Laptop Security: Windows® Vista™ vs. XP

Feature                            | Vista | XP | VE | Security Type
-----------------------------------+-------+----+----+--------------
Internet Explorer Version 7 (IE7)  |   X   | X  | X  | Malware
A favorite avenue of entry into computers from the web is through the web browser. Internet Explorer version 7 has added many security features to prevent this type of invasion, and most of the additions are available on both XP and Windows Vista. On Windows Vista, however, IE7 also runs in Protected Mode, which works together with User Account Control (UAC) to run the browser with as little permission as possible: the browser process runs at a low integrity level and can write only to a few low-integrity locations (such as Temporary Internet Files and the LocalLow folder), so web-borne malware that gets control of the browser cannot silently install software. If such a program tries to invoke the system installer, Windows Vista warns the user and asks for permission before the install proceeds. Protected Mode also makes it harder for browser-based malware to do damage by changing browser properties or settings, such as adding unwanted toolbars.
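An added example, not from the original article, of how a practitioner would check that the Protected Mode described above is actually in force rather than assume it. It reads the Internet Explorer zone setting that controls Protected Mode (zone action value 2500, where 0 means on and 3 means off) from the user's settings and from machine policy, and then lists the low-integrity label on the LocalLow folder that a Protected Mode browser is allowed to write to. The zone numbering, registry paths and the use of PowerShell are assumptions about the machine being checked, not something the article states.

```powershell
# Added example (not from the original page): audit IE7 Protected Mode per zone.
# Assumed: Windows Vista or later, run as the interactive user in PowerShell.
# Zone action 2500 under each Zones\<n> key controls Protected Mode (0 = on, 3 = off);
# a value under HKLM\...\Policies wins over the user's own setting.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-IEProtectedModeStatus {
    $userRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $policyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    foreach ($zone in 0..4) {
        $value  = $null
        $source = 'default'
        foreach ($root in @($policyRoot, $userRoot)) {
            $key = Join-Path $root $zone
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue).'2500'
                if ($null -ne $v) {
                    $value  = $v
                    $source = if ($root -eq $policyRoot) { 'policy' } else { 'user' }
                    break
                }
            }
        }
        if ($value -eq 0)     { $state = 'On' }
        elseif ($value -eq 3) { $state = 'Off' }
        else                  { $state = 'Not set' }
        New-Object PSObject -Property @{
            Zone = $zone; Name = $zoneNames[$zone]; ProtectedMode = $state; Source = $source
        }
    }
}

$status = Get-IEProtectedModeStatus
$status | Format-Table Zone, Name, ProtectedMode, Source -AutoSize

# Untrusted content lives in the Internet (3) and Restricted Sites (4) zones;
# Protected Mode being off there is the finding worth reporting.
$weak = $status | Where-Object { (3, 4) -contains $_.Zone -and $_.ProtectedMode -ne 'On' }
if ($weak) {
    $names = ($weak | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Protected Mode is not enforced for: $names"
}

# Show the integrity label that makes the sandbox work: LocalLow carries a
# "Low Mandatory Level" entry, which is why a Protected Mode IE can write there
# and nowhere else in the profile.
icacls (Join-Path $env:USERPROFILE 'AppData\LocalLow')
```

The zone keys under HKCU are what the Internet Options dialog edits; the keys under HKLM\...\Policies are written by Group Policy and are the ones to inspect on a domain-joined laptop, since a user cannot override them from the dialog.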
Feature                            | Vista | XP | VE | Security Type
-----------------------------------+-------+----+----+--------------
BitLocker                          |   X   |    |    | Data Access
BitLocker (included only in the Ultimate and Enterprise editions of Windows Vista) encrypts the entire Windows volume of the hard drive, including the files from which user names and password hashes could otherwise be extracted. [9] The encryption itself is always performed by the CPU; the role of the TPM chip, where one is present, is to hold the key that unlocks the volume and to release it only when the machine's early boot components are unchanged. If BitLocker is used with a TPM chip, the hard drive therefore cannot be read when it is moved to another computer. For stronger protection, a startup key on an external USB flash drive can be required in addition to the TPM, so that the drive cannot be unlocked without both the flash drive and the user's logon credentials. The flash drive should always be stored separately from the laptop.

The feature requires a separate, unencrypted system partition of at least 1.5 gigabytes to hold the boot files. In the absence of a TPM chip, BitLocker can still be used with the key stored on a removable Universal Serial Bus (USB) flash drive alone, but this option has to be activated first through a Group Policy setting. Since most laptops in use today do not have TPMs, laptop owners should know how to make that change in order to take advantage of BitLocker.
First, type gpedit.msc into the "Start Search" box that appears when the Start button (now a round Windows logo rather than the word "Start") is clicked, and press Enter. Windows Vista runs programs this way without a separate "Run" command. UAC will ask whether you want to continue (answer yes), and the Group Policy Object Editor will then open.

Second, under "Local Computer Policy" and "Computer Configuration", double-click "Administrative Templates". Then double-click "Windows Components", "BitLocker Drive Encryption", and finally "Control Panel Setup: Enable advanced startup options" (see Figure 2 - BitLocker Drive Setup).

Figure 2 - BitLocker Drive Setup

Next, click the "Enabled" radio button in the "Enable advanced startup options" window (see Figure 3 - BitLocker Startup Options). Then make sure the checkbox to the left of "Allow BitLocker without a compatible TPM" is checked and click "OK".

Figure 3 - BitLocker Startup Options

When the next window appears, click "Require Startup USB key at every startup" (see Figure 4 - BitLocker Drive Encryption).

Figure 4 - BitLocker Drive Encryption

Once the policy allowing BitLocker without a TPM is in place, type "bitlocker" into the "Start Search" box of the Start menu (see Figure 5 - BitLocker Start) and click "BitLocker Drive Encryption" at the top of the menu. Once again, UAC will ask you to confirm.

Figure 5 - BitLocker Start

Select "BitLocker Drive Encryption" and the BitLocker Drive Encryption control panel will appear. Click "Turn On BitLocker" and encryption of the volume will begin (patience required; encrypting the whole volume takes a while).
When BitLocker is used with the TPM chip, Windows will not start if the drive is moved to another machine or if the TPM settings or early boot components are changed. When a flash drive is used without a TPM, the hard drive can be moved to another machine and decrypted if a flash drive holding either the startup key or the recovery key is taken along with the computer. This illustrates the importance of removing the flash drive whenever the machine is left unattended. Note also that the "hot glue gun" method of deactivating USB ports renders BitLocker unusable on machines without TPM chips, because the startup key has to be read from a USB port at every boot.
The BitLocker default encryption is AES-128-CBC (Advanced Encryption Standard, 128-bit key, Cipher Block Chaining mode) with an additional diffuser, "to protect against ciphertext-manipulation attacks, and is independently keyed from AES-CBC so that it cannot damage the security you get from AES-CBC" [9]. Other encryption schemes (AES-256 with the diffuser, or AES-128 or AES-256 without it) are available to administrators through Group Policy; the method must be chosen before a volume is encrypted, since it cannot be changed afterwards without decrypting.
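An added example, not from the original article, that serves both the Group Policy procedure above and the encryption-method paragraph: it is the scripted equivalent of the gpedit.msc steps (enable advanced startup options and allow BitLocker without a compatible TPM), sets the encryption method before anything is encrypted, checks that the policy took, and then turns BitLocker on with a USB startup key and a recovery password. It assumes Windows Vista Ultimate or Enterprise, an elevated PowerShell prompt (UAC consent already given), a formatted flash drive mounted as E:, and that the 1.5 GB system partition already exists; the registry value names are the ones the two policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE, and the drive letters are assumptions.

```powershell
# Added example (not from the original page): scripted version of the policy
# change described in the text, then BitLocker with a USB startup key.
# Assumed: Vista Ultimate/Enterprise, elevated prompt, startup key drive is E:.
$fve             = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osVolume        = 'C:'
$startupKeyDrive = 'E:'   # assumed: removable drive that will hold the startup key

# Values of the "Configure encryption method" policy on Vista.
$encryptionMethods = @{
    'AES128-Diffuser' = 1   # the default: AES-128-CBC plus the Elephant diffuser
    'AES256-Diffuser' = 2
    'AES128'          = 3
    'AES256'          = 4
}

function Enable-BitLockerWithoutTpmPolicy {
    param([string]$EncryptionMethod = 'AES256-Diffuser')
    if (-not $encryptionMethods.ContainsKey($EncryptionMethod)) {
        throw "Unknown encryption method '$EncryptionMethod'"
    }
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # "Control Panel Setup: Enable advanced startup options" = Enabled, and its
    # "Allow BitLocker without a compatible TPM" checkbox.
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    # Pick the cipher now; BitLocker reads it only when encryption starts.
    Set-ItemProperty -Path $fve -Name 'EncryptionMethod' `
        -Value $encryptionMethods[$EncryptionMethod] -Type DWord
    gpupdate /force | Out-Null
}

function Test-BitLockerNoTpmPolicy {
    # Returns $true only when both values the wizard checks are present and set.
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

Enable-BitLockerWithoutTpmPolicy -EncryptionMethod 'AES256-Diffuser'
if (-not (Test-BitLockerNoTpmPolicy)) {
    throw 'Policy did not apply; open gpedit.msc and check the BitLocker Drive Encryption node'
}

# On Vista manage-bde is a script (manage-bde.wsf) run under cscript; later
# versions ship manage-bde.exe with the same switches. -StartupKey writes the
# external key to the flash drive and requires it at every boot (the wizard's
# "Require Startup USB key at every startup"); -RecoveryPassword prints the
# 48-digit recovery password, which must be stored away from the laptop.
$manageBde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
cscript //nologo $manageBde -on $osVolume -StartupKey $startupKeyDrive -RecoveryPassword

# Verify: status lists the encryption method; protectors show the External Key
# (startup key) and Numerical Password (recovery) entries.
cscript //nologo $manageBde -status $osVolume
cscript //nologo $manageBde -protectors -get $osVolume
```

After running this, remove the flash drive and keep it, and the printed recovery password, separate from the laptop: as the text notes, on a machine without a TPM whoever holds the drive and the startup key can decrypt the volume on any other computer.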
BitLocker eliminates at least two methods of mining data from a stolen PC. First, credentials cannot be extracted offline, because the files that contain them are encrypted. Second, the disk cannot be read from another machine or operating system, because the TPM and/or the flash drive holding the startup key is required, along with the user's credentials, to unlock it.