2. What is BitLocker To Go?
- Builds on top of the BitLocker Drive Encryption introduced in Windows Vista
- Protects removable storage devices (USB flash drives, external hard drives) with full-volume encryption
- Compatible with FAT, exFAT and NTFS formatted drives
- Turning it on requires Windows 7 Enterprise or Ultimate; any Windows 7 edition can unlock and use a protected drive
- Protected drives can be read (read-only) on down-level Windows versions with the BitLocker To Go Reader
- Works independently from BitLocker on the operating system drive and does not require a TPM
5. Recovery Key

BitLocker Drive Encryption Recovery Key

The recovery key is used to recover the data on a BitLocker protected drive. To verify that this is the correct recovery key, compare the identification with what is presented on the recovery screen.

Recovery key identification: EBC06BD0-D667-4D
Full recovery key identification: EBC06BD0-D667-4D17-B87C-1B6ECB22CF03
BitLocker Recovery Key: 495330-143814-194315-013354-713449-217866-573738-034298
The BitLocker Drive Encryption wizard starts up in a separate window. After a moment's pause, you're asked to choose between password- and smart card-based unlocking. Most individuals will use a password, but many businesses are starting to use smart cards, which let administrators manage the BitLocker certificates centrally through Active Directory. A smart card gives you two-factor authentication: in addition to having the physical card, the user still has to enter the card's PIN.

In the next step of the wizard you're asked how you want to store the recovery key (assuming this hasn't already been set by policy in a managed AD environment, where the key can be backed up to Active Directory Domain Services automatically). This key lets you recover the contents of a protected drive if you forget the password, lose the smart card, or run into a similar problem. You have two choices: save it to a text file or print it. Either way, keep the copy somewhere other than the drive it unlocks.
If you do choose to print or save the recovery key, you'll see something like the recovery key text shown in slide 5 above: a short identification, the full identification, and the 48-digit recovery key.
Warning: Disk encryption is still an agonizingly slow process. It takes BitLocker To Go over 20 minutes to encrypt a 2 GB USB memory stick, for example. I recently encrypted a 320 GB USB hard drive using BitLocker To Go, which isn't recommended: it literally took all of a work day, or several long hours.

Tip: As the BitLocker Drive Encryption wizard suggests, pause encryption if you need to remove the device for some reason, and resume it once the drive is plugged back in; the conversion picks up where it left off. If you pull the drive without pausing, you could damage or lose files stored on it.
Once BitLocker To Go has been turned on for a storage device, you can configure it in various ways. If you right-click a protected device in Explorer, a new "Manage BitLocker" option appears in the context menu, replacing "Turn on BitLocker." (You can also reach the same functionality from the BitLocker Drive Encryption control panel, of course.) The resulting dialog offers a number of options, including changing or removing the device's password, removing a smart card (if one is configured), adding a smart card, re-saving or printing the recovery key, and unlocking the drive automatically on the current PC. Note that automatic unlocking stores the unlock key on the PC's operating system drive, so Windows 7 only allows it when that drive is itself BitLocker-protected.
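The wizard steps described above (choosing a password protector, saving the recovery key with its identification, pausing before unplugging, and optional auto-unlock) can also be driven from the command line. The script below is an added example, not code from the original article or from Microsoft; it uses the built-in manage-bde.exe and the Win32_EncryptableVolume WMI class that ship with Windows 7 Enterprise/Ultimate. It assumes the removable drive is E:, an elevated PowerShell prompt, and a recovery key file path ($KeyFile) of your own choosing.

```powershell
# Added example, not code from the original article or from Microsoft.
# Runs the same steps the BitLocker Drive Encryption wizard walks you through,
# from an elevated PowerShell prompt on Windows 7 Enterprise/Ultimate, using
# the built-in manage-bde.exe and the Win32_EncryptableVolume WMI class.
# Assumptions: the removable drive is E:, the prompt is elevated, and $KeyFile
# is wherever you want the recovery key text file written.

$Drive     = 'E:'
$KeyFile   = Join-Path $env:USERPROFILE "Desktop\BitLocker Recovery Key $($Drive.TrimEnd(':')).txt"
$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-EncryptableVolume([string]$DriveLetter) {
    # One object per volume BitLocker can manage; enumeration needs elevation.
    $vol = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume `
                         -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "$DriveLetter is not a volume BitLocker can manage" }
    return $vol
}

function Save-RecoveryKey([string]$DriveLetter, [string]$Path) {
    # Reads the numerical password protector(s) (KeyProtectorType 3) back from
    # the volume and writes them in the layout of the wizard's own text file,
    # so the identification can be compared with what the recovery screen shows.
    $vol = Get-EncryptableVolume $DriveLetter
    $ids = $vol.GetKeyProtectors(3).VolumeKeyProtectorID
    if (-not $ids) { throw "No recovery password protector found on $DriveLetter" }
    $lines = @('BitLocker Drive Encryption Recovery Key', '')
    foreach ($id in $ids) {
        $guid = $id.Trim('{}')
        $pw   = $vol.GetKeyProtectorNumericalPassword($id).NumericalPassword
        $lines += "Recovery key identification: $($guid.Substring(0, 16))"
        $lines += "Full recovery key identification: $guid"
        $lines += "BitLocker Recovery Key: $pw"
        $lines += ''
    }
    Set-Content -Path $Path -Value $lines
}

function Show-EncryptionProgress([string]$DriveLetter) {
    # ConversionStatus: 0 decrypted, 1 encrypted, 2 encrypting, 3 decrypting,
    # 4 encryption paused, 5 decryption paused
    $cs = (Get-EncryptableVolume $DriveLetter).GetConversionStatus()
    '{0} {1}% encrypted (conversion status {2})' -f $DriveLetter, $cs.EncryptionPercentage, $cs.ConversionStatus
}

# 1. Password protector (-pw prompts for the password) plus a 48-digit
#    numerical recovery password (-rp), which is what the wizard calls the
#    recovery key.
manage-bde -on $Drive -pw -rp
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $Drive failed (exit code $LASTEXITCODE)" }

# 2. Save the recovery key somewhere other than the drive it unlocks.
Save-RecoveryKey $Drive $KeyFile
Write-Host "Recovery key saved to $KeyFile"

# 3. Encryption keeps running in the background. Pause before unplugging the
#    drive and resume after reinserting it; conversion picks up where it stopped.
Show-EncryptionProgress $Drive
# manage-bde -pause  $Drive
# manage-bde -resume $Drive

# 4. Optional: unlock automatically on this PC. The key is then stored on the
#    OS drive, which must itself be BitLocker-protected for this to be allowed.
# manage-bde -autounlock -enable $Drive
```

The same protector enumeration is what a helpdesk script would use to escrow recovery keys centrally instead of relying on users to keep the printed copy; the protector GUID is the "identification" the recovery screen shows, so it is the lookup key for that escrow.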
BitLocker in Windows 7 introduces several new Group Policy settings that make these features easy to manage. For example, administrators can:
- Require that all removable drives be BitLocker-protected before data can be saved to them.
- Require or disallow specific methods for unlocking BitLocker-protected drives.
- Configure methods for recovering data from BitLocker-protected drives when the user's unlock credentials are not available.
BitLocker Group Policy settings can be viewed with either the Local Group Policy Editor or the Group Policy Management Console (under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption). Using these policies helps enforce a standard BitLocker Drive Encryption deployment across your organization. In Exercise 2 you will enable the "Deny write access to removable drives not protected by BitLocker" policy setting and then use a flash drive to walk through what a standard user experiences when this policy is in effect.
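Before running Exercise 2 it helps to confirm that the policy has actually applied and to see which removable drives it will affect. The script below is an added example, not code from the original page or from Microsoft. It assumes an elevated PowerShell prompt on Windows 7 (Win32_EncryptableVolume cannot be enumerated otherwise) and that Group Policy writes this setting to the RDVDenyWriteAccess value under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not code from the original page or from Microsoft.
# Checks whether "Deny write access to removable drives not protected by
# BitLocker" is in effect on this Windows 7 machine and lists which removable
# volumes it would mount read-only. Assumptions: elevated prompt, and the
# policy's registry value name RDVDenyWriteAccess under the FVE policy key.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Test-DenyWriteAccessPolicy {
    # Group Policy writes the setting here; absent or 0 means not configured/disabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
    return [bool]($item -and $item.RDVDenyWriteAccess -eq 1)
}

function Get-RemovableDriveProtection {
    # Win32_LogicalDisk DriveType 2 = removable disk.
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown (typically a BitLocker
    # drive that is still locked, which the policy treats as protected).
    $removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($disk in $removable) {
        $vol = Get-WmiObject -Namespace $Namespace -Class Win32_EncryptableVolume `
                             -Filter "DriveLetter='$($disk.DeviceID)'"
        $status = if ($vol) { $vol.GetProtectionStatus().ProtectionStatus } else { 0 }
        $label  = switch ($status) { 1 { 'protected' } 2 { 'locked/unknown' } default { 'unprotected' } }
        New-Object PSObject -Property @{
            Drive               = $disk.DeviceID
            FileSystem          = $disk.FileSystem
            Protection          = $label
            ReadOnlyUnderPolicy = ($status -eq 0)
        }
    }
}

$policyOn = Test-DenyWriteAccessPolicy
Write-Host ('Deny write access to unprotected removable drives: ' +
            $(if ($policyOn) { 'ENABLED' } else { 'not configured' }))
Get-RemovableDriveProtection | Format-Table Drive, FileSystem, Protection, ReadOnlyUnderPolicy -AutoSize

# What a standard user sees with the policy on: an unprotected drive mounts
# read-only and Windows prompts to turn BitLocker on; saving to the drive only
# works once BitLocker has been turned on for it.
```

If the policy shows as not configured on a domain-joined PC that should have it, run gpupdate /force and check the key again before starting the exercise; if it shows ENABLED but a drive is still writable, confirm the drive really is enumerated as DriveType 2, since fixed external disks fall under the fixed-drive policies instead.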
BitLocker To Go-protected devices work identically on all Windows 7 systems. But how does this feature work on "down-level" Windows XP and Vista PCs? For those systems, Microsoft places a BitLocker To Go Reader application on the encrypted device itself, which lets users unlock it with the password and get at the stored files. There are two limitations, however. The reader only works with FAT-formatted drives (FAT, FAT32, exFAT), not NTFS, so format a drive that has to travel to older PCs accordingly before turning BitLocker on. And it is read-only: after you've entered the password to unlock the drive, you can view files and copy them to the PC's hard drive, but you cannot save files back to the device. Hey, it's better than nothing.