control Panel BitLocker application and configure BitLocker just like those with a hardware TPM module.

So, what do you get with BitLocker? Well, for a start, a whole lot more confidence that no one is going to be getting at your data if your laptop is stolen! BitLocker only protects your system drive, however, so if you're used to storing your data on a separate partition, that's easy enough to handle using Encrypting File System. EFS has its limitations, though, and is subject to an offline attack if the attacker can get at your system drive. By using BitLocker on your system drive, you've shut them down from that attack vector.

The things I like about BitLocker are how easy it is to use, how safe it is, and how easy it is to recover if your drive becomes locked. One of the ongoing challenges of any encryption scheme is how to make it both extremely safe, and yet easy to recover in the event of something unexpected. BitLocker has you save the recovery key to one (or more!) of three places:

  • a second USB key
  • a file you can store on your company's domain controller or other remote location
  • a printout with the 48-digit key

Recovery with a USB key is simply a matter of plugging the key in. With the printout or the file, you enter the 48 digits using the function keys on your keyboard. (Warning: there are no accessibility features available in recovery mode.)
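The 48-digit recovery password has a built-in consistency check, which is handy when someone is reading it off a printout over the phone: each of the eight 6-digit blocks is divisible by 11 (the last digit of each block is a check digit) and each block is below 720896, so that block ÷ 11 fits in 16 bits. The post doesn't describe this format, so the following is an added example of my own, not code from the post or from Microsoft. It validates a transcribed password before anyone types it at the recovery screen, and maps the digits to the function keys the Vista recovery screen uses (F1 to F9 for 1 to 9, F10 for 0); the sample password is constructed for illustration and does not belong to any real volume.

```python
import re
from typing import List, Optional

# Added example, not from the original post. Format rules as described in
# the lead-in: eight 6-digit blocks, each divisible by 11 and below 720896.
BLOCK_COUNT = 8
BLOCK_DIGITS = 6
BLOCK_MODULUS = 11
BLOCK_LIMIT = 65536 * BLOCK_MODULUS  # 720896: block // 11 must fit in 16 bits

# Constructed sample value; it is not a real volume's recovery password.
SAMPLE_OK = "123453-100001-720885-000000-135795-597531-074679-046662"


def strip_digits(password: str) -> str:
    """Drop dashes and whitespace, leaving only the characters the user typed."""
    return re.sub(r"[\s-]", "", password)


def split_blocks(password: str) -> List[str]:
    """Normalise a recovery password to its eight 6-digit blocks.

    Accepts the printed form with dashes or a bare 48-digit string.
    Raises ValueError if the overall shape is wrong.
    """
    digits = strip_digits(password)
    if not re.fullmatch(r"[0-9]{48}", digits):
        raise ValueError("recovery password must contain exactly 48 digits")
    return [digits[i:i + BLOCK_DIGITS] for i in range(0, len(digits), BLOCK_DIGITS)]


def block_error(block: str) -> Optional[str]:
    """Return None if a 6-digit block is well-formed, else the reason it is not."""
    value = int(block)
    if value % BLOCK_MODULUS != 0:
        return f"block {block}: check digit wrong (not divisible by {BLOCK_MODULUS})"
    if value >= BLOCK_LIMIT:
        return f"block {block}: too large (must be below {BLOCK_LIMIT})"
    return None


def validate_recovery_password(password: str) -> List[str]:
    """Return a list of problems; an empty list means the transcription is consistent.

    A clean result only shows the digits were copied correctly. It says nothing
    about whether this password belongs to a particular encrypted volume.
    """
    try:
        blocks = split_blocks(password)
    except ValueError as exc:
        return [str(exc)]
    return [err for err in map(block_error, blocks) if err]


def to_function_keys(password: str) -> List[str]:
    """Map each digit to the function key pressed at the Vista recovery screen.

    Digits 1-9 are F1-F9 and 0 is F10, so a user working from a printout can
    be handed the exact key sequence.
    """
    digits = strip_digits(password)
    if not re.fullmatch(r"[0-9]+", digits):
        raise ValueError("recovery password must contain only digits")
    return ["F10" if d == "0" else f"F{d}" for d in digits]


if __name__ == "__main__":
    candidates = (
        SAMPLE_OK,
        "123454-100001-720885-000000-135795-597531-074679-046662",  # first check digit off by one
        "720896-100001-720885-000000-135795-597531-074679-046662",  # divisible by 11 but too large
    )
    for candidate in candidates:
        problems = validate_recovery_password(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
    print("first block as keys:", " ".join(to_function_keys(SAMPLE_OK)[:BLOCK_DIGITS]))
```

The check only catches transcription errors (a mistyped or transposed digit); a password that passes may still be the wrong one for the volume in front of you, which the recovery screen itself will tell you.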

Total encryption time on a mid-range Aero-capable laptop took at least an hour. But afterwards, I can't notice any difference in performance, though I'm sure there's a slight degradation.

So, when does this go on the Ferrari? Just as soon as we get the RTM build and I know I won't be re-installing again any time soon.

Update: See Steve Riley's blog post on the BitLocker CLI.

Comments

# x(perts)64 said on November 27, 2006 12:50 PM:

Steve Riley's blog is one that I follow and read faithfully. In his latest installment on the BitLocker