
How to Encrypt Documents with BitLocker on Your Vista Computer

ESTIMATED TIME TO COMPLETE: 15 MINS

What do you carry around on your laptop? Does it include things like your resume, transcripts, school or internship applications, or financial records? If you are using a laptop for your job, maybe you have files like human resources records, student applications, transcripts, human subject research data or payroll information.

These documents likely include some form of SENSITIVE DATA, which is data whose unauthorized disclosure may have a serious adverse effect on the University’s reputation, resources, services or individuals. If your laptop falls outside of your physical control due to loss or theft, you’ll want the data inside to be electronically inaccessible.

Encryption is the standard technology used to protect sensitive data from unauthorized disclosure. Windows Vista makes encryption easy by providing two built-in tools: the Encrypting File System (EFS) and BitLocker. EFS encrypts specific files and folders, while BitLocker encrypts the entire Windows volume.

BitLocker is the recommended method for securing your information because:

  • you don’t have to remember to save documents into encrypted folders; everything on the drive is encrypted.
  • you don’t have to worry about unencrypted sensitive data left over in temp files, page files, hibernation files, etc.

Be aware that BitLocker has certain requirements:

  • you must be running Vista Ultimate or Vista Enterprise Edition.
  • Vista must be installed onto a suitable hard disk configuration.
  • even though it’s not technically required, we highly recommend that you use a laptop with a Trusted Platform Module (TPM) v1.2 chip (see Requirement 3 below for more information).

This security short will tell you how to determine whether or not you meet these requirements and, if not, what you can do about it, before enabling BitLocker.

BEFORE YOU PROCEED:

These Security Shorts are intended for non-technical users who manage their own computers. If your laptop is managed by an IT department, do not proceed. Contact your IT administrator for further assistance.

Please note that in order to complete this process, you will need a new back-up thumb drive that can’t be used for other purposes.

Keep in mind:

  • Disk encryption technologies such as BitLocker protect the data stored on the laptop, but they do nothing to protect data that is transmitted over the network or via e-mail.
  • BitLocker only protects the drive while the computer is shut down or hibernating. Once you have logged in, the volume is unlocked: BitLocker does not protect your data if you visit a malicious Web site or open a malicious e-mail, and a laptop that is merely asleep or locked still holds the key in memory and is not protected by BitLocker.
  • Remember to back up your data and encryption keys, or you risk losing your data irretrievably.

Requirement 1: You must be running Vista Enterprise or Ultimate

To find out what version of Vista you are running:

  • Click Start in the bottom left corner
  • Type winver in the Search bar

[Screenshot: winver “About Windows” dialog]

If the version of Vista does not say Enterprise or Ultimate, then you’ll need to upgrade.

If you are currently running Windows XP on an older laptop, you’ll likely need to upgrade your hardware as well in order to meet Vista’s minimum hardware requirements. You can use the following site to identify Vista-compatible laptops: http://winqual.microsoft.com/HCL/Default.aspx.

Note: Vista-compatible does not necessarily mean BitLocker-compatible. See Requirement 3 (TPM v1.2 chip) for further information, including recommended Dell models, regarding the hardware recommended for BitLocker.

Requirement 2: Vista must be installed onto a suitable hard disk configuration

Note: At the time of this writing, Dell does not ship a laptop with a BitLocker-ready hard drive configuration via M-MarketSite, and even via Dell-Online customers cannot customize the hard disk configuration. It is therefore highly likely that an IT Pro will have to reconfigure inbound Dell systems for BitLocker.

The easiest way to tell whether your Vista Ultimate or Enterprise system was installed onto a suitable (two-partition) hard disk configuration is to try to configure BitLocker:

  1. Click Start > Control Panel
  2. Click the Classic View on the left side.
  3. Double-click BitLocker Drive Encryption
  4. Click Continue to tell Vista it’s OK to run the program with Administrative privileges

If your current drive layout is not suitable for BitLocker, you’ll see a message like the following:

[Screenshot: drive layout error message]

In this case, you’ll need an IT professional to back up your data and then reconfigure your hard disk for BitLocker. To make this process easier, Microsoft provides a BitLocker Drive Preparation Tool, which shrinks the existing Windows volume and creates the separate active system partition that BitLocker requires. Refer your IT professional to http://support.microsoft.com/kb/930063 for further information regarding this tool.

If you are running:

    • Vista Ultimate, the drive preparation tool can be downloaded via Windows Ultimate Extras, which is available on the Start menu.
    • Vista Enterprise, the tool can be downloaded by UM IT Security Professionals from the ITSS web site.

Requirement 3: Use a laptop with a Trusted Platform Module (TPM) v1.2 chip

As of this writing (early 2008) all currently shipping Dell Latitude models contain the TPM v1.2 chip recommended for BitLocker. The easiest way to confirm that your Vista Ultimate or Enterprise system is running on a laptop with a TPM v1.2 chip is to try and configure BitLocker:

  1. Click Start > Control Panel
  2. Click the Classic View on the left hand side
  3. Double-click BitLocker Drive Encryption
  4. Click Continue to tell Vista it’s OK to run the program with Administrative privileges

If your system does not contain a TPM v1.2 chip, you’ll see a message like the following:

[Screenshot: “no TPM chip” error message]

Another clue that your system does not contain a TPM v1.2 chip would be the absence of the TPM Administration option on the left hand side of the BitLocker control panel applet.

[Screenshot: BitLocker control panel without the TPM Administration option]

While it is technically possible to turn on BitLocker without a TPM v1.2 chip (an administrator must first enable the “Enable advanced startup options” Group Policy setting and allow BitLocker without a compatible TPM), we do not recommend it, because the user would have to insert a USB flash drive holding the startup key every time the system boots. A lost or forgotten drive means the laptop will not start at all, so this typically causes more problems than it solves.

If your current laptop is running Vista Ultimate or Enterprise but does not have a TPM v1.2 chip, then we recommend using EFS until your laptop is up for capital replacement and you can get one with a TPM v1.2 chip.

Note: If you believe your system has a TPM chip but Vista does not recognize it, you may need to enable the TPM in the system BIOS. Contact an IT professional for help changing your BIOS settings.
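The three checks above can also be scripted, so that an IT Pro can run them on a batch of inbound laptops instead of clicking through the control panel on each one. The following is an added example, not code from the ITSS page or from Microsoft. It assumes Windows PowerShell 1.0 is installed (on Vista it is an optional download) and that the console was started with “Run as administrator”; the edition SKU numbers, the 1.5 GB partition minimum and the WMI class and property names are from Microsoft’s Vista documentation, while the function names and report messages are this example’s own.

```powershell
# Added BitLocker readiness check (not part of the ITSS page).
# Assumes Windows PowerShell 1.0 on Vista, run from an elevated console: the
# TPM and volume-encryption WMI providers refuse non-elevated callers.

function Test-VistaEdition {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Win32_OperatingSystem.OperatingSystemSKU on Vista: 1 = Ultimate, 4 = Enterprise.
    $ok = ($os.OperatingSystemSKU -eq 1) -or ($os.OperatingSystemSKU -eq 4)
    if ($ok) { return "Edition: $($os.Caption) - OK" }
    return "Edition: $($os.Caption) - not Ultimate/Enterprise, BitLocker unavailable"
}

function Test-SystemPartition {
    # Vista BitLocker needs the active (boot) partition, which keeps the
    # unencrypted boot files, to be separate from the OS volume and at least 1.5 GB.
    $sys = $env:SystemDrive                                   # e.g. "C:"
    $osPart = @(Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID=`"$sys`"} " +
                                      "WHERE AssocClass=Win32_LogicalDiskToPartition"))
    if ($osPart.Count -eq 0) { return "Disk layout: could not map $sys to a partition" }
    $osPart = $osPart[0]
    # Only consider active partitions on the same physical disk as the OS volume,
    # so an inserted USB drive with an active partition does not confuse the check.
    $active = @(Get-WmiObject -Class Win32_DiskPartition -Filter "BootPartition=TRUE" |
                Where-Object { $_.DiskIndex -eq $osPart.DiskIndex })
    if ($active.Count -eq 0) { return "Disk layout: no active partition found on disk $($osPart.DiskIndex)" }
    $active = $active[0]
    if ($active.DeviceID -eq $osPart.DeviceID) {
        return "Disk layout: single partition ($($active.DeviceID)) - run the BitLocker Drive Preparation Tool"
    }
    if ($active.Size -lt 1.5GB) {
        return "Disk layout: active partition is only $([int]($active.Size / 1MB)) MB - Microsoft requires at least 1.5 GB"
    }
    return "Disk layout: separate active partition $($active.DeviceID) - OK"
}

function Test-Tpm {
    $tpm = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftTpm" -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) { return "TPM: none visible to Vista - check whether it is disabled in the BIOS" }
    # The *_InitialValue properties reflect the TPM state reported by the BIOS at boot;
    # SpecVersion begins with the TPM specification revision (e.g. "1.2, 2, 3").
    return "TPM: spec $($tpm.SpecVersion); enabled=$($tpm.IsEnabled_InitialValue) activated=$($tpm.IsActivated_InitialValue) owned=$($tpm.IsOwned_InitialValue)"
}

function Get-BitLockerStatus {
    $vol = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
                         -Class Win32_EncryptableVolume -Filter "DriveLetter='$env:SystemDrive'" `
                         -ErrorAction SilentlyContinue
    if ($vol -eq $null) { return "BitLocker: WMI provider not available (wrong edition, or console not elevated)" }
    # Win32_EncryptableVolume.ProtectionStatus: 0 = off, 1 = on, 2 = unknown
    $names = "off", "on", "unknown"
    return "BitLocker on $($vol.DriveLetter): protection $($names[[int]$vol.ProtectionStatus])"
}

Test-VistaEdition
Test-SystemPartition
Test-Tpm
Get-BitLockerStatus
```

Read the four lines together: a missing volume-encryption provider is itself a sign that Requirement 1 fails, a “single partition” result means the Drive Preparation Tool is needed, and a TPM reported with enabled=False or activated=False must be turned on in the BIOS, as the note above says, before the control panel will see it.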

Enabling BitLocker

As long as you meet the pre-requisites above, enabling BitLocker is fairly straightforward:

Step 1: Click the Turn On BitLocker button
Step 2: Follow the prompts to initialize the TPM (as necessary)
Step 3: Save your Recovery password. DO NOT SKIP THIS STEP.

The remainder of this security short assumes you’ve met the prerequisites above and walks you through these steps. Before starting, make sure:

  • You have a USB flash drive with some unencrypted space to store your BitLocker recovery password.
  • You can print from your laptop so you can generate a hardcopy version of your recovery password

Step 1: Turn On BitLocker

While your data is being encrypted, keep the laptop plugged into AC power rather than running on battery; encryption of a whole drive takes a long time and should not be interrupted.

  1. Click Start > Control Panel
  2. Click the Classic View on the left hand side
  3. Double-click BitLocker Drive Encryption
  4. Click Continue to tell Vista it’s OK to run the program with Administrative privileges. Assuming you’ve met the prerequisites above, you should now see the option to Turn On BitLocker.
  5. Click Turn On BitLocker

[Screenshot: BitLocker control panel showing Turn On BitLocker]

Step 2: Follow prompts to initialize TPM (as necessary)

What happens next depends on the state of the TPM chip in your laptop. If your TPM chip is not initialized, BitLocker will start an initialization process that requires a restart. This doesn’t require much interaction from you other than acknowledging the prompts.

Here’s what that initialization process looks like on a Dell Latitude D620:

  • BitLocker begins initializing the TPM chip after the Turn On BitLocker option is clicked:

[Screenshot: initializing the TPM]

  • After a few minutes, a Restart is requested:

[Screenshot: restart request]

  • Upon reboot, the laptop’s BIOS displays a Dell prompt asking you to confirm the change to the TPM. Select Modify, then press Enter.

[Screenshot: Dell BIOS TPM confirmation message]

If your system restarted in order to initialize the TPM, redo the steps in Step 1 to get back to the BitLocker applet, and then begin Step 3.

Step 3: Save Recovery Password

Once the TPM is initialized (clicking Turn On BitLocker in Step 1 leads here), you’ll be prompted to save the recovery password.

  1. Click Save the password on a USB drive

[Screenshot: Save the recovery password prompt]

    Warning: As the recommendation in the dialog states, you should save multiple copies of the recovery password. If there is a TPM or other boot problem and you do not have a recovery password, your data will be irretrievably lost. Keep the copies somewhere other than the laptop bag: anyone holding the recovery password can unlock the drive without the TPM.

    If your USB drive is not already inserted, you’ll be prompted to do so.

  2. Select the USB drive as the destination for the recovery password and click Save

[Screenshot: USB drive selection dialog]

    After the recovery password is saved to a USB drive, you are returned to the Save Recovery Password dialog where you can make another copy.

  3. Click Print the Password

This will open the Windows common print dialog. Collect the hardcopy off the printer before proceeding. The hardcopy should contain a 48-digit password, printed as eight groups of six digits.

Step 4: Encrypt the Disk

After the recovery password is saved on a USB drive and printed:

  1. Click Next on the Save Recovery Password Dialog to initiate the encryption process
  2. Check the option to Run BitLocker System check, then click Continue

[Screenshot: Run BitLocker system check option]

You’ll be prompted to insert your recovery thumb drive and restart the computer. Click Restart Now.

[Screenshot: prompt to insert the recovery drive and restart]

After the system reboots the encryption process will start automatically:

[Screenshot: encryption in progress after the restart]

You can continue to work while the drive is being encrypted in the background. Until the BitLocker control panel reports that encryption is complete, the parts of the drive not yet converted are still stored in plaintext, so do not treat the laptop as protected before then.

Decrypting a BitLocker-Encrypted Drive

Turn off BitLocker from the same place you turned it on:

  1. Start > Control Panel
  2. Click the Classic View on the left hand side
  3. Double-click BitLocker Drive Encryption
  4. Press Continue to tell Vista it’s OK to run the program with Administrative privileges
  5. The Turn On BitLocker option has changed to Turn Off BitLocker. Select Turn Off BitLocker, then choose Decrypt the volume. (The other choice, Disable BitLocker Drive Encryption, leaves the drive encrypted but stores the key in the clear so that it unlocks without the TPM; use it only temporarily, for example before a BIOS update, and turn BitLocker back on afterwards.)

[Screenshot: Turn Off BitLocker dialog]

Regenerating Copies of Your Recovery Keys

If you lose the USB drive and/or hardcopy printout of the recovery password that you created in Step 3 above, make new copies immediately. Keep in mind that whoever finds the lost copy can use it to unlock your drive; the Vista control panel only makes duplicates of the existing recovery password, so ask an IT professional about replacing it:

  1. Start > Control Panel
  2. Click the Classic View on the left hand side
  3. Double-Click BitLocker Drive Encryption
  4. Press Continue to tell Vista it’s OK to run the program with Administrative privileges
  5. Click on the option to Manage BitLocker Keys and follow the instructions.

[Screenshot: Manage BitLocker Keys option]

BitLocker Recovery

BitLocker enters recovery mode whenever the TPM cannot release the key: for example, if the TPM chip fails, the boot files are damaged, or the BIOS, boot order or boot files have changed since BitLocker was turned on, so that the TPM’s startup measurements no longer match. In that case BitLocker will not unlock the hard drive on its own. If you previously backed up your recovery key to a USB drive, you’ll be prompted for it.

[Screenshot: BitLocker recovery prompt]

  1. Insert the USB flash drive that contains your recovery key
  2. Press the ESC key to Reboot.

If you do not have a USB recovery drive, but you do have your 48-digit recovery password (from the hardcopy you printed in Step 3) then press the ENTER key to go to the BitLocker Password Entry screen.

Use the function keys to type in the 48-digit password (the recovery screen runs before the keyboard driver loads, so F1 through F9 enter the digits 1 through 9 and F10 enters 0). Press the ENTER key.

[Screenshot: BitLocker password entry screen]
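The 48-digit recovery password printed in Step 3 and typed at the recovery screen above has a built-in check that lets a help desk verify a transcription before the user struggles with it at the function-key prompt: each six-digit group is a 16-bit value multiplied by 11, so every group must be divisible by 11 and can be at most 720885. The following is an added example, not code from the ITSS page or from Microsoft; the function name is this example’s own and the sample password in it is constructed, not a real one.

```powershell
# Added example (not part of the ITSS page): validates the format of a
# 48-digit BitLocker recovery password. Assumes Windows PowerShell 1.0 or later.

function Test-RecoveryPassword {
    param([string]$Password)
    # Accept the printed form (eight 6-digit groups joined by dashes) or bare digits.
    $digits = $Password -replace "[^0-9]", ""
    if ($digits.Length -ne 48) {
        Write-Host "Expected 48 digits, got $($digits.Length)"
        return $false
    }
    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        # Each group is a 16-bit value times 11. The factor of 11 acts as a check
        # digit: any single wrong digit, or any swapped pair of adjacent digits,
        # leaves a value that is no longer divisible by 11.
        if (($group % 11) -ne 0) {
            Write-Host "Group $($i + 1) ($group) is not divisible by 11 - mistyped?"
            return $false
        }
        # 65535 * 11 = 720885 is the largest value a group can hold.
        if (($group / 11) -gt 65535) {
            Write-Host "Group $($i + 1) ($group) is larger than 720885"
            return $false
        }
    }
    return $true
}

# Constructed sample (not a real password): every group is a multiple of 11 not above 720885.
$sample = "135795-597531-109989-720885-000011-440000-344707-005500"
Test-RecoveryPassword $sample                                  # True
Test-RecoveryPassword ($sample -replace "005500$", "005501")   # False: last digit mistyped
Test-RecoveryPassword ($sample -replace "^135795", "137595")   # False: two digits transposed
```

The check catches transcription errors, not wrong passwords: a well-formed password that belongs to a different drive will still be rejected by BitLocker itself, so match the recovery password to the laptop (the printout and USB copy are tied to the drive they were created for) before typing it in.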