Drive Encryption: BitLocker
BitLocker allows you to encrypt all the contents of a hard disk drive partition, making it almost impossible to someone to access your data if your computer or hard disk drive is stolen. This feature is only available on Enterprise and Ultimate versions of Windows Vista.
In order to work, your computer needs to have a module called TPM (Trusted Platform Module) installed on its motherboard, which usually doesn’t come with the board. In Figure 18, you can see a TPM header on a motherboard that allows the installation of this module.
If you use a TPM module version 1.2 or greater, the encryption key will be stored on the TPM module itself. If it is below version 1.2, you will need to store the encryption key on a pen drive.
BitLocker can be enabled on the BitLocker Drive Encryption icon on Control Panel. Besides the TPM module, BitLocker has other requirements.
You hard disk drive must have at least two partitions, one for storing Windows and programs and the other for installing boot information, and both partitions must be formatted using NTFS. Only the partition where Windows is installed will be encrypted. So you must not use a different partition to store your sensitive data. Files stored on other partitions may be individually encrypted with Encryption File System (EFS), just like it happens on Windows XP.
If the computer BIOS is changed, if the hard disk drive is installed on a different computer or if the boot device is changed, BitLocker will lock the hard disk drive, and you will only be able to access its data if you enter a special recovery password. If you forget this password or simply forget to create one when setting up BitLocker say goodbye to your data, as you won’t be able to access them.
As for Encryption File System (ECS), it is an option available on Business and Ultimate version of Windows Vista, allowing you to encrypt individual files or folders. This isn’t a new feature of Windows Vista, since Windows XP has this feature as well (if you use NTFS file system). It is available by right clicking a file or folder and choosing Properties on the menu that will shown up and then clicking on Advanced button (present on General tab) and then checking “Encrypt contents to secure data”. With this box checked it is not possible to open the files or folders on a different computer (this statement isn’t 100% true – if you have the key and the certificate used to encrypt the files and folders you can open them on another PC). The problem, though, is that if the file is saved on your hard disk drive and you didn’t set a password on your computer, people will still be able to open the file on your computer if they steal your PC. This option is interesting to secure files stored on removable media, as the files can only be opened on your computer.
Other Vista versions can open encrypted files with ECS using Cypher.exe utility, if you have both the key and the certificate used to encrypt the files.