BitLocker Drive Encryption is a full disk encryption feature included with the Ultimate and Enterprise editions of Windows 7 (and Vista and Server 2008). On my recent travels, I knew there would be times when I would need to leave my laptop unattended (like in a hotel or baggage dropoff area) and I wanted to ensure that my data would be safe if the laptop was stolen or lost.
The solution – use BitLocker Drive Encryption in conjunction with Windows 7 and a USB key – put simply – if the USB key is not plugged into the laptop, Windows will not start and the entire drive is encrypted. This means that if I need to leave my laptop in a hotel, I can take the USB key with me and know that if my laptop is stolen, although highly inconvenient, my data will be safe and the thief cannot use my laptop.
So how do we do it?
First, ensure that you have either Enterprise or Ultimate versions of Windows 7 and a USB stick (any size will do, the BitLocker keys are very small files). You will also need a BIOS that supports USB devices during bootup – this will be common on any machine that is less than 4 or 5 years old. The USB stick that you use does not need to be dedicated to hosting the BitLocker keys, it can also be used for normal document storage or for ReadyBoost.
Next you need to open the Local Group Policy Editor (gpedit.msc). Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Open ‘Require additional authentication at startup’:
Set this to ‘Enabled’ and ensure the Options section has ‘Allow BitLocker without a compatible TPM’ ticked:
At this point I would recommend you run the ‘gpupdate /force’ command and restart your computer. Once restarted, ensure your USB stick is inserted into the computer, then head to ‘My Computer’. Right click on your system hard drive (usually C:) to encrypt and select ‘Turn on BitLocker’ (alternatively this can be done from the Control Panel):
Select ‘Require a Startup key at every startup’ as shown below:
Select the USB drive that you had previously inserted:
Select the ‘Save the recovery key to a USB flash drive’ option:
It is recommended to run the BitLocker system check on the next page. Your hard drive will now start to encrypt and you can continue working on the computer during this process. It may prompt you to restart and it will give you a progress bar as shown below. The encryption can take up to a few hours, depending on the size of the disk volume. As a rough guide, I would say a 30GB volume takes around 30 minutes.
Once the process is complete, as you can see below, if the USB stick is plugged in, the machine will start successfully. At this point you can remove the USB stick or leave it in and configure it for extra storage or with ReadyBoost as I do.
If you attempt to start the machine without the USB stick inserted, you will see the below error message and Windows will not load (just as you want!).
If you look at the new files on your USB stick, you will see 2 files as shown below. These are the ‘key’ files that the system will look for when booting up (actually one is the recovery file, the other is the actual key file). I would highly recommend that you copy these files to another location in case you lose your USB stick. These 2 files can simply be copied like any other files. I would recommend copying these to another USB stick (you can then boot up with either of the sticks plugged in) and saving a copy elsewhere, like your email or give to a friend.
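The same steps, scripted, as an added example that is not part of the original post. It uses manage-bde.exe, which ships with Windows 7 (the Enable-BitLocker PowerShell cmdlets only arrived in Windows 8, so they are not used). The registry values are the ones the ‘Require additional authentication at startup’ policy writes when you tick ‘Allow BitLocker without a compatible TPM’ in gpedit.msc. The drive letters (C: for the system drive, E: for the startup-key stick, F: for the backup stick) are assumptions; change them to match your machine, and run this from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumed drive letters:
$SystemDrive = 'C:'    # volume to encrypt
$UsbDrive    = 'E:\'   # USB stick that will hold the startup key + recovery key
$BackupDrive = 'F:\'   # second USB stick for the backup copy of both .BEK files

# 1. Policy: 'Require additional authentication at startup' = Enabled,
#    'Allow BitLocker without a compatible TPM' = ticked. gpedit.msc stores
#    these under HKLM\SOFTWARE\Policies\Microsoft\FVE.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
gpupdate.exe /force | Out-Null

# 2. Checks before touching the disk: policy applied, USB stick present.
if ((Get-ItemProperty -Path $fve).EnableBDEWithNoTPM -ne 1) { throw 'BitLocker no-TPM policy was not applied' }
if (-not (Test-Path $UsbDrive)) { throw "USB stick $UsbDrive is not present" }

# 3. Turn BitLocker on with a startup key and a recovery key, both saved to the stick.
#    -SkipHardwareTest is deliberately NOT passed so the system check the post
#    recommends still runs (it will ask for a restart before encrypting).
manage-bde.exe -on $SystemDrive -StartupKey $UsbDrive -RecoveryKey $UsbDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. Show the protectors now attached to the volume and the encryption progress.
manage-bde.exe -protectors -get $SystemDrive
manage-bde.exe -status $SystemDrive

# 5. Back up the two key files. BitLocker writes them as hidden .BEK files,
#    so -Force is needed to list them. Each copy is verified with a SHA-256
#    computed via .NET (works on the PowerShell 2.0 that Windows 7 ships with).
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

$keyFiles = Get-ChildItem -Path $UsbDrive -Filter '*.BEK' -Force
if ($keyFiles.Count -lt 2) { Write-Warning "Expected a startup key and a recovery key on $UsbDrive, found $($keyFiles.Count) .BEK file(s)" }
foreach ($key in $keyFiles) {
    $dest = Join-Path $BackupDrive $key.Name
    Copy-Item -Path $key.FullName -Destination $dest -Force
    if ((Get-Sha256Hex $key.FullName) -ne (Get-Sha256Hex $dest)) {
        throw "Backup of $($key.Name) does not match the original"
    }
    Write-Host "Backed up $($key.Name) to $dest"
}
```

Either stick will then boot the machine, because both hold the same external key protector. Note that saving the recovery key to the same stick as the startup key means losing that one stick loses both, which is exactly why the backup step above is not optional; keep the backup stick somewhere other than the laptop bag.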
That is it! You can now be comfortable that your system will be encrypted and unusable if it is stolen. The important thing is to keep the USB sticks safe! Always store the USB stick and the laptop separately, otherwise this whole exercise is pointless!!