Walkthrough for BitLocker on Windows 7

Windows 7 is the next-generation operating system due from Microsoft, and it is still planned for release in early 2010, which would be three years after the release of Windows Vista.

This article is a walkthrough of the steps for enabling BitLocker on your Windows 7 system.

[NOTES FROM THE FIELD] Microsoft has now released the Release Candidate for Windows 7; I have already written a brief article on it, Windows 7 Release Candidate (Build 7100) – Early Details. At this time there is a tentative release date for Windows 7 this fall, supposedly near the end of October.

An Overview of BitLocker on Windows 7

A write-up provided by Microsoft titled Windows 7 Pre-release (M3) Privacy Supplement (last updated in October of 2008) indicated that only certain versions of Windows 7 would natively include BitLocker; they were “Windows 7 Enterprise Edition and Windows 7 Ultimate Edition”.

This may have changed since that information was released, but I still do not know of any versions other than Windows 7 Starter Edition, Windows 7 Home Basic, Windows 7 Home Premium, Windows 7 Professional, Windows 7 Enterprise and Windows 7 Ultimate.

[NOTES FROM THE FIELD] I am speculating that, since there is no Windows 7 Business Edition listed as we have with Vista, there will be no release in that category and that Windows 7 Professional may well be the replacement for it.

Having said that, it would appear that only Windows 7 Enterprise Edition and Windows 7 Ultimate Edition would natively include BitLocker unless Microsoft makes any changes or releases any additional information on its proposed SKUs (stock keeping units).

System requirements for BitLocker Drive Encryption

There are system requirements that must be met in order to leverage BitLocker. The quick rundown of these requirements is:

  • For BitLocker to use the system integrity check provided by the Trusted Platform Module (TPM), the system must have a TPM running version 1.2; otherwise BitLocker will require you to save a startup key on a removable device such as a USB flash drive.
  • Systems with a TPM must also have a Trusted Computing Group (TCG) compliant BIOS, which provides the required chain of trust for the initialization process before the operating system loads. Systems without a TPM do not require a TCG-compliant BIOS.
  • The system BIOS for both TPM and non-TPM systems must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
  • You need a primary partition that is at least 1.5 gigabytes (GB) in size, and it needs to be marked as the active partition. This partition is used by bootmgr to boot the system, and the boot files are also found on it.
  • You’ll need at least one other primary partition to be used for the operating system and for data storage.
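
The requirements above can be pre-checked from an elevated PowerShell prompt. This is an added example, not part of the original article; the function name Test-BitLockerPrerequisite is hypothetical, and the script relies on the standard Win32_Tpm and Win32_DiskPartition WMI classes.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Test-BitLockerPrerequisite is a hypothetical helper name.
function Test-BitLockerPrerequisite {
    $minActiveBytes = 1.5GB   # minimum size of the active partition, per the list above

    # TPM check: Win32_Tpm returns nothing when no TPM is visible to Windows.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = $null
    if ($tpm) {
        # SpecVersion looks like "1.2, 2, 3"; the first field is the spec version.
        $tpmVersion = ($tpm.SpecVersion -split ',')[0].Trim()
    }

    # Partition check: BootPartition is true for the active partition.
    $parts   = @(Get-WmiObject -Class Win32_DiskPartition)
    $active  = @($parts | Where-Object { $_.BootPartition -and $_.PrimaryPartition })
    $activeBigEnough = @($active | Where-Object { $_.Size -ge $minActiveBytes })
    $otherPrimary    = @($parts | Where-Object { $_.PrimaryPartition -and -not $_.BootPartition })

    # The BIOS requirements (TCG compliance, pre-boot USB mass storage support)
    # are not exposed through these classes and are not checked here.
    New-Object PSObject -Property @{
        TpmPresent            = [bool]$tpm
        TpmSpecVersion        = $tpmVersion
        TpmIsVersion12        = ($tpmVersion -eq '1.2')
        NeedsUsbStartupKey    = (-not $tpm) -or ($tpmVersion -ne '1.2')
        ActivePartitionFound  = ($active.Count -gt 0)
        ActivePartitionSizeOk = ($activeBigEnough.Count -gt 0)
        SecondPrimaryFound    = ($otherPrimary.Count -gt 0)
    }
}

Test-BitLockerPrerequisite | Format-List
```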

I won’t go into many additional details in this overview, as much of that would repeat my article A Security Comparison Overview of BitLocker and Encrypting File System (EFS) in Windows 7 PART 2 – BitLocker for Windows 7, which is already posted online. Instead, I will go straight into the walkthrough from here.

Getting Started with BitLocker Drive Encryption

To get started with BitLocker you would open up the Control Panel and choose the System and Security category and then choose the BitLocker Drive Encryption subcategory.

Bitlocker_for_Windows_7_1

Bitlocker_for_Windows_7_2

Once you do that you’ll see the “Help protect your files and folders by encrypting your drives” screen and we are going to choose “New Volume (E:)” to turn on BitLocker by selecting the “Turn On BitLocker” link option next to the volume description.

Bitlocker_for_Windows_7_3

The next screen we’re presented with is the “Choose how you want to unlock this drive” page. We will select the “Use a password to unlock this drive” checkbox and enter a password twice before hitting NEXT to continue.

Bitlocker_for_Windows_7_4

The next property page we arrive at is the “How do you want to store your recovery key” page. There are three options to choose from but for the purposes of this walkthrough we are going to choose the “Save the recovery key to a USB flash drive” option and choose NEXT to continue.

Bitlocker_for_Windows_7_5

[NOTES FROM THE FIELD] If you chose the print option you’d see a file print out much like the image below.

Bitlocker_for_Windows_7_7


Additionally, if you saved it to a file instead you’d see the output of the file.xps file as shown below.

Bitlocker_for_Windows_7_6

After choosing the “Save the recovery key to a USB flash drive” option and then NEXT to continue we arrive at the “Encrypt the drive” property page where we have the summary of our actions shown and the option to cancel our efforts or to choose “Start Encrypting” to continue.

Bitlocker_for_Windows_7_8

Once we choose “Start Encrypting” the property page closes and we see a smaller status / progress window of the ongoing actions and the final result when the drive is fully managed by BitLocker Drive Encryption.

Bitlocker_for_Windows_7_9

Bitlocker_for_Windows_7_10

What you’ll notice now on the “Help protect your files and folders by encrypting your drives” screen is that the icon for “New Volume (E:)” has changed to show a set of keys, which represents the drive being locked and under the security of BitLocker Drive Encryption.

Bitlocker_for_Windows_7_12

You’ll also notice a couple of administrative options (provided you are logged in as an Administrator and the options are not managed in some other way – e.g. Group Policy) next to your BitLocker controlled drive: “Turn Off BitLocker” and “Manage BitLocker.”
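
The state that the changed icon represents can also be confirmed from an elevated PowerShell prompt, which is useful when checking many machines. This is an added example, not part of the original article; the function name Get-BitLockerVolumeSummary is hypothetical, and the script reads the standard Win32_EncryptableVolume WMI class for the E: volume used in this walkthrough.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Get-BitLockerVolumeSummary is a hypothetical helper name; E: is the walkthrough's volume.
function Get-BitLockerVolumeSummary {
    param([string]$DriveLetter = 'E:')

    $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'" -ErrorAction SilentlyContinue
    if (-not $vol) { throw "No BitLocker-capable volume found at $DriveLetter" }

    # Value names as documented for Win32_EncryptableVolume.
    $conversionNames = 'FullyDecrypted', 'FullyEncrypted', 'EncryptionInProgress',
                       'DecryptionInProgress', 'EncryptionPaused', 'DecryptionPaused'
    $protectionNames = 'Off', 'On', 'Unknown (volume may be locked)'
    $protectorNames  = @{ 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'; 8 = 'Passphrase' }

    $conversion = $vol.GetConversionStatus()
    $protection = $vol.GetProtectionStatus()

    # GetKeyProtectors(0) lists the IDs of every protector on the volume.
    $types = @()
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        if ($id) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    }

    New-Object PSObject -Property @{
        Drive             = $DriveLetter
        ConversionStatus  = $conversionNames[[int]$conversion.ConversionStatus]
        EncryptedPercent  = $conversion.EncryptionPercentage
        ProtectionStatus  = $protectionNames[[int]$protection.ProtectionStatus]
        Protectors        = @($types | ForEach-Object {
                                if ($protectorNames.ContainsKey($_)) { $protectorNames[$_] } else { "Type $_" } })
        HasPassword       = ($types -contains 8)
        HasRecoveryMethod = ($types -contains 2) -or ($types -contains 3)
    }
}

Get-BitLockerVolumeSummary -DriveLetter 'E:' | Format-List
```

A volume that reports HasPassword as true but HasRecoveryMethod as false has no recovery path if the password is lost. The built-in manage-bde -status E: command reports the same conversion and protection state.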

A little management of BitLocker Drive Encryption

We’ll continue the walkthrough by selecting the “Manage BitLocker” option, which brings up the “Selection options to manage” screen.

Bitlocker_for_Windows_7_13

We’ll choose the “Change password to unlock the drive” option.

Bitlocker_for_Windows_7_14

When we do this we are presented with the “Create a password to unlock this drive” page and we can enter in a new password of our choosing.

The image above shows the error that is thrown when the passwords between the two fields do not match. The one below shows the error thrown when you attempt to enter a password that does not meet the minimum length requirements.

Bitlocker_for_Windows_7_15

Once you enter a password that does meet the minimum length requirements you’ll have finished with this step.

Bitlocker_for_Windows_7_15

And that’s it – your drive is now protected via BitLocker Drive Encryption and locked with the password of your choice.

That’s a wrap for my Walkthrough for BitLocker on Windows 7 article – I hope you found it a good investment of your time.

In my next article Walkthrough for BitLocker To Go on Windows 7 I will be reviewing some of the high level information on the BitLocker To Go functionality which extends BitLocker data protection to USB storage devices allowing them to be secured and performing a walkthrough of those steps.

I am always looking forward to any feedback you have on this or any of the articles I have written so feel free to drop in some comments or contact me directly.

Additionally, I would welcome any suggestions for topics of interest that you would like to see, and based on demand and column space I’ll do what I can to deliver them to you.

Best of luck in your studies.