Backup and System Protection ensure the availability
of your files, in that they allow you to restore lost or damaged files
by restoring from a backup copy. BitLocker drive encryption isn't about
availability. It's about confidentiality.
If your notebook computer is lost or stolen, that's certainly a bad
thing. But if it contains confidential personal, client, or patient
information, that's even worse. BitLocker drive encryption ensures that
the data on a lost or stolen drive can't be read by anyone who doesn't
hold the key, even if the drive is removed and attached to another computer.
BitLocker differs from the Encrypting File System
(EFS) in that EFS encrypts individual folders and files using keys tied
to a user account, whereas BitLocker encrypts the whole volume, including
the page file, hibernation file, and other system files that EFS cannot protect.
BitLocker drive encryption works by encrypting all
the data on a hard drive. With BitLocker drive encryption active, you
can still use the computer normally. All the necessary encryption and
decryption takes place automatically behind the scenes. But a thief
who removes the drive, boots the computer from another disk, or tampers
with the startup process would be unable to access data, passwords, or
confidential information on the drive.
1. BitLocker Hardware Requirements
BitLocker drive encryption uses an encryption key to
encrypt and decrypt data. By default, that key is sealed to a TPM Version 1.2
(Trusted Platform Module) microchip and a compatible BIOS, so that the TPM
releases it only when the startup files and firmware measurements match
those recorded when BitLocker was enabled. Only newer computers come with
the appropriate hardware preinstalled. (Computers without a TPM can still
use BitLocker with a USB startup key if a Group Policy setting allows it;
that is an administrator's scenario and isn't covered by the wizard
described here.) You'll also need a USB flash drive to store a copy of
the recovery key, which is what you'll use if the TPM ever refuses to
release the normal key.
NOTE
The first time you open the BitLocker task page,
you'll see a message indicating whether you do, or don't, have a TPM
Version 1.2 chip installed. If you're certain that you have such a
chip, but Windows 7 fails to recognize it, check with your computer
manufacturer for instructions on making it available to Windows 7. On
most computers the TPM must be enabled and activated in the BIOS setup
before Windows can see it.
BitLocker drive encryption is primarily designed for
organizations that have sensitive data stored on notebooks and PCs.
Theft of those data could have a negative impact on the organization,
its customers, or its shareholders. While transparent to the user, the
act of setting up BitLocker would normally be entrusted to IT
professionals within the organization.
If you're not an IT professional, you need to be
aware of the risks involved, especially if you plan to set up BitLocker
on a hard drive that already contains files. First, always back up your
data before re-partitioning a drive. Though many programs on the market
allow you to repartition a disk without losing data, there's always a
risk involved. A backup is your only real insurance. More importantly,
understand that BitLocker is not for the technologically
faint-of-heart. If the TPM refuses to release the key and you can't
produce the recovery key, there is no way to get the data back. If
not handled with the utmost care, BitLocker can render your computer
useless and your data unrecoverable. If you're not technologically
inclined, but have a serious need for drive encryption, consider
getting professional support in setting up BitLocker for your system.
In addition to a TPM chip, your hard drive must contain at least two volumes (also called partitions). One volume, called the system volume, contains the startup files and cannot be encrypted; a clean Windows 7 installation normally creates it for you as the 100 MB "System Reserved" partition (older guidance, written for Windows Vista, called for at least 1.5 GB). The other volume, called the operating system volume, will contain Windows 7, your installed programs, and user account folders. Both volumes must be formatted with NTFS.
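Before opening the wizard, you can check the same requirements from an elevated PowerShell prompt. The script below is an added example, not part of the original text; it uses only the Win32_Tpm, Win32_Volume and Win32_EncryptableVolume WMI classes that ship with Windows 7 (the encryption class is present only on editions that include BitLocker, such as Ultimate and Enterprise).

```powershell
# Added example (not from the original text): BitLocker pre-flight check on Windows 7.
# Run from an elevated PowerShell prompt; no third-party modules are needed.

# 1. Is there a TPM, and is it enabled, activated and owned?
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    Write-Warning "Windows reports no TPM. Enable/activate it in the BIOS setup, or plan a USB startup key via Group Policy."
} else {
    # Each method returns an object whose boolean is in a property of the same name.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    "TPM spec version        : $($tpm.SpecVersion)"      # BitLocker on Windows 7 wants 1.2
    "Enabled/Activated/Owned : $enabled / $activated / $owned"
}

# 2. Partition layout. The volume flagged SystemVolume holds the startup files and
#    must stay unencrypted; the volume flagged BootVolume holds Windows. Both must be NTFS.
Get-WmiObject -Class Win32_Volume -Filter "DriveType=3" |
    Select-Object DriveLetter, Label, FileSystem,
                  @{ n = 'SizeMB'; e = { [int]($_.Capacity / 1MB) } },
                  SystemVolume, BootVolume |
    Format-Table -AutoSize

# 3. BitLocker's own view of each volume. ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
if (-not $volumes) {
    Write-Warning "Win32_EncryptableVolume not found: this edition of Windows 7 does not include BitLocker."
} else {
    foreach ($v in $volumes) {
        $status = $v.GetProtectionStatus()
        "{0}  ProtectionStatus={1}" -f $v.DriveLetter, $status.ProtectionStatus
    }
}
```

If the TPM shows as present but not activated, the fix is in the BIOS setup, not in Windows; if no TPM is reported at all, confirm with the manufacturer that the machine has one before assuming the wizard's "no TPM" message is wrong.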
2. Encrypting the volume
When all the necessary hardware is in place, setting up BitLocker drive encryption is a relatively easy task:
Click the Start button, choose Control Panel, click System and Security, and then click BitLocker Drive Encryption.
If your hardware setup doesn't support BitLocker, you'll see messages to that effect. You cannot continue without appropriate hardware and disk partitions.
If all systems are go, click the option to turn on BitLocker.
If your TPM isn't initialized, a wizard takes you through the steps to initialize it. Follow the on-screen instructions to complete the initialization.
When prompted, choose your preferred recovery key storage method (save it to a USB flash drive, save it to a file, or print it), store the recovery key somewhere other than the computer itself, and click Next.
On the encryption page, select (check) Run BitLocker system check and click Continue.
Insert the recovery key USB flash drive (or whatever medium you used for the recovery key) and click Restart Now.
Follow the on-screen instructions.
The system check restarts the computer once to prove that the TPM will release the key before any data is encrypted. If that restart succeeds, encryption of the volume begins in the background and the computer remains usable while it runs. Just follow the instructions to the end to complete the procedure.
Make sure you password-protect all user accounts to
prevent unauthorized access to the system. With a TPM-only setup, the
TPM releases the key automatically whenever the computer starts normally,
so a thief who simply powers the machine on is stopped only by the Windows
logon screen. Otherwise a thief can get at the encrypted data just by
logging in to a user account that requires no password! For stronger
protection, an administrator can require a PIN at startup in addition to
the TPM (a Group Policy setting), and you should hibernate or shut down,
rather than sleep, before leaving the computer unattended, because a
sleeping computer keeps the key in memory.
3. When the computer won't start
Once BitLocker is enabled, you should be able to
start and log in to the computer normally. BitLocker will only prevent
normal startup if it detects changes that could indicate tampering. For
example, putting the drive in a different computer, or even making BIOS
changes or changing the boot order in ways that look like tampering, will
cause BitLocker to prevent bootup and show the recovery screen. To get
past the block, you'll need to supply the 48-digit recovery password or
insert the USB flash drive holding the recovery key. If you know in
advance that you're about to update the BIOS, suspend BitLocker first
and resume it after the next successful startup.
4. Turning off BitLocker
Should you ever change your mind about using
BitLocker, repeat the steps under "Encrypting the volume" and choose
the option to turn off BitLocker drive encryption. Decrypting the whole
volume runs in the background and takes about as long as encrypting it did.
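The checks and maintenance tasks from the last three sections (reviewing protectors, adding a startup PIN, suspending BitLocker for a BIOS update, rehearsing recovery, and turning BitLocker off) are all available through manage-bde.exe. The script below is an added example, not from the book; it assumes the operating system volume is C:, an elevated prompt, and a Windows 7 edition that includes BitLocker. The Group Policy path and the drive letter E: used for the "drive in another computer" case are stated assumptions.

```powershell
# Added example (not from the original text): reviewing and hardening an existing
# BitLocker setup with manage-bde.exe. Assumptions: OS volume C:, elevated prompt.
$os = 'C:'

# Which protectors can unlock the drive? A lone TPM protector means a thief who boots
# the machine normally is stopped only by the Windows logon screen.
manage-bde -protectors -get $os

# Require a PIN before the TPM releases the key. manage-bde prompts for the PIN
# interactively. Needs the Group Policy setting "Require additional authentication
# at startup" (Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives) to be enabled first.
manage-bde -protectors -add $os -TPMAndPIN

# Before a BIOS/firmware update or a boot-order change that would look like tampering,
# suspend the protectors. While suspended the volume key is stored in the clear on the
# disk, so resume protection immediately after the next successful startup.
manage-bde -protectors -disable $os
# ... apply the firmware update and restart ...
manage-bde -protectors -enable $os

# Rehearse recovery once, while you still have a working machine: force the recovery
# screen on the next restart and prove the stored 48-digit password actually works.
manage-bde -forcerecovery $os

# If the drive has been moved to another Windows 7 computer and shows up there as E:,
# it can be unlocked with the recovery password (assumed drive letter):
#   manage-bde -unlock E: -RecoveryPassword <48-digit password>

# Turning BitLocker off decrypts the whole volume in the background.
manage-bde -off $os
manage-bde -status $os      # repeat until "Percentage Encrypted: 0%"
```

Run the rehearsal only after confirming the recovery password in your saved copy matches the one "-protectors -get" prints; a recovery test with the wrong key on hand is exactly the lockout the chapter warns about.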
5. More info on BitLocker
The setup wizard for BitLocker drive
encryption is designed to simplify the process as much as possible for
people using computers with TPM 1.2. Other scenarios are possible, such
as requiring a PIN or USB startup key in addition to the TPM, or using a
USB startup key on a computer without a TPM; those are configured through
Group Policy and are normally set up by IT professionals.