Security Advisor

You Can Take It with You

• By Joern Wettern
• 06/01/2009

BitLocker to Go, a new feature in some editions of the upcoming Windows 7 and Windows Server 2008 R2, lets you encrypt data on removable drives. With the new feature, you don't have to worry about what happens when you lose a flash drive. However, you should still plan carefully in order to prevent data loss.

Unleashing BitLocker
Windows Vista's BitLocker feature encrypts your computer's hard drive to ensure that data remains confidential even if your computer is lost or stolen. With Windows 7, Microsoft extends this protection to removable drives, including USB flash drives.

BitLocker to Go protects your data using a password or smart card. As a bonus, you can read the encrypted data on computers running Windows XP or Vista. This removable drive encryption is easy to use, but you'll need to think about how to recover data if a user forgets a password or loses a smart card.

To encrypt a drive, simply go to the BitLocker applet in the Control Panel, select the drive and turn on encryption. BitLocker to Go prompts you for a password or smart card and then gives you the option to either save to a file or print out the recovery code. Once you've entered all required information, BitLocker to Go encrypts the drive, which may take a few minutes. The BitLocker application in the Control Panel also lets you change a password or start the recovery process, which involves typing the 40-character code from the recovery file or printout. Make sure you store this recovery data in a safe location where it's protected against unauthorized access, and from where you can retrieve it in case of an emergency.

To access the data on the drive, insert it into any computer running Windows 7 and, when prompted, type the password or insert the smart card and type the PIN. To avoid having to type the password every time you use the drive, Windows 7 gives you the option to remember your password so that you only have to type it the first time you use a removable drive on a computer.

You can't edit the files on an encrypted drive or add new ones unless your computer is running Windows 7. So, while BitLocker to Go Reader can be a useful tool to facilitate the secure distribution of data in a heterogeneous environment, it only lets you edit the same data on multiple computers if you're running Windows 7 on all of those computers.

I Need My Data!
You may always select secure passwords and never forget them, but you can probably think of some co-workers who always use their pets' names as passwords and, if forced to use anything more complex, forget it in minutes. Sooner or later, you'll have to help them recover their BitLocker to Go data. To ensure you'll be able to help them, you must configure some of the new BitLocker to Go Group Policy settings. Until you've thoroughly planned your recovery procedures, you may even want to use Group Policy to disable mobile drive encryption.

To ensure data recovery in a corporate environment, you can't rely on users to store or print the recovery information. You can use Group Policy to enforce that this data is saved to a shared folder, but configuring permissions so that users can only access recovery data for their own drives can be tricky. Instead, consider saving recovery data to Active Directory.

Using a smart card for BitLocker to Go provides the best protection, but often passwords are more practical. Group Policy settings let you enforce a minimum password length and complexity. You may be tempted to require the same password length as for your log-in passwords, but this may not provide adequate security. A log-in password only needs to be strong enough to withstand a brute force attack until it expires or is changed.

BitLocker to Go can be a useful tool to secure corporate data. Before you make it available to users, though, consider the implications of doing so, and use the new Group Policy settings to ensure both the security and availability of your data.