
Using BitLocker Encryption

Windows BitLocker Drive Encryption is a full-volume encryption feature introduced with Windows Vista and Windows Server 2008. BitLocker encrypts all the data on a volume. It can encrypt the volume that contains the Windows operating system, including paging files, applications, and the data those applications use. Data volumes (volumes other than the Windows volume) can also be protected with BitLocker encryption.

BitLocker does have hardware requirements. To make full use of all BitLocker features, a computer system that has a compatible Trusted Platform Module (TPM) microchip (TPM 1.2) and BIOS (meaning a very recent server system in which you have requested the TPM chip) is required. The TPM chip is where the encryption and decryption keys for BitLocker are stored. (You can do a workaround if you do not have a server with a TPM; see the note at the end of this section.)

By the Way

The TPM chip on a server is a microcontroller that stores keys, passwords, and digital certificates. A number of computer manufacturers sell systems with the TPM chip. The TPM standard is part of the hardware specifications developed by the Trusted Computing Group, a nonprofit consortium that develops open standards for hardware-enabled trusted computing and security technologies. For more about the TPM standard and the Trusted Computing Group, see https://www.trustedcomputinggroup.org/faq/TPMFAQ.

BitLocker also requires that there be two volumes (partitions) on the drive that contains the Windows Server 2008 operating system. You must create the volumes before you install Windows Server 2008, and both volumes must be formatted with the NTFS file system. One volume will be for the Windows operating system and BitLocker will encrypt this volume (protecting the OS files and other information such as password files). The second volume (which can be smaller than the Windows OS volume) will serve as the active volume (so that the system boots) and will not be encrypted by BitLocker. The second volume or system volume must be at least 1.5GB (remember, this will be the active partition).

Did you Know?

You can use BitLocker if you do not have a system with a TPM chip. Your system needs to be able to boot from a USB drive, however (set in the BIOS), because the BitLocker startup key is stored on the USB drive. By default the Local Group Policy is configured so that a TPM is required, but you can edit the local policy. Run gpedit.msc (Start, Run) and then expand the Local Computer Policy, Computer Configuration, Administrative Templates, and Windows Components nodes. Then select the BitLocker Drive Encryption node. In the Details pane, double-click Control Panel Setup: Enable Advanced Startup Options. On the Control Panel Setup: Enable Advanced Startup Options Properties dialog box, click Enabled (near the top of the dialog box). Make sure that the Allow BitLocker Without a Compatible TPM check box is also checked. Close the dialog box and the editor window.
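Before walking through the wizard on a TPM-less server, it helps to confirm that the policy change from this sidebar actually took effect and whether the machine reports a TPM at all. The batch file below is an added example, not from the book; it assumes that the "Enable Advanced Startup Options" policy writes the value EnableBDEWithNoTPM under the HKLM\SOFTWARE\Policies\Microsoft\FVE key and that the TPM driver exposes the Win32_Tpm class in the root\cimv2\security\microsofttpm WMI namespace (both are Windows conventions, stated here as assumptions rather than taken from the page). Run it from an elevated Command Prompt.

```batch
@echo off
rem Added example: preflight check before enabling BitLocker on a server
rem without a TPM. Assumes the FVE policy key and the Win32_Tpm WMI class
rem named below; run from an elevated command prompt.

set FVE=HKLM\SOFTWARE\Policies\Microsoft\FVE

rem 1. Does local policy allow BitLocker without a compatible TPM?
reg query "%FVE%" /v EnableBDEWithNoTPM 2>nul | find /i "0x1" >nul
if errorlevel 1 (
  echo Policy still requires a TPM: enable "Allow BitLocker Without a Compatible TPM" in gpedit.msc
) else (
  echo Policy allows a USB startup key in place of a TPM
)

rem 2. Is an enabled TPM present? If not, only the USB startup key option applies.
wmic /namespace:\\root\cimv2\security\microsofttpm path Win32_Tpm get IsEnabled_InitialValue /value 2>nul | find /i "=TRUE" >nul
if errorlevel 1 (
  echo No enabled TPM reported: choose Require Startup USB Key at Every Startup
) else (
  echo TPM present and enabled: BitLocker can seal its keys to the TPM
)
```

If the first check fails after you have edited the local policy, the setting has not been written yet; run gpupdate /force or reopen gpedit.msc and confirm the policy shows Enabled.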

Creating Volumes Before Installing Windows Server 2008

Here is a very important point: You must create these volumes (or partitions if you like) before you install Windows Server 2008 on the server. The easiest way to create these volumes is to boot the system to the Windows Server 2008 installation DVD.

When the Install Windows dialog box opens, click Next. On the next screen, click Repair Your Computer (in the lower left of the Install Windows dialog box; do not click Install Now). The System Recovery Options dialog box opens (ignore it). Click Next and the System Recovery Options dialog box opens a second time (see Figure 13.13).

Figure 13.13. Select the Command Prompt.

On the System Recovery Options dialog box, click the Command Prompt icon. A command prompt window opens.

Use diskpart (type diskpart and press Enter) to create the two volumes, using the commands shown in Figure 13.14.

Figure 13.14 shows the series of diskpart commands used to create the two partitions. H is 5GB and is the active partition. C is the larger of the two partitions and will be used as the target for the Windows installation.

Figure 13.14. Use diskpart to create two volumes.


After using diskpart to create the two volumes, exit diskpart (type exit and then press Enter) and then format both volumes with NTFS, using the syntax format c: /y /q /fs:ntfs (where c: is the drive letter of the partition being formatted). Now you can “bounce” back to the Windows Server 2008 installation. Type exit and then press Enter to exit the command prompt window. Then click the Close button at the top right of the System Recovery Options window. This returns you to the Install Windows dialog box, and you can continue with the installation of the server OS (to the C: drive you created).
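The same layout can be produced non-interactively from the recovery command prompt by feeding diskpart a script and then formatting both volumes. The batch file below is an added example, not the book's Figure 13.14 and not a Microsoft-supplied script. It assumes the server has a single disk (disk 0) that holds nothing you want to keep, a 5GB active system volume lettered H and the remaining space as the Windows volume C, as in the text; the script path under %TEMP% is an arbitrary choice.

```batch
@echo off
rem Added example: lay out the two NTFS volumes BitLocker needs before Windows
rem Server 2008 is installed. Assumes disk 0 is the only disk and is disposable:
rem the "clean" command removes every existing partition on it.

set SCRIPT=%TEMP%\bitlocker-layout.txt

rem diskpart sizes are in megabytes: 5120 MB is the 5GB active system volume
rem from the text; the minimum BitLocker accepts for it is 1.5GB.
(
  echo select disk 0
  echo clean
  echo create partition primary size=5120
  echo assign letter=H
  echo active
  echo create partition primary
  echo assign letter=C
) > "%SCRIPT%"

diskpart /s "%SCRIPT%"

rem Both volumes must be NTFS for BitLocker; /q is a quick format and /y
rem suppresses the confirmation prompt, matching the syntax used in the text.
format H: /y /q /fs:ntfs
format C: /y /q /fs:ntfs
```

The second create partition primary has no size, so diskpart gives it all remaining space, which is what makes C the larger volume that Setup installs to.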

Adding the BitLocker Feature

BitLocker is an optional feature and so is not installed by default. You have to add it to your Windows Server 2008 installation. Follow these steps:

1. In the Initial Configuration Window or the Server Manager (with the Features node selected), click Add Features. The Add Features Wizard opens.

2. Select the BitLocker Drive Encryption feature (see Figure 13.15), and then click Next.

Figure 13.15. Add the BitLocker feature.


3. On the next wizard page, click Install.

4. After the installation, click Close. You are then prompted that the system must be restarted. Click Yes to restart the system.

After BitLocker is installed as a feature (and the system rebooted), a BitLocker Drive Encryption icon is added to the Windows Control Panel. You use this icon to enable BitLocker on your system.

Enabling the BitLocker Feature

After you have BitLocker installed on the system, you can enable this encryption security feature. Open the Control Panel (Start, Control Panel). Then follow these steps:

1. Double-click BitLocker Drive Encryption in the Control Panel. The BitLocker Drive Encryption window opens (see Figure 13.16).

Figure 13.16. Open the BitLocker Drive Encryption window.


2. The volumes that will be encrypted by BitLocker are listed in the window. To enable BitLocker, click the Turn On BitLocker link. A warning appears, letting you know that BitLocker encryption reduces disk throughput; to continue, click Continue with BitLocker Drive Encryption.

3. The BitLocker Drive Encryption dialog box opens. You have three options (select one):

  • Use BitLocker Without Additional Keys: No startup key is created.
  • Require PIN at Every Startup: You need to enter the PIN each time you boot the system.
  • Require Startup USB Key at Every Startup: Use this option if you do not have a compatible TPM on the system.

Select an option (for sake of discussion select the third option).

4. The next screen will differ depending on the option you selected. In the case of the Require Startup USB key (the third option), you are asked to insert a removable USB memory device.

5. After the USB drive is inserted (see Figure 13.17), click Save.

Figure 13.17. The startup key can be saved to a USB drive.

6. On the next screen, you are asked to save the recovery password to a USB drive or to a folder, or to print it. At the very least, save the password to one location (preferably two) and also print it out. Click Next after saving and printing the recovery password.

By the Way

You cannot save the recovery password to a drive that you will be encrypting with BitLocker. You need to save it to another volume on the server or save it to a USB drive. The volume that you created as the small active partition in the previous section could always be used because the password is only a small text file (1KB). Create a new folder on the volume and then save the password to the folder.

7. The next screen (by default) runs the BitLocker system check, which makes sure that your keys work before the volume is encrypted. Definitely run the check if you are using BitLocker on a system without a TPM, because this check determines whether the system can boot from the USB drive that holds the startup key. Click Continue and then click Restart Now.

8. Windows reboots and unlocks the volume using the TPM (or the USB drive holding the startup key), then begins encrypting your drive volume. You are returned to the Windows desktop and the Encryption in Progress status bar appears.

After the volume is encrypted, you need to reboot the system; the TPM or your USB drive is used to unlock the volume at boot. Your server’s Windows volume and any data on it is now encrypted. This protects the data at rest: an attacker who obtains the drive or the server cannot read password files or other data from the volume offline without the key. Keep your recovery password in a safe place; you will need it if you have a problem booting a server that you have configured for BitLocker.
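The wizard steps above have a command-line equivalent, which is useful when you want the same protector configuration on several servers. The batch file below is an added example, not the book's procedure; it reproduces the Require Startup USB Key path (steps 3 through 6) and assumes C: is the Windows volume, U: is the USB drive that will hold the startup key, and H: is the small unencrypted system volume from the earlier section. It also assumes manage-bde is the script form shipped with Windows Server 2008 (manage-bde.wsf under System32, run through cscript); later Windows releases ship manage-bde.exe, in which case drop the cscript prefix.

```batch
@echo off
rem Added example: enable BitLocker on the Windows volume with a USB startup
rem key and a recovery password, instead of the Control Panel wizard.
rem Assumptions: C: = Windows volume, U: = USB drive for the startup key,
rem H: = unencrypted system volume, manage-bde.wsf present under System32.

set MBDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf

rem Turn on BitLocker for C: with two protectors: a 48-digit recovery
rem password (printed to the console) and a startup key written to U:\.
%MBDE% -on C: -RecoveryPassword -StartupKey U:\

rem Save the recovery password to a folder on the unencrypted system volume,
rem as the sidebar describes; then print it and move a copy off the server.
if not exist H:\BitLockerRecovery mkdir H:\BitLockerRecovery
%MBDE% -protectors -get C: > H:\BitLockerRecovery\C-protectors.txt

rem Show the protectors in place and the conversion status of the volume.
%MBDE% -status C:
```

As with step 7 of the wizard, the volume is not converted until the server restarts and the hardware test confirms that the startup key can be read at boot; manage-bde has a -SkipHardwareTest switch, which is exactly what you do not want on a TPM-less server. The -status output is also the quickest way to verify, after the reboot, that encryption is progressing and that both protectors are attached.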
