
2019

ODM Team

Windows BitLocker Drive Encryption

Technical Resources

BitLocker Drive Encryptions


ODM Team – BGDCO
Page 1 of 17

Table of Contents
Context ...................................................................................................................................... 2

What is BitLocker? .................................................................................................................. 2

What does BitLocker do? ........................................................................................................ 3

Limitation ............................................................................................................................. 3

BitLocker hardware requirements ......................................................................................... 4

On operating system (OS) drive ......................................................................................... 4

On data drives ...................................................................................................................... 4

How to turn on BitLocker on OS drive?................................................................................ 4

On a machine equipped with a compatible TPM .............................................................. 4

On a machine not equipped with a compatible TPM or with no TPM ........................... 9

How to turn on BitLocker on data drives? .......................................................................... 14

On fixed drives ................................................................................................................... 14

On external drives .............................................................................................................. 15

Contacts and support............................................................................................................. 17


Context
Data protection is an important aspect to take into account when handling information that
belongs to persons of concern (PoCs). In line with the Division of International
Protection (DIP), which recommends measures to ensure the confidentiality and
integrity of personal data, this document presents a Windows feature that can play a key
role in securing data: BitLocker Drive Encryption.

Certainly, not all machines and devices we use in our daily work contain sensitive data
regarding PoCs. However, servers (fixed and mobile) that host proGres servers and databases, hard
drives that contain database backups, scanned documents of PoCs and any other kind of sensitive
information should be protected in order to raise the security level of the data they contain.

Through this document, we explain what this Windows feature is about and how to
use it.

What is BitLocker?

BitLocker lets you encrypt the hard drive(s) on Windows 7 and Vista Enterprise, Windows
7 and Vista Ultimate, Windows Server 2008 and R2, and later versions of Windows (8, 8.1
and 10). BitLocker will not encrypt hard drives on Windows XP, Windows 2000 or Windows
2003.

BitLocker drives can be encrypted with 128-bit or 256-bit encryption keys. This is strong
enough to protect your data in the event the computer is lost or stolen. BitLocker protects your
hard drive from offline attacks. Unlike Encrypting File System (EFS), which lets you
encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with
your files normally, but BitLocker can help block attackers from accessing the system files they
rely on to discover your password, or from accessing your drive by removing it from your
computer and installing it in a different computer in order to harvest your data. BitLocker also
protects your data if a malicious user boots from an alternate operating system.

Against either attack method, BitLocker keeps the hard drive encrypted, so that someone who has
physical access to the drive cannot read it. If a machine that has been encrypted with
BitLocker crashes and its drive is connected to another machine, BitLocker prompts
the user for the recovery key so that the hard drive can still be accessed.

In later versions of Windows, starting from Windows 7 (Pro and Ultimate editions), BitLocker
functionality is extended to removable drives. That functionality is called BitLocker To
Go. BitLocker To Go gives you the ability to encrypt your thumb drives and even USB hard
drives.


What does BitLocker do?


BitLocker Drive Encryption can be used to help protect all files stored on the drive Windows
is installed on (operating system drive) and on fixed data drives (such as internal hard drives).
You can use BitLocker to Go to help protect all files stored on removable data drives (such as
external hard drives or USB flash drives).

When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them
automatically. Files remain encrypted only while they are stored in the encrypted drive. Files
copied to another drive or computer are decrypted. If you share files with other users, such as
through a network, these files are encrypted while stored on the encrypted drive, but they can
be accessed normally by authorized users.

If you encrypt the operating system drive, BitLocker checks the computer during startup for
any conditions that could represent a security risk (for example, a change to the BIOS or
changes to any startup files). If a potential security risk is detected, BitLocker will lock the
operating system drive and require a special BitLocker recovery key to unlock it. Make sure
that you create that recovery key when you turn on BitLocker for the first time; otherwise, you
could permanently lose access to your files.

A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related
functions, primarily involving encryption keys. The TPM is usually installed on the
motherboard of a computer and communicates with the rest of the system by using a hardware
bus. Computers that incorporate a TPM can create cryptographic keys and encrypt them so that
they can only be decrypted by the TPM, and the private portion of a key created in a TPM is
never exposed to any other component, software, process, or person.

If your computer has the TPM chip, BitLocker uses it to seal the keys that are used to unlock
the encrypted operating system drive. When you start your computer, BitLocker asks the TPM
for the keys to the drive and unlocks it.

If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a
password or a smart card, or set the drive to automatically unlock when you log on to the
computer. You can turn off BitLocker at any time, either temporarily by suspending it, or
permanently by decrypting the drive.

Limitation

BitLocker does not protect your files individually. After you log on to Windows, you work
with your files normally. But if you leave your computer unattended, anyone else who
has access to that machine has the same access to all your data, whether the drive is
encrypted or not.


BitLocker hardware requirements


On operating system (OS) drive

To encrypt the drive that Windows is installed on (the operating system drive), BitLocker needs
to store its own encryption and decryption keys in a hardware device that is separate from
your hard disk. Hence, you must have one of the following:

• A computer with a Trusted Platform Module (TPM), which is a special microchip in many
computers that supports advanced security features. If your computer was manufactured
with TPM version 1.2 or higher, BitLocker will store its key in the TPM.
• A removable USB memory device, such as a USB flash drive. If your computer doesn't
have TPM version 1.2 or higher, BitLocker will store its key on the flash drive. This option
is only available if your system administrator has set up your computer to allow the use of
a startup key instead of the TPM.

To turn on BitLocker Drive Encryption on the operating system drive, your computer’s hard
disk must:

• Have at least two partitions: a system partition (which contains the files needed to start
your computer and must be at least 200 MB) and an operating system partition (which
contains Windows). The operating system partition will be encrypted and the system
partition will remain unencrypted so your computer can start. If your computer doesn't
have two partitions, BitLocker will create them for you. Both partitions must be formatted
with the NTFS file system.
• Have a BIOS that is compatible with TPM or supports USB devices during computer
startup. If this isn't the case, you will need to update the BIOS before using BitLocker. For
more information on updating your BIOS, see Update the BIOS for BitLocker Drive
Encryption.

On data drives

You can use BitLocker to encrypt fixed data drives (such as internal hard drives) and you can
use BitLocker to Go to encrypt removable data drives (such as external hard drives and USB
flash drives). To encrypt a data drive, it must be formatted using either the exFAT, FAT16,
FAT32, or NTFS file system and must have at least 64 MB of available memory.

How to turn on BitLocker on OS drive?

BIOS setup for compatible TPM versions:

To start the BitLocker procedure, we first have to ensure that the security chip is enabled in the BIOS and
that the correct TPM version is selected.

Go to the BIOS settings.

Then select Security Chip and enable it.

For the T470s select TPM 1.2, and for the T480s select TPM 2.0.

Then go to Device Manager using the Windows key + X keyboard shortcut.

On a machine equipped with a compatible TPM

To start the procedure of turning on BitLocker drive encryption on an OS drive:


1. You can either right-click on the drive and select Turn on BitLocker, or go to Control
Panel > System and Security > BitLocker Drive Encryption and click Turn on
BitLocker on the OS drive. Here we see the three steps of the drive encryption.
Click Next.

1: Three steps for drive encryption

2. In this step, we prepare the drive. If it does not already exist, BitLocker will create
a new partition on which the system files that allow the machine to start will be installed.
The partition that BitLocker creates has no drive letter, so it is not visible in
the Computer folder. After this step, you will restart the machine. Click Next,
wait until the partition is created, then click Restart Now.


2: Warning for new partition creation.

3: Partition creation completed

3. Now that our drive has been prepared, the next step is to turn on the TPM security hardware.
Clicking Next will require you to restart the machine, but beforehand make sure to
remove any external devices such as USB flash drives. Click Restart.


4: TPM activation

5: Reboot to activate TPM

4. Now that the first two steps have been successfully completed, we proceed with the
drive encryption. Next we are asked to choose one option for saving the recovery key
mentioned earlier.

Our recommendation: Save the recovery key on a USB flash disk. Use a USB flash disk
dedicated to storing BitLocker recovery keys, with no other data on it. This keeps
the key separate from the encrypted drive. The USB flash disk does not need to be encrypted
and will only be used to unlock encrypted drives in case a password is forgotten or any
other incident locks the drive. With the recovery key we can always recover the data, even if we lose
the startup key.

After the key is saved on the USB flash disk, click Next. In the next window, make sure that Run
BitLocker System Check is selected before you click Continue. You will restart the
machine to launch the drive encryption. Make sure to keep the USB flash disk that
contains the recovery key plugged in during the process.

6: Drive encryption preparation complete.

7: Saving recovery key
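The same TPM procedure can be driven from an elevated PowerShell prompt with the built-in BitLocker and TrustedPlatformModule modules. This is an added example, not part of the original guide; it assumes the OS drive is C: and the dedicated recovery-key USB stick is E:.

```powershell
# Added example (not part of the original guide): TPM-based OS-drive encryption.
# Assumptions: OS drive is C:, recovery-key USB stick is E:.
$OsDrive  = "C:"
$UsbDrive = "E:"

# 1. Pre-checks: the TPM must be present and ready (Security Chip enabled in the BIOS),
#    and the recovery-key stick must be a different volume from the one being encrypted.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; enable the security chip in the BIOS first."
}
if (-not (Test-Path $UsbDrive)) { throw "Recovery-key USB drive $UsbDrive not found." }

# 2. Add the recovery password protector FIRST, so a recovery path exists before
#    any encryption starts (the wizard enforces the same order).
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 3. Save the recovery key to the stick, named by protector ID so it can be matched
#    to the drive later (same information the "Save to a USB flash drive" option writes).
$file = Join-Path $UsbDrive ("BitLocker Recovery Key " + $rp.KeyProtectorId.Trim('{}') + ".txt")
@(
    "BitLocker Drive Encryption recovery key"
    "Identifier: $($rp.KeyProtectorId)"
    "Recovery Key: $($rp.RecoveryPassword)"
) | Set-Content -Path $file

# 4. Seal the volume key to the TPM and start encrypting. Not passing -SkipHardwareTest
#    keeps the "Run BitLocker system check" reboot test. XtsAes256 is the 256-bit option
#    on Windows 10; use Aes256 on Windows 7/8.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector

# 5. Verify: both protectors present, encryption in progress after the reboot.
$status = Get-BitLockerVolume -MountPoint $OsDrive
$status | Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
$status.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

Keep the stick plugged in for the system-check reboot, exactly as the wizard requires.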


On a machine not equipped with a compatible TPM or with no TPM

When you try to turn on BitLocker on an OS drive and receive an error message related to the
absence of a compatible TPM, here is the procedure to follow to encrypt the drive.


8: Missing TPM error message

1. Launch the Local Group Policy Editor and enable the 'Require additional authentication at
startup' option. To do so, press Start + R and type gpedit.msc in the Run dialog box. In the
editor, go to Computer Configuration > Administrative
Templates > Windows Components > BitLocker Drive Encryption > Operating
System Drives in the navigation pane and double-click Require additional authentication at startup.

9: Local Group Policy snap-in

Select the Enabled option, make sure that the option Allow BitLocker without a compatible
TPM is checked, then confirm.


10: Enabling additional authentication at startup

2. Now we can return to the Computer folder, right-click on the OS drive and select Turn
On BitLocker.

11: BitLocker startup preference

▪ Use BitLocker without additional keys: this option is less secure because it lets you
encrypt your drive without any key at all: no PIN and no startup key.


▪ Require a PIN at every startup: as stated, you will be asked to set a PIN that serves
as a password and is required at every system startup.
▪ Require a Startup key at every startup: with this option, you do not need to memorize a
password, since the key is stored on an external medium such as a USB flash drive. To
start up, the system requires that medium to be plugged in so that the key can be
read and the operating system unlocked.

Our recommendation: Use this last option.

In the next window, select the USB flash drive on which to save the startup key and click Save. Next,
choose to save the recovery key on a USB flash drive. Once the recovery key is saved, in the
next window ensure that the Run BitLocker System Check option is selected and click
Continue. Finally, you will reboot the machine to launch the drive encryption; make
sure that the USB flash drive that contains the startup and recovery keys is plugged in.

12: Saving startup key in the flash drive


13: Saving recovery key in the flash drive
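The no-TPM procedure above, as an added example (not part of the original guide) run from an elevated PowerShell prompt. It assumes the OS drive is C: and the USB stick for the startup and recovery keys is E:; the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones behind the 'Require additional authentication at startup' policy, so on a standalone machine setting them is equivalent to the gpedit.msc step.

```powershell
# Added example (not part of the original guide): OS-drive encryption without a TPM,
# using a startup key on a USB stick. Assumptions: OS drive C:, USB stick E:.
$OsDrive  = "C:"
$UsbDrive = "E:"

# 1. Policy: allow BitLocker without a compatible TPM (what figure 10 does in gpedit).
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name UseTPMKey          -Type DWord -Value 2   # 2 = allow startup key

# 2. Sanity checks: if a ready TPM is actually present, the TPM procedure is preferable,
#    and the stick must exist before we try to write keys to it.
$tpm = Get-Tpm
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Warning "A ready TPM was found; consider the TPM procedure instead."
}
if (-not (Test-Path $UsbDrive)) { throw "USB drive $UsbDrive not found." }

# 3. Recovery password first, saved to the stick as the wizard does.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" |
    Set-Content -Path (Join-Path $UsbDrive "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt")

# 4. Startup key protector: BitLocker writes a hidden .BEK file to the stick, which must
#    be plugged in at every boot (the option recommended above). No -SkipHardwareTest,
#    so the system check still runs on the next reboot.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -StartupKeyProtector -StartupKeyPath $UsbDrive

# 5. Verify: both protector types registered and the .BEK file landed on the stick.
(Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
Get-ChildItem -Path $UsbDrive -Filter *.BEK -Hidden
```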


How to turn on BitLocker on data drives?


BitLocker can be turned on for fixed drives (a data partition on a machine) and for external
drives such as USB flash drives or USB hard drives. We start the procedure the same way as
for OS drives, and it has fewer steps.

On fixed drives

When you right-click on the data drive and select Turn on BitLocker, this is the interface you
get:

14: Turn on BitLocker on fixed data drive

Here we have three options to unlock our drive to get the data stored on it:

▪ Password: a set of alphanumeric characters used to gain access to information or a
computer. With this option you will be asked to type your password
every time you start your computer. You can change your password in the BitLocker
Drive Encryption Control Panel.
▪ Smart card: a smart card is a small plastic card containing a computer chip. If your
organization uses smart cards to access sensitive data, one can be used to unlock your
encrypted drive if this option is selected. You will need a smart card reader installed
or connected to the machine so that the information stored on the card can be read.
▪ Automatically unlock: this option allows your encrypted drive to be automatically
unlocked when you log on to Windows.

Our recommendation: On fixed drives, use a password to protect the data stored on them.
Even after you log on to Windows, the drive remains locked until you decide to open it with
your password. It locks itself automatically when the machine is turned off.

15: Set password to unlock drive

Next we save the recovery key in a USB flash drive and start the encryption.

On external drives

Rather than having three choices as with fixed drives, here we have two, as shown in the
image below.


16: Unlock option for external drives

In this case, the recovery key is not stored on a USB flash drive but saved to a file or printed. Then
you can start the drive encryption.

17: Saving recovery file for external drives
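The data-drive procedure (fixed and external) as an added example, not part of the original guide: a password protector as recommended for fixed drives, with the recovery key saved to a file as is done for external drives. It assumes the data drive is D: and that the recovery-key file goes to E:\BitLockerKeys on a separate drive.

```powershell
# Added example (not part of the original guide): password-protected data drive with
# the recovery key saved to a file. Assumptions: data drive D:, key folder E:\BitLockerKeys.
$DataDrive = "D:"
$KeyFolder = "E:\BitLockerKeys"

# 1. Data drives must be exFAT, FAT16, FAT32 or NTFS (see the requirements above).
$fs = (Get-Volume -DriveLetter $DataDrive.TrimEnd(':')).FileSystem
if ($fs -notin @('NTFS', 'exFAT', 'FAT32', 'FAT')) { throw "Unsupported file system: $fs" }

# 2. Read the password as a SecureString so it is never typed into the console history.
$pw = Read-Host -AsSecureString -Prompt "Password to unlock $DataDrive"

# 3. Recovery password protector and its file, before encryption starts. The file is
#    what the "Save to a file" option in figure 17 produces, on a drive other than D:.
$vol = Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
$keyFile = Join-Path $KeyFolder "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt"
"Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $keyFile

# 4. Password protector and encryption. -UsedSpaceOnly finishes quickly on a new drive;
#    leave it out for a drive that already held data, so free space is wiped too.
Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw -UsedSpaceOnly

# 5. Deliberately NOT calling Enable-BitLockerAutoUnlock: per the recommendation above,
#    the drive stays locked after Windows logon until unlocked by hand:
#    Unlock-BitLocker -MountPoint $DataDrive -Password $pw

# 6. Verify the volume type, state and registered protectors.
Get-BitLockerVolume -MountPoint $DataDrive |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```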

Given the importance of securing the data, we ask you to take action and start
encrypting your computers and drives as soon as possible, and at the latest before the end of this year
(31 December 2016). Drive encryption only concerns devices on which sensitive
information is stored, such as proGres servers (not necessarily clients), backup drives, and all data
drives that hold PoC-related data.


Contacts and support


All screenshots were taken on this model (ThinkPad T470s) and apply to
all ThinkPad models.

Md. Fahim Shahriar Chowdhury (shahriar@unhcr.org)
