BitLocker, EFS, and Windows Backup

Submitted on Jul 05, 2007, 6:28 p.m.

I remember the first time I was burgled. It was in 1993 and I was living in London at the time. It was a tad unsettling to come home and see the front door of my apartment smashed open, and things not exactly the way I left them before I went to work! I lost a bunch of audio CDs, my TV and some cash that was lying around - but NOT my computer.

Since then, being online a LOT more and needing a safe place to store personal online information - account codes, banking information, subscription information etc. - has meant I've thought often about the best way to secure my personal (and work related) data.

I've used a couple of third party products in the past - but with Windows Vista Ultimate and BitLocker beckoning - I thought I'd give a combined BitLocker and Encrypting File System (EFS) setup a shot.

BitLocker (in case you've not heard of it) encrypts the entire system partition - and until a valid key is supplied during system boot - the drive and its contents are effectively a nifty digital paperweight and nothing more. You can even safely dispose of the drive in this state - because again - without the key - it's just a lump of encrypted data.

My biggest concern with BitLocker was going to be performance especially since I was going to enable BitLocker on my main DEV box. Fortunately I have a 'kick it and see' PC I used to test everything on before implementing all of this on my main machine.

Here's the best article there is on how to configure BitLocker... Windows BitLocker Drive Encryption Step-by-Step Guide. In my case my PC doesn't have a Trusted Platform Module (TPM) - so I made the change detailed in the article to allow BitLocker to be enabled without a TPM.

Shortly after Vista Ultimate RTM was released - there was an update that included a BitLocker drive preparation tool. A word of warning here - and this relates to Windows Backup. Use the default partition settings from the drive preparation tool and allow it to create the new (and small) boot partition that will be needed for system startup - so that the boot process can start (unencrypted, of course) before loading the OS from the encrypted drive.

I have two partitions on my drive - my C: drive - which I will enable BitLocker on, and my D: drive which contains all my data. While exploring the command line options for the BitLocker drive preparation tool - I thought that since I already had a second partition (my D: drive) I could make this my boot drive (boot.ini and OS loader) - but this was a bad idea. For starters, it's a BIG partition - over 100GB. Secondly - when using Windows Complete System Backup (which I now use in favour of my previous third party imaging tool) - the backup will correctly detect that it needs both partitions to do a complete system backup. I don't want my D: drive included in this image (the reason for separate partitions in the first place) and so I switched back to the default BitLocker drive preparation settings - which creates a new small partition (S:) to hold the boot information.

My BitLocker generated key was created and written to a USB thumbdrive (attached to my key ring - along with the other 'real' keys). I put a second USB thumbdrive in a 'real' safe along with the recovery key. If I lose my keys (literally) this is the only way I'm getting back into my machine - so having a safe and alternate location for your recovery key is essential. It's kind of neat having to put the USB thumbdrive in my PC to start it up - like starting a car... :-). And it really doesn't interfere with the way I use my PC - my keys are always there on my desk - and I take them with me wherever I go so it fits fine into my pattern of work and play (you can take the key out of the computer as soon as BitLocker reads it - in fact BitLocker tells you to once it's read the key).

I have to say I was really impressed. I saw no performance difference on the 'kick it and see' PC and when installed on my live box - no difference there either. Impressive.

BitLocker will only work on system partitions - so that left the data on my D: drive. And this is where Encrypting File System comes to the rescue. That said, not everything on my D: falls under the category of 'sensitive data' so I wasn't about to encrypt the entire drive. Instead I grouped my 'sensitive data' together in a special folder - and encrypted the contents using EFS. EFS encrypts each file with its own symmetric file encryption key, and protects that key with your public-private key pair. The public-private key pair is stored in your Personal Certificate Store - which you can view by typing certmgr.msc in the search box of the Start menu in Vista, or from the 'Run' command in XP. Alternatively you can view the personal store from the Tools, Internet Options, Content, Certificates option in Internet Explorer.

Since the certificate store is on the system partition - and this is now under the protection of BitLocker - the certificates are safe (although you still need to back up the EFS certificate and its private key and keep that copy someplace safe too - without it, a reinstalled or recovered system has no way to read the encrypted files).

EFS is pretty cool - and the way it uses public keys to protect a per file symmetric key is neat - since the same per file key can be wrapped under several public keys - from several users - which lets you share an encrypted file amongst those users if you need to, without re-encrypting the file itself.

Here's an excellent description of how EFS works... Windows XP Resource Kit: Using Encrypting File System.

So I now have a production PC - working hard every day - with BitLocker on the system partition, EFS where I need it on the data partition - a set of keys safely tucked away in two locations - and I feel better about the prospect of getting robbed - because at least this time if they choose to take the PC - they'll be getting a lump of iron and silicon - and not a whole lot more than that.