MCTS 70-680: BitLocker


Uploaded by itfreetraining on 14.11.2011

Transcript:
Welcome back to your free training course for Windows 7. In this video I will look at
BitLocker. BitLocker is a technology that allows you to encrypt your entire hard disk
including the operating system. The reason you would want to do this is to protect your
computer's data if it is stolen. With Windows 7 you also have the option to encrypt a data
drive, a feature not available in Windows Vista until the release of Service Pack 1.
Products like BitLocker are important because many companies consider the data on the laptop
to be more valuable than the laptop. If the data on a laptop were to get into the wrong
hands, a company could lose its competitive advantage.
Windows 7 and BitLocker help secure your data by making it impossible to perform what is
referred to as an offline attack. An offline attack is when you remove the hard disk from
the computer and place it in another computer. From here you can access the files on the
hard disk by bypassing the need to have a user name and password.
The second type of offline attack is when you leave the hard disk in the computer and
boot the computer into another operating system, usually from a DVD. Types of boot disks include
Windows PE and Linux recovery disks. BitLocker prevents this from occurring by looking at
the start up process used to boot the computer. If the boot process is not the one that it
is expecting, for example an attempt is made to boot from Windows PE, the hard disk will
not be readable. It is also recommended that you use BitLocker
with a Trusted Platform Module or TPM. A TPM is a chip on the motherboard. BitLocker uses
this chip to hold the encryption keys and check the boot-up sequence. If the startup
sequence is correct, the TPM chip will allow the hard disk to be decrypted.
The TPM chip stores cryptographic keys, but you can also get BitLocker to work without
a TPM. For example, you could store the keys on a USB key instead. When you boot the computer
you simply need to insert the USB key at start-up. Once the system has booted you can remove
the USB key and put it in a safe place. Before you can start using BitLocker your
system needs to meet a few requirements. Firstly, you need to be running Windows 7 Enterprise
or Ultimate edition. BitLocker also requires a 100 megabyte system partition, as shown.
When you install Windows 7 this partition will be created automatically but the partition
will not be given a drive letter so you may not have even known it existed. If this partition
does not exist, don’t worry, when you configure BitLocker in Windows 7 the partition will
be created automatically. Next, if you are going to use a TPM, the TPM
chip needs to be version 1.2 or higher. If Windows 7 is not detecting your TPM chip
then it may need to be enabled in the BIOS. Once you meet the requirements for BitLocker
you next need to decide what mode to run it in.
The first mode is TPM only. When the computer starts up, a system check is performed and
if the computer is booting up the way it is expected then the operating system will start.
This means that if a person were to steal your computer, they could still boot the computer
up without any usernames or keys. Assuming a username and password has been set in Windows
the thief will be stopped at the login screen. The thief will need to know a user name and
password to access the computer. Since the hard disk is encrypted the thief will not
be able to use an offline attack on the computer. Of course the thief could reformat the computer
and use it that way, but at least you know that your information is safe as it will be
destroyed in that process. The next mode is TPM with a PIN. When the
computer is started up, the user is prompted for a PIN. Without this PIN the computer can’t
start. The next form of security is TPM with a USB
key. Rather than trying to remember a PIN, you can store a key on a USB key that is read
during boot-up. If the computer is always on, you could store the USB key in a safe.
If the computer crashes or needs to be rebooted, you could get the USB key out of the safe
to start the computer. If you want more security you can use the
TPM chip with a USB key and a PIN. This is the most secure of these options. Lastly, if
you do not have a TPM chip in your computer you can use BitLocker with just a USB key.
Regardless of which method you use, if you don’t have the correct key or keys, or
the operating system boot process changes, for example the BIOS is upgraded, the computer
will go into TPM recovery mode. This mode allows you to recover your system in the
event that you lose your key or change your hardware. Let’s look at how to configure
BitLocker on a Windows 7 computer. First of all I will open Disk Management from
the Start menu. Normally when you install Windows 7 a separate partition will be created.
On this system I installed Windows 7 making sure that there was only one partition on
the hard disk. I will now close Disk Management and open Control
Panel. To access BitLocker, open System and Security and then select BitLocker Drive Encryption.
To configure BitLocker select the option turn on BitLocker to start the BitLocker wizard.
Once Windows does a quick check of your system to make sure it meets the requirements, the
wizard will inform you the steps it needs to do in order to get BitLocker configured.
On this system the BitLocker partition needs to be created.
This partition will contain a small operating system. Since the c drive will be encrypted
it will not be accessible without some bootstrap software to interface with the TPM chip
and start Windows 7. This partition is where that software lives.
The next step is to configure the TPM chip to work with Windows 7. Lastly
the drive needs to be encrypted. Once I press next I get a message reminding me that it
is a good idea to back up my data before proceeding. Once I press next BitLocker will start creating
the partition it needs to operate. This does take a few minutes so I will speed up the
process. Once complete, if I now open disk management again you can see a 300 megabyte
partition has been created for BitLocker. BitLocker only requires a 100 megabyte partition
but don’t be surprised if you see a 200 megabyte or 300 megabyte partition here. Microsoft
allows 3rd parties to store their own recovery tools in this partition alongside BitLocker
so the partition may be larger than 100 megabytes. I will now reboot the computer, speeding up
the process so we don’t have to wait. Once the system has rebooted and you have
logged back in, the BitLocker wizard will automatically start again from where it left off. Once
I press next, the next step is to configure the TPM hardware. This unfortunately does
require another restart. During the computer start-up, a screen will
appear asking you to confirm that TPM ownership will be changed. In order for the TPM to be used
by Windows, ownership of the TPM needs to be given to Windows, so I will press F1.
Once the operating system starts up again and I log back in, the BitLocker wizard will
once again start up. The last step of the process is to encrypt the hard disk. Once
I press next I will be asked where to save the recovery key. The recovery key is required
if you ever move the hard disk to another computer or for some reason you can’t access the
hard disk. You have 3 options. The recovery key can be saved to a USB flash drive, to
a file or even printed out. Regardless of which option you select you need to keep the
data in a safe place and don’t keep it on the hard disk that you encrypt. If you do
you will not be able to read the file if you lose access to the hard disk. In this case
I will save the recovery key to a USB flash drive.
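The recovery key saved in this step is a 48-digit recovery password. As an added example that is not part of the original video or its course materials, the following Python script reads a saved recovery file and checks the password's structure offline: each six-digit group must be a multiple of 11 (the last digit acts as a check digit) and the quotient must fit in 16 bits, so the eight groups together encode a 128-bit value. The sample file contents and its labels are constructed for the example and are not a real key.

```python
import re
from typing import List, Optional

# Constructed sample of a saved recovery-key text file (NOT a real key; the
# labels only approximate the layout the Windows 7 wizard writes).
SAMPLE_FILE = """BitLocker Drive Encryption Recovery Key

The recovery key is used to recover the data on a BitLocker protected drive.

Recovery key identification: EXAMPLE-ID-PLACEHOLDER

BitLocker Recovery Key:
135795-720885-000011-597531-366663-109989-012342-654313
"""

# Eight groups of six digits separated by hyphens.
PASSWORD_RE = re.compile(r"\b(\d{6}(?:-\d{6}){7})\b")


def extract_recovery_password(text: str) -> Optional[str]:
    """Pull the 48-digit recovery password out of a saved recovery file."""
    m = PASSWORD_RE.search(text)
    return m.group(1) if m else None


def check_group(group: str) -> Optional[str]:
    """Describe the problem with one six-digit group, or None if it is valid."""
    if not re.fullmatch(r"\d{6}", group):
        return f"{group!r}: not six digits"
    value = int(group)
    if value % 11:  # the check digit makes every valid group a multiple of 11
        return f"{group}: check digit wrong (not a multiple of 11)"
    if value // 11 > 0xFFFF:  # each group carries a 16-bit word of the key
        return f"{group}: out of range (quotient exceeds 16 bits)"
    return None


def validate_recovery_password(password: str) -> List[str]:
    """Return every problem found; an empty list means the password is well formed."""
    groups = password.split("-")
    if len(groups) != 8:
        return [f"expected 8 groups, found {len(groups)}"]
    return [p for p in (check_group(g) for g in groups) if p]


def recovery_password_words(password: str) -> List[int]:
    """The eight 16-bit words a well-formed password encodes."""
    if validate_recovery_password(password):
        raise ValueError("malformed recovery password")
    return [int(g) // 11 for g in password.split("-")]


if __name__ == "__main__":
    pw = extract_recovery_password(SAMPLE_FILE)
    print(pw, validate_recovery_password(pw) or "well formed")
```

This only confirms the stored password is well formed, so a mistyped or partially printed key is caught early; the wizard's system check is still what proves the key unlocks this particular drive.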
If I open Windows Explorer and open the recovery file, notice that the BitLocker recovery key is
at the bottom. This is the key that you will need to enter if you ever need to recover
the system. Now that I have the recovery key saved, I will close the file and continue
the wizard. On the next screen I can select the option
“run BitLocker system check”. This checks the recovery key on the
USB flash drive to ensure that it can be used to recover the system. Although this step
is not required, I would recommend performing it so you know the recovery key is working
correctly. You don’t want to find out this fact when you are trying to recover the hard
disk later on. Windows 7 will once again want to restart
the computer. I have accelerated this process so we don’t have to wait. Once the computer
has rebooted and I am logged in again, notice at the bottom right-hand corner the balloon
telling us the drive is being encrypted. If I click the balloon I can see the progress
of encrypting the hard drive. While this is happening, I can still use the operating system,
but it is not a good idea to interrupt the process, for example by shutting down or rebooting the
system. The whole hard disk needs to be encrypted
including free space, so the process does take a long time to complete. I will pause the video
and return once it is complete. If I now open Control Panel, go back to
System and Security and open BitLocker Drive Encryption, I have a few options for BitLocker.
If I want to remove BitLocker completely I can select the option turn off BitLocker.
This will decrypt the hard disk and remove BitLocker.
The next option, suspend protection, will temporarily disable some of the features of
BitLocker. If you are planning on changing part of the startup process, including upgrading
the BIOS, you will need to suspend protection. If you don’t perform this step, BitLocker
will think the system has been tampered with and BitLocker will boot into recovery mode.
The next option, manage BitLocker, allows you to resave or print the recovery key for
BitLocker in case you have lost it. At the bottom left-hand side of the screen you have the
option TPM administration. Selecting this option will allow you to perform administrative
actions on the trusted platform module. This concludes how to set up BitLocker on
Windows 7. In the next video I will look at setting up BitLocker To Go. In the video after
that I will look at setting up a data recovery agent for BitLocker. For more videos in this
free training course please see our web page or YouTube channel. Thanks for watching.