In Windows Vista, you had the BitLocker Drive Encryption feature that allowed you to encrypt the content of entire volumes. In Windows 7, Microsoft has extended this feature to include removable hard disks and thumb drives. This new feature is known as BitLocker To Go.
Note
The encryption performed by BitLocker is transparent to the user—you will use the drive normally and Windows 7 will automatically encrypt the data on the fly when you write to the drive. Likewise, Windows will decrypt the data on the fly when you read from the drive.
The BitLocker Drive Encryption feature in Windows 7 (also available in Windows Vista) allows you to encrypt your hard drives so that they are safe from unauthorized access. Using BitLocker, all data written to a hard drive stays encrypted while it is stored on the drive; when the OS reads the data, it is automatically decrypted. However, if a BitLocker-encrypted drive is removed from a computer, its content will not be accessible unless the correct password is provided. This way, BitLocker helps protect the integrity and security of your data.
Note
Unlike the Encrypting File System (EFS), which allows you to selectively encrypt files, BitLocker encrypts the entire drive.
There are two types of hard drives you can encrypt using BitLocker:
- Operating system drive
This is the drive on which Windows 7 is installed.
- Data drive(s)
This includes internal data drives attached to your computer.
Note
BitLocker is available only in the Enterprise and Ultimate editions of Windows 7.
To encrypt the operating system drive using BitLocker, right-click the C: drive and select “Turn on BitLocker...” (see Figure 4-16).
Note
Alternatively, you can manage BitLocker on all your drives via the BitLocker Drive Encryption application (see Figure 4-17) in the Control Panel.
In order to use BitLocker to encrypt the hard drive containing your operating system, your computer needs to have a Trusted Platform Module (TPM) chip. BitLocker uses the TPM chip to store the keys that are used to decrypt your encrypted drive at boot time. Alternatively, if your computer does not have a TPM chip, you can store the encryption key on a USB thumb drive; in this case, you must insert the USB drive into your computer at boot time.
Note
Using BitLocker to encrypt your operating system drive also requires two partitions on the hard drive—one system partition (hidden boot partition) and one operating system partition. Fortunately, Windows 7 automatically creates these two partitions during the installation process.
For encrypting data drives, BitLocker requires the drive to be formatted using either the exFAT, FAT16, FAT32, or NTFS filesystems.
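The operating system drive setup described above, driven with manage-bde.exe (the BitLocker command-line tool that ships with Windows 7) from an elevated PowerShell prompt. This is an added example, not code from the book; it assumes C: is the operating system drive and F:\ is a USB thumb drive that will hold the startup key when no TPM is present.

```powershell
# Added example, not from the book. Assumptions: C: is the OS drive, F:\ is a
# USB thumb drive that will hold the startup key, and the prompt is elevated.
$OsDrive  = 'C:'
$UsbDrive = 'F:\'

# Windows exposes the TPM through WMI; no object means no (or a disabled) TPM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm
$hasTpm = ($null -ne $tpm) -and $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated

if ($hasTpm) {
    # TPM present: the TPM holds the key that unlocks the drive at boot, as the
    # book describes. Register the TPM protector explicitly, then turn BitLocker
    # on with a 48-digit recovery password as the fallback.
    & manage-bde.exe -protectors -add $OsDrive -tpm
    & manage-bde.exe -on $OsDrive -RecoveryPassword
} else {
    # No TPM: keep the startup key on the USB drive instead (a .BEK file is
    # written to F:\), which must be inserted at every boot. Known requirement
    # not covered on the page: the Group Policy setting "Require additional
    # authentication at startup" must have "Allow BitLocker without a compatible
    # TPM" enabled before this command will succeed.
    & manage-bde.exe -on $OsDrive -StartupKey $UsbDrive -RecoveryPassword
}

# manage-bde prints the recovery password; record it somewhere other than the
# drive being encrypted. BitLocker runs a hardware test on the next restart and
# encrypts in the background afterwards; -status shows the percentage done.
& manage-bde.exe -status $OsDrive
```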
BitLocker To Go is an extension of the BitLocker application that provides encryption support for removable hard disks and thumb drives.
Note
BitLocker To Go is available only in the Enterprise and Ultimate editions of Windows 7.
To turn on BitLocker To Go, simply insert your thumb drive into your computer, right-click the drive icon in Computer (see Figure 4-18) and select “Turn on BitLocker...”.
Now you need to choose a way for the drive to be unlocked when it has been encrypted—using a password or a smartcard. The easiest way would be to choose a password; if you choose this option, supply a password. Click Next to proceed.
In the next step, you have a choice to store your recovery key to a file or print it out. The recovery key is used to temporarily unlock a BitLocker-encrypted drive in the event that you forget the password. Choose the desired option and click Next.
You are now ready to encrypt your drive. Click the Start Encrypting button to begin the encryption.
Windows will now start to encrypt your drive. It will take some time, especially if you have a large-capacity thumb drive. When the encryption is done, a lock will appear on the drive icon (see Figure 4-19).
From now on, whenever you insert your thumb drive into your computer, you will be prompted to enter the password to unlock the drive. Enter the password and click the Unlock button to unlock the drive.
If you insert a thumb drive encrypted with BitLocker To Go into a Windows XP computer, you will be prompted to enter the key to unlock the drive.
If you forget your password, click the “I forgot my password” link. You will be prompted to enter the recovery key that you saved or printed earlier. Enter the recovery key and you will be granted temporary access to the drive so that you can change its password.
You also have the option to automatically unlock the drive on the current computer. If you choose this option, you will not be prompted to unlock the drive every time you insert the thumb drive into the current computer. You should choose this option only if you are sure that your computer is secure and that it is not easily accessible to other people.
You can change the BitLocker feature of a drive by right-clicking the drive icon in Computer and selecting Manage BitLocker. Figure 4-20 shows the options available.
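The BitLocker To Go steps above (password protector, recovery key saved to a file, optional auto-unlock, and recovery when the password is forgotten), driven with manage-bde.exe from an elevated PowerShell prompt. This is an added example, not code from the book; it assumes E: is the thumb drive and C:\BitLockerKeys is a folder on the computer where the recovery password file is kept.

```powershell
# Added example, not from the book. Assumptions: E: is the thumb drive and
# C:\BitLockerKeys (on the computer, not on the thumb drive) stores the
# recovery password file. Run from an elevated PowerShell prompt on Windows 7.
$Drive  = 'E:'
$KeyDir = 'C:\BitLockerKeys'
New-Item -ItemType Directory -Path $KeyDir -Force | Out-Null

# Do not re-run on a drive that is already protected.
if ((& manage-bde.exe -status $Drive) -match 'Protection On') {
    throw "$Drive already has BitLocker protection turned on"
}

# -Password is the wizard's "use a password" choice (manage-bde prompts for it);
# -RecoveryPassword adds the 48-digit recovery password the wizard offers to save.
$out = & manage-bde.exe -on $Drive -Password -RecoveryPassword
$out

# Pull the recovery password (8 groups of 6 digits) out of the output and save
# it, mirroring the wizard's "save the recovery key to a file" step.
$recovery = $out | Where-Object { $_ -match '^\s*\d{6}(-\d{6}){7}\s*$' } |
    ForEach-Object { $_.Trim() } | Select-Object -First 1
if (-not $recovery) { throw 'No recovery password found in manage-bde output; see above' }
$file = Join-Path $KeyDir ('Recovery-' + $Drive.TrimEnd(':') + '-' + (Get-Date -Format 'yyyyMMdd-HHmm') + '.txt')
Set-Content -Path $file -Value @("BitLocker To Go recovery password for $Drive", $recovery)
Write-Host "Recovery password saved to $file"

# Optional: "automatically unlock on this computer", only on a machine that other
# people cannot easily get at, as the book notes. Uncomment to enable:
# & manage-bde.exe -autounlock -enable $Drive

# If the password is ever forgotten, the recovery password unlocks the drive and
# a new password can then be set; this is the "I forgot my password" path:
# & manage-bde.exe -unlock $Drive -RecoveryPassword $recovery
# & manage-bde.exe -changepassword $Drive

# Encryption continues in the background; -status reports progress and lock state.
& manage-bde.exe -status $Drive
```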
Get Windows 7: Up and Running now with the O’Reilly learning platform.