Shostack + Friends Blog Archive


Why BitLocker Won't Help Most Companies

A couple of weeks ago, Mike Rothman [link to http://securityincite.com/blog/mike-rothman/the-daily-incite-march-5-2007 no longer works] linked to an article by George Ou [link to http://blogs.zdnet.com/Ou/?p=437 no longer works] about using EFS and BitLocker under Vista. There he made an extraordinary claim:

Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes by selecting all the folders and files from the root.

I said to myself, “Surely this must be wrong, Microsoft would never do anything like that….” So I set about Googling and I discovered that I was, in fact, wrong. According to the technical overview [link to http://technet.microsoft.com/en-us/windowsvista/aa906017.aspx#EYD no longer works] of BitLocker on TechNet (Section 3.4.1):

Volumes other than the operating system volume and the system volume are called “data volumes”. BitLocker encryption of data volumes is only supported in Windows Server “Longhorn” in v1.

We’ve now confirmed that BitLocker only works on the system volume. This makes it completely useless for a huge chunk of corporate America. Why? Because most companies tend to configure their machines with at least two partitions: a system partition where the OS and all software go, and a data partition where all documents, email and whatnot are stored. This is done both for ease of backup and to give IT the ability to reinstall the operating system without worrying about overwriting users’ data. Additionally, companies are increasingly giving users external hard drives of one variety or another so that they can do their own backups.

So either companies won’t use BitLocker because it doesn’t give them anything, or, worse, they will deploy BitLocker and think they are protected when they aren’t. I’ve already harassed Adam about this, but I’m curious about why this design decision was made.

Update: Sean [link to http://blogs.technet.com/seanearp/ no longer works] from MS provided a link in the comments to the command line magic incantation [link to http://blogs.technet.com/steriley/archive/2006/11/25/bitlocker-command-line.aspx no longer works] to enable BitLocker on any NTFS volume. Thanks Sean!
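The failure mode above (OS volume encrypted, data partition forgotten) is easy to audit for. The following check is an added example, not code from the post or from Microsoft; it assumes Windows 8 / Server 2012 or later, where the BitLocker and Storage PowerShell modules provide Get-BitLockerVolume and Get-Volume (both postdate the Vista-era command-line script Sean refers to).

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012
# or later with the BitLocker and Storage modules (Get-BitLockerVolume,
# Get-Volume). Reports every fixed volume with a drive letter and exits
# non-zero if any data volume is not actually protected.

function Get-BitLockerGap {
    # Returns one record per fixed volume. "Protected" requires BOTH
    # ProtectionStatus On and VolumeStatus FullyEncrypted: a suspended or
    # partially encrypted data partition still exposes its contents.
    [CmdletBinding()]
    param()

    # Drive letters of fixed disks only; removable media are a separate policy.
    $fixed = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    foreach ($bde in Get-BitLockerVolume) {
        if ($bde.MountPoint -notin $fixed) { continue }
        [pscustomobject]@{
            MountPoint = $bde.MountPoint
            VolumeType = $bde.VolumeType        # OperatingSystem or Data
            Status     = $bde.VolumeStatus
            Protection = $bde.ProtectionStatus
            Protected  = ($bde.ProtectionStatus -eq 'On' -and
                          $bde.VolumeStatus -eq 'FullyEncrypted')
        }
    }
}

$report = Get-BitLockerGap
$report | Format-Table -AutoSize

# The case the post warns about: the OS volume is encrypted but one or more
# data volumes are not, so the machine "looks" protected and isn't.
$gaps = $report | Where-Object { -not $_.Protected -and $_.VolumeType -eq 'Data' }
if ($gaps) {
    Write-Warning ("BitLocker is not protecting data volume(s): " +
                   ($gaps.MountPoint -join ', '))
    exit 1
}
Write-Output "All fixed volumes are fully protected by BitLocker."
```

Run it from a login script or scheduled task and alert on the non-zero exit code; external drives that users take home show up as Removable in Get-Volume and need their own check.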

4 comments on "Why BitLocker Won't Help Most Companies"

  • That's not accurate says:

    You make it sound like everyone is doing that and to be honest they aren’t. Really, I’ve been doing this for 15 years, and I hardly ever see a client with partitioned disks. Get over yourself “security guy”.

  • Sean says:

    Bitlocker can be enabled on non-system drives, just not through the Control Panel Interface. Details on using the Bitlocker Command Line Interface can be found in this posting: http://blogs.technet.com/steriley/archive/2006/11/25/bitlocker-command-line.aspx
    -Sean

  • Dana Epp says:

    Besides Sean’s comment, let’s be clear that Bitlocker in combination with EFS works well. Bitlocker will protect the EFS keys stored on the system volume, and leaves you to use EFS easily enough on the data volumes. And if using Vista Ultimate, you can store both your Bitlocker and EFS keys up in your Digital Locker online with your Live account.

  • Antonomasia says:

    http://www.dilbert.com/comics/workingdaze/archive/images/workingdaze2007048874323.jpg

Comments are closed.