This guide is an update to my earlier post on Bitlocker in Windows Vista.
BitLocker Drive Encryption is an integral security feature in the Windows Vista and Windows 7 operating systems that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.
This guide demonstrates how to configure a basic installation of BitLocker on a TPM-enabled machine and assumes you are performing a clean build on a new machine using a network-based WDS build.
Important things to remember before you begin
- BitLocker is particularly recommended to users of laptops within the University.
- Backups are more important than ever on encrypted disks, as recovery will be all but impossible if the disk's hardware fails.
- Changing a system's hardware will cause the TPM to react and have the system lock down. This can easily be fixed by using the BitLocker recovery key, but only if you still have it!
- A machine with a TPM chip
- Windows 7 installation media (DVD or WDS install)
1. Build the machine as normal. Unlike Windows Vista, Windows 7 automatically creates (and hides) the tiny system partition required for drives encrypted with BitLocker to boot.
2. Once the machine has finished building, restart and enable your TPM in the BIOS if it is not already. There does not seem to be any convention on how the TPM is referred to, but on HP machines it is referred to as the ‘Embedded Security Device’.
3. Logon to Windows and navigate to Control Panel\All Control Panel Items\BitLocker Drive Encryption.
4. Select the drive you want to encrypt.
5. Choose a method of saving your recovery key.
6. Check the ‘Run BitLocker system check’ option.
7. Finally, restart the machine. After logon you will see a notification that the drive is being encrypted.
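Steps 2 to 7 can also be driven from an elevated PowerShell prompt using the `manage-bde` tool that ships with Windows 7 Enterprise and Ultimate, which is handy when you are building many machines from WDS. The script below is an added example and is not part of the original guide: it verifies that the TPM is enabled and activated before touching the drive, checks whether the OS volume is already protected, confirms the recovery key destination exists before it turns BitLocker on (so you never end up encrypted without a saved key), and then lists the protectors so you can record the 48-digit recovery password before rebooting. It assumes the OS volume is `C:` and that `$RecoveryKeyPath` points at an attached removable drive or network share; that path is a placeholder for your own site.

```powershell
# Added example, not the original guide's steps: TPM/BitLocker checks and
# enabling BitLocker on the OS drive with TPM + recovery password protectors.
# Assumptions: Windows 7 Enterprise/Ultimate, elevated PowerShell session,
# OS volume is C:, and $RecoveryKeyPath is a placeholder you must change.

$OsDrive         = 'C:'
$RecoveryKeyPath = 'E:\BitLockerRecovery'   # placeholder: removable drive or network share

# 1. Confirm the TPM is present, enabled and activated (guide step 2).
#    Win32_Tpm methods return an object whose same-named property holds the result.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM found. Enable it in the BIOS (on HP: Embedded Security Device) and retry.'
}
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw 'TPM is present but not enabled/activated in the BIOS.'
}

# 2. Check the current BitLocker state of the OS volume (guide step 4).
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if (-not $vol) {
    throw "No BitLocker volume record for $OsDrive; is this a supported Windows 7 edition?"
}
# ProtectionStatus: 0 = off, 1 = on, 2 = unknown
if ($vol.GetProtectionStatus().ProtectionStatus -eq 1) {
    Write-Host "$OsDrive is already protected by BitLocker."
    return
}

# 3. Save the recovery key and turn BitLocker on (guide step 5).
#    -RecoveryPassword creates the 48-digit numerical password protector,
#    -RecoveryKey writes the .BEK file to the given folder, and manage-bde
#    adds the TPM protector to the OS drive by default.
if (-not (Test-Path $RecoveryKeyPath)) {
    throw "Recovery key path $RecoveryKeyPath does not exist; attach the drive or share first."
}
manage-bde -on $OsDrive -RecoveryPassword -RecoveryKey $RecoveryKeyPath
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 4. List the protectors (TPM, numerical password, external key) so the
#    recovery password can be recorded before the machine is restarted.
manage-bde -protectors -get $OsDrive

# 5. Because a TPM protector is used, manage-bde performs the hardware test on
#    the next restart (the same check as the GUI's 'Run BitLocker system check',
#    guide step 6); we deliberately do not pass -SkipHardwareTest. Encryption
#    starts after that reboot; re-run the status line below to watch progress.
manage-bde -status $OsDrive
```

Keep the printed recovery password with your asset records, not on the encrypted machine: as the guide warns, a hardware change makes the TPM lock the system, and the recovery password is the only way back in.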