BitLocker is an on-disk encryption system that encrypts the computer's boot drive, making the system data on it unreadable to unauthorised users - someone who's just made off with your laptop at the airport, for example. Without a boot key - either a manually entered PIN, a USB flash drive or a secure module on the PC itself - everything on a BitLocker-encrypted drive is indistinguishable from random data.

In the face of any number of news stories about government agencies and businesses losing laptops and the data on them, Microsoft has tried hard to convince users that BitLocker is the best means of preventing data loss through theft or espionage. A lost BitLocker-protected computer, Microsoft argues, can be safely written off without concern that the data on it could be compromised; and, as we are all well aware, the cost of a lost laptop is minor compared with the cost of losing the data on it.

Getting the Goods

Those considering BitLocker for their laptops can only get the technology on Windows Vista Ultimate and Windows Vista Enterprise - the version of the OS designed for large corporations. Also, to get the most out of BitLocker, Microsoft recommends using it on a computer equipped with a Trusted Platform Module (TPM), a microchip embedded in a PC's motherboard that stores passwords, keys and digital certificates.

BitLocker in Action

BitLocker requires a 1.5GB unencrypted boot partition ahead of the system volume to be encrypted; this partition holds the boot loader and the data needed to unlock the system volume. When Vista was first released, users had to create this partition manually before installing Vista, but after a number of complaints, Microsoft revised the BitLocker setup process so that you can create the partition on an existing system.

One of the Vista Ultimate Extras is labelled 'BitLocker and EFS enhancements', which contains the BitLocker Drive Preparation tool. This program automates the setup process and encrypts an existing drive for BitLocker while the system is running. (It's still always best to have BitLocker set up on a system before it has been personalised for a given user so there is no chance of unencrypted data being stored on it at any time.)

There are three possible ways to implement BitLocker on a given system, each with its own benefits and drawbacks:

On a computer with TPM hardware: The TPM chip stores BitLocker's decryption keys, so any attempt to reverse-engineer a key through tampering will leave the system unbootable (and the drive unreadable). Any attempts to tamper with the unencrypted boot loader will cause the system to fail.

TPM, however, is not something that can be added to a PC after the fact - it's something that has to be included in its design from the ground up. It's difficult to determine exactly how much TPM adds to the cost of a laptop, because TPM hardware is typically offered as part of a bundle of features in 'business-class' machines. But at this point, the cost premium doesn't appear to be a lot.

On a system without TPM hardware that boots from an external USB drive: In this scenario, the system's boot key is stored on an external drive. The system boots from that drive first, which then supplies the decryption key that allows the rest of the system to boot.

However, this plan will not work on a system that does not support booting from a USB device, and by no means do all business-class machines support that capability. The USB boot device itself can also be stolen - and leaving the USB drive plugged in while the system is running (as many people are wont to do) is akin to unlocking the front door of your house and leaving the key in the lock.

For this reason, the USB drive method is probably not suitable for most people, although it is a workable way for an individual user to get BitLocker onto a machine without TPM.

On a system without TPM, no additional hardware required: You can opt to have users enter a 48-digit PIN at boot time, though they may find that process cumbersome and slow. Because a 48-digit PIN is difficult to memorise, most people will be inclined to write it down - another security breach waiting to happen. In light of all this, it's clear that adding BitLocker to an existing system, with the possible risk of USB drive loss or the inconvenience of a 48-digit PIN, is inferior to using a TPM-enabled system from the outset. Running BitLocker transparently over TPM is the best option but also the most costly to implement, since in many instances it entails buying a new computer.

Whatever method you choose, when setting up BitLocker policies, be sure to enable encryption key recovery through Active Directory. When a BitLocker computer is configured, the administrator can (and should) make a backup of the encryption key into an AD repository. This way, if the key is lost but the data itself is not - for instance, if you're using a USB drive and it goes missing - any needed data can be recovered from the system without declaring the whole thing scorched earth.
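The recovery-key escrow described above can be verified and enforced from the client side. The following script is an added example, not part of the original article and not Microsoft's own tooling: it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; these cmdlets did not ship with Vista), a domain-joined machine, and the "Store BitLocker recovery information in Active Directory Domain Services" policy already applied.

```powershell
# Added example (not from the article). Enumerate BitLocker volumes, make sure
# every encrypted volume has a numerical recovery password protector, and escrow
# that protector to Active Directory. Requires an elevated shell, the BitLocker
# and TrustedPlatformModule modules (Windows 8 / Server 2012 or later), and the
# AD DS recovery-information group policy already in force on this machine.

# Report the TPM state first: this tells you which of the three deployment
# modes (TPM, USB startup key, PIN) is available on this hardware.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}; TPM ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host ("{0}: not encrypted, skipping" -f $vol.MountPoint)
        continue
    }

    # Only RecoveryPassword protectors (the 48-digit numerical password) can be
    # escrowed to AD; TPM and startup-key protectors are not backed up this way.
    $recovery = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $recovery) {
        # No recovery password exists yet, so add one; without it a lost startup
        # key or a failed TPM leaves nothing to recover the volume with.
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint `
            -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($rp in $recovery) {
        try {
            # Push the protector into the computer object's msFVE-RecoveryInformation
            # entry in AD. Fails loudly if the domain controller is unreachable or
            # the policy that permits escrow is not applied, which is what we want.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                -KeyProtectorId $rp.KeyProtectorId | Out-Null
            Write-Host ("{0}: recovery protector {1} backed up to AD" -f
                $vol.MountPoint, $rp.KeyProtectorId)
        } catch {
            Write-Warning ("{0}: AD backup failed: {1}" -f
                $vol.MountPoint, $_.Exception.Message)
        }
    }
}
```

Run it as part of the build or post-deployment checks so that a machine never leaves IT with an encrypted volume whose recovery password exists only on that machine.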

Scope of Protection

So, how well does BitLocker succeed in its stated goal of functioning as a 'seamless, secure and easily manageable data protection solution'? It all hinges on the scope of the protection it provides.

On the plus side, BitLocker thoroughly encrypts something that has traditionally not been encryptable in Windows without the aid of third-party software: the operating system itself. An encrypted drive will remain unreadable even if mounted in another computer. This is crucially important with laptops, since it's trivially easy for an attacker to gain physical access to a system and remove the hard drive.

However, BitLocker doesn't by default encrypt anything other than the boot drive. It is possible to encrypt drives other than the boot drive with BitLocker, but this is not something that can be done automatically through BitLocker's configuration GUI (at least not yet). Microsoft does not yet support encrypting data volumes with BitLocker either.

Encryption is difficult to implement properly, no matter what the product, and Microsoft deserves kudos for making it possible to do this in such a tightly integrated way in Windows Vista.

There's no question that when properly implemented and deployed, BitLocker can add a considerable layer of security to a computer. Just be aware that this security comes at a cost - including the price of an edition of Windows Vista that supports BitLocker, the proper hardware to fully implement it, and, most important, the effort on the part of both IT and the end user to ensure that it has all been implemented correctly.