BitLocker Drive Encryption

BitLocker is a Windows 7 feature that protects a computer from offline attacks by encrypting its system volumes. ‘BitLocker To Go’ is a new feature that encrypts removable drives. If your laptop is lost or stolen, BitLocker protects the data on it from unauthorized access; BitLocker To Go can be used to protect data on external storage devices such as flash drives. Offline attacks include booting an alternate operating system to recover data from a computer's hard disk, and removing the hard disk from one computer and placing it in another to recover the data stored on it.

Start-up key: A start-up key is a special, cryptographically generated file stored on a USB device.

BitLocker Modes:

BitLocker can operate in different authentication modes depending on the computer's hardware capabilities (whether a Trusted Platform Module, TPM, is available) and the desired level of security. The BitLocker modes are:

  1. TPM only: In this mode the user does not provide a password, PIN or start-up key to boot the computer, and is unaware that BitLocker is functioning. It is the least secure BitLocker authentication mode. The user only becomes aware of it when BitLocker detects a modification of the boot environment, or if the hard disk is removed and used in another computer.
  2. TPM with start-up key: The user must provide a USB device containing the start-up key to boot the computer. If the device holding the start-up key is not provided at boot time, BitLocker puts the computer into recovery mode. In this mode BitLocker also provides boot environment protection through the TPM.
  3. TPM with PIN: The user must enter a ‘Personal Identification Number’ before the computer boots into the Windows operating system. If the user does not enter the correct PIN at boot time, BitLocker forces the computer into recovery mode.
  4. TPM with PIN and start-up key: When BitLocker is turned on in this mode, the user must provide both the PIN and the device that hosts the start-up key at boot time. This is the most secure BitLocker mode.
  5. BitLocker without TPM: If the computer has no TPM chip, BitLocker can operate in the ‘without TPM’ mode. This mode does not provide boot environment protection; it provides only hard disk encryption.
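A quick way to check which of these modes a machine is actually in, as an added example that is not from the original article: it parses manage-bde.exe (the command-line tool Windows 7 ships) and assumes the tool's English protector labels (‘TPM:’, ‘TPM And PIN:’, ‘Numerical Password:’ and so on) and the -TPMAndPIN flag, which should be compared against the output and help text on your own build.

```powershell
# Audit which of the modes above a volume actually uses, by parsing the output
# of manage-bde.exe (the tool Windows 7 ships; the BitLocker PowerShell cmdlets
# only arrived with Windows 8). Run from an elevated prompt. Assumption: the
# protector labels matched below are manage-bde's English output.
function Get-BitLockerAuthMode {
    param([string]$Volume = 'C:')

    # "-protectors -get" lists every key protector configured on the volume.
    $text = & manage-bde.exe -protectors -get $Volume 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed for ${Volume}: $text" }

    # Boot-time protectors in the article's order, weakest first. A volume that
    # carries several of them is only as strong as the weakest, since any one unlocks it.
    $present = @()
    if ($text -match '(?m)^\s*TPM:')                 { $present += 'TPM only' }
    if ($text -match 'External Key:')                { $present += 'Start-up key without TPM' }
    if ($text -match 'TPM And Startup Key:')         { $present += 'TPM with start-up key' }
    if ($text -match 'TPM And PIN:')                 { $present += 'TPM with PIN' }
    if ($text -match 'TPM And PIN And Startup Key:') { $present += 'TPM with PIN and start-up key' }

    $effective = 'No boot protector found'
    if ($present.Count -gt 0) { $effective = $present[0] }

    # The 48-digit numerical password is what unlocks the drive in recovery mode;
    # without it a lost start-up key or forgotten PIN means the data is gone.
    $hasRecoveryPassword = [bool]($text -match 'Numerical Password:')

    $findings = @()
    if ($effective -eq 'TPM only') {
        $findings += 'TPM-only is the least secure mode; add a PIN with: manage-bde -protectors -add <vol> -TPMAndPIN'
    }
    if ($effective -eq 'Start-up key without TPM') {
        $findings += 'No TPM: the boot environment is not protected, only the disk is encrypted.'
    }
    if (-not $hasRecoveryPassword) {
        $findings += 'No recovery password protector: entering recovery mode would leave the drive unrecoverable.'
    }

    New-Object PSObject -Property @{
        Volume              = $Volume
        EffectiveMode       = $effective
        ProtectorsPresent   = $present
        HasRecoveryPassword = $hasRecoveryPassword
        Findings            = $findings
    }
}
# Usage: audit the OS volume and print the result.
Get-BitLockerAuthMode -Volume 'C:' | Format-List
```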

Steps to configure BitLocker:

  1. Click ‘Start’ – ‘Control Panel’ – ‘System and Security’. Choose ‘BitLocker Drive Encryption’ from the ‘System and Security’ console. The BitLocker Drive Encryption console appears.
  2. Click ‘Turn On BitLocker’ to encrypt the corresponding drive on the computer.
  3. ‘Manage BitLocker’ allows you to change or print the recovery key of the encrypted drive.
  4. You can ‘Turn Off BitLocker’ if you have the encryption key or PIN. It then decrypts the drive, which is no longer protected.


Encrypt a system drive using BitLocker:

  1. Click ‘Start’ – ‘Computer’. Select the drive you want to encrypt, right-click it and select ‘Turn on BitLocker’. This opens the ‘BitLocker Drive Encryption’ wizard.
  2. After BitLocker initializes, the ‘BitLocker Drive Encryption’ wizard opens a new screen to choose how to unlock your drive: you can enter a password or use a smart card. Choose the required option and click ‘Next’.
  3. The wizard then asks how to store your recovery key. You can ‘Save the recovery key’ to a file on your computer or ‘Print the recovery key’. Select the required option and click ‘Next’.
  4. The wizard stores the recovery key and then displays the message ‘Are you ready to encrypt your drive’. Click ‘Next’ to start the encryption. When encryption is complete you receive the message ‘Encryption for selected drive is complete’.