We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Windows Vista Ultimate - BitLocker FAQ

How BitLocker secures Ultimate laptops

On a system without TPM, no additional hardware required: You can opt to have users enter a 48-digit PIN number at boot time, though they may find that process cumbersome and slow. Because this is difficult to memorise, most people will be inclined to write it down - another security breach waiting to happen. In light of all this, it's clear that adding BitLocker to an existing system, with the possible risks of USB drive loss or the inconvenience of a 48-digit PIN, is inferior to using a TPM-enabled system from the outset. Running BitLocker transparently over TPM is the best option but also the most costly to implement, since in many instances it entails buying a new computer.

Whatever method you choose, when setting up BitLocker policies, be sure to enable encryption key recovery through Active Directory. When a BitLocker computer is configured, the administrator can (and should) make a backup of the encryption key into an AD repository. This way, if the key is lost but the data itself is not - for instance, if you're using a USB drive and it goes missing - any needed data can be recovered from the system without declaring the whole thing scorched earth.

Scope of Protection

So, how well does BitLocker succeed in its stated goal of functioning as a 'seamless, secure and easily manageable data protection solution'? It all hinges on the scope of the protection it provides.

On the plus side, BitLocker thoroughly encrypts something that has traditionally not been encryptable in Windows without the aid of third-party software: the operating system itself. An encrypted drive will remain unreadable even if mounted in another computer. This is crucially important with laptops, since it's trivially easy for an attacker to gain physical access to a system and remove the hard drive.

However, BitLocker doesn't by default encrypt anything other than the boot drive. It is possible to encrypt drives other than the boot drive with BitLocker, but this is not something that can be done automatically through BitLocker's configuration GUI (at least not yet). Microsoft does not yet support encrypting data volumes with BitLocker either.

Conclusion

Encryption is difficult to implement properly, no matter what the product, and Microsoft deserves kudos for making it possible to do this in such a tightly integrated way in Windows Vista.

There's no question that when properly implemented and deployed, BitLocker can add a considerable layer of security to a computer. Just be aware that this security comes at a cost - including the price of an edition of Windows Vista that supports BitLocker, the proper hardware to fully implement it, and, most important, the effort on the part of both IT and the end user to ensure that it has all been implemented correctly.


IDG UK Sites

5 reasons not to wait for the Apple Watch: Why you shouldn't buy the iWatch

IDG UK Sites

Why local multiplayer gaming is rapidly vanishing: we look at the demise of split-screen and LAN...

IDG UK Sites

How Emotional Debt is damaging digital design

IDG UK Sites

How to update your iPhone or iPad to iOS 8: including how to install iOS 8 if you don't have room