A best practice guide on how to configure BitLocker (Part 1)

by Martin Kiaer [Published on 3 Jan. 2007 / Last Updated on 3 Jan. 2007]

How to configure BitLocker and how to get BitLocker to rock in Windows Vista using best-practice methods.

If you would like to read the next part in this article series please go to A best practice guide on how to configure BitLocker (Part 2).

Introduction

Windows Vista is here, and with Vista we get a lot of new exciting security features. One of the most exciting security features in Vista is Windows BitLocker drive encryption. BitLocker is a full-volume encryption tool that supports custom protection and authentication methods. However the user and support experience can be a mixed blessing, depending on which protection and authentication methods you choose. In this article we’ll walk you through a best-practice step-by-step approach on how to install and configure BitLocker in Windows Vista.

BitLocker hardware and software requirements

With BitLocker you basically have two different ways to protect the crypto key (a.k.a. Volume Encryption Key).

  • A TPM chip
  • Using a clear key, which is simply a normal password protection method

The crypto key is used to encrypt a volume, but it is just as important that the crypto key is protected as well. If a malicious user deletes the crypto key or it is accidentally deleted, then you better have a good key recovery setup, assuming you want access to your data again (We’ll cover the key recovery part in more details in Part 2). On the positive side, deleting the crypto key on purpose, in a controlled environment, is a great way to decommission and quickly recycle a computer without having to worry about what was installed previously on the encrypted volume.

Before you can install and use BitLocker, you should ensure that the following requirements are met:

  • TPM chip (Trusted Platform module) version 1.2 is available (only a requirement if you want to use BitLocker with a TPM chip)
  • The system BIOS is TCG (Trusted Computing Group) version 1.2 compliant (again, this is only a requirement if you want to use BitLocker with a TPM chip)
  • The system BIOS supports both reading and writing small files on a USB flash drive in the pre-operating system environment
  • The computer must have a least two volumes, before BitLocker can be used:
    • The first volume is the System Volume
      This volume must be NTFS formatted and should differ from the Operating System Volume. The System Volume must not be encrypted, since it contains hardware-specific files that are needed to load Windows after pre-boot authentication.
    • The second volume is the Operating System (OS) Volume
      This volume must be NTFS formatted and contains the Vista operating system and its support files. All data on the OS Volume is protected by BitLocker
  • It should be noted that BitLocker is only included and supported in Windows Vista Enterprise, Windows Vista Ultimate, and Windows “Longhorn” Server

Let us configure BitLocker, by taking you through each of the requirements and spice it up with some useful tricks and hints on the way.

Prepare the system BIOS

A TPM chip is not required, but is highly recommended when using BitLocker. There are actually a couple of reasons for this:

  • Since Microsoft is one of the big supporters of the Trusted Computing Platform initiative, they’ve build a lot of Vista security features (including BitLocker) around this chip, which can also be configured from an Active Directory based infrastructure using Group Policies.
  • BitLocker is extremely weak when it comes to pre-boot authentication options, compared to 3rd party hard disk encryption tools. The best and most secure method when using BitLocker is a TPM + pin code enabled configuration.

A TPM chip is basically a smart card that is molded to the motherboard of the computer. The TPM chip is capable of performing cryptographic functions. It can create, store and manage keys and also perform digital signature operations, and best of all, protect itself against attacks.

Hopefully by now, you should be convinced that using BitLocker together with a TPM chip is a good thing. But before you can take advantage of your TPM chip in Vista, you need to make sure that it is TCG version 1.2 compliant. Most of the newer TPM chips can be firmware upgraded, so that they’re compatible with Vista. However this also means that your BIOS needs an upgrade. If you’re not sure whether your computer fulfills the TPM requirements, you should go visit your computer manufactures website for more information.

On most systems, all you need to do is enter the BIOS setup and enable the TPM chip (usually identified in the BIOS as a “Security Chip”). Once you have done that, you’re ready to move on to the next section.

Prepare the hard disk

If you have purchased a computer recently that is Vista Ready and/or has Vista pre-installed, then you’ll notice that the hard drive has at least two different volumes. Basically what it means is that the volumes on the computer have been prepared to support BitLocker, and you can simply move on to the next section.

If you don’t have the volumes prepared from your hardware vendor or simply want to re-install Vista and also prepare it for BitLocker, then you need to prepare the volumes required by BitLocker, mentioned earlier. This should be done during the Vista installation process.

This can be easily done using Windows PE 2.0 which is included with your Vista DVD and a small simple script which we have included in this article. This process is actually easier than you think. Here’s what you need to do:

Copy the following script to a USB key:

bde-part.txt (used to partition the hard disk):

select disk 0
clean
create partition primary size=1500
assign letter=S
active
format fs=ntfs quick
create partition primary
assign letter=C
format fs=ntfs quick
list volume
exit

Important: The “clean” command in the bde-part.txt script will wipe all your existing partitions on disk 0 (your primary drive) including the repair/installation partitions that may have been preconfigured by your computer manufacture, so use this command with care or omit it from the script. Instead of the clean command, you can use the diskpart select volume=<drive letter> and thereafter the diskpart delete volume if you want more granular control of which volumes you want to delete. 

Once you have copied the script to a USB key, it is time to make use of it.

  1. Insert the USB key and start the computer from the Windows Vista product DVD
  2. In the initial Install Windows screen, choose your Installation language, Time and currency format, and Keyboard layout, and then click Next
  3. In the next Install Windows screen, click System Recovery Options, located in the lower left corner of the screen
  4. In the System Recovery Options dialog box, choose your keyboard layout, and then click Next
  5. In the next System Recovery Options dialog box, make sure no operating system is selected. To do this, click in the empty area of the Operating System list, below any listed entries. Then click Next
  6. In the next System Recovery Options dialog box, click Command Prompt (see figure 1)


Figure 1

  1. Allocate the drive letter assigned to your USB key by entering the following commands one-by-one:

    diskpart
    list volumes
    exit

    Make a note of the drive letter assigned to the USB key.
  1. Prepare the volumes by entering the following command:

    diskpart /s <USB drive letter>:\bde-part.txt

    where <USB drive letter> should be replaced with the drive letter allocated to your USB key.

    Once you have completed the above steps, you should exit the command prompt window and return to the installation program and complete the Vista installation.

    Prepare the TPM chip

    Before we can use the TPM chip, we need to prepare it. This means that we need to ensure the following:

    • Ensure that the correct TPM driver is installed in Vista
    • Initialize the TPM chip
    • Take ownership of the TPM chip

    Note: If you don’t want to use a TPM chip with BitLocker, then you can skip this section and move on to the next section.

    There are several reasons why Microsoft depends on a TPM chip that is version 1.2 TCG compliant, but two of the primary reasons, besides added security features, are compatibility and stability. Microsoft delivers this through a generic TPM Vista driver. The rule of thumb is that you should only use Microsoft’s TPM driver if you want to use BitLocker with a TPM chip.

    Verify that you are using the right driver for your TPM chip (assuming your computer supports it) by entering the Device Manager. In the category called Security Devices, you should see Microsoft’s TPM driver, called “Trusted Platform Module 1.2”. If you want to verify the driver version, simply right-click the Trusted Platform Module 1.2 device and select Properties and then click the Driver tab, as illustrated in Figure 2.


    Figure 2

    If for some reason or another, you’re using a different TPM driver, then you can upgrade the driver to the before-mentioned Microsoft TPM driver, which you’ll find on the Vista DVD.

    Once you have verified that the right TPM driver is loaded, it’s time to initialize the TPM chip. This can be done in two different ways, either by using the TPM MMC (simply type tpm.mcs) or configure it from the command line. In this article we’ll show you how this is done from the command line using the command line utility manage-bde.wsf which is a WMI based script.

    1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
    2. Enter the following command:

      cscript manage-bde.wsf –tpm –takeownership -<password>

      where <password>  should be replaced with your own choice of password

      Treat this password as your TPM master password.
    3. The TPM chip is now ready for use (see Figure 3).


    Figure 3

    Encrypt the volumes

    Up until now, we have gone through all the preliminary steps that are needed, before we can actually start encrypting volumes. Some of the steps explained so far, may already have been prepared directly by the manufacture of your computer, or not applicable if your computer doesn’t have a version 1.2 TPM compliant chip. Let’s move on and encrypt some data. This can be done in two different ways, either by using the BitLocker Control Panel GUI or done from the command line. In this article we’ll show you how this is done from the command line for various reasons:

    1. The BitLocker Control Panel GUI is only supported on machines with a compliant TPM chip. This means that if you want to take advantage of BitLocker without using a TPM chip, then your only option is the BitLocker command line utility (manage-bde.wsf)
    2. Another reason is, that officially, BitLocker in Vista only supports encryption of the OS Volume (which is normally the C: drive). However with the command line utility, you have the option to encrypt data volumes as well, a feature that is only officially supported in Longhorn Server
    3. The command line utility can be used to centrally encrypt client computers in an Active Directory environment, which we’ll take a closer look at in Part 2 of this article series.

    How the volumes can be encrypted

    • From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
    • Enter the following command: cscript manage-bde.wsf –on /?
    • This will show you the different pre-boot authentication and key recovery options you have with BitLocker. In this article we’ll show you how to encrypt a volume with TPM support, a volume without TPM support and finally a volume other than the C: drive

    BitLocker encryption with TPM support

    1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
    2. Enter the following command:

      cscript manage-bde.wsf –on –recoverypassword C:


    Figure 4

    1. Follow the instructions on the screen to start the encryption process (see figure 4)

    BitLocker encryption without TPM support:

    1. From the Vista Start Menu, locate the Command Prompt shortcut. Right-click the icon and select Run as administrator
    2. Enter the following command:

      cscript manage-bde.wsf  –on –startupkey <USB drive>:-recoverypassword –recoverykey <recovery drive>:

      <USB drive> is the drive letter assigned to the USB key that is used instead of the TPM chip. Remember to include the colon with the drive letter

      <recovery drive> can be either a hard drive, a USB key or a network drive. Again, remember to include the colon with the drive letter

    BitLocker encryption of data volumes

    The procedure is the same as the two previous examples. Just replace the drive letter with the drive you want to encrypt. The feature does however come with a couple of caveats if you’re not careful.

    • The first one is that this will only work if you have encrypted the OS Volume with the manage-bde command line utililty as well
    • The second caveat is that after the data volume is encrypted, you will not be able to access the data after you reboot the computer, unless you automatically unlock the data volume. Here’s how you can avoid this problem:
    1. We’ll assume you have encrypted the Data Volume using one of our examples in this article or your own preferences
    2. Before you restart the computer, enter the following command:

      cscript manage-bde.wsf –autounlock –enable <data drive>:

      <data drive> is the drive letter assigned to the Data Volume. Remember to include the colon with the data drive letter

    The above command will generate an external key protector on the data volume and store the crypto key on the OS Volume (normally the C: drive) which we encrypted earlier. That way the crypto key for the data volume is protected by the crypto key for the OS Volume, but still automatically loaded during the boot phase.

    Conclusion

    In this article we have shown you a different way to enable BitLocker in Vista, compared to Microsoft’s step-by-step articles. We wanted to show you that BitLocker is capable of much more than what you can do from the GUI. In Part 2 of this article series, we’ll take a closer look at how you can configure and manage BitLocker from a central Active Directory environment and how you best manage BitLocker in terms of key recovery.

    External Links

    Windows Vista BitLocker Client Platform Requirements

    Specs and Whitepapers

    Trusted Computing Group (TCG) Website

    Microsoft’s BitLocker Blog

    If you would like to read the next part in this article series please go to A best practice guide on how to configure BitLocker (Part 2).

    Advertisement

    Featured Links