
Managing client encryption with BitLocker To Go

Windows 7 Enterprise (and Ultimate) users have access to BitLocker To Go, Microsoft's encryption feature for removable drives. Find out how to turn it on and how to enforce it across a domain with Group Policy settings.

If you're running Windows 7 Enterprise, you have access both to BitLocker, the full-volume encryption feature built into Windows, and to BitLocker To Go, a simple but effective extension of it that applies the same encryption to removable drives such as USB memory sticks and external hard drives, once it is turned on for a drive by the user or required by policy.

USB sticks seemingly grow legs, and they often contain sensitive information: the presentation you're making for a client, the latest research and development budget you're taking home for the evening, or saved emails you want to keep off company servers but still keep for future use. And because memory sticks are so small, you've probably owned three times as many as you think you have, and lost a third of them. If you didn't put something sensitive on one, chances are a colleague did.

How to use BitLocker To Go
BitLocker To Go protects the removable drive with a password (or a smart card) that is required to unlock the drive and read its contents. When a user inserts the drive into a Windows 7 computer, Windows prompts for that password before any files are visible.

To turn on BitLocker To Go, a user must do the following:

  1. Insert a USB drive into a Windows 7 machine.
  2. Right-click on the drive from within the computer window and select "Turn On BitLocker" from the pop-up context menu.
  3. BitLocker then initializes the drive. This is non-destructive, so data already stored on the drive is preserved.
  4. Once initialization is finished, the user chooses whether the drive will be unlocked with a password or with a smart card.
  5. The user can save the recovery key to a file or print a hard copy of it. The recovery key unlocks the drive if the smart card is lost or the password forgotten, so it should be stored somewhere other than on the drive itself.
  6. The actual encryption process begins.
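The same procedure from the command line, as an added example that is not part of the original article: Windows 7 has no BitLocker PowerShell module, so the script below drives manage-bde.exe (the command-line front end that ships with Windows 7 Enterprise and Ultimate) from an elevated PowerShell prompt. It adds a password protector (manage-bde prompts for the password, matching step 4), a 48-digit numerical recovery password and a .BEK recovery key file (step 5), then polls the conversion status until the drive is fully encrypted (step 6). The drive letter and the key-file directory are example values.

```powershell
# Added example, not from the original article or from Microsoft.
# Run from an elevated PowerShell prompt on Windows 7 Enterprise/Ultimate.
# $Drive and $KeyDir are example values; change them for your environment.
param(
    [string]$Drive  = "E:",
    [string]$KeyDir = "$env:USERPROFILE\Documents\BitLockerKeys"   # assumed location for the .BEK file
)

function Get-BdeStatus([string]$Volume) {
    # Parse the text that "manage-bde -status <volume>" prints into a hashtable.
    $out = & manage-bde.exe -status $Volume 2>&1 | Out-String
    $status = @{}
    foreach ($key in 'Conversion Status', 'Percentage Encrypted', 'Protection Status', 'Lock Status') {
        if ($out -match "$key\s*:\s*([^\r\n]+)") { $status[$key] = $Matches[1].Trim() }
    }
    return $status
}

if (-not (Test-Path $KeyDir)) { New-Item -ItemType Directory -Path $KeyDir | Out-Null }

$before = Get-BdeStatus $Drive
if ($before['Protection Status'] -eq 'Protection On') {
    Write-Host "$Drive is already protected; nothing to do."
    return
}

# -Password prompts for the unlock password (the wizard's step 4).
# -RecoveryPassword adds the 48-digit numerical recovery password and
# -RecoveryKey writes a .BEK key file into $KeyDir (step 5).
# Encryption starts immediately and is non-destructive (steps 3 and 6).
& manage-bde.exe -on $Drive -Password -RecoveryPassword -RecoveryKey $KeyDir
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Poll until conversion completes. A drive pulled out mid-encryption is left
# partially encrypted; BitLocker resumes where it left off when it is reinserted.
do {
    Start-Sleep -Seconds 10
    $s = Get-BdeStatus $Drive
    Write-Host ("{0}: {1} ({2})" -f $Drive, $s['Conversion Status'], $s['Percentage Encrypted'])
} while ($s['Conversion Status'] -ne 'Fully Encrypted')

# Print the protectors, including the recovery password and its ID, so the
# help desk can record them; do not leave this output on the drive itself.
& manage-bde.exe -protectors -get $Drive
```

The recovery password printed at the end is what a user will need if the password is forgotten, so capture it in your key-escrow process (or have Group Policy back it up to Active Directory, as described below) rather than relying on the user to keep it.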

It's pretty seamless to use with Windows 7 once the drive is encrypted -- when you pop the drive in, Windows prompts you for your password or smart card. With Windows XP and Windows Vista, it's a little different: AutoPlay will prompt you to install the BitLocker To Go Reader software that is copied to the drive as part of the initialization process.

Once the program is installed -- it's very light, so the whole process should take under a minute -- you'll be prompted to enter your password and decrypt the drive for your session. The reader software presents a Windows Explorer-like interface showing the contents of the drive. Once you pick what you want to open, the program copies it to the desktop and opens it. The whole session is read-only -- no writing to the protected drive can take place on a Windows XP or Windows Vista computer.

Using Group Policy to automate BitLocker To Go
You can use Group Policy to manage the settings and configuration of BitLocker To Go across your domain, taking the responsibility out of users' hands and establishing a consistent policy across your organization.

Figure A shows the individual settings available for removable drives, located in the Group Policy Object Editor under Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Removable Data Drives. Here's what each of them does.

  • Control use of BitLocker on removable drives: This setting determines whether users can turn BitLocker To Go on for removable drives themselves and, separately, whether they can suspend or decrypt drives that are already protected. Disabling it prevents users from enabling BitLocker To Go at all.
  • Configure use of smart cards on removable data drives: Administrators can use this setting to permit, deny or require that smart cards be used to unlock BitLocker To Go drives.
  • Deny write access to removable drives not protected by BitLocker: Unprotected removable drives mount read-only until the user encrypts them, so BitLocker To Go becomes a precondition for copying data off the machine. A sub-option additionally blocks writing to drives that were encrypted under another organization's identification field.
  • Allow access to BitLocker-protected removable data drives from earlier versions of Windows: This option dictates whether FAT-formatted drives can be unlocked on Windows XP and Windows Vista, and whether the BitLocker To Go Reader is copied to them during initialization. The reader does not work with NTFS-formatted drives.
  • Configure use of passwords for removable data drives: You can use this to require a password, enforce complexity requirements and set a minimum length (the default minimum is eight characters), so that password policy is consistent across your organization.
  • Choose how BitLocker-protected removable drives can be recovered: This option specifies how data can be recovered from an encrypted volume if the user loses his smart card or forgets his password: whether a data recovery agent may be used, whether users can save or print a 48-digit recovery password and a recovery key, and whether recovery information must be backed up to Active Directory Domain Services before encryption is allowed to begin.
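Once these policies are deployed, you will want to confirm that they actually reached the clients and that removable drives in use are protected. The script below is an added example, not part of the original article or a Microsoft tool: it reads the registry values the Removable Data Drives policies write under HKLM\SOFTWARE\Policies\Microsoft\FVE, then queries the BitLocker WMI provider (Win32_EncryptableVolume, available on Windows 7) for every removable volume and reports its protection state. The mapping from policy name to registry value names is taken from VolumeEncryption.admx as I remember it and is an assumption to verify against your own copy of the template; the computer name is an example parameter.

```powershell
# Added example, not from the original article or from Microsoft.
# Run elevated. "." means the local machine; pass a remote name to audit another
# Windows 7 client over WMI (assumes remote WMI/DCOM access is permitted).
param([string]$ComputerName = ".")

$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

# Policy name (as shown in the GPO editor) -> registry values written when it is
# Enabled. Names assumed from VolumeEncryption.admx; verify against your template.
$policies = @(
    @{ Policy = "Control use of BitLocker on removable drives";
       RegValues = "RDVConfigureBDE", "RDVAllowBDE", "RDVDisableBDE" },
    @{ Policy = "Configure use of smart cards on removable data drives";
       RegValues = "RDVAllowUserCert", "RDVEnforceUserCert" },
    @{ Policy = "Deny write access to removable drives not protected by BitLocker";
       RegValues = "RDVDenyWriteAccess", "RDVDenyCrossOrg" },
    @{ Policy = "Allow access to BitLocker-protected removable data drives from earlier versions of Windows";
       RegValues = "RDVNoBitLockerToGoReader", "RDVDiscoveryVolumeType" },
    @{ Policy = "Configure use of passwords for removable data drives";
       RegValues = "RDVPassphrase", "RDVEnforcePassphrase", "RDVPassphraseComplexity", "RDVPassphraseLength" },
    @{ Policy = "Choose how BitLocker-protected removable drives can be recovered";
       RegValues = "RDVRecovery", "RDVRecoveryPassword", "RDVRecoveryKey", "RDVActiveDirectoryBackup", "RDVRequireActiveDirectoryBackup" }
)

function Get-RemovableDrivePolicy {
    # One object per policy: the registry values present, or "Not Configured".
    foreach ($p in $policies) {
        $found = @()
        foreach ($v in $p.RegValues) {
            $val = (Get-ItemProperty -Path $fve -Name $v -ErrorAction SilentlyContinue).$v
            if ($val -ne $null) { $found += "$v=$val" }
        }
        $setting = "Not Configured"
        if ($found.Count -gt 0) { $setting = $found -join "; " }
        New-Object PSObject -Property @{ Policy = $p.Policy; Setting = $setting }
    }
}

function Get-RemovableDriveStatus {
    # DriveType 2 = removable disk. Win32_EncryptableVolume is BitLocker's WMI
    # provider; GetProtectionStatus returns 0 = off, 1 = on, 2 = unknown.
    $map = @{ 0 = "Off"; 1 = "On"; 2 = "Unknown" }
    $removable = Get-WmiObject -ComputerName $ComputerName -Class Win32_Volume -Filter "DriveType = 2" |
                 Where-Object { $_.DriveLetter }
    foreach ($vol in $removable) {
        $bde = Get-WmiObject -ComputerName $ComputerName `
                 -Namespace root\CIMV2\Security\MicrosoftVolumeEncryption `
                 -Class Win32_EncryptableVolume -Filter "DriveLetter = '$($vol.DriveLetter)'"
        $prot = "no BitLocker volume object"
        $pct  = $null
        if ($bde -ne $null) {
            $prot = $map[[int]$bde.GetProtectionStatus().ProtectionStatus]
            $pct  = $bde.GetConversionStatus().EncryptionPercentage
        }
        New-Object PSObject -Property @{
            Drive = $vol.DriveLetter; Label = $vol.Label; FileSystem = $vol.FileSystem
            Protection = $prot; PercentEncrypted = $pct
        }
    }
}

"Removable Data Drives policy on ${ComputerName}:"
Get-RemovableDrivePolicy | Format-Table Policy, Setting -AutoSize -Wrap

"Removable volumes currently attached:"
Get-RemovableDriveStatus | Format-Table Drive, Label, FileSystem, Protection, PercentEncrypted -AutoSize
```

A drive that shows Protection = Off on a machine where RDVDenyWriteAccess is set should be read-only to the user; if it is writable, the policy has not applied (run gpupdate /force and check gpresult) rather than BitLocker being at fault. Volumes with no Win32_EncryptableVolume object are typically formatted with a file system BitLocker does not support on that drive.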

With these BitLocker To Go options, you can set simple, centrally enforced controls over how removable drives are used on the Windows machines at your organization.

Jonathan Hassell
is an author, consultant and speaker residing in Charlotte, N.C. His books include RADIUS, Hardening Windows and, most recently, Windows Vista: Beyond the Manual.
