After my experience with TrueCrypt and reinstalling Windows (Link), I was wondering how the Microsoft encryption works. I’m running Windows 7 Ultimate, and in this version (and Enterprise) BitLocker is available. The next steps show how to encrypt the boot/system partition.
Now the hard disk/partition is encrypted, but no password is asked when booting the PC. This is because the certificates are stored on the TPM chip. Windows is the owner of this chip, so only your Windows can unlock the partition/hard disk. That’s why Windows 7 comes with a 100MB hidden boot partition: this unencrypted partition is needed for booting the encrypted system. The following steps show how to enable a PIN or password for booting Windows. Just to have that hands-on experience of safety.
First open: GPEDIT.MSC
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb7.png)
Navigate to: Computer Configuration –> Administrative Templates –> Windows Components –> BitLocker Drive Encryption –> Operating System Drives. Open: Require additional authentication at startup.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb8.png)
Select: Enabled
Deselect: Allow BitLocker without a compatible TPM
Configure TPM startup PIN: Require startup PIN with TPM
Click on: OK
!!Tip!! If you want to use characters in your PIN, enable the Allow enhanced PINs for startup policy.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb9.png)
Open an elevated command prompt.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb10.png)
Type: manage-bde.exe -protectors -add c: -tpmandpin
Enter the PIN twice.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb11.png)
Every time Windows boots, it will ask for the PIN.
Edit (10/05/2011): Encrypting the next partition.
In the following steps I’m showing how to encrypt the next partitions (e.g. D:).
Start Windows Explorer and right click on the partition.
Select: Turn on BitLocker.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb12.png)
Since the system partition is also encrypted, it’s possible to select: Automatically unlock the drive on this computer.
If you want a password, select: Use a password to unlock the drive.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb13.png)
Save the recovery key to the same USB flash drive as above.
Store the USB key in a safe place.
Click: Next.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb14.png)
Click: Start Encrypting
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb15.png)
The partition is now encrypted. It will automatically unlock when Windows boots.
![image image](https://www.jeroentielen.nl/wp-content/uploads/2011/05/image_thumb16.png)
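To verify that the startup PIN (first procedure) and the auto-unlock and recovery protectors on the data partitions (second procedure) are really in place, here is an added audit script; it is not part of the original post. It runs in an elevated PowerShell prompt and uses the Win32_EncryptableVolume WMI class available on Windows 7; the FVE registry value names are those written by the BitLocker ADMX policy template.

```powershell
# Added audit script (not from the original post). Run from an elevated PowerShell.
# Key protector types as numbered by Win32_EncryptableVolume.GetKeyProtectors
$protectorNames = @{ 1 = 'TPM only'; 2 = 'External key'; 3 = 'Numerical password';
                     4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key';
                     8 = 'Passphrase' }

# The policy set through GPEDIT.MSC lands under HKLM\SOFTWARE\Policies\Microsoft\FVE
# (value names from the BitLocker ADMX template): UseAdvancedStartup=1 enables
# "Require additional authentication at startup", UseTPMPIN=1 is "Require startup PIN with TPM".
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$pinRequiredByPolicy = ($fve -ne $null) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMPIN -eq 1)
"Policy requires TPM+PIN at startup: $pinRequiredByPolicy"

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $drive = $vol.DriveLetter
    $protectors = @()
    foreach ($type in $protectorNames.Keys) {
        $r = $vol.GetKeyProtectors($type)                  # ReturnValue 0 = success
        if ($r.ReturnValue -eq 0 -and $r.VolumeKeyProtectorID) { $protectors += $protectorNames[$type] }
    }
    $protected = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 1 = protection on
    "$drive protection on=$protected protectors=[$($protectors -join ', ')]"

    if ($drive -eq $env:SystemDrive) {
        # OS volume: "TPM only" is the state the post fixes, because it boots without any prompt.
        if ($protectors -notcontains 'TPM and PIN') {
            Write-Warning "$drive has no TPM+PIN protector (add with: manage-bde -protectors -add $drive -tpmandpin)"
        }
    } elseif ($protected) {
        # Data volume: auto-unlock stores an external key for it on the OS volume, so it is
        # only as well protected as the OS volume's startup protector.
        $auto = $vol.IsAutoUnlockEnabled()
        if ($auto.ReturnValue -eq 0 -and $auto.IsAutoUnlockEnabled) { "$drive unlocks automatically via the OS volume" }
    }
    # Any volume: without a saved recovery key, a TPM or firmware change can lock you out.
    if ($protected -and ($protectors -notcontains 'Numerical password') -and ($protectors -notcontains 'External key')) {
        Write-Warning "$drive has no recovery password or external key protector"
    }
}
```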