Vista's BitLocker Encryption: All It's Cracked Up to Be?

Microsoft's boot-drive encryption works best with specialized hardware and requires some effort to set up and run. After all that, does it work?

Page 3 of 4

However, BitLocker doesn't by default encrypt anything other than the boot drive. It is possible to encrypt drives other than the boot drive with BitLocker, but this is not something that can be done automatically through BitLocker's configuration GUI (at least not yet). Microsoft does not yet support encrypting data volumes with BitLocker either.

That said, Microsoft is reported to be providing support for this feature on a case-by-case basis with specific customers, according to Gartner analysts Jeffrey Wheatman and Neil MacDonald. However, the pair don't expect official support from Microsoft for this kind of feature until late in 2007 or the first quarter of 2008. (A Microsoft spokesman said the company has "no information to share at this time.")

For the time being, Microsoft recommends that companies encrypt data volumes using its Encrypting File System. EFS, which has been in existence since Windows 2000 was rolled out, is a way to perform file-by-file encryption on NTFS volumes in Windows.

EFS encrypts data only at the file level, not the volume level, so it's possible to make educated guesses about what might be in an EFS-encrypted file through the file name or other items on the same disk. (One possible way to get around this is to place sensitive information in .zip files or in other archives that are EFS-encrypted -- making sure, of course, that the name of the archive itself isn't some kind of giveaway.)

Likewise, BitLocker doesn't encrypt removable drives by default. But again, it's possible to do this manually, using a process that's much the same as encrypting a non-boot drive.

That said, in order to unlock an encrypted removable drive for use, you need to provide users with a 48-digit PIN, much as you would for any other BitLocker volume. It's easy enough to create a batch file that handles this job, then store that batch file on the main BitLocker volume, but there's no guarantee that the main BitLocker drive can't be compromised in ways that have nothing to do with BitLocker's own security (e.g., if a user walks away from the machine while it's still logged in).
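One way to build that batch file without leaving the key on disk is to prompt for the 48-digit recovery password each time the drive is plugged in, which sidesteps the walk-away risk just described. This is an added example, not the article's own script; it assumes Vista's command-line tool manage-bde.wsf in %SystemRoot%\System32 and uses E: as a placeholder for the removable volume.

```batch
@echo off
setlocal
rem Unlock a BitLocker-protected removable volume by asking for the
rem recovery password at run time instead of storing it in this file.
rem Assumes manage-bde.wsf (Vista); later Windows ships manage-bde.exe,
rem in which case replace the cscript line with:
rem   manage-bde -unlock %VOL% -RecoveryPassword %RP%

rem Drive letter may be passed as the first argument; E: is a placeholder.
set "VOL=%~1"
if "%VOL%"=="" set "VOL=E:"

set "RP="
set /p "RP=Recovery password for %VOL% (48 digits, xxxxxx-xxxxxx-...): "
if "%RP%"=="" (
  echo No recovery password entered.
  exit /b 1
)

cscript //nologo "%SystemRoot%\System32\manage-bde.wsf" -unlock %VOL% -RecoveryPassword %RP%
set "RC=%ERRORLEVEL%"

rem Drop the password from the environment as soon as the tool returns.
set "RP="
if not "%RC%"=="0" (
  echo Unlock of %VOL% failed, exit code %RC%.
  exit /b %RC%
)
echo %VOL% unlocked.
endlocal
```

Note that `set /p` echoes what is typed, so the password is visible on screen while it is entered; the trade-off is that nothing is stored on the main volume for someone at an unattended, logged-in machine to read.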

As before, it is possible to use EFS to encrypt files on removable drives or other partitions, but again, this comes with the risk of someone being able to read file names and make educated guesses about their contents.

If you want to encrypt multiple volumes in a BitLocker-protected system, you need to do one of three things: manually encrypt all the volumes (which is possible but officially unsupported); consolidate all the data to be protected on the boot volume (typically an inconvenience); or use a third-party encryption tool, either alone or in conjunction with BitLocker, that does encrypt data drives. One such product, TrueCrypt, is free and open-source and also works across operating system platforms.

Back Doors and Other Vulnerabilities

So you've properly BitLocker-secured your machine. Could it still have exploitable vulnerabilities that remain undisclosed? Let's ask a few more questions:

1. Has Microsoft provided any back doors into BitLocker-encrypted volumes? When the feature was announced, there was no small amount of speculation that Microsoft had made a back door of some kind available in BitLocker that would allow the encryption on a drive to be reversed.
