Using BitLocker to Encrypt Removable Media (Part 1)

Published on 1 April 2010 / Last Updated on 1 April 2010

How to use BitLocker to Go to prevent accidental data disclosure by encrypting removable media.

Introduction

Users who work outside of an organization have always presented a special security challenge to IT employees. On one hand, mobile workers need access to corporate data on their laptops or mobile devices. On the other hand, placing data on such devices puts the data at risk of being compromised should the device be lost or stolen.

Many organizations forbid employees from storing data on laptops or mobile devices for this very reason. This approach is not always practical though. Restricting users from placing data on their laptops or mobile devices means that the users will have to connect to the Internet any time that they need to access data, and as we all know Internet access is not always available. For example, it is common for mobile users to try to get some work done while on a long flight. However, if the user is unable to access any data without an Internet connection then this otherwise productive time is wasted.

Over the years Microsoft has created several different solutions that are designed to help secure the data that is stored on laptops. In Windows Vista for example, Microsoft introduced the BitLocker drive encryption feature. This feature allows the laptop’s entire hard drive to be encrypted.

As much of an improvement as BitLocker is over the file-level encryption that was previously available in Windows XP, BitLocker does have its limitations. For example, the Windows Vista version of BitLocker was only able to encrypt the system volume. If a computer contained other volumes, then EFS encryption or a third-party encryption product still had to be used to secure those volumes.

Another major BitLocker limitation was its inability to encrypt removable media. While this may not initially sound like such a big deal, it is important to remember that USB flash drives have become ubiquitous. Furthermore, the capacity of such devices has increased exponentially over the last few years. What all of this means is that vast quantities of data can easily be stored on a small, inexpensive, and easy-to-lose device that offers no native encryption capabilities. The really scary part is that because USB flash drives are small and inexpensive, a user may not even notice when one goes missing.

When Microsoft created Windows 7, one of the things that they set out to do was to address the various shortcomings of BitLocker. Some of these improvements include:

  • BitLocker is now capable of encrypting all of a system’s volumes, not just the volume containing the operating system.
  • The system now performs an integrity check as a part of the boot process. This helps to verify that the computer hasn’t been tampered with while offline, and that the encrypted drive is in its original computer.
  • It is now possible to move an encrypted hard drive to another computer, or replace the system board in a system that has been BitLocker encrypted without losing access to the encrypted files.
  • Windows guards against cold boot attacks by requiring users to either enter a PIN or insert a USB flash drive containing key material prior to booting a computer or resuming from hibernation.
  • BitLocker recovery keys can now be stored in Active Directory. These keys can be used to regain access to BitLocker-encrypted data in the event that a user forgets their PIN or loses the USB flash drive containing the key material.

BitLocker to Go

Perhaps the most significant new BitLocker feature is BitLocker to Go. BitLocker to Go makes it possible to encrypt removable storage devices, such as USB flash drives. That way, if the removable media is lost or stolen, the data that it contains will not be compromised.

As you would probably expect, BitLocker encryption is not enabled by default for USB flash drives. However, BitLocker encryption can be enabled either by an administrator (via group policy settings) or by an end user.

What is nice is that Microsoft has made it really easy for an end user to enable BitLocker encryption. BitLocker functionality is now integrated directly into Windows Explorer. This means that if an end user wants to enable BitLocker encryption for a USB device, they do not have to fumble with the Control Panel, looking for the correct setting.

To see what I mean, take a look at Figure A. In this figure, I have inserted a USB flash drive into a computer that is running Windows 7. When I right-click on the USB flash drive, Windows displays an option to turn on BitLocker.

Figure A: Windows Explorer now contains an option to turn on BitLocker

If I select the Turn on BitLocker option, BitLocker will only be enabled for the selected drive, not the entire system. When you enable BitLocker, Windows will prompt you to enter a password that you can use to unlock the drive. As you can see in Figure B, you also have the option of using a smart card to unlock the drive.

Figure B: You must provide a password and / or a smart card that can be used to unlock the drive

After entering a password, Windows generates a recovery key, and prompts you to either save the recovery key to a file or to print the recovery key, as shown in Figure C. You will notice in the figure that the Next button is grayed out until you perform at least one of these actions. Microsoft requires the recovery key to be saved or printed as a way of preventing data loss due to forgotten passwords.

Figure C: You must save or print your recovery key

After saving or printing your recovery key, it is time to encrypt the drive. To do so, just click the Start Encrypting button, shown in Figure D.

Figure D: Click the Start Encrypting button to encrypt the drive
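The same wizard steps (password protector, recovery password, encryption, verification) can be driven from the command line with manage-bde.exe, which ships with Windows 7. This is an added example, not code from the original article; it assumes an elevated PowerShell session, that $DriveLetter is the removable drive, and that $RecoveryKeyPath is a location that is not on the drive being encrypted.

```powershell
# Added example: enable BitLocker To Go on a removable drive with manage-bde.exe.
# Assumptions: elevated session, $DriveLetter is a removable drive (e.g. 'E:'),
# $RecoveryKeyPath is NOT on that drive.
param(
    [Parameter(Mandatory = $true)][string]$DriveLetter,
    [string]$RecoveryKeyPath = (Join-Path $env:USERPROFILE 'Documents')
)

# Saving the recovery key onto the drive it unlocks defeats the purpose, so refuse it.
if ($RecoveryKeyPath.ToUpper().StartsWith($DriveLetter.ToUpper())) {
    throw "Recovery key path must not be on $DriveLetter"
}

# -pw adds a password protector (manage-bde prompts for the password interactively,
# so it never lands on the command line or in shell history); -rp adds a 48-digit
# numeric recovery password and prints it once. Tee-Object keeps the prompt visible
# while also capturing the output for parsing.
& manage-bde.exe -on $DriveLetter -pw -rp 2>&1 | Tee-Object -Variable output
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed:`n$($output -join "`n")" }

# The recovery password is printed as 8 groups of 6 digits separated by hyphens.
$match = [regex]::Match(($output -join "`n"), '\d{6}(-\d{6}){7}')
if (-not $match.Success) { throw 'Recovery password not found in manage-bde output' }
$recoveryPassword = $match.Value

# Equivalent of the wizard's "Save the recovery key to a file", written off-device.
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$keyFile = Join-Path $RecoveryKeyPath "BitLocker Recovery Key $stamp.txt"
"Drive: $DriveLetter`nRecovery password: $recoveryPassword" | Set-Content -Path $keyFile
Write-Host "Recovery password saved to $keyFile"

# Verify: the drive should list a Password and a Numerical Password protector,
# and -status reports conversion progress and whether protection is on.
& manage-bde.exe -protectors -get $DriveLetter
& manage-bde.exe -status $DriveLetter
```

Treat the saved text file as a secret: it unlocks the drive without the password, so it belongs in a protected location or, as Part 2 covers, in Active Directory rather than alongside the drive.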

Using an Encrypted Flash Drive

Using an encrypted flash drive really is not that much different than using any other flash drive. If you look at Figure E, you can see that when I insert the flash drive, I am prompted to enter a password. You will also notice that the drive’s icon includes a padlock.

Figure E: Upon inserting an encrypted flash drive, you are required to enter a password

Upon entering the password, the icon changes to show that the drive is unlocked, as shown in Figure F.

Figure F: After entering a password, the drive is unlocked

Other Operating Systems

Since BitLocker to Go was first introduced in Windows 7, you may be wondering what happens if you insert an encrypted flash drive into a PC that is running an older operating system. Figure G shows what happens when you insert an encrypted flash drive into a machine that is running Windows Vista.

Figure G: Vista gives you the option of installing a BitLocker to Go Reader

Although Vista does not natively support BitLocker to Go, you are provided with the option of installing a BitLocker to Go Reader. This reader is stored on the encrypted drive (in unencrypted form), so it is possible to install the reader even if you do not have Internet access.

Since the dialog box also contains an option to open the folder to view the files, I decided to click on this option to see what Vista would display. As you can see in Figure H, Vista shows you some BitLocker Reader system files. All of the actual data that is stored on the drive is contained within a series of encrypted .NG files.

Figure H: The BitLocker to Go Reader is stored on the flash drive

Conclusion

In this article, I have shown you how you can use BitLocker to Go to manually encrypt a USB flash drive. In Part 2 of this series, I will show you how you can use group policies to automate the process.
