Windows 7 builds upon the strong security lineage of Windows Vista and comes
with some enhancements to its hard drive encryption scheme, BitLocker. One of
them is BitLocker To Go, which lets users encrypt their portable flash drives.
Setting up BitLocker To Go on a USB drive is very simple. All you need to do is
right-click the USB drive in 'My Computer' and select the 'Turn On BitLocker'
command from the menu. This will prompt you to set up a password that you will
use to unlock the drive, or to use the PIN of your smart card. This means you
can either use a simple password to encrypt your data or use your corporate
smart card to decrypt your pen drive.
After you set up a password or choose a smart card, BitLocker To Go will prompt
you to store a recovery key, which unlocks your drive in the event you forget
the password or lose your smart card. Once you have stored the recovery key,
you'll be prompted to begin the encryption process. Press 'Start Encryption' and
it will encrypt the drive. The time it takes to complete depends on how large
the drive is and on the available processing power.
By right-clicking your USB drive and selecting the 'Turn On BitLocker' command you can encrypt a removable drive.
Once the USB drive is encrypted by BitLocker, you will see a lock icon on the drive when you plug it into a Windows 7 machine.
The enhancements
One very significant change in Windows 7 is in the default partitioning scheme
used by BitLocker. BitLocker needs a separate 1.5 GB partition, which it uses
to boot the machine and which is not encrypted. Enabling BitLocker on Vista used
to be very difficult without this partition: you had to either create it with
some utility or reformat and reinstall the entire OS. This was because Vista by
default created just one partition for both installing the OS and booting the
machine.
With Windows 7, this problem has been taken care of. Win 7 by default creates
whatever partitions BitLocker requires, so you don't need to modify your
partitions to deploy it. The BitLocker interface is also simpler now. You just
need to right-click your hard drive and select 'Turn On BitLocker', or use the
BitLocker option in the Control Panel. But, as in Windows Vista, if you don't
have a TPM, BitLocker by default will throw an error when you try to encrypt
your hard drive and will not continue. In case you are not familiar with it, TPM
stands for Trusted Platform Module. The benefit you get with a TPM is that you
don't have to store the public key anywhere else, like on a USB drive that you
connect every time you access your data. At the same time, it also ensures that
no one can read the data on the disk unless it is accessed from the same
machine, through the same OS, and even through the same hardware connector
channel connecting the disk to the motherboard.
If you don't have a TPM chip on your system, you can select this checkbox in the Group Policy Editor to enable BitLocker support with USB drives instead of TPM chips.
Again, as in Windows Vista, you can bypass the use of a TPM in Windows 7 by
changing some settings in Group Policy and enabling the use of a USB drive
instead of a TPM chip. However, the interface and options in the Windows 7 Group
Policy Editor for enabling non-TPM encryption have changed a bit. Here is how
you do it.
First open the Group Policy Editor by typing 'Edit Group Policy' in the 'Run'
window. Go to Administrative Templates > Windows Components > BitLocker Drive
Encryption > Operating System Drives. Double-click 'Require additional
authentication at startup' and select 'Enabled' in the new window. This will
enable some options. Select the checkbox which says 'Allow BitLocker without a
compatible TPM', then click 'Apply' and close the Group Policy Editor. Now you
will be able to turn on BitLocker even if you don't have a TPM chip on your
machine.
Running the wizard is very simple. All you have to do is go to the BitLocker
Drive Encryption option in the Control Panel and click 'Turn On BitLocker' next
to your drive letter. This fires up a wizard which will either detect a TPM chip
or, if you have allowed it in Group Policy as discussed above, ask you to insert
a USB drive into the machine, which will then be used as the key for booting up
your machine. Once it has captured all the details, the wizard will reboot your
machine to check whether it can read the USB drive while booting. If it passes
the test, it will encrypt your hard drive.
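The steps above can be audited from the command line before and after running the wizard. The following PowerShell script is an added example, not part of the original article: it checks for a TPM, reads the registry values that the 'Require additional authentication at startup' policy writes (the UseAdvancedStartup and EnableBDEWithNoTPM names under the FVE policy key are Microsoft's, not the article's), and reports the protection state of each volume. It assumes an elevated Windows PowerShell prompt on Windows 7.

```powershell
# Added example (not from the article): audit the BitLocker prerequisites the article
# walks through. Run from an elevated PowerShell prompt on Windows 7.

# 1. TPM presence, via the Win32_Tpm WMI class (the query returns nothing when the
#    machine has no TPM, which is the case the Group Policy change is meant for).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    Write-Output ("TPM present. Enabled: {0}  Activated: {1}  Owned: {2}" -f `
        $tpm.IsEnabled().IsEnabled, $tpm.IsActivated().IsActivated, $tpm.IsOwned().IsOwned)
} else {
    Write-Output 'No TPM found; the OS drive can only be encrypted with the policy exception below.'
}

# 2. The policy 'Require additional authentication at startup' is stored under the FVE
#    policy key: UseAdvancedStartup=1 means the policy is Enabled, and EnableBDEWithNoTPM=1
#    is the 'Allow BitLocker without a compatible TPM' checkbox. Both must be set for a
#    TPM-less machine to accept a USB startup key.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$policyEnabled = ($fve -ne $null) -and ($fve.UseAdvancedStartup -eq 1)
$noTpmAllowed  = $policyEnabled -and ($fve.EnableBDEWithNoTPM -eq 1)
Write-Output ("Policy 'Require additional authentication at startup' enabled: {0}" -f $policyEnabled)
Write-Output ("'Allow BitLocker without a compatible TPM' checked: {0}" -f $noTpmAllowed)

# 3. Per-volume protection status from the BitLocker WMI provider (the same information
#    manage-bde -status shows). Removable drives encrypted with BitLocker To Go appear here
#    as well, once they are plugged in.
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
foreach ($v in $volumes) {
    $prot = $v.GetProtectionStatus().ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    $protText = switch ($prot) { 0 { 'Protection OFF' } 1 { 'Protection ON' } default { 'Unknown' } }
    Write-Output ("{0}  {1}" -f $v.DriveLetter, $protText)
}

# The same actions the article performs through the GUI, as manage-bde commands:
#   manage-bde -on E: -Password -RecoveryKey F:\      BitLocker To Go on removable drive E:
#                                                     (password protector + recovery key file on F:)
#   manage-bde -on C: -StartupKey F:\ -RecoveryPassword   OS drive with a USB startup key on F:
#                                                     (no TPM; requires the policy checked above)
```

Re-run the script after the wizard's reboot to confirm that the OS drive reports 'Protection ON' and that the removable drive shows the same once it is unlocked.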