Windows 7 Security & Bitlocker Drive Encryption

Having got my hands on Windows 7 at last, one of the important things I wanted to do was secure my data using Bitlocker Drive Encryption. After losing 2 laptops to a burglar with large amounts of personal data on them, I am being a little more careful from here on, so that the physical loss of the laptop will be the worst possible outcome, and ID theft or misuse of my data (e.g. raiding my pitiful bank accounts!) won’t be a concern. Bitlocker is only available on Ultimate and Enterprise editions – this I think is an uncalled-for feature restriction – to enhance its reputation for security, Microsoft would be better off opening this up to all editions of Windows 7. Users of other editions will have to use Folder Level encryption, which I’ll cover towards the end.

Bitlocker Drive Encryption encrypts the entire disk transparently. What “Transparent” really means to me and you is that if you copy a file from a Bitlocker Encrypted disk to an unencrypted disk, that file is readable by any machine. However should someone try to read the encrypted disk directly they wouldn’t see anything except encrypted garbage. So if your disks are Bitlocker Encrypted, unless someone has the Recovery Key, your drives and data are unreadable.

How do I enable Bitlocker?

So how does this work in practice? Well, a lot depends on whether your computer has a TPM 1.2 chip on the motherboard. If you do, you can simply open the Bitlocker control panel (just type Bitlocker in the search bar) and enable Bitlocker. The TPM chip manages the storage of the Bitlocker keys – and Windows 7 will stop the process if you don’t have a key. You set a PIN and after that your computer won’t boot without the PIN, and if someone tries to remove the drives to read them – well, they can get the drives out, but reading their content is impossible.

If you don’t have a TPM chip, you can put the Bitlocker key on a USB Key. To do this requires a bit of a workaround as by default Bitlocker will only work if you have a TPM chip installed, and the wizard will block progress if you don’t. Fortunately the nice folks over at have posted a guide on How to Turn BitLocker On or Off without a TPM for Windows 7. It involves going into the Group Policy Editor (some sort of security thing) but is incredibly simple to do. Again, not 100% sure why Microsoft decided to make this a bit awkward to set up, so hopefully this will change in the future.

You can then apply Bitlocker and store the key on a USB drive. From now on your computer will only boot if you have the USB Key plugged in (you can – and should – remove it after the computer has booted). This is a minor inconvenience and you have to remember to keep the USB key separate from the machine – otherwise if someone steals your computer and you’ve left the USB key in, your encryption efforts are wasted.

How do I prevent me locking myself out with Bitlocker?

This applies to those of us using USB Keys, but the advice is simple:

  • Keep multiple copies of the Bitlocker recovery keys somewhere accessible and safe – such as on an external HDD, Live Mesh, a webmail account…
  • Create multiple USB keys – from the Bitlocker control panel you can load the startup key on as many USB keys as you like. I have 3 copies so if a USB drive fails, or goes walkies, I don’t have to worry about not being able to use my computer. You can also store multiple computers’ Bitlocker keys on one USB key.
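As an added example (my own script, not something from the post or from Microsoft), here is the command-line version of the whole no-TPM procedure above: the Group Policy tweak, a recovery password you can copy to several safe places, and one startup key per USB stick. It assumes the OS drive is C:, the USB sticks are E: and F:, and G:\bitlocker-backup is on an external HDD; run it from an elevated PowerShell prompt on Windows 7.

```powershell
# Added example (not from the post): enable BitLocker on the OS drive with USB
# startup keys on a machine without a TPM, plus the redundant protectors the
# post recommends. Run from an elevated PowerShell prompt on Windows 7.
# Assumptions: OS drive is C:, the USB sticks are E: and F:, and recovery
# passwords are written to G:\bitlocker-backup on an external HDD.
$OsDrive     = 'C:'
$StartupKeys = @('E:\', 'F:\')          # one startup key per USB stick
$BackupDir   = 'G:\bitlocker-backup'    # external HDD, not a stick left in the laptop

# 1. The Group Policy setting "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked writes these two
#    values; setting them here is the same as the gpedit.msc route.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }
Set-ItemProperty -Path $Fve -Name 'UseAdvancedStartup'  -Value 1 -Type DWord
Set-ItemProperty -Path $Fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord

# 2. Add a recovery password first, so there is always a way back in, and keep
#    a copy off the machine (then copy that file to the other safe places too).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$recovery = & manage-bde.exe -protectors -add $OsDrive -RecoveryPassword
$recovery | Out-File -FilePath (Join-Path $BackupDir "$env:COMPUTERNAME-recovery.txt")

# 3. One startup-key protector per USB stick. Each stick gets its own .BEK
#    file, and any one of them unlocks the drive at boot, so losing one stick
#    is not a lock-out.
foreach ($key in $StartupKeys) {
    & manage-bde.exe -protectors -add $OsDrive -StartupKey $key
}

# 4. Start encrypting. Until this finishes, treat the drive as unencrypted.
& manage-bde.exe -on $OsDrive

# 5. Show what protects the drive: expect one "Numerical Password" and one
#    "External Key" per stick. If you only see one External Key, a stick is
#    missing and you have a single point of failure.
& manage-bde.exe -protectors -get $OsDrive
& manage-bde.exe -status $OsDrive
```

The same `manage-bde -protectors -add <drive> -StartupKey <usb>` line is how you add a key for a second computer to a stick you already use, since each computer writes its own .BEK file.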

I don’t have Ultimate / Enterprise – what are my options?

Well, option 1 is to upgrade using Windows Anytime. But assuming you don’t want to, the other option is Folder Level encryption. All you need to do is pick a folder, right click, select Properties and under the Advanced options choose to Encrypt the folder. If this is the first time you are encrypting something on your machine it will prompt you to back up the security certificate – as with the Bitlocker recovery keys I strongly recommend making multiple copies in multiple safe locations. Your folder will then be encrypted and its name turns green, so encrypted folders are easy to spot. They aren’t angry, like the Hulk :)

Now this isn’t transparent – if you move a file from your encrypted folder to another location it remains encrypted and unreadable without the security certificate. But if someone stole your PC, unless you have autologin set, those files are unreadable, which for the purposes of this discussion is what we intended.

So, am I safe and secure now?

Well, maybe, as long as you have done a few other basic things:

  1. Require a password on startup
  2. Have a screensaver that requires a password to unlock
  3. Backed up recovery keys
  4. Backed up your data
  5. Backed up your data
  6. Backed up your data
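Since it is easy to tick these off in your head and still have autologin switched on, here is an added example (mine, not from the post) that checks items 1 to 3 on a Windows 7 machine from an elevated PowerShell prompt. It assumes the OS drive is C:; whether your data is backed up is between you and your external HDD.

```powershell
# Added example (not from the post): audit the checklist above on Windows 7.
# Run from an elevated PowerShell prompt. Assumption: the OS drive is C:.
$OsDrive = 'C:'

function Test-Item([string]$Name, [bool]$Ok, [string]$Detail) {
    # One row per check; Result is OK or FAIL.
    New-Object PSObject -Property @{
        Check = $Name; Result = $(if ($Ok) { 'OK' } else { 'FAIL' }); Detail = $Detail
    }
}
$results = @()

# 1. Password on startup: AutoAdminLogon = "1" means whoever powers the
#    machine on lands on your desktop with no password at all.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results += Test-Item 'Password required at startup' ($wl.AutoAdminLogon -ne '1') `
    "AutoAdminLogon=$($wl.AutoAdminLogon)"

# 2. Screensaver is on AND asks for a password on resume (current user).
$ss = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
$ssOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1')
$results += Test-Item 'Screensaver locks' $ssOk `
    "ScreenSaveActive=$($ss.ScreenSaveActive) ScreenSaverIsSecure=$($ss.ScreenSaverIsSecure)"

# 3. Drive really is fully encrypted with protection on; a half-finished
#    conversion or "Protection Off" leaves the data readable.
$status = (& manage-bde.exe -status $OsDrive) | Out-String
$encOk = ($status -match 'Conversion Status:\s+Fully Encrypted') -and
         ($status -match 'Protection Status:\s+Protection On')
$results += Test-Item 'BitLocker protection on' $encOk `
    ((($status -split "`n") | Where-Object { $_ -match 'Conversion Status|Protection Status' } |
      ForEach-Object { $_.Trim() }) -join '; ')

# 3b. A recovery password exists (so the backed-up copies are worth something)
#     and there is more than one USB startup key, as the post recommends.
$prot = (& manage-bde.exe -protectors -get $OsDrive) | Out-String
$results += Test-Item 'Recovery password protector present' ($prot -match 'Numerical Password') ''
$usbKeys = ([regex]::Matches($prot, 'External Key')).Count
$results += Test-Item 'Multiple USB startup keys' ($usbKeys -ge 2) "External Key protectors: $usbKeys"

$results | Format-Table Check, Result, Detail -AutoSize
```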

Good luck, and keep your data safe!

Windows 7 first impressions + BI Monkey news

My posting rate has taken a little dip of late so I thought I’d better explain myself :)

A BI Monkey update

The BI Monkey has been a little short of access to computers for a while, as a burglary took his laptop, being on holiday in Japan and Hong Kong distracted him, and just to add some extra confusion into the mix, I switched consultancies towards someone a bit more Microsoft focused. However I am almost back in the saddle, having finally got SQL2008 up and running on 64-bit Windows 7. Once I’ve dealt with the vast amounts of admin that seem to accompany joining my new company, I’ll carry on with my quest to cover every component in depth. However I may end up delivering all my new samples on a 64-bit architecture – though I’m still looking at setting up a virtual PC to stick with 32-bit SQL2005 for creating my demo files.

None of this seems to have slowed down the growth of the site, though it is starting to calm down – it had its first 5,000 hit day earlier this month and will easily top 100,000 hits this month. This makes me very happy! Now, if only the Google ad revenue would come pouring in!

Windows 7 first impressions

My new work machine is loaded with Windows 7 Enterprise, and I have to say, I’m impressed. I wasn’t much of a Vista hater so perhaps I am an easier sell, but there are a few features that really stand out for me:

  • Taskbar – the new smaller icons are nice and the way you can manage multiple windows from a single icon is very slick
  • Libraries – Being able to collect several disparate folders under a single master folder makes managing files much easier
  • Snap – a simple but easy way of pulling windows to cover half the screen for side by side review is handy
  • Speech – I was a fan in Vista, and whilst not much has changed, it does seem better behaved – so will be dictating more in future

The introductory videos here are a great and easy introduction to these features, and I recommend all new 7 users take a peek.

