BitLocker To Go

Monday, November 2, 2009

I had some data on a Cruzer flash drive I wanted to protect, and I just discovered how easy it is to use BitLocker on a flash drive (thanks to Hanselman, who pointed this out in one sentence at the end of a post).

BitLocker is one of those Windows 7 features that has actually been around since Vista, but BitLocker To Go (encryption for removable drives) is new. I believe it is only available on Win7 Ultimate and Enterprise.

Once the drive is inserted, right-click the drive in Windows Explorer and select “Turn on BitLocker…”. Windows will ask if you want to unlock the drive using a password or a smart card + PIN. I took the password option:

[Screenshot: BitLocker To Go setup]

Encryption can take some time (~15 minutes for my 4GB flash drive). Windows will place a BitLocker To Go “reader” application (bitlockertogo.exe) on the drive so you can have read access to the files from Vista and XP machines. Note: the down-level reader only works if the drive was not formatted with NTFS, i.e. it has to be a FAT-formatted drive. It’s interesting to read about how this works:
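The same steps can be scripted instead of clicked through. The following is an added example, not something from the original post or from Microsoft: it uses the manage-bde.exe command-line tool that ships with Windows 7 to turn on BitLocker To Go with a password protector, add a numerical recovery password as a second protector (so a forgotten password does not mean losing the data), and then check the encryption status and the list of key protectors. It assumes the flash drive is mounted as E: and that the script is run from an elevated PowerShell prompt; the Invoke-ManageBde wrapper is my own helper, not part of Windows.

```powershell
# Added example (not from the original post): BitLocker To Go from an elevated
# PowerShell prompt on Windows 7 via the built-in manage-bde.exe tool.
# Assumption: the removable drive is E: (adjust $Drive for your system).
$Drive = 'E:'

# Sanity check before encrypting: make sure the letter really is a removable
# drive (Win32_LogicalDisk DriveType 2) and show its file system, because the
# XP/Vista reader is only placed on FAT-formatted drives, not on NTFS.
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if (-not $disk) { throw "$Drive was not found" }
if ($disk.DriveType -ne 2) { throw "$Drive is not a removable drive (DriveType=$($disk.DriveType))" }
"File system on ${Drive}: $($disk.FileSystem)"

# Hypothetical helper: run manage-bde and stop on a non-zero exit code so a
# failed step is not silently followed by the next one.
function Invoke-ManageBde {
    param([string[]]$Arguments)
    & manage-bde.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Turn on BitLocker with a password protector. -Password makes manage-bde
#    prompt for the password interactively, so it never appears on the command
#    line or in this script. -DiscoveryVolumeType default keeps the hybrid
#    layout on FAT drives, which is what carries the BitLocker To Go Reader.
Invoke-ManageBde -Arguments @('-on', $Drive, '-Password', '-DiscoveryVolumeType', 'default')

# 2. Add a 48-digit numerical recovery password as a second protector and
#    record the value it prints somewhere other than the drive itself.
Invoke-ManageBde -Arguments @('-protectors', '-add', $Drive, '-RecoveryPassword')

# 3. Verify: conversion status (percentage encrypted, encryption method) and
#    the protectors now on the volume (Password and Numerical Password).
Invoke-ManageBde -Arguments @('-status', $Drive)
Invoke-ManageBde -Arguments @('-protectors', '-get', $Drive)

# To open the drive later on another Windows 7 machine from the command line:
#   manage-bde -unlock E: -Password
```

Encryption continues in the background after step 1 returns, so re-run `manage-bde -status E:` until it reports the volume as fully encrypted before relying on it; the status output is also the quickest way to confirm which protectors are in place before the drive leaves the building.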

Getting BitLocker To Go functionality to work on Windows XP and Windows Vista required some reengineering of the core BitLocker feature. To do this, the team refactored the method by which BitLocker protects FAT volumes. BitLocker behavior was modified to overlay a "discovery volume" onto the physical, original volume and virtualize the blocks overwritten. The discovery volume contains the BitLocker To Go Reader as well as a readme file. This is called a Hybrid BitLocker drive. By default, when a FAT drive is encrypted, a hybrid BitLocker drive is created. The discovery drive is visible only on the Windows XP and Windows Vista operating systems.

I always thought encrypting my entire system hard drive was a little bit scary. I like BitLocker To Go because it is built-in, and can protect a removable device where I keep sensitive files.