Windows 7 : Protecting Your Data from Loss and Theft - Disk Organization for Data Safety, BitLocker Disk Encryption

10/18/2012 4:00:49 AM

Disk Organization for Data Safety

RAID arrays are no longer exotic. Most late-model desktop computers have provision for RAID 0 or RAID 1 arrays, and many systems have four or more SATA host adapters, making RAID 0+1 arrays possible. Which are the safest types of RAID arrays in common use?

RAID 5 provides maximum safety. With RAID 5, which requires the use of three or more hard disks in a single array, you can rebuild the contents of the array even if one drive fails. RAID 5 sets aside space on each drive for the information needed to rebuild the array in case of drive failure. However, RAID 5 is not yet implemented in desktop computers’ onboard host adapters. You must purchase a RAID 5 host adapter and compatible SATA or SCSI hard disks.

RAID 0+1 combines data striping (for performance) and mirroring (for safety). It requires four drives and is supported on many recent desktop computers. It provides a high level of data safety against failures and is inexpensive to implement with SATA or ATA/IDE (PATA) drives.

RAID 1 mirrors the contents of one drive to a second hard disk. It is supported on many desktop systems that are up to several years old, through either a motherboard RAID host adapter chip or the motherboard’s integrated chipset. It is inexpensive to implement with SATA or IDE drives.

RAID 0 stripes data across two drives to improve read/write performance. If either drive fails, the array is wiped out. Thus, RAID 0 actually has no redundancy. It should be used only on drives that do not contain data.

BitLocker Disk Encryption

With the widely reported loss or theft of laptops containing sensitive personal and financial information in the last year, hundreds of thousands of people have been forced to change credit card information and worry about identity theft. Thus, the time is ripe for a new approach to protecting hard disk contents from unauthorized use: BitLocker.

BitLocker, available on Enterprise and Ultimate editions, encrypts the entire system hard disk. Originally known as Secure Startup, BitLocker stops unauthorized access, even if the hard disk is moved to a different computer.

Encrypted Files Can Be at Risk on a Sleeping Computer

It’s been known that a thief can get around BitLocker’s protection if he steals your computer while it’s suspended (sleeping) or powered up. To truly protect your computer, you must completely shut it down when you finish using it (or at least invoke hibernation), and don’t let it out of your sight for at least 10 minutes after shutdown. This time frame is especially important because Princeton University researchers have discovered that memory chips can be frozen with “canned air,” preserving their contents for retrieval, even after the system has been turned off. 

Following these procedures is especially important with laptops because the default action when you close the lid or click the little power button on the Start menu is “suspend.” You must instead click the options arrow and select Shut Down. When you power up the computer, it should display the black BitLocker protection screen. If it goes directly to Windows, your computer was not protected!

For greater protection, you can use the Power Options applet in the Control Panel (available directly in Small Icons or Large Icons view) to change the default actions for closing the lid or pushing the power button to shut down. You should also use file encryption to further protect any sensitive files on your hard drive.

BitLocker System Requirements

BitLocker in Windows Vista requires that your hard disk have a second partition of at least 1.5GB that is used for the BitLocker encryption tools. You must also have a way to provide credentials to permit the system to recognize you as the authorized user, such as a Trusted Platform Module (TPM) microchip and BIOS or, for systems that lack onboard TPM 1.2 support, a USB flash memory drive.

Customers who didn’t deploy Windows Vista with the required two-partition configuration found that enabling BitLocker was far too cumbersome. Windows 7 automatically creates the necessary disk partitions during installation and adds the ability to right-click a drive to enable BitLocker protection. BitLocker also adds support for a Data Recovery Agent (DRA) on all protected volumes, allowing IT administrators to require that all such volumes are appropriately encrypted.

Unable to Use BitLocker

If you are unable to use BitLocker, check the following:

  • Is the hard disk properly partitioned? The hard disk must have a 1.5GB primary partition and a separate system partition for Windows (it can be any size above the minimum requirements for Windows 7). You cannot enable BitLocker on a system with a single hard disk partition.

  • If the system has a TPM chip, is the feature enabled in the system BIOS? If it is enabled and BitLocker still cannot be used, check with the system or motherboard vendor for a BIOS upgrade.

  • If the system does not have a TPM chip, follow the procedure to enable BitLocker in the Group Policy Object Editor.

  • If you get the error message “BitLocker could not be enabled. The system firmware failed to enable clearing of system memory on reboot” after restarting your system during the BitLocker setup process, it means that BitLocker has determined your system does not clear out memory during the reboot process. Hackers could analyze the contents of memory for the BitLocker encryption key and use it to bypass BitLocker encryption.

    To enable your system to run BitLocker, contact your system vendor for a BIOS upgrade that includes the clearing of system memory upon reboot option. If this option is not available, you cannot run BitLocker on the system.

BitLocker To Go

Windows 7 introduces a subset of the BitLocker Drive Encryption technology with BitLocker To Go, which extends BitLocker Drive Encryption to USB storage devices. Designated USB drives can be passphrase-protected with controllable length and complexity, and IT administrators can set user policies to apply BitLocker To Go protection on removable drives before they are made usable.

Microsoft permits Windows XP SP3, Windows Vista SP1, and Windows Vista SP2 users to read BitLocker To Go devices using the passphrase. Plugging a BitLocker To Go encrypted USB storage device into Windows 2000 or Windows XP SP2 computers shows an inaccessible unformatted volume.

To encrypt your removable USB media with BitLocker To Go, follow these steps:

1. Open the System and Security category in Control Panel and click BitLocker Drive Encryption.

2. Locate the desired drive entry and click Turn On BitLocker.

3. Choose either a password or smartcard to unlock the drive. For simplicity, we recommend using a reasonably long passphrase—something memorable (to you) but not easily guessable (to others). Enter it twice and click Next.

4. Determine where to store the recovery key. You’re given the option of saving it to a file (recommended) or printing the key (not recommended). We suggest you save the key to a file that will be kept on a separate storage volume from the USB drive and the computer itself. Save the key and then click Next.

5. The last dialog box gives you a final option to cancel out of this process. Click Start Encrypting and wait for the process to finish, which takes longer for large storage volumes.

Once the USB storage volume is encrypted, you can unlock and utilize it using the passphrase you entered earlier. Every time the USB drive is inserted, the BitLocker Drive Encryption password dialog box appears. Should you forget the passphrase, BitLocker To Go’s recovery key method enables you to access the storage volume. Remember not to leave this recovery key accessible to anyone but yourself, because otherwise the passphrase is ineffective in safeguarding your protected files and data.

Enabling the TPM

The easiest way to use BitLocker is to use your computer’s TPM microchip (if it has one). To determine whether your system supports TPM 1.2 and to learn how to enable this feature in the system BIOS, see your system’s documentation. A lot of 2006 and newer laptops have onboard TPM 1.2, but older laptops (and most desktops) don’t support it.

After you enable TPM in the system BIOS, use the TPM Management Console (tpm.msc) to turn on TPM support in Windows (use the Turn On the TPM Security Hardware dialog box) and set up a TPM password (use the Create the TPM Owner Password dialog box). A TPM password is saved as computer_name.tpm. Thus, if your computer is named WildThing, the password is stored as WildThing.tpm.


Be sure to print your TPM password using the Print option and save it to a location you can access later, such as a CD or DVD.

If your system doesn’t support TPM, you can still use BitLocker. However, to use BitLocker without a TPM, you must use a USB flash memory drive to store your credentials, and it must be plugged into the system to permit the system to boot. You must also enable BitLocker Drive Encryption with the Group Policy Object Editor:

1. Click Start, All Programs, Accessories, Run.

2. Type gpedit.msc and click OK to open the Group Policy Editor. Click Continue or provide Administrator-level credentials (if prompted by UAC) to continue.

3. Open Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives: Require Additional Authentication at Startup.

4. Select Enabled. Under Options, verify that the option Allow BitLocker Without a Compatible TPM is checked (see Figure 1).

Figure 1. Enabling BitLocker support on a system that does not have a compatible TPM.

5. Click Apply, then OK.

6. Close the Group Policy Object Editor.

Encrypting the Drive with BitLocker

To start the encryption process, open the BitLocker Drive Encryption applet in the Control Panel (via either the System and Security category or the BitLocker Drive Encryption entry in Small Icons or Large Icons view) and select Turn on BitLocker next to the appropriate drive entry (if there are several). The BitLocker Drive Encryption Wizard walks you through setting up the necessary drive layout. It starts by establishing space on an existing drive partition or in unallocated space on the existing disk. There are really only two quick steps: drive preparation and drive encryption. Upon reboot, the system drive goes through a lengthy encryption process that takes longer for larger drives than for smaller-capacity volumes.

If your system has a TPM, you can choose either to use the TPM chip along with your logon password to access an encrypted BitLocker volume or to assign a PIN that is used along with the TPM. If your system does not have a TPM, you must use a Startup USB key. Make sure you have a USB flash drive available to use for BitLocker key storage. The BitLocker Drive Encryption Wizard provides three options for TPM-enabled systems, and a single option for those without—Require a Startup Key at Every Startup. This is where your Startup USB drive comes into play. You’ll also be asked where to store the recovery key, which can also go to the flash drive. Finally, a BitLocker system check ensures that everything is functioning properly, which requires a restart with the drive key plugged in.

When you create the BitLocker volume, you must create a recovery key password, in case BitLocker enters a locked state. If you lose the password, you can be locked out of your data; be sure to save the password to an accessible location and print it for safekeeping. Note that this is not the same as the TPM management password discussed in the previous section.

If you choose to store the recovery key password on a USB drive or in a folder, it is stored in a plain text file. The name of the file matches the administrative password ID: four hex digits, followed by three groups of two hex digits, followed by six hex digits:


The password recovery key file contains the name of the disk volume, the drive letter, and the date of encryption, as well as the password itself, which is stored as eight groups of six digits each:


Recovery keys can be stored on Active Directory servers for systems that are members of a domain.

After you store and print the recovery key password, BitLocker performs a system check to ensure that the recovery and encryption keys can be read before it begins the encryption process. If you use a USB device to enable BitLocker, insert it when prompted. After the system check is performed successfully, BitLocker restarts your system and encrypts your system drive. During the encryption process, an icon in the notification area appears. Hover your mouse over the icon or double-click it to see encryption progress. You can pause encryption if necessary, but you can use your computer normally while encryption progresses. When you start your system, you must provide the appropriate credentials (entering the PIN when prompted or inserting the USB flash drive before starting the system or when prompted). Otherwise, the system will not boot.

In Windows 7, after BitLocker encrypts the system volume and you restart your system, you can encrypt any other volumes on the system drive. To encrypt additional volumes, open the BitLocker Drive Encryption tool in Control Panel and turn the encryption status from Off to On for the other volumes you want to encrypt.

BitLocker Drive Encryption Recovery

If you do not provide the appropriate credentials when you attempt to boot a BitLocker-encrypted volume, you are prompted to press the Enter key to enter into the Windows BitLocker Drive Encryption Password Entry dialog box. The drive label, system drive letter, BitLocker encryption date, and key filename are provided so you can locate the correct recovery key password.

Instead of using the normal 1–9 keys on the keyboard, use F1–F9 for digits 1–9, and F10 for 0. If you use the normal 1–9 keys, the password will not work. As soon as you correctly enter the recovery key password, the system starts normally.
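As an added illustration (not code from the book), the following Python checks the recovery artifacts described above: the password-ID file name pattern, the 48-digit recovery password, and the F-key entry scheme used on the recovery screen. The per-group rule (each six-digit group divisible by 11, quotient below 65536) is Microsoft’s documented validity rule for the format and is assumed here rather than taken from the page; the sample file text is constructed.

```python
import re

# Added example (not from the book): checks on the BitLocker recovery
# artifacts the text describes. From the page: the recovery key file is
# named after the password ID (4, 2, 2, 2 and 6 hex digits) and the
# recovery password is eight groups of six decimal digits. The per-group
# rule in parse_recovery_password (divisible by 11, quotient below 65536)
# is Microsoft's documented validity rule for the format, not page text.
PASSWORD_ID_RE = re.compile(r"^[0-9A-Fa-f]{4}(?:-[0-9A-Fa-f]{2}){3}-[0-9A-Fa-f]{6}$")
RECOVERY_PW_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def is_password_id(name):
    """True when a file's base name has the password-ID shape the book gives."""
    return PASSWORD_ID_RE.match(name) is not None


def parse_recovery_password(text):
    """Validate a 48-digit recovery password and return its 16 key bytes.

    Each group encodes one 16-bit word (group // 11); the eight words,
    little-endian, form the 128-bit key used to unlock the volume in recovery.
    """
    groups = text.strip().split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        raise ValueError("expected eight groups of six digits")
    key = bytearray()
    for g in groups:
        value = int(g)
        if value % 11 != 0 or value // 11 > 0xFFFF:
            raise ValueError("group %s fails the checksum rule" % g)
        key += (value // 11).to_bytes(2, "little")
    return bytes(key)


def fkeys_to_digits(keys):
    """Translate the F1..F10 keystrokes the recovery screen expects into digits.

    As the book notes, F1-F9 stand for 1-9 and F10 stands for 0.
    """
    out = []
    for k in keys:
        if k[:1].upper() != "F" or not k[1:].isdigit() or not 1 <= int(k[1:]) <= 10:
            raise ValueError("not a recovery-screen key: %r" % k)
        n = int(k[1:])
        out.append("0" if n == 10 else str(n))
    return "".join(out)


# Constructed sample of a saved recovery file; only the fields the book lists.
SAMPLE_RECOVERY_FILE = """\
BitLocker Drive Encryption recovery key (constructed sample)
Volume label: OS    Drive letter: C:    Encrypted on: 10/18/2012
Recovery password:
  000011-002816-720885-000000-051260-483791-000132-000077
"""


def recovery_password_from_file(text):
    """Find the 48-digit password inside a saved key file and validate it."""
    m = RECOVERY_PW_RE.search(text)
    if m is None:
        raise ValueError("no 48-digit recovery password found")
    return m.group(0), parse_recovery_password(m.group(0))
```

A saved key file that fails these checks (a mistyped digit, a group that is not a multiple of 11) will never unlock the volume, so verifying the copy you keep offline is worth doing before you need it.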

How BitLocker Protects Your Information

During normal use, a BitLocker-encrypted volume appears as a normal drive using the NTFS file system, and you can use EFS or disk compression on individual files and folders as with any normal NTFS volume.


Backups made of a BitLocker-encrypted drive with Windows system image or other backup utilities are not encrypted. Keep them in a safe place.

Once data is transferred from a BitLocker-encrypted drive to any other nonencrypted storage media, it is no longer encrypted.

However, if you attempt to bypass BitLocker security by booting the system from a Windows DVD and using the Recovery Environment, BitLocker Drive Encryption Recovery will prompt you to provide the password from removable media or by entering it. When you provide the password, you can access the volume for repair or data-recovery processes.

If you cancel the recovery process, the Recovery Environment will continue, but you will not be able to access the drive without providing the recovery password.

If you attempt to access the drive from the Recovery Console command prompt, you will see this message: “This volume is locked by BitLocker Drive Encryption. Return to the control panel to unlock volume.”

If you connect a BitLocker-encrypted volume to another computer running Windows and attempt to access its contents, the volume shows up as a drive letter in Windows Explorer with a size of 0MB, no disk label, and no file system.


By default, BitLocker’s AES encryption method uses a 128-bit key together with the Diffuser algorithm, which protects against attacks that manipulate the ciphertext while providing excellent performance. Through the Group Policy Object Editor, you can select other options, including 128-bit without Diffuser, 256-bit with Diffuser, and 256-bit without Diffuser. To select other options, open Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Configure Encryption Method. Click the Enabled radio button, and select the desired encryption method. Click Apply, then OK.

If you connect a BitLocker-encrypted volume to another computer running Windows XP or other operating systems, the file system is listed as RAW (unformatted). Third-party data-recovery programs are unable to determine the file system or other information about the drive. The drive can be formatted, but its contents cannot be accessed.

BitLocker prevents access to the drive by unauthorized Windows systems, and prevents other OSs from detecting the file system. BitLocker does this by encrypting the drive with a full volume encryption key using AES encryption, and then encrypting that key with a volume master key, also using AES encryption. The volume master key is unlocked when you provide the proper credentials at boot time, and it, in turn, unlocks the full volume encryption key that is used by a file system driver to decrypt the volume. In recovery mode, the recovery password (eight groups of six digits) unlocks the volume.

Differences Between BitLocker and EFS Encryption

Although EFS encryption is familiar to many Windows users because of previous experience with Windows 2000, Windows XP, and Windows Vista, it may be useful to review the differences:

  • In the initial version of Windows Vista, BitLocker secures the entire system volume, but not other volumes (drive letters) on a system, while EFS encryption can be used on any volume formatted with NTFS. However, Windows Vista SP1’s version of BitLocker can secure additional volumes on the system drive at the user’s option.

  • BitLocker uses a TPM chip or a USB flash memory drive to provide credentials, while EFS uses a personal certificate stored as part of the OS to provide credentials.

  • Neither EFS nor BitLocker encryption protects files once they have been copied to another drive. However, when EFS files are transferred via a file migration program, they retain their encryption attributes, and the original user’s EFS certificate must be exported from the source system and imported to the target system to enable encrypted files to be opened on the target system.


    Use the Windows command-line utility robocopy.exe with the /EFSRAW option to migrate EFS-encrypted files from Windows to another system.

  • EFS encryption is retained when files are backed up, but BitLocker volume encryption is not retained on a backup of a BitLocker volume.


    Although Previous Versions can be a lifesaver, it’s no replacement for making backup copies of important files or saving different versions of a file in progress. The last-available previous version might be days or weeks old in some cases, so you might need to reconstruct changes you performed on the current version. In such cases, you may want to use the Open or Copy option, rather than the Restore option, with the most recent previous version.

    If you use a drive other than the system drive for data, be sure to enable restore points (System Protection) on that drive if you want shadow copies. A drive without restore points cannot provide shadow copies. In such cases, only backup copies (if they exist) will be available as previous versions. System Restore uses up to 15% of each NTFS drive of at least 1GB in size for restore points. On systems with limited disk space, Windows 7 removes older restore points, which can also cause shadow copies to be lost. If you upgrade to Windows 7 on a system with limited disk space, all existing restore points will be removed and replaced with a single restore point. 

  • EFS encryption can be used by Windows editions that do not support BitLocker, and on systems that are not compatible with BitLocker.

  • BitLocker encryption cannot protect files on systems in Sleep or Hibernate mode, although EFS encryption can protect files on systems in these modes provided that the user has configured the system to request a strong password when waking up the system.

As you can see, BitLocker and EFS are complementary security features. You can use EFS to protect files on removable hard disks that are not secured with BitLocker, but you can use BitLocker to prevent anyone from using a stolen laptop or desktop computer.
