How to Encrypt your Windows 7 SDS Machine with Bitlocker

Upload: trancong

Post on 27-Apr-2018

Document: Windows 7 BitLocker for SDS Author: Charles Last

How to Encrypt your Windows 7 SDS Machine with Bitlocker

************************************ IMPORTANT *******************************************

Before encrypting your SDS Windows 7 Machine it is highly recommended that a Full System Backup is taken beforehand. It is also essential that the BitLocker Recovery Key is saved to a safe and secure location. If you lose your recovery key and BitLocker ‘Locks’ there is no way to unlock the system without the recovery key.

************************************************************************************************

Introduction:

BitLocker Drive Encryption is a full disk encryption feature included with the Windows 7 desktop operating system. It is designed to protect data by providing encryption for entire volumes. BitLocker helps prevent a thief who boots another operating system or runs a software hacking tool from breaking Windows 7 file and system protections or performing offline viewing of the files stored on the safeguarded drive.

Prerequisites:

- SDS Windows 7 OS.
- Trusted Platform Module (TPM) version 1.2.
- A Trusted Computing Group (TCG)-compliant BIOS.
- The BIOS must be set to start first from the hard disk.
- The BIOS must be able to read from a USB flash drive during startup.
- Enable the "USB-FDD Legacy Emulation" BIOS setting if available.
- A USB flash drive.
- The user needs Local Administrator rights to enable Bitlocker.
- Bitlocker is disabled by default by Group Policy. In order to allow the machine to be encrypted, the PC needs to be added to the ‘SSPCS-Bitlocker Group’ in Active Directory. Contact the IT Service Desk on Ext 222333 who can raise a ticket for this to be actioned.

Encrypting your Windows 7 SDS Machine

1 – Log on to the PC with an account that has Local Administrator rights.

2 – Open the Control Panel and locate the ‘Bitlocker Drive Encryption’ Icon. Launch the program.

3 – The ‘Bitlocker Drive Encryption’ window will appear. Turn on Bitlocker for Drive C. (Note that Bitlocker is disabled by default by Group Policy. In order to allow the machine to be encrypted the PC Needs to be added to the ‘SSPCS-Bitlocker Group’ in Active Directory. Contact the IT Service Desk on Ext 222333 who can raise a ticket for this to be actioned)

4 – On the Bitlocker startup preferences window, click on ‘Require a PIN at every startup’. Note that the other preferences are greyed out by Group Policy restrictions.

5 – Choose a startup PIN. The PIN must be between 8 and 20 characters in length. Once the PIN has been entered click on ‘Set PIN’.

6 – Once the PIN has been set, insert your flash drive and then click on ‘Save the recovery key to a USB flash drive’. If you do not see the window below, do not continue with the encryption process as you won’t be able to generate a recovery key. Cancel out of the encryption process and contact IT Services for assistance. If there is a problem with your TPM configuration then this window may not be displayed.

7 – Select the USB device that you have just inserted and click on ‘Save’.

It’s a good idea to check that the ‘Recovery Key’ has been saved to the USB device. You will need to locate the USB drive and look for a BEK file in the root of the drive. The recovery key will look something like: 9CC7E3D4-634D-4915-B352-E47D05EAC7ED.BEK

This is a hidden file, so if you can’t see it in the root of your USB drive you will need to untick the ‘Hide protected operating system files (Recommended)’ setting in the Windows 7 Folder Options.

Once this is done you should be able to see your key.

8 – You will now be taken back to the previous window. Click on ‘Next’.

9 – Leave the ‘Run BitLocker System Check’ ticked and click on ‘Continue’.

10 – Make sure the USB device with the recovery key is still inserted and select ‘Restart Now’. The PC will automatically reboot.

11 – As soon as the machine boots back up you will be prompted to supply your PIN. Press Enter once you have done this. The PC will continue to boot into Windows.

12 – Log back into Windows. Once the desktop has loaded you should see an information box pop up in the system tray informing you that encryption is in progress.

13 – If you click on this Bitlocker System Tray Icon the window below will open up and display the encryption progress.

BitLocker encryption occurs in the background while you continue to work, and the system remains usable, but encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive. If you open up ‘Bitlocker Drive Encryption’ from the Control Panel you will see that the C:\ drive displays the ‘Encrypting’ status. The hard drive light on the machine will also be rapidly flashing on then off.

14 – Once the Encryption process has completed the system tray icon will display:

If you open up ‘Bitlocker Drive Encryption’ from the Control Panel you will see that the C:\ drive displays the encrypted drive as seen below.

15 - You have successfully encrypted the C:\ drive with Bitlocker.

16 - If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Turning Off Bitlocker

BitLocker can be turned off in two ways: by suspending BitLocker or by decrypting the drive. When you suspend BitLocker, your drive is still encrypted but your computer uses a plain text decryption key that is stored on the drive to read the information. When you decrypt the drive, everything on your drive is decrypted.

Suspending BitLocker Drive Encryption is a temporary method for removing BitLocker protection without decrypting the drive Windows is installed on (the operating system drive). Suspend BitLocker if you need to update the computer’s basic input/output system (BIOS) or startup files; this will help prevent BitLocker from locking the drive and can help avoid a lengthy decryption process. When the update is complete and you have restarted the computer, you can click Resume Protection.

You can only suspend BitLocker on operating system drives. If you want to turn off Bitlocker on a fixed data drive (such as an internal hard drive) or a removable data drive (such as an external hard drive or a USB flash drive), you must decrypt the drive. Decrypting an operating system drive means that BitLocker protection is removed from the computer, which can be time-consuming.

To temporarily suspend BitLocker, click Suspend Protection, and then click Yes. To turn off BitLocker and decrypt the drive, click Turn Off BitLocker, and then click Decrypt Drive.

How to Suspend Bitlocker Protection on Drive C:\

1 – From the Bitlocker Drive Encryption Options in the control panel click on ‘Suspend Protection’.

2 - The window below will appear. Click on ‘Yes’.

3 – An information window will appear in the system tray stating “Protection is suspended. Protection of C:\ by Bitlocker Drive Encryption is suspended. Click to resume protection”. The window below will display ‘Resume Protection’ instead of ‘Suspend Protection’.

How to Resume Bitlocker Protection on Drive C:\

1 – From the Bitlocker Drive Encryption Options in the control panel click on ‘Resume Protection’. In a few seconds Bitlocker will be active and the window below will change from ‘Resume Protection’ to ‘Suspend Protection’.

Decrypting the Entire Drive

1 - To completely turn off Bitlocker click ‘Turn Off Bitlocker’. This decryption process will take hours to complete.

2 – The window below will appear. Select ‘Decrypt Drive’.

3 – Decryption will commence and the progress will begin.

4 – From the Bitlocker Drive Encryption Options in the control panel it will show the C:\ Drive Decrypting.

How to Encrypt your USB Flash Devices with ‘BitLocker To Go’

Introduction

Windows 7 now has the ability to encrypt USB external media. This feature is called Bitlocker To Go and is only available on the enterprise version of the Operating System.

Encrypting with Bitlocker To Go

This is a guide on how to configure and use ‘Bitlocker To Go’.

Firstly insert the USB device that needs encrypting and then launch BitLocker Drive Encryption from the Windows 7 Control Panel. Locate the USB drive you want to encrypt and click on ‘Turn On Bitlocker’.

As soon as Bitlocker To Go has been activated, it will begin initialising the USB device. This process is non-destructive; therefore data already on the drive will not be affected. Once the initialisation process is complete, BitLocker To Go will prompt you to set up a password that you will use to unlock the drive.

After you set up a password, BitLocker To Go will prompt you to store a recovery key. It is advised that you store the recovery key file somewhere safe and not with the USB device. You can use the recovery key to unlock your drive in the event that you forget the password.

When you have created a password and saved your recovery key file, Bitlocker To Go will prompt you to begin the encryption process. During the encryption process, you'll see a standard progress monitor. The amount of time that it will take to complete the process will depend on how large the drive is. There is a Pause button which will allow you to temporarily halt the process should you need to perform another task.

Once the encryption is complete, BitLocker To Go displays a confirmation dialogue box and changes the icon associated with the encrypted drive (as seen below).

After the USB drive has been encrypted you can perform various management functions by clicking on ‘Manage BitLocker’. The options can be seen below:

Using ‘Bitlocker To Go’ Encrypted Drives in Windows 7

When you later insert the BitLocker To Go encrypted drive in the Windows 7 system, you will immediately be prompted to enter the password.

The ‘Show password’ option displays the password while you type; this is not secure and is not recommended. The ‘Automatically unlock on this computer from now on’ option stores the password in the Windows 7 password cache. Note that you must tick the option ‘Automatically unlock on this computer from now on’. Since we use FIPS standards, Bitlocker To Go will only work in read-only mode if you try to unlock with a password. The only way around this is to save the password to the computer. Once this is done you will have full read/write access to the USB encrypted drive.

Once you click Unlock, you'll see an AutoPlay dialogue box that prompts you to view the files. When you click the Open folder to view files button, you will be able to access the drive and its contents as you normally would.

Using Bitlocker To Go encrypted drive in Windows XP / Vista

When you insert the ‘BitLocker To Go’ encrypted drive in a Windows XP or Vista system, you will see an AutoPlay dialog box that prompts you to install the ‘BitLocker To Go Reader’. When you click this button, it will take just a moment to install and run the Reader.

You'll then see the BitLocker To Go Reader dialogue box, which will prompt you to enter your password.

After you type the password and click the Unlock button, you'll see the BitLocker To Go Reader window, which essentially looks like Windows Explorer.

If you attempt to open any file by double-clicking it in the BitLocker To Go Reader window, you'll immediately be prompted to copy the file to the desktop.

If you attempt to copy a file from the computer to the BitLocker To Go Reader window, you'll immediately see the error message “You can only read and copy files from the BitLocker To Go Reader”:

Bitlocker To Go encrypted device is in Read Only mode when used on Windows XP or Vista

Frequently Asked Questions

What is a BitLocker Drive Encryption PIN?

When you use BitLocker Drive Encryption to encrypt the drive that Windows is installed on you can use a personal identification number (PIN) to start your computer for added security. If you use a PIN, you'll need to remember it and type it each time you start the computer. The PIN can be any alphanumeric combination that you choose from 8 to 20 characters in length. The PIN is stored on your computer. After you create the PIN, you can use Manage BitLocker to change the PIN.

What is a BitLocker Recovery Key?

A BitLocker recovery key is a special key that you can create when you turn on Bitlocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. Store the recovery key separate from your computer. After you create a recovery key, you can use Manage BitLocker to make additional copies. If you lose your recovery key and Bitlocker locks the drive you will never be able to boot up the PC. It’s critical that the Recovery Key is kept in a safe place.
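
The checks that the encryption steps ask you to make by eye (the hidden .BEK file on the USB drive, the ‘Encrypting’ and encrypted states, and whether protection has been left suspended) can also be made from an elevated PowerShell prompt. This is an added example, not part of the original guide; it uses the Win32_EncryptableVolume WMI class that ships with Windows 7, and the E:\ drive letter for the USB stick is an assumption.

```powershell
# Added example, not from the original guide. Run from an elevated PowerShell prompt.
# Assumption: the USB stick holding the recovery key is mounted as E:\ (hypothetical default).
param(
    [string]$Drive   = 'C:',
    [string]$UsbRoot = 'E:\'
)

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if (-not $vol) { throw "No BitLocker volume object for $Drive. Is the prompt elevated?" }

# Value tables for the status codes returned by Win32_EncryptableVolume.
$conversionText = @{
    0 = 'Fully decrypted';        1 = 'Fully encrypted'
    2 = 'Encryption in progress'; 3 = 'Decryption in progress'
    4 = 'Encryption paused';      5 = 'Decryption paused'
}
$protectionText = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown (volume is locked)' }

$conv     = $vol.GetConversionStatus()
$prot     = $vol.GetProtectionStatus()
$convCode = [int]$conv.ConversionStatus
$protCode = [int]$prot.ProtectionStatus

"{0} conversion : {1} ({2}%)" -f $Drive, $conversionText[$convCode], $conv.EncryptionPercentage
"{0} protection : {1}" -f $Drive, $protectionText[$protCode]

# Encrypted but protection off means BitLocker is suspended: the drive is still
# encrypted, but a plain text key stored on the drive is used to read it.
if ($convCode -eq 1 -and $protCode -eq 0) {
    Write-Warning "$Drive is encrypted but BitLocker is suspended. Resume protection once the change is complete."
}

# Key protector types: 2 = external key (.BEK file), 4 = TPM and PIN.
function Get-ProtectorIds([int]$Type) {
    $result = $vol.GetKeyProtectors($Type)
    @($result.VolumeKeyProtectorID |
        Where-Object { $_ } |
        ForEach-Object { $_.Trim('{}').ToUpper() })
}

$tpmPin   = @(Get-ProtectorIds 4)
$external = @(Get-ProtectorIds 2)
"TPM and PIN protectors  : {0}" -f $tpmPin.Count
"External key protectors : {0}" -f $external.Count

# -Force is needed because the .BEK file is hidden and marked as a system file.
$bekFiles = @(Get-ChildItem -Path $UsbRoot -Filter '*.BEK' -Force -ErrorAction SilentlyContinue)
if ($bekFiles.Count -eq 0) {
    Write-Warning "No .BEK file found in $UsbRoot"
}

# The .BEK file name is the ID of the key protector it belongs to.
foreach ($file in $bekFiles) {
    $id = [IO.Path]::GetFileNameWithoutExtension($file.Name).ToUpper()
    if ($external -contains $id) {
        "{0} matches an external key protector on {1}" -f $file.Name, $Drive
    } else {
        Write-Warning ("{0} does not match any key protector on {1}" -f $file.Name, $Drive)
    }
}
```

A .BEK file that does not match any protector on the volume belongs to a different drive or an earlier encryption run and will not unlock this machine.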

How can I tell whether my computer has a TPM version 1.2?

Click Start, click Control Panel, click System and Security, click BitLocker Drive Encryption, and then click Turn On BitLocker. If your computer does not have a TPM version 1.2 or the BIOS is not compatible with the TPM, you will receive the following error message: “A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker”.

What happens if the computer is turned off during Encryption or Decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk space commonly contains data remnants.

What system changes would cause the integrity check on my operating system drive to fail?

The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:

- Moving the BitLocker-protected drive into a new computer.
- Installing a new motherboard with a new TPM.
- Turning off, disabling, or clearing the TPM.
- Changing any boot configuration settings.
- Changing the BIOS, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.

This functionality is by design; BitLocker treats unauthorized modification of any of the early boot components as a potential attack and will place the system into recovery mode. Authorized administrators can update boot components without entering recovery mode by disabling BitLocker beforehand.

What causes BitLocker to start into recovery mode when attempting to start the operating system drive?

The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:

- Changing any boot configuration data settings.
- Changing the BIOS boot order to boot another drive in advance of the hard drive.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.

- Failing to boot from a network drive before booting from the hard drive.
- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated.
- Turning off the BIOS support for reading the USB device in the pre-boot environment if you are using USB-based keys instead of a TPM.
- Turning off, disabling, deactivating, or clearing the TPM.
- Upgrading critical early startup components, such as a BIOS upgrade, causing the BIOS measurements to change.
- Forgetting the PIN when PIN authentication has been enabled.
- Updating option ROM firmware.
- Upgrading TPM firmware.
- Adding or removing hardware. For example, inserting a new card in the computer, including some PCMCIA wireless cards.
- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS secure startup is disabled, and the TPM does not respond to commands from any software.
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including PCR[1] would result in most changes to BIOS settings, causing BitLocker to enter recovery mode.
- Moving the BitLocker-protected drive into a new computer.
- Upgrading the motherboard to a new one with a new TPM.
- Failing the TPM self test.
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
- Pressing the F8 or F10 key during the boot process.

- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.

- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.

Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?

Yes, if the drive is a data drive, you can unlock it from the BitLocker Drive Encryption Control Panel item just as you would any other data drive by using a password or smart card. If the data drive was configured for automatic unlock only, you will have to unlock it by using the recovery key. If it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

If I lose my recovery information, will the BitLocker-protected data be unrecoverable?

BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive. Therefore, we highly recommend that you store the recovery information in a safe location.

Can I generate multiple PIN combinations?

In Windows 7, it is not possible to generate multiple PIN combinations.

Why is the system check failing when I am encrypting my operating system drive?

The system check is designed to ensure your computer's BIOS is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:

- The computer's BIOS cannot read USB flash drives.
- The computer's BIOS or boot menu does not have reading USB flash drives enabled.
- There are multiple USB flash drives inserted into the computer.
- The PIN was not entered correctly.
- The computer's BIOS only supports using the function keys (F1–F10) to enter numerals in the pre-boot environment.
- The startup key was removed before the computer finished rebooting.
- The TPM has malfunctioned and fails to unseal the keys.

Language Packs

When installing a language pack, an additional option in the language pack installation wizard asks if the user wants to apply language settings to All users and system accounts. If this option is selected, it will change the local computer BCD settings (if the user-only option is selected, BCD settings are not changed). This change will result in a modification of a BCD setting to the new locale value. If you are using a TPM with BitLocker, this is interpreted as a boot attack on reboot and the computer will require that the user enters the recovery password or recovery key to start the computer.

We recommend that you suspend BitLocker before changing locales or installing a language pack, just as you would before making any major computer configuration change, such as updating the BIOS.

Known Issues with Specific Hardware

Portege R700:

On the Portege R700, Gavin Chappell found that enabling the "USB-FDD Legacy Emulation" option made the Bitlocker Encryption Process work properly. Before this was done the encryption process would fail with:

“With this option enabled, when I reboot the system for the Bitlocker system checks I get prompted for my startup PIN, once entered I get into Windows and the encryption starts. Note that the laptop can still boot from USB media (i.e. an SCCM memory stick) with this option disabled so this setting needs to be checked explicitly as well as the "BIOS must be able to read from a USB flash drive during startup" item you already list.”

Desktops with the DQ35JO Motherboard:

Again, Gavin Chappell discovered that desktop machines with the DQ35JO motherboard were not Bitlocker compatible.