How to Encrypt your Windows 7 SDS Machine with Bitlocker

Document: Windows 7 BitLocker for SDS
Author: Charles Last
************************************ IMPORTANT *******************************************
Before encrypting your SDS Windows 7 Machine it is highly recommended
that a Full System Backup is taken beforehand. It is also essential that the
BitLocker Recovery Key is saved to a safe and secure location. If you lose your
recovery key and BitLocker ‘Locks’ there is no way to unlock the system
without the recovery key.
************************************************************************************************
Introduction:
BitLocker Drive Encryption is a full disk encryption feature included with the
Windows 7 desktop operating system. It is designed to protect data by providing
encryption for entire volumes. BitLocker helps prevent a thief who boots another
operating system or runs a software hacking tool from breaking Windows 7 file and
system protections or performing offline viewing of the files stored on the
safeguarded drive.
Prerequisites:
- SDS Windows 7 OS.
- Trusted Platform Module (TPM) version 1.2
- A Trusted Computing Group (TCG)-compliant BIOS.
- The BIOS must be set to start first from the hard disk.
- The BIOS must be able to read from a USB flash drive during startup.
- Enable the "USB-FDD Legacy Emulation" BIOS Setting if available.
- A USB Flash Drive.
- The user needs Local Administrator rights to enable BitLocker.
- BitLocker is disabled by default by Group Policy. In order to allow the machine to be
encrypted the PC needs to be added to the ‘SSPCS-Bitlocker Group’ in Active
Directory. Contact the IT Service Desk on Ext 222333, who can raise a ticket for this
to be actioned.
Encrypting your Windows 7 SDS Machine
1 – Log on to the PC with an account that has Local Administrator rights.
2 – Open the Control Panel and locate the ‘Bitlocker Drive Encryption’ Icon. Launch
the program.
3 – The ‘Bitlocker Drive Encryption’ window will appear. Turn on Bitlocker for Drive C.
(Note that Bitlocker is disabled by default by Group Policy. In order to allow the machine to be
encrypted the PC Needs to be added to the ‘SSPCS-Bitlocker Group’ in Active Directory. Contact the
IT Service Desk on Ext 222333 who can raise a ticket for this to be actioned)
4 – On the BitLocker startup preferences window click on ‘Require a PIN at every
startup’. Note that the other preferences are greyed out by Group Policy restrictions.
5 – Choose a startup PIN. The PIN must be between 8 and 20 characters in length.
Once the PIN has been entered click on ‘Set PIN’.
6 – Once the PIN has been set, insert your flash drive and then click on ‘Save the
recovery key to a USB flash drive’. If you do not see the window below, do not
continue with the encryption process, as you won’t be able to generate a
recovery key. Cancel out of the encryption process and contact IT Services for
assistance. If there is a problem with your TPM configuration this window
may not be displayed.
7 – Select the USB device that you have just inserted and click on ‘Save’.
It’s a good idea to check that the ‘Recovery Key’ has been saved to the USB device.
You will need to locate the USB drive and look for a BEK file in the root of the drive.
The recovery key will look something like:
9CC7E3D4-634D-4915-B352-E47D05EAC7ED.BEK
This is a hidden file, so if you can’t see it in the root of your USB drive you will need to
untick the ‘Hide protected operating system files (Recommended)’ setting in the
Windows 7 Folder Options.
Once this is done you should be able to see your key.
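Added example (not the SDS guide’s own code) for this check: a PowerShell script, run from an elevated prompt on the Windows 7 machine, that lists the hidden .BEK file on every attached USB drive and compares its name with the external key protector IDs BitLocker records on C: (BitLocker names the .BEK file after that protector GUID). The function name Test-SdsRecoveryKeyOnUsb is made up for this example.

```powershell
# Added example, not part of the SDS guide. Confirms that the hidden .BEK
# recovery key file really is in the root of the USB flash drive and that its
# name matches an external key protector registered on drive C:.
# Run from an elevated PowerShell prompt (the WMI class needs admin rights).

function Test-SdsRecoveryKeyOnUsb {
    # Removable drives (DriveType 2) currently attached
    $usbDrives = @(Get-WmiObject -Class Win32_LogicalDisk -Filter "DriveType=2")
    if ($usbDrives.Count -eq 0) {
        Write-Warning "No USB flash drive detected. Insert the drive used in step 6 and re-run."
        return $false
    }

    # External key protector IDs on C: (type 2 = ExternalKey). BitLocker names the
    # .BEK file after this GUID, so the file name and the protector ID should agree.
    $vol = Get-WmiObject -Namespace "root\CIMv2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    $ids = @()
    if ($vol) {
        $r = $vol.GetKeyProtectors(2)
        if ($r.ReturnValue -eq 0 -and $r.VolumeKeyProtectorID) {
            $ids = @($r.VolumeKeyProtectorID | ForEach-Object { $_.Trim('{', '}').ToUpper() })
        }
    }
    if ($ids.Count -eq 0) {
        Write-Warning "No external key protector is registered on C: yet; only the file check can be done."
    }

    $found = $false
    foreach ($d in $usbDrives) {
        $root = $d.DeviceID + "\"
        # -Force lists hidden/system files; the .BEK is hidden, so Explorer hides it by default
        $bekFiles = @(Get-ChildItem -Path $root -Filter "*.BEK" -Force -ErrorAction SilentlyContinue)
        if ($bekFiles.Count -eq 0) {
            Write-Warning ("No .BEK file in the root of " + $root + ". Do not continue past step 6.")
            continue
        }
        foreach ($f in $bekFiles) {
            $guid = $f.BaseName.ToUpper()
            if ($ids -contains $guid) {
                Write-Host ("OK: " + $f.Name + " on " + $root + " matches an external key protector on C:")
                $found = $true
            } else {
                Write-Warning ($f.Name + " on " + $root + " does not match a protector on C: (old key?)")
            }
        }
    }
    return $found
}

Test-SdsRecoveryKeyOnUsb
```

A .BEK file that is present but matches no protector on C: is a key for a different machine or an earlier BitLocker setup and will not unlock this drive.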
8 – You will now be taken back to the previous window. Click on ‘Next’.
9 – Leave the ‘Run BitLocker System Check’ ticked and click on ‘Continue’.
10 – Make sure the USB device with the recovery key is still inserted and
select ‘Restart Now’. The PC will automatically reboot.
11 – As soon as the machine boots back up you will be prompted to supply your PIN.
Press enter once you have done this. The PC will continue to boot into Windows.
12 – Log back into Windows. Once the desktop has loaded you should see an
information box pop up in the system tray informing you that encryption is in
progress.
13 – If you click on this Bitlocker System Tray Icon the window below will open up
and display the encryption progress.
BitLocker encryption occurs in the background while you continue to work,
and the system remains usable, but encryption times vary depending on the type of
drive that is being encrypted, the size of the drive, and the speed of the drive. If you
are encrypting very large drives, you may want to set encryption to occur during
times when you will not be using the drive.
If you open up ‘Bitlocker Drive Encryption’ from the Control Panel you will see
that the C:\ drive displays the ‘Encrypting’ status. The hard drive light on the machine
will also be rapidly flashing on then off.
14 – Once the Encryption process has completed the system tray icon will display:
If you open up ‘Bitlocker Drive Encryption’ from the Control Panel you will see that
the C:\ drive displays the encrypted drive as seen below.
15 - You have successfully encrypted the C:\ drive with Bitlocker.
16 - If the computer is turned off or goes into hibernation, the BitLocker encryption
and decryption process will resume where it stopped the next time Windows starts.
This is true even if the power is suddenly unavailable.
Turning Off Bitlocker
BitLocker can be turned off in two ways: by suspending BitLocker or by
decrypting the drive. When you suspend BitLocker, your drive is still encrypted but
your computer uses a plain text decryption key that is stored on the drive to read the
information. When you decrypt the drive, everything on your drive is decrypted.
Suspending BitLocker Drive Encryption is a temporary method for removing
BitLocker protection without decrypting the drive Windows is installed on (the
operating system drive). Suspend BitLocker if you need to update the computer’s
basic input/output system (BIOS) or startup files; this will help prevent BitLocker from
locking the drive and can help avoid a lengthy decryption process. When the update
is complete and you have restarted the computer, you can click Resume Protection.
You can only suspend BitLocker on operating system drives. If you want to
turn off Bitlocker on a fixed data drive (such as an internal hard drive) or a removable
data drive (such as an external hard drive or a USB flash drive), you must decrypt
the drive. Decrypting an operating system drive means that BitLocker protection is
removed from the computer, which can be time-consuming.
To temporarily suspend BitLocker, click Suspend Protection, and then click
Yes. To turn off BitLocker and decrypt the drive, click Turn Off BitLocker, and then
click Decrypt Drive.
How to Suspend Bitlocker Protection on Drive C:\
1 – From the Bitlocker Drive Encryption Options in the control panel click on
‘Suspend Protection’.
2 - The window below will appear. Click on ‘Yes’.
3 – An information window will appear in the system tray stating “Protection is
suspended. Protection of C:\ by Bitlocker Drive Encryption is suspended. Click to
resume protection”. The window below will display ‘Resume Protection’ instead of
‘Suspend Protection’.
How to Resume Bitlocker Protection on Drive C:\
1 – From the Bitlocker Drive Encryption Options in the control panel click on
‘Resume Protection’. In a few seconds Bitlocker will be active and the window below
will change from ‘Resume Protection’ to ‘Suspend Protection’.
Decrypting the Entire Drive
1 - To completely turn off Bitlocker click ‘Turn Off Bitlocker’. This decryption process
will take hours to complete.
2 – The window below will appear. Select ‘Decrypt Drive’.
3 – Decryption will commence and a progress bar will be displayed.
4 – From the Bitlocker Drive Encryption Options in the control panel it will show the
C:\ Drive Decrypting.
How to Encrypt your USB Flash Devices with ‘BitLocker To Go’
Introduction
Windows 7 now has the ability to encrypt USB external media. This feature is
called Bitlocker To Go and is only available on the enterprise version of the
Operating System.
Encrypting with Bitlocker To Go
This is a guide on how to configure and use ‘Bitlocker To Go’.
Firstly insert the USB device that needs encrypting and then launch BitLocker
Drive Encryption from the Windows 7 Control Panel. Locate the USB drive you want
to encrypt and click on ‘Turn On Bitlocker’.
As soon as Bitlocker To Go has been activated, it will begin initialising the
USB device. This process is non-destructive; therefore data already on the drive will
not be affected. Once the initialisation process is complete, BitLocker To Go will
prompt you to set up a password that you will use to unlock the drive.
After you set up a password, BitLocker To Go will prompt you to store a
recovery key. It is advised that you store the recovery key file somewhere safe
and not with the USB device. You can use the recovery key to unlock your drive in
the event that you forget the password.
When you have created a password and saved your recovery key file,
BitLocker To Go will prompt you to begin the encryption process. During the encryption
process, you'll see a standard progress monitor. The amount of time that it will take
to complete the process will depend on how large the drive is. There is a Pause
button which will allow you to temporarily halt the process should you need to
perform another task.
Once the encryption is complete, BitLocker To Go displays a confirmation
dialogue box and changes the icon associated with the encrypted drive (as seen
below).
After the USB drive has been encrypted you can perform various
management functions by clicking on ‘Manage BitLocker’. The options can be seen
below:
Using ‘Bitlocker To Go’ Encrypted Drives in Windows 7
When you later insert the BitLocker To Go encrypted drive in the Windows 7
system, you will immediately be prompted to enter the password.
The ‘Show password’ option displays the password while you type; this is not
secure and is not recommended. The ‘Automatically unlock on this computer from
now on’ option stores the password in the Windows 7 password cache. Note that you
must tick ‘Automatically unlock on this computer from now on’: because we use
FIPS standards, BitLocker To Go will only work in read-only mode if you try to unlock
with a password. The only way around this is to save the password to the computer.
Once this is done you will have full read/write access to the encrypted USB drive.
Once you click Unlock, you'll see an AutoPlay dialogue box that
prompts you to view the files. When you click the Open folder to view files
button, you will be able to access the drive and its contents as you normally
would.
Using Bitlocker To Go encrypted drive in Windows XP / Vista
When you insert the ‘BitLocker To Go’ encrypted drive in a Windows XP or
Vista system, you will see an AutoPlay dialog box that prompts you to install the
‘BitLocker To Go Reader’. When you click this button, it will take just a moment to
install and run the Reader.
You'll then see the BitLocker To Go Reader dialogue box, which will prompt
you to enter your password.
After you type the password and click the Unlock button, you'll see the
BitLocker To Go Reader window, which essentially looks like Windows Explorer.
If you attempt to open any file by double-clicking it in the BitLocker To Go
Reader window, you'll immediately be prompted to copy the file to the desktop.
If you attempt to copy a file from the computer to the BitLocker To Go Reader
window, you'll immediately see the error message “You can only read and copy
files from the BitLocker To Go Reader”.
A BitLocker To Go encrypted device is in read-only mode when used on
Windows XP or Vista.
Frequently Asked Questions
What is a BitLocker Drive Encryption PIN?
When you use BitLocker Drive Encryption to encrypt the drive that Windows is
installed on you can use a personal identification number (PIN) to start your
computer for added security. If you use a PIN, you'll need to remember it and type it
each time you start the computer. The PIN can be any alphanumeric combination
that you choose from 8 to 20 characters in length. The PIN is stored on your
computer. After you create the PIN, you can use Manage BitLocker to change the
PIN.
What is a BitLocker Recovery Key?
A BitLocker recovery key is a special key that you can create when you turn
on Bitlocker Drive Encryption for the first time on each drive that you encrypt. You
can use the recovery key to gain access to your computer if the drive that Windows
is installed on (the operating system drive) is encrypted using BitLocker Drive
Encryption and BitLocker detects a condition that prevents it from unlocking the drive
when the computer is starting up. Store the recovery key separate from your
computer. After you create a recovery key, you can use Manage BitLocker to make
additional copies. If you lose your recovery key and Bitlocker locks the drive
you will never be able to boot up the PC. It’s critical that the Recovery Key is
kept in a safe place.
How can I tell whether my computer has a TPM version 1.2?
Click Start, click Control Panel, click System and Security, click BitLocker
Drive Encryption, and then click Turn On BitLocker. If your computer does not have a
TPM version 1.2 or the BIOS is not compatible with the TPM, you will receive the
following error message: “A compatible Trusted Platform Module (TPM) Security
Device must be present on this computer, but a TPM was not found. Please contact
your system administrator to enable BitLocker”.
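Added example (not the SDS guide’s own code) serving both the encryption progress and suspend/resume steps above and this FAQ: a PowerShell script for an elevated prompt on the Windows 7 machine that reads the TPM’s spec version and state from the Win32_Tpm WMI class, and the conversion, protection and key protector state of C: from Win32_EncryptableVolume. The function name Get-SdsBitLockerReport is made up for this example.

```powershell
# Added example, not part of the SDS guide. Reports TPM presence/version and the
# BitLocker state of drive C: without going through the Control Panel.
# Run from an elevated PowerShell prompt; both WMI classes need admin rights.

function Get-SdsBitLockerReport {
    $tpm = Get-WmiObject -Namespace "root\CIMv2\Security\MicrosoftTpm" -Class Win32_Tpm
    if (-not $tpm) {
        Write-Warning "No TPM found (or it is hidden in the BIOS); TPM+PIN BitLocker cannot be enabled."
    } else {
        # SpecVersion looks like "1.2, 2, 3"; the first field is the TPM specification version
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        Write-Host ("TPM spec version : " + $spec)
        Write-Host ("TPM enabled      : " + $tpm.IsEnabled().IsEnabled)
        Write-Host ("TPM activated    : " + $tpm.IsActivated().IsActivated)
        Write-Host ("TPM owned        : " + $tpm.IsOwned().IsOwned)
        if ($spec -ne "1.2") { Write-Warning "This guide requires a TPM version 1.2." }
    }

    $vol = Get-WmiObject -Namespace "root\CIMv2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
    if (-not $vol) { Write-Warning "C: is not an encryptable volume."; return }

    # Conversion state, i.e. what the system tray icon shows in steps 12 to 14
    $conv = $vol.GetConversionStatus()
    $convNames = @{ 0 = "Fully decrypted"; 1 = "Fully encrypted"; 2 = "Encryption in progress";
                    3 = "Decryption in progress"; 4 = "Encryption paused"; 5 = "Decryption paused" }
    Write-Host ("C: conversion    : " + $convNames[[int]$conv.ConversionStatus] +
                " (" + $conv.EncryptionPercentage + "% encrypted)")

    # Protection status: 0 = off (this is also what a suspended drive reports), 1 = on, 2 = unknown
    $prot = [int]$vol.GetProtectionStatus().ProtectionStatus
    $protNames = @{ 0 = "Off / suspended"; 1 = "On"; 2 = "Unknown" }
    Write-Host ("C: protection    : " + $protNames[$prot])

    # Key protector types; 4 (TPM and PIN) is what the SDS policy enforces,
    # 2 (external key) is the .BEK file saved to the USB drive in step 6
    $typeNames = @{ 1 = "TPM"; 2 = "External key (USB .BEK)"; 3 = "Numerical password";
                    4 = "TPM and PIN"; 5 = "TPM and startup key"; 6 = "TPM, PIN and startup key";
                    7 = "Public key"; 8 = "Passphrase" }
    foreach ($t in ($typeNames.Keys | Sort-Object)) {
        $r = $vol.GetKeyProtectors($t)
        if ($r.ReturnValue -eq 0 -and $r.VolumeKeyProtectorID) {
            foreach ($id in $r.VolumeKeyProtectorID) {
                Write-Host ("Protector        : " + $typeNames[$t] + " " + $id)
            }
        }
    }
}

Get-SdsBitLockerReport
```

A drive that reports “Fully encrypted” together with protection “Off / suspended” is in the suspended state described under ‘Turning Off Bitlocker’ and should be resumed once the BIOS or startup file change is complete.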
What happens if the computer is turned off during Encryption or Decryption?
If the computer is turned off or goes into hibernation, the BitLocker encryption
and decryption process will resume where it stopped the next time Windows starts.
This is true even if the power is suddenly unavailable.
Why does it appear that most of the free space in my drive is used when
BitLocker is converting the drive?
BitLocker cannot ignore free space when the drive is being encrypted
because unallocated disk space commonly contains data remnants.
What system changes would cause the integrity check on my operating
system drive to fail?
The following types of system changes can cause an integrity check failure
and prevent the TPM from releasing the BitLocker key to decrypt the protected
operating system drive:
- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, master boot record, boot sector, boot manager, option
ROM, or other early boot components or boot configuration data. This
functionality is by design; BitLocker treats unauthorized modification of any of
the early boot components as a potential attack and will place the system into
recovery mode. Authorized administrators can update boot components
without entering recovery mode by disabling BitLocker beforehand.
What causes BitLocker to start into recovery mode when attempting to start
the operating system drive?
The following list provides examples of specific events that will cause
BitLocker to enter recovery mode when attempting to start the operating system
drive:
- Changing any boot configuration data settings.
- Changing the BIOS boot order to boot another drive in advance of the hard
drive.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and
then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on
the computer manufacturer and the BIOS), the docking condition of the
portable computer is part of the system measurement and must be consistent
to validate the system status and unlock BitLocker. This means that if a
portable computer is connected to its docking station when BitLocker is turned
on, then it might also need to be connected to the docking station when it is
unlocked. Conversely, if a portable computer is not connected to its docking
station when BitLocker is turned on, then it might need to be disconnected
from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk, including creating, deleting,
or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times
so that the anti-hammering logic of the TPM is activated.
- Turning off the BIOS support for reading the USB device in the pre-boot
environment if you are using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS upgrade,
causing the BIOS measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware. For example, inserting a new card in the
computer, including some PCMCIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on
a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS settings can be used
to prevent the enumeration of the TPM to the operating system. When
implemented, this option can make the TPM hidden from the operating
system. When the TPM is hidden, BIOS secure startup is disabled, and the
TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose
keyboard map does not match the keyboard map assumed by the pre-boot
environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM
validation profile. For example, including PCR[1] would result in most changes
to BIOS settings causing BitLocker to enter recovery mode.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Failing the TPM self test.
- Disabling the code integrity check or enabling test signing on Windows Boot
Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.
- Adding or removing add-in cards (such as video or network cards), or
upgrading firmware on add-in cards.
- Using a BIOS hot key during the boot process to change the boot order to
something other than the hard drive.
Can I access my BitLocker-protected drive if I insert the hard disk into a
different computer?
Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive
Encryption Control Panel item just as you would any other data drive by using a
password or smart card. If the data drive was configured for automatic unlock only,
you will have to unlock it by using the recovery key. If it is an operating system drive
mounted on another computer running Windows 7, the encrypted hard disk can be
unlocked by a data recovery agent if one was configured or it can be unlocked by
using the recovery key.
If I lose my recovery information, will the BitLocker-protected data be
unrecoverable?
BitLocker is designed to make the encrypted drive unrecoverable without the
required authentication. When in recovery mode, the user needs the recovery
password or recovery key to unlock the encrypted drive. Therefore, we highly
recommend that you store the recovery information in a safe location.
Can I generate multiple PIN combinations?
In Windows 7, it is not possible to generate multiple PIN combinations.
Why is the system check failing when I am encrypting my operating system
drive?
The system check is designed to ensure your computer's BIOS is compatible with
BitLocker and that the TPM is working correctly. The system check can fail for
several reasons:
- The computer's BIOS cannot read USB flash drives.
- The computer's BIOS or boot menu does not have reading USB flash drives
enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS only supports using the function keys (F1–F10) to enter
numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.
Language Packs
When installing a language pack, an additional option in the language pack
installation wizard asks if the user wants to apply language settings to All users and
system accounts. If this option is selected, it will change the local computer BCD
settings (if the user-only option is selected, BCD settings are not changed). This
change will result in a modification of a BCD setting to the new locale value. If you
are using a TPM with BitLocker, this is interpreted as a boot attack on reboot and the
computer will require that the user enters the recovery password or recovery key to
start the computer.
We recommend that you suspend BitLocker before changing locales or
installing a language pack, just as you would before making any major computer
configuration change, such as updating the BIOS.
Known Issues with Specific Hardware
Portege R700:
On the Portege R700, Gavin Chappell found that enabling the "USB-FDD Legacy
Emulation" option made the BitLocker encryption process work properly.
Before this change the encryption process would fail. Gavin’s description:
“With this option enabled, when I reboot the system for the Bitlocker system
checks I get prompted for my startup PIN, once entered I get into Windows and the
encryption starts. Note that the laptop can still boot from USB media (i.e. an SCCM
memory stick) with this option disabled so this setting needs to be checked explicitly
as well as the "BIOS must be able to read from a USB flash drive during startup"
item you already list.”
Desktops with the DQ35JO Motherboard:
Again Gavin Chappell discovered that desktop machines with the DQ35JO
motherboard were not BitLocker compatible.