How to use BitLocker To Go to prevent accidental data disclosure by encrypting removable media.
Users who work outside of an organization have always presented a special security challenge to IT staff. On the one hand, mobile workers need access to corporate data on their laptops or mobile devices. On the other hand, placing data on such devices puts it at risk of being compromised should the device be lost or stolen.
Many organizations forbid employees from storing data on laptops or mobile devices for this very reason. This approach is not always practical, though. Preventing users from placing data on their laptops or mobile devices means that they will need a network connection back to the organization every time they need to access data, and, as we all know, connectivity is not always available.
Over the years Microsoft has created several different solutions that are designed to help secure the data that is stored on laptops. In Windows Vista for example, Microsoft introduced the BitLocker drive encryption feature.
As much of an improvement as BitLocker is over the file-level encryption (EFS, the Encrypting File System) that was previously available in Windows XP, BitLocker does have its limitations. For example, the original release of BitLocker in Windows Vista could only encrypt the operating system volume (support for additional fixed data volumes arrived with Vista SP1). If a computer contains other volumes, EFS or a third-party encryption product must still be used to secure them.
Another major BitLocker limitation was its inability to encrypt removable media. It is important to remember that USB flash drives have become ubiquitous, and their capacity has grown enormously over the last few years. What all of this means is that vast quantities of data can easily be stored on a small and inexpensive device that typically offers no encryption of its own. The really scary part is that because USB flash drives are small and inexpensive, a user may not even notice when one goes missing.
When Microsoft created Windows 7, one of the things that they set out to do was to address the various shortcomings of BitLocker. Some of the improvements, several of which extend protections that first appeared in Vista, include:
BitLocker is now capable of encrypting all of a system's volumes, not just the volume containing the operating system.
The system performs a TPM-based integrity check as a part of the boot process. This helps to verify that the early boot components have not been tampered with while the computer was offline, and that the encrypted drive is in its original computer.
It is possible to move an encrypted hard drive to another computer and regain access to it with the recovery key.
Windows guards against cold boot attacks by requiring users to either enter a PIN or insert a USB flash drive containing key material prior to booting a computer or resuming from hibernation. Note that this does not cover sleep (standby), where the volume keys remain in RAM; a laptop that is lost while sleeping is still exposed.
BitLocker recovery keys can be stored in Active Directory Domain Services when the corresponding Group Policy setting is enabled. These keys can be used to regain access to BitLocker-encrypted data in the event that a user forgets their PIN or password, or loses the USB flash drive containing the keying information.
BitLocker to Go
Perhaps the most significant new BitLocker feature is BitLocker To Go. BitLocker To Go makes it possible to encrypt removable storage devices, such as USB flash drives. That way, if the removable media is lost or stolen, the data that it contains cannot be read without the password, smart card, or recovery key that unlocks it.
As you would probably expect, BitLocker encryption is not enabled by default for USB flash drives. It can be turned on by an end user, or an administrator can use Group Policy to require it (for example, by denying write access to removable drives that are not protected by BitLocker).
Microsoft has made it really easy for an end user to enable BitLocker encryption, because BitLocker functionality is now integrated directly into Windows Explorer.
In figure A, I have inserted a USB flash drive into a computer that is running Windows 7. When I right click on the USB flash drive, Windows displays an option to turn on BitLocker.
Figure A: Windows Explorer now contains an option to turn on BitLocker
If I select the Turn on BitLocker option, BitLocker will only be enabled for the selected drive, not the entire system. When you enable BitLocker, Windows will prompt you to enter a password that you can use to unlock the drive. As you can see in Figure B, you also have the option of using a smart card to unlock the drive.
Figure B: You must provide a password and / or a smart card that can be used to unlock the drive
After entering a password, Windows generates a recovery key and prompts you to either save it to a file or print it, as shown in Figure C. You will notice in the figure that the Next button is grayed out until you perform at least one of these actions. Microsoft requires the recovery key to be saved or printed as a way of preventing data loss due to forgotten passwords. Treat the recovery key with the same care as the password: anyone who holds it can unlock the drive, so keep it off the flash drive itself (Windows will not let you save it to the drive being encrypted) and store it somewhere protected, such as a domain-joined computer or your Active Directory escrow.
Figure C: You must save or print your recovery key
After saving or printing your recovery key, it is time to encrypt the drive. To do so, just click the Start Encrypting button, shown in Figure D.
Figure D: Click the Start Encrypting button to encrypt the drive
Using an Encrypted Flash Drive
Using an encrypted flash drive really is not that much different from using any other flash drive. If you look at Figure E, you can see that when I insert the flash drive, I am prompted to enter a password. You will also notice that the drive's icon includes a padlock. The unlock dialog also offers to automatically unlock the drive on this computer from now on; be aware that choosing that option stores an unlock key on the host, so the drive is only as safe as that computer's own BitLocker protection.
Figure E: Upon inserting an encrypted flash drive, you are required to enter a password
Upon entering the password, the icon changes to show that the drive is unlocked, as shown in Figure F.
Figure F: After entering a password, the drive is unlocked
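The Explorer steps above (turning on BitLocker for the drive, saving the recovery key, and unlocking the drive on insertion) can also be driven from the command line with manage-bde.exe, the BitLocker tool that ships with Windows 7. The following script is an added example and is not code from the original article or from Microsoft; the drive letter E:, the recovery-key folder under the user's profile, and the refusal to write the recovery key onto the drive being encrypted are this example's own assumptions. It must be run from an elevated PowerShell prompt, and manage-bde will prompt interactively for the unlock password.

```powershell
# Added example: script the BitLocker To Go workflow with manage-bde.exe (Windows 7).
# Assumptions: E: is the removable drive; recovery material goes to a folder
# outside that drive. Run elevated.
param(
    [string]$Drive = 'E:',                                            # assumption
    [string]$RecoveryFolder = "$env:USERPROFILE\BitLockerRecovery"    # assumption
)

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'manage-bde requires an elevated prompt.'
    }
}

function Test-IsRemovable([string]$Volume) {
    # Win32_LogicalDisk.DriveType 2 is a removable disk; refuse to run on anything else
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Volume'"
    return ($disk -ne $null -and $disk.DriveType -eq 2)
}

function Get-BitLockerStatusText([string]$Volume) {
    # manage-bde -status prints a text block per volume; return it as one string
    return (& manage-bde.exe -status $Volume 2>&1 | Out-String)
}

function Enable-BitLockerToGo([string]$Volume, [string]$RecoveryDir) {
    if (-not (Test-IsRemovable $Volume)) { throw "$Volume is not a removable drive." }
    # Never keep the recovery key on the drive it unlocks (Explorer enforces the same rule)
    if ($RecoveryDir.StartsWith($Volume, 'OrdinalIgnoreCase')) {
        throw 'The recovery key must not be stored on the drive being encrypted.'
    }
    New-Item -ItemType Directory -Force -Path $RecoveryDir | Out-Null

    # -rp adds the 48-digit numerical recovery password, -rk writes a .BEK recovery
    # key file into the folder; encryption starts as soon as protectors exist
    & manage-bde.exe -on $Volume -rp -rk $RecoveryDir
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed (exit code $LASTEXITCODE)" }

    # -pw adds the password protector the user will type on insertion (prompts for it)
    & manage-bde.exe -protectors -add $Volume -pw
    if ($LASTEXITCODE -ne 0) { throw "adding the password protector failed (exit code $LASTEXITCODE)" }

    # Record the protector list (including the numerical recovery password) next to
    # the .BEK file so it can be printed or escrowed; this is the "save or print" step
    $protectors = & manage-bde.exe -protectors -get $Volume | Out-String
    $recordPath = Join-Path $RecoveryDir ("{0}-protectors.txt" -f $Volume.TrimEnd(':'))
    $protectors | Out-File -FilePath $recordPath
    return $protectors
}

function Wait-ForEncryption([string]$Volume) {
    # Poll the status block until the drive reports it is fully encrypted
    do {
        Start-Sleep -Seconds 10
        $status = Get-BitLockerStatusText $Volume
    } until ($status -match 'Fully Encrypted' -or $status -match 'Percentage Encrypted:\s+100')
    return $status
}

function Unlock-BitLockerToGo([string]$Volume) {
    # Scriptable equivalent of the password prompt in Figure E; -pw asks for the password
    & manage-bde.exe -unlock $Volume -pw
    if ($LASTEXITCODE -ne 0) { throw "unlocking $Volume failed (exit code $LASTEXITCODE)" }
}

Assert-Elevated
Enable-BitLockerToGo -Volume $Drive -RecoveryDir $RecoveryFolder
Wait-ForEncryption $Drive | Write-Output
```

After the script finishes, `manage-bde -status E:` shows the drive as fully encrypted with a password protector plus the recovery protectors, and the next time the drive is inserted on a different computer `Unlock-BitLockerToGo 'E:'` (or the Explorer prompt) is required before any data is readable. Keeping the recovery record outside the drive is the whole point of the check in Enable-BitLockerToGo: a recovery key that travels with the drive protects nothing.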
Other Operating Systems
Since BitLocker To Go was first introduced in Windows 7, you may be wondering what happens if you insert an encrypted flash drive into a PC that is running an older operating system. Figure G shows what happens when you insert an encrypted flash drive into a machine that is running Windows Vista.
Figure G: Vista gives you the option of installing a BitLocker To Go Reader
Although Vista does not natively support BitLocker To Go, you are provided with the option of installing a BitLocker To Go Reader. This reader is stored on the encrypted drive (in an unencrypted discovery area), so it is possible to install the reader even if you do not have Internet access. Two limitations are worth knowing: the reader gives read-only access on Windows XP and Vista (files can be copied off the drive but not written to it), and it is only placed on drives formatted with FAT, FAT32, or exFAT, so an NTFS-formatted flash drive cannot be opened on an older operating system at all.
In this article, I have shown you how you can use BitLocker To Go to manually encrypt a USB flash drive. In Part 2 of this series, I will show you how you can use Group Policy to automate the process.