As a remote worker at Microsoft I have to deal with a few little things that the average worker in Redmond doesn't.
For example, none of my machines are wired to "CorpNet." They're all remote so for the last two years I've had to RAS (Remote Access Service) into the corporate network. For a while you could use your password, but then you needed to use your Smart Card (or your immortal soul, as I call it) and a complex pin. So you've got multi-factor authentication, you need your actual network password (and of could your domain\username), your physical smart card and your smart card's pin. That's a lot. Someone evil could have two of those three things and you'd still be OK.
Since two of my three machines are laptops, there's always risk that I could lose it or have it stolen. If I kept secret stuff on my laptop (I don't) that could be a problem. Laptops run Windows 7 now and are required to be BitLocker'ed (FAQ). This means the whole hard drive is encrypted, there's an (optional) PIN to even turn it on, and it can take advantage of newer machines that have a TPM (Trusted Platform Module). Basically a TPM is a hardware cryptoprocessor that can store keys for securing information. BitLocker uses this chip to project the keys and makes sure the BIOs and boot sector haven't been tampered with. Fortunately it's all automatic so I don't have to think about it.
This is what I see when I'm booted off my Bitlocker'ed C: drive. That D: drive is my other spindle.
I recently Bitlocker'ed both my laptops, but I Boot to VHD for many demos and it's not possible to boot off a VHD that lives on a Bitlocker'ed volume. That's the one bad thing about Bitlocker from my point of view. I'm sure it's a chicken and the egg problem. How do you boot off a file on an encrypted volume without booting off the encrypted volume?
Turns out though that you can still Boot to VHD in a few other ways. You can partition your drive with a Bitlocker'ed C: and an unencrypted D:, or you can get a second spindle. That means, you can get another hard drive and put it in the slot when your DVD/CD usually goes. That's what I decided to do.
I bitlockered my 256 gig OCZ Vertex SSD, and I have a D: drive that is my 160 gig random no-name SATA drive. On that drive I only put demo VHDs.
I had to go into the BIOS of my Lenovo W500 and add the drive to the "boot order" in order to make it spin up on boot and be available to Windows. Then, since I can't really be sure of it's drive letter that early, I changed the syntax of my BCDEdit settings a bit. Figured I'd let Windows figure it out, so instead of [D:] I used [LOCATE]. Like this:
C:\>bcdedit /copy {current} /d "My New VHD Option"
C:\>bcdedit /set {guid} device vhd=[LOCATE]\<directory>\<vhd filename>
C:\>bcdedit /set {guid} osdevice vhd=[LOCATE]\<directory>\<vhd filename>
C:\>bcdedit /set {guid} detecthal on
Now, when I'm booted into my VHD, I see this:
What are we seeing?
- My D: drive is my original boot SSD. It's marked with a lock icon. I can't access it right now.
- My C: drive is the whatever.vhd that I booted off of. I made it 40gigs, so it is. (The actual file is 15gigs, but it "blows up" while I'm running on it. It'll shrink back down when I'm not booted off it.
- My E: drive is some system partition I don't know about.
- My F: is the Second Spindle that all my VHDs live on.
But, how can I get access to my secure C: drive when I'm booted into this insecure world? Of course, we don't want the bad guys to get in there, which makes sense.
If I double click, I see this:
These options are all settable with Group Policy I think, but my choices are to add a really complex Password to get access to this drive or use my Smart Card. I can also use the recovery key that I saved in a secure location when I originally locked the drive.
I unlock it, and I see this:
Now, just for the duration of this single boot, this disk is available to me. Very cool.
I was a little afraid when I Bitlocker'ed my machine just before a trip, but I'm feeling pretty good about it so far. I haven't noticed any perceptible slowdown but the FAQ says "single digit." I've heard numbers like 3%, but I haven't noticed it in the sense that my machine isn't suddenly "sluggish."
I'm VERY suspicious when corporate IT wants to reach out from Redmond and do something to my computer but this turned out great.
Here's the email I sent internally to my team today about Bitlocker:
As you know, MSIT is starting to put BitLocker on mobile machines. I recommend you upgrade any Vista machine to Windows 7 before running Bitlocker. As always, backup your data first.
I figured I should be the guinea pig for you guys, so I Bitlockered BOTH my Lenovo T60p and Lenovo W500 yesterday. These are my two corporate machines.
1a. On my W500 I was automatically prompted to reboot and enable the TPM (trusted platform module) in my BIOs. This enable step was automatic and only required me to press F10 once.
1b. On my T60p, I was told to enter the BIOs manually and enable it. There is no “TPM” section in the T60p. Instead, you go into Security, the Security Chip and turn on all the options under Security Reporting. Save your BIOS settings and reboot.
2. When prompted for a “PIN” I declined. This >=5 digit number would be a system-level password for when you start-up your machine. It's recommended, but ultimately up to you.
3. The process ran OVERNIGHT. It took at least 5 hours on each machine from what I can tell.
4. Next, go to the Start Menu and type “manage bitlocker.” You’ll want to save and print your recovery key. The Importance of this step cannot be overstated. Save this key and treat it like it is your immortal soul.
c. If Bitlocker smells any funny business you’ll get prompted for these keys. Murphy’s Law says this will happen 10 minutes before a major conference speech. No excuses for not having these. Without them, your computer is a brick. (That's kind of the wonderful point of BitLocker. ;) )
That scary part said, it works exactly as it should. It was easy and painless.
So far, we are not forced to lockup second drives/spindles. This means that you can STILL boot to VHD off of a second drive if that drive is NOT connected via USB (SATA, IDE, etc are still Ok). I’ve moved my BootToVHDs off into D:\ for this purpose. Regular VMs run just fine on the BitLocker'ed drive.
All in all, it works exactly as it should. I have no idea it’s there and my machine seems just as fast.
Let me know it you have any questions.
All in all, an interesting experience. I'm glad it went so well. You can even BitLocker USB drives as well with BitLocker To Go.
Related Links