How to encrypt a Windows 7 pin system drive. How to encrypt an entire hard drive using VeraCrypt. How BitLocker works

In this series, we have briefly talked about BitLocker technology, a security tool in modern Windows operating systems. That article described the architecture of the tool, which is of little practical use when actually performing disk encryption at home or in an organization. From the first article you could also learn that, to take full advantage of this technology, the computers whose disks will be encrypted must be equipped with a Trusted Platform Module (TPM), which, unfortunately, is far from present on every computer. Therefore, in the following articles of this series, when working with a trusted platform module is described, only its emulator on a virtual machine will be considered. I also think it is worth noting that neither this nor the following articles in this series will discuss unlocking data drives with smart cards.

As you probably know, BitLocker technology encrypts an entire drive, while the Encrypting File System (EFS) encrypts only individual files. Naturally, in some cases you need to encrypt only certain files and there would seem to be no point in encrypting the whole partition, but it is advisable to use EFS only on computers on the intranet that will not be moved between departments and offices. In other words, if a user has a laptop, periodically travels on business trips, and has, say, only a few dozen files on the computer that need to be encrypted, it is still better to use BitLocker on that laptop rather than the encrypting file system. The reason is that EFS cannot encrypt such vital elements of the operating system as the registry files. If an attacker gets at the registry of that laptop, he can find a lot of interesting information, such as cached data for the user's domain account, password hashes and much more, which can later cause significant harm and loss not only to this user but to the entire company. With BitLocker, unlike the encrypting file system, all data located on the encrypted disk of the laptop is encrypted, as noted above. Many may ask how other users in the organization can then use files encrypted with this technology. In fact, it is very simple: if a computer with BitLocker-encrypted files is shared, authorized users can work with those files as easily as if there were no encryption on that computer at all. In addition, if files located on an encrypted disk are copied to another computer or to an unencrypted disk, they are automatically decrypted.

In the following sections, you will learn how to encrypt the system and secondary partitions on a non-TPM laptop running Windows 7.

Enable BitLocker encryption for the system partition

There is nothing complicated about enabling BitLocker drive encryption on the system partition of a computer that is not part of a domain. Before encrypting the system disk, note that on the laptop on which the disks will be encrypted, three partitions have been created, and the first two are the ones to be encrypted:

Fig. 1. Windows Explorer on the laptop on which the disks will be encrypted

To encrypt the system partition, follow these steps:

  1. First of all, since the laptop in this example does not have a TPM, some preliminary steps are advisable. Open the "Local Group Policy Editor" snap-in and go to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. Six different policy settings are located here. Since this laptop is not equipped with a TPM, you have to make sure that, before the operating system loads, a USB drive containing a special key is used to confirm authentication and allow the system to boot. The policy setting that controls this is "Require additional authentication at startup". In the properties dialog box for this policy setting, check the option "Allow BitLocker without a compatible TPM". Since this is the only option that matters when encrypting a disk in a workgroup, save the changes. The properties dialog box for this policy setting is shown in the following illustration:

     Fig. 2. Require Additional Authentication at Startup policy setting properties dialog box

     There are many different Group Policy settings available to manage BitLocker technology. These options will be discussed in detail in a future article on BitLocker technology.

  2. Open "Control Panel", go to the "System and Security" category and then select "BitLocker Drive Encryption";
  3. In the Control Panel window that appears, select the system partition, and then click on the link "Enable BitLocker". Note that you can only encrypt a partition if it is located on a basic disk. If you have created partitions on a dynamic disk, before encrypting them you will need to convert the disk from dynamic to basic. The following illustration shows the "BitLocker Drive Encryption" window:

     Fig. 3. Control Panel BitLocker Drive Encryption window

  4. After your computer's configuration has been checked, on the first page of the BitLocker Drive Encryption Wizard you can specify various startup options. But since my laptop does not have a TPM, and the Group Policy setting has been changed to allow BitLocker encryption on hardware without a TPM, I can only select "Require a Startup key at every startup". The first page of the wizard is shown below:

     Fig. 4. BitLocker Drive Encryption Wizard startup options

  5. On the "Save your Startup key" page of the BitLocker Drive Encryption wizard, attach a flash drive to your computer and then select it in the list. After you select the drive, click the "Save" button;
  6. On the third page of the wizard, you specify the location for the recovery key. The recovery key is a small text file containing some instructions, a drive label, a password ID and a 48-digit recovery key. Keep in mind that this key differs from the startup key: it is used to gain access to data when it is impossible to access it by any other means. You can choose one of three options: save the recovery key to a USB flash drive, save the recovery key to a file, or print the recovery key. Please note that when choosing the first option, you need to save the recovery key and the startup key on different flash drives. Since it is recommended to save several copies of the recovery key, and on computers other than the one being encrypted, in my case the recovery key was saved in a network folder on one of my servers, as well as on an HP cloud drive. Now the contents of the recovery key are known only to me and HP, although, most likely, they assure us of the complete confidentiality of the information. If you print out the recovery key, Microsoft recommends storing the document in a locked safe. I recommend simply memorizing these 48 digits and, after reading the document, burning it :). The "How do you want to store your recovery key?" page of the BitLocker encryption wizard is shown in the following illustration:

     Fig. 5. Saving the recovery key for data encrypted with BitLocker

  7. This is the last page of the Drive Encryption Wizard; here you can run a BitLocker system check to ensure that you can use your recovery key if necessary. To complete the system check, you will be prompted to restart your computer. In principle, this step is not mandatory, but it is still advisable to perform the check. You can see the last page of the wizard below:

     Fig. 6. Last page of the Drive Encryption Wizard

  8. Immediately after the POST, you will be prompted to insert the flash drive with the startup key in order to start the operating system. Once the computer has restarted and BitLocker has confirmed that nothing unforeseen will happen after encryption, the disk encryption process itself begins. You will know this from the icon displayed in the notification area, or by opening the "BitLocker Drive Encryption" window from the Control Panel. The encryption process runs in the background, so you can continue working on your computer while it runs, but BitLocker will make heavy use of the processor and of free space on the disk being encrypted. To see what percentage of your drive is already encrypted, find the "Encrypting %volume_name% using BitLocker Drive Encryption" icon in the notification area and double-click it. The BitLocker notification icon and the "BitLocker Drive Encryption" dialog box are shown below:

     Fig. 7. Encryption in progress

  9. Once the BitLocker drive encryption process is complete, you will be notified that encryption of the drive you selected has completed successfully. This dialog box can be seen below:

     Fig. 8. Completing BitLocker Drive Encryption

For those who are encrypting a disk for the first time, I would like to note that this procedure is not instantaneous: for example, it took me 70 minutes to encrypt a system disk with a capacity of 75 gigabytes.

Now, as you can see in the following illustration, in Windows Explorer there is a lock on the system partition icon, which means that this partition is encrypted using BitLocker technology:

Fig. 9. Windows Explorer with an encrypted system partition

Conclusion

In this article, you learned how to encrypt a drive using BitLocker technology. It covered both the preparation for encryption and the encryption of the disk itself using the graphical interface. Since at the beginning of the article I indicated that two drives on this laptop will be encrypted, in the next article you will learn how to encrypt a drive with BitLocker using the command-line utility manage-bde.

Hello, friends! In this article we will continue to study the systems built into Windows that are designed to increase the security of our data. Today it is the BitLocker disk encryption system. Data encryption is necessary to prevent strangers from using your information. How they would get hold of it is another question.

Encryption is the process of transforming data so that only the right people can access it. Keys or passwords are usually used to gain access.

Encrypting the entire drive prevents access to the data when the hard drive is connected to another computer. An attacker may boot a different operating system to bypass the protection, but this will not help if you are using BitLocker.

BitLocker technology appeared with the release of the Windows Vista operating system and was improved in Windows 7. BitLocker is available in the Windows 7 Ultimate and Enterprise editions, as well as in Windows 8 Pro. Owners of other editions will have to look for an alternative.

How BitLocker Drive Encryption Works

Without going into details, it looks like this. The system encrypts the entire disk and gives you the keys to it. If you encrypt the system disk, the computer will not boot without your key. It is the same as with apartment keys: if you have them, you get in; if you lose them, you need to use the spare one (the recovery code issued during encryption) and change the lock (encrypt again with different keys).

For reliable protection, it is desirable to have a TPM (Trusted Platform Module) in your computer. If it is present and its version is 1.2 or higher, it will control the process and stronger protection methods become available. If it is absent, only a key on a USB drive can be used.

BitLocker works as follows. Each sector of the disk is encrypted separately with the full-volume encryption key (FVEK). By default the AES algorithm is used with a 128-bit key and a diffuser; the key length can be changed to 256 bits in Group Policy.

To do this, use the search in Windows 7: open the Start menu, type "policy" in the search field and select Edit group policy.

In the window that opens on the left side, follow the path

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

On the right side, double-click Choose drive encryption method and cipher strength.

In the window that opens, select Enabled. In the Select the encryption method section, choose the desired one from the drop-down list.

The most reliable option is AES with a 256-bit key and diffuser. In this case the load on the processor will most likely be slightly higher, but not by much, and on modern computers you will not notice the difference. The data, however, will be protected more reliably.

The diffuser further increases reliability because a slight change in the original data leads to large changes in the encrypted result. That is, when two sectors with almost identical data are encrypted, the results differ significantly.

The FVEK itself is stored in the volume metadata and is in turn encrypted with the volume master key (VMK). The VMK is encrypted using the TPM or, if there is no TPM, using the key on the USB drive.

If the USB drive with the key is unavailable, you will need to use the 48-digit recovery code. With it, the system can decrypt the volume master key, with which it decrypts the FVEK, with which the disk is unlocked and the operating system boots.
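The key hierarchy described above (FVEK wrapped by the VMK, the VMK wrapped separately by each protector, the 48-digit recovery password as the fallback), as an added toy model that is not part of the original article. It uses a SHA-256/HMAC key-wrap as a stand-in for BitLocker's AES wrapping, omits the key-stretching step of the real recovery-password derivation, and the Volume class and every key in it are constructed for the example.

```python
import hashlib
import hmac
import secrets

# --- toy key-wrap primitive (stand-in for the AES wrapping BitLocker uses) ---
# XOR with a SHA-256 counter keystream plus an HMAC tag, so unwrapping with the
# wrong protector key is detected instead of silently yielding garbage.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong protector key: cannot unwrap")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- the 48-digit recovery password ---
# Format: 8 groups of 6 decimal digits; each group is a multiple of 11 and
# below 720896 (= 11 * 2**16), so group // 11 fits in 16 bits and the eight
# groups carry 128 bits of key material (stored little-endian in this model).

def recovery_password_to_key(password: str) -> bytes:
    groups = password.replace(" ", "").split("-")
    if len(groups) != 8 or any(len(g) != 6 or not g.isdigit() for g in groups):
        raise ValueError("expected 8 groups of 6 digits")
    key = b""
    for g in groups:
        n = int(g)
        if n % 11 != 0 or n >= 720896:
            raise ValueError(f"group {g} fails the recovery-password check")
        key += (n // 11).to_bytes(2, "little")
    return key


def key_to_recovery_password(key16: bytes) -> str:
    """Inverse of the above: 16 key bytes -> 8 groups of 6 digits."""
    groups = [int.from_bytes(key16[i:i + 2], "little") * 11 for i in range(0, 16, 2)]
    return "-".join(f"{g:06d}" for g in groups)


def is_valid_recovery_password(password: str) -> bool:
    try:
        recovery_password_to_key(password)
        return True
    except ValueError:
        return False


# --- key hierarchy of one volume ---

class Volume:
    """FVEK encrypts sectors; VMK wraps the FVEK; each protector wraps the VMK."""

    def __init__(self):
        self.fvek = secrets.token_bytes(16)
        self.vmk = secrets.token_bytes(32)
        self.wrapped_fvek = wrap(self.vmk, self.fvek)   # lives in volume metadata
        self.protectors = {}   # name -> VMK wrapped under that protector's key

    def add_protector(self, name: str, key: bytes) -> None:
        self.protectors[name] = wrap(key, self.vmk)

    def unlock(self, name: str, key: bytes) -> bytes:
        """Recover the FVEK (i.e. unlock the disk) through one protector."""
        vmk = unwrap(key, self.protectors[name])
        return unwrap(vmk, self.wrapped_fvek)

    def replace_protector(self, via: str, via_key: bytes, lost: str, new_key: bytes) -> None:
        """'Change the lock' after losing a protector: unlock through a surviving
        one (e.g. the recovery password), rotate the VMK and re-wrap. The FVEK,
        and thus every encrypted sector, is untouched: no data re-encryption.
        Only the two named protectors survive in this simplified model."""
        fvek = self.unlock(via, via_key)
        self.vmk = secrets.token_bytes(32)
        self.wrapped_fvek = wrap(self.vmk, fvek)
        self.protectors = {n: wrap(k, self.vmk) for n, k in {via: via_key, lost: new_key}.items()}


def unlock_ok(volume: Volume, name: str, key: bytes) -> bool:
    try:
        volume.unlock(name, key)
        return True
    except (ValueError, KeyError):
        return False
```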

BitLocker improvements in Windows 7

When installing Windows 7 from a flash drive or disc, you are prompted to partition or configure the disk. When the disk is set up, an additional 100 MB boot partition is created. I was probably not the only one who wondered what it was for. This is exactly the partition that BitLocker technology needs in order to work.

This partition is hidden and bootable, and it is not encrypted, otherwise it would be impossible to load the operating system.

In Windows Vista, this partition or volume should be 1.5 GB. In Windows 7 it was made 100 MB.

If, when installing the operating system, you partitioned the disk with third-party programs, that is, you did not create a boot partition, then in Windows 7 BitLocker will prepare the necessary partition itself. In Windows Vista you had to create it with an additional tool supplied with the operating system.

Windows 7 also introduced BitLocker To Go technology for encrypting flash drives and external hard drives. Let's look at it later.

How to enable BitLocker drive encryption

By default, BitLocker is configured to work with a TPM and will refuse to start if it is missing. (First just try to enable encryption; if it starts, you don't need to change anything in group policies.)

To start encryption, go to Control Panel\System and Security\BitLocker Drive Encryption

Select the desired disk (in our example it is the system partition) and click Enable BitLocker

If you see a picture like below

you need to edit group policies.

Using search from the Start menu, call up Local Group Policy Editor

Let's go along the way

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

On the right, select Require additional authentication at startup.

In the window that opens, select Enabled, then make sure that the Allow BitLocker without a compatible TPM checkbox is checked and click OK.

After this, BitLocker can be launched. You will be asked to select the only available security option, Require a startup key at startup. That is what we choose.

Insert the USB flash drive onto which the startup key will be written and click Save

Now you need to save the recovery key in case the flash drive with the startup key is not at hand. You can save the key to a flash drive (preferably a different one), save it to a file for later transfer to another computer, or print it out immediately.

The recovery key should naturally be stored in a safe place. I will save the key to a file.

The recovery key is a plain text document containing the key itself.

Then you will see a final window in which you are advised to run the BitLocker system check before encrypting the drive. Click Continue.

Save all open documents and click Restart now.

Here's what you'll see if something goes wrong

If everything works, then after restarting the computer, encryption will start

The time depends on the power of your processor, the capacity of the partition or volume you are encrypting and the data-transfer speed of the drive (SSD or HDD). A 60 GB solid-state drive filled almost to capacity was encrypted in about 30 minutes, with a volunteer distributed-computing client still running in the background.

When encryption is complete you will see the following picture

Close the window and check whether the startup key and recovery key are in safe places.

Encrypting a flash drive - BitLocker To Go

With the advent of BitLocker To Go technology in Windows 7, it became possible to encrypt flash drives, memory cards and external hard drives. This is very convenient because it is much easier to lose a flash drive than a laptop or netbook.

Through searching or following the path

Start > Control Panel > System and Security > BitLocker Drive Encryption

open the control window. Insert the flash drive you want to encrypt and in the BitLocker To Go section enable encryption for the desired USB drive

You must select a method to unlock the drive. The choice is small: a password or a smart card with a PIN code. Smart cards are issued by special departments in large corporations. Let's use a simple password.

Check the box next to Use a password to unlock the drive and enter the password twice. By default, the minimum password length is 8 characters (this can be changed in group policies). Click Next.

Choose how to save the recovery key. Printing it is probably the safe option. Save it and click Next.

Click Start encryption and protect your data

Encryption time depends on the capacity of the flash drive, how full it is with information, the power of your processor and the speed of data exchange with the computer.

On large flash drives or external hard drives, this procedure can take a long time. In theory, the process can be completed on another computer. To do this, pause encryption and safely eject the drive. Insert it into another computer, unlock it by entering your password, and encryption continues automatically.

Now when you insert the flash drive into your computer, the window shown below appears asking you to enter the password.

If you trust this computer and do not want to enter the password every time, check the box Automatically unlock on this computer and click Unlock. On this computer you will no longer have to enter the password for this flash drive.

In order for the information on an encrypted USB drive to be used on computers running Windows Vista or Windows XP, the flash drive must be formatted with the FAT32 file system. On these operating systems, the flash drive can be unlocked only by entering the password, and the information is read-only; writing is not possible.

Encrypted partition management

Management is carried out from the BitLocker Drive Encryption window. You can find this window using search, or you can go to the address

Control Panel > System and Security > BitLocker Drive Encryption

You can turn off encryption by clicking "Turn off BitLocker". In this case the disk or volume is decrypted. This takes some time, and no keys will be needed afterwards.

You can also pause protection here

This function is recommended when updating the BIOS or editing the boot partition (the same 100 MB one). You can pause protection only on the system drive (the partition or volume on which Windows is installed).

Why pause protection? So that BitLocker does not lock your drive and force you into the recovery procedure. System parameters (the BIOS and the contents of the boot partition) are tied to the encryption as additional protection; changing them may lock your computer.

If you select Manage BitLocker, you can Save or Print the Recovery Key and Duplicate the Startup Key

If one of the keys (the startup key or the recovery key) is lost, you can recreate it here.
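As an added example that is not from the original article, a small audit of the text printed by `manage-bde -status` (the command-line counterpart of the BitLocker Drive Encryption window), checking the points this section cares about: the volume is fully encrypted, protection is not paused, the encryption method matches the policy chosen earlier (AES 256 with diffuser), and both a startup-key (External Key) and a recovery-password (Numerical Password) protector exist. The sample output is constructed for the example and follows the tool's label layout.

```python
import re

# Constructed sample laid out like `manage-bde -status C:` on Windows 7
# (the values are invented for this example).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 6.1.7601
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [OS]
[OS Volume]

    Size:                 74.52 GB
    BitLocker Version:    Windows 7
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        External Key
        Numerical Password
"""

# Indented "Label: value" lines; protector names follow "Key Protectors:" with deeper indent.
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+?):\s*(.*)$")


def parse_status(text: str) -> dict:
    """Return the 'Label: value' fields plus the list of key protectors."""
    fields, protectors, in_protectors = {}, [], False
    for line in text.splitlines():
        if in_protectors and line.startswith(" " * 8):
            name = line.strip()
            if name != "None Found":
                protectors.append(name)
            continue
        in_protectors = False
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.group(1), m.group(2).strip()
        if label == "Key Protectors":
            in_protectors = True
        else:
            fields[label] = value
    fields["Key Protectors"] = protectors
    return fields


def audit(fields: dict, required_method: str = "AES 256 with Diffuser") -> list:
    """Return a list of findings; an empty list means the volume passes every check."""
    findings = []
    conv = fields.get("Conversion Status")
    if conv != "Fully Encrypted":
        findings.append(f"Conversion Status is {conv!r}, not Fully Encrypted")
    prot = fields.get("Protection Status")
    if prot != "Protection On":
        findings.append(f"Protection Status is {prot!r}: protectors are suspended")
    method = fields.get("Encryption Method")
    if method != required_method:
        findings.append(f"Encryption Method is {method!r}, policy requires {required_method!r}")
    protectors = set(fields.get("Key Protectors", []))
    if "Numerical Password" not in protectors:
        findings.append("no Numerical Password (recovery password) protector to fall back on")
    if not protectors & {"TPM", "External Key"}:
        findings.append("no TPM or External Key (startup key) protector for boot-time unlock")
    return findings


def audit_text(text: str, required_method: str = "AES 256 with Diffuser") -> list:
    return audit(parse_status(text), required_method)


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_STATUS) or ["OK: volume passes every check"]:
        print(finding)
```

On the sample above the only finding is the encryption method, because the volume was encrypted with the default AES 128 with Diffuser rather than the 256-bit setting.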

Manage encryption of external drives

The following functions are available to manage the encryption settings of the flash drive:

You can change the password used to unlock it. You can remove the password only if a smart card is used to unlock the drive instead. You can also save or print the recovery key and enable automatic unlocking of the drive on this computer.

Recovering disk access

Restoring access to the system disk

If the flash drive with the key is not at hand, the recovery key comes into play. When you boot your computer you will see something like the following:

To restore access and load Windows, press Enter.

You will see a screen asking you to enter your recovery key.

When you enter the last digit, provided the recovery key is correct, the operating system will automatically boot.

Restoring access to removable drives

To restore access to information on a flash drive or external HDD, click Forgot your password?

Select Enter recovery key

and enter this terrible 48-digit code. Click Next.

If the recovery key is correct, the disk will be unlocked.

A link appears to Manage BitLocker, where you can change the password to unlock the drive.

Conclusion

In this article, we learned how to protect our information by encrypting it with the built-in BitLocker tool. It is disappointing that this technology is only available in the higher, more expensive editions of Windows. It also became clear why the hidden, bootable 100 MB partition is created when a disk is set up by Windows.

Perhaps I will use encryption of flash drives or external hard drives. But this is unlikely since there are good substitutes in the form of cloud data storage services such as DropBox, Google Drive, Yandex Drive and the like.

Best regards, Anton Dyachenko

YouPK.ru

Enable or disable Bitlocker in windows

No one is surprised any more that purely personal information or corporate data of high value may be stored on a personal computer. It is undesirable for such information to fall into the hands of third parties who could use it, causing serious problems for the owner of the PC.

Depending on the circumstances, BitLocker can be enabled or disabled.

It is for this reason that many users wish to take some action to limit access to all files stored on the computer. Such a procedure exists. After certain manipulations, no outsider, without knowing the password or the recovery key, will be able to gain access to the documents.

You can protect important information from being accessed by third parties by encrypting your drive with BitLocker. This ensures the confidentiality of documents not only on a specific PC, but also in the case when someone removes the hard drive and inserts it into another computer.

Algorithm for enabling and disabling the function

BitLocker disk encryption works on Windows 7, 8 and 10, but not in all editions. It is assumed that the motherboard of the computer on which the user wants to perform encryption has a TPM module.

ADVICE. Don't be upset if you know for sure that there is no such module on your motherboard. There is a setting that allows you to bypass this requirement and, accordingly, enable encryption without such a module.

Before you begin encrypting all files, note that this procedure is quite lengthy. It is difficult to give an exact amount of time in advance; it all depends on how much information is on the hard drive. During the encryption process, Windows 10 will continue to work, but its performance will be significantly reduced.

Enabling the feature

If you have Windows 10 installed on your computer and you want to enable data encryption, use our tips so that you not only succeed, but also find the way to do it easy. First, find the "Win" key on your keyboard (it usually carries the Windows logo), hold it down, and at the same time press the "R" key. Pressing these two keys together opens the Run window.

In the window that opens, you will find an empty line in which you will need to enter “gpedit.msc”. After clicking the “Ok” button, a new “Local Group Policy Editor” window will open. In this window we have a short way to go.

On the left side of the window, find and click "Computer Configuration"; in the submenu that opens, find "Administrative Templates", and then in the next submenu go to the first item in the list, "Windows Components".

Now look at the right side of the window, find "BitLocker Drive Encryption" there and double-click it. A new list opens, in which your next goal is the line "Operating System Drives". Click this line as well; just one more step brings you to the window where BitLocker is configured and can be enabled, which is exactly what you want.

Find the line "Require additional authentication at startup" and double-click it to open this setting. In the window that opens, find the "Enabled" option and select it.

Just below in this window there is a subsection "Options", in which you need to check the box next to "Allow BitLocker without a compatible TPM". This is very important, especially if your Windows 10 computer does not have a TPM module.

The configuration of the required setting is finished in this window, so you can close it. Now move the mouse cursor over the "Windows" icon and right-click it, which opens a context menu. In it you will find "Control Panel"; go there, and then to "BitLocker Drive Encryption".

Be sure to indicate where you want the encryption to occur. This can be done on both hard and removable drives. After selecting the desired object, click on the “Enable Bitlocker” button.

Now Windows 10 will start an automatic process, occasionally asking you to make a choice. Of course, it is best to make a backup before undertaking such a process: otherwise, if the password and the recovery key are lost, even the PC owner will not be able to recover the information.

Next, the process of preparing the disk for subsequent encryption will begin. While this process is running, you are not allowed to turn off the computer, as this action can cause serious harm to the operating system. After such a failure, you simply will not be able to start your Windows 10, therefore, instead of encryption, you will have to install a new operating system, wasting extra time.

As soon as the disk preparation is successfully completed, the actual setup of the disk for encryption begins. You will be prompted to enter a password, which will later provide access to the encrypted files. You will also be asked to create and save a recovery key. Both of these important items are best kept in a safe place, preferably printed. It is very unwise to store the password and recovery key on the PC itself.

During the encryption process, the system may ask you which part specifically you want to encrypt. It is best to subject the entire disk space to this procedure, although there is an option to encrypt only the occupied space.

All that remains is to select the "New encryption mode" option and then run the BitLocker system check. The system then continues the process, after which you will be prompted to restart your PC. Of course, do so and reboot.

After the next launch of Windows 10, you will be convinced that access to documents without entering a password will be impossible. The encryption process will continue, you can control it by clicking on the BitLocker icon located in the notification panel.

Disabling the feature

If for some reason the files on your computer are no longer of high importance, and you don’t really like entering a password every time to access them, then we suggest that you simply disable the encryption function.

To do this, go to the notification area, find the BitLocker icon there, and click it. At the bottom of the window that opens you will find the line "Manage BitLocker"; click it.

Now the system will prompt you to choose which action is preferable for you:

  • archive the recovery key;
  • change the password for accessing encrypted files;
  • remove a previously set password;
  • disable BitLocker.

Of course, if you decide to disable BitLocker, you should choose the last option offered. A new window will immediately appear on the screen, in which the system will want to make sure that you really want to disable the encryption function.

ATTENTION. As soon as you click on the “Disable BitLocker” button, the decryption process will begin immediately. Unfortunately, this process is not characterized by high speed, so you will definitely have to prepare yourself for some time, during which you will simply have to wait.

Of course, if you need to use the computer at this moment, you can; there is no prohibition on this. However, you should be prepared for the fact that PC performance may be extremely low. The reason for this slowness is easy to understand: the operating system has to decrypt a huge amount of information.

So, if you want to encrypt or decrypt files on your computer, you just need to read our recommendations, then without haste carry out each step of the indicated algorithm, and upon completion, rejoice at the result achieved.

NastroyVse.ru

Setting up Bitlocker

BitLocker is a tool that provides data encryption at the volume level (a volume can occupy part of a disk, or can span an array of several disks). BitLocker is used to protect your data in case of loss or theft of a laptop or computer. In its original version, BitLocker protected only one volume, the disk with the operating system. BitLocker is included with all editions of Server 2008 R2 and Server 2008 (except the Itanium edition), plus Windows 7 Ultimate and Enterprise, and Windows Vista. In Windows Server 2008 and Vista SP1, Microsoft implemented protection for various volumes, including local data volumes. In Windows Server 2008 R2 and Windows 7, the developers added support for removable data storage devices (USB flash drives and external hard drives). This feature is called BitLocker To Go. BitLocker technology uses the AES encryption algorithm; the key can be stored in a TPM (Trusted Platform Module, a special chip installed in a computer during its manufacture that provides storage of encryption keys) or on a USB device. The following access combinations are possible:

  • TPM
  • TPM + PIN
  • TPM + PIN + USB key
  • TPM + USB key
  • USB key

Since computers often do not have a TPM, I want to describe step by step how to configure BitLocker with a USB drive.

Go to “Computer” and right-click on the local drive that we want to encrypt (in this example we will encrypt local drive C) and select “Enable BitLocker”.


After these steps we will see an error.

This is expected: as I already wrote, there is no TPM module on this computer, hence the error. It is easily fixed by changing the computer's local policy. Open the Local Group Policy Editor by typing gpedit.msc in the search field and pressing Enter.

The Local Group Policy Editor window opens. Go to Computer Configuration - Administrative Templates - Windows Components - BitLocker Drive Encryption - Operating System Drives, open the “Require additional authentication at startup” policy and set it to Enabled. Also make sure that the “Allow BitLocker without a compatible TPM” checkbox is checked. Click OK.

Now, if you repeat the first steps to enable BitLocker on the local drive, a window opens for configuring disk encryption; select “Require a startup key at every startup” (in fact there was no other choice here, because there is no TPM).

In the next window, select the USB device on which the key will be stored.

Then we choose where to save the recovery key (the key that is entered manually if the media holding the main key is lost). I recommend saving it on another USB drive or on another computer, or printing it out. If you save the recovery key on the same computer or on the same USB drive, you will not be able to start Windows if you lose the USB drive on which the key is saved. In this example I saved it to another USB drive.

In the next window, run the Bitlocker system check by clicking the “Continue” button, after which the computer will restart.

After the computer boots, the encryption process window will appear. This is often a lengthy procedure requiring several hours.

As a result, we have an encrypted drive C, which will not start without a USB drive with a key or a recovery key.

pk-help.com

How to set up BitLocker data encryption for Windows

To protect against unauthorized access to files stored on the hard drive, as well as on removable drives (external drives or USB flash drives), Windows OS users have the ability to encrypt them using the built-in BitLocker and BitLocker To Go encryption software.

The BitLocker encryption program and BitLocker To Go are pre-installed in the Professional and Enterprise editions of Windows 8/8.1, as well as in the Ultimate edition of Windows 7. Users of the basic edition of Windows 8.1 also have access to the “Device Encryption” option, which acts as an analogue of BitLocker in the more advanced editions of the operating system.

Enable BitLocker encryption software

To enable the BitLocker encryption program, open Control Panel and then go to System and Security > BitLocker Drive Encryption. You can also open Windows Explorer (“Computer”), right-click on the selected drive and select “Enable BitLocker” from the context menu. If that item is not in the menu, your edition of Windows does not include BitLocker.

To enable BitLocker for your system drive, data drive, or removable drive, you must select Enable BitLocker.

In this window, 2 types of BitLocker drive encryption are available to you:

  • BitLocker Drive Encryption - Hard Drives: This feature allows you to encrypt your entire drive. When you boot your computer, the Windows boot loader will load data from the area of the hard drive reserved by the system, and you will be prompted for the type of unlock you have specified, for example, to enter a password. BitLocker will then perform the data decryption process and the Windows boot process will continue. In other words, encryption can be thought of as a process that occurs unnoticed by the user. As usual, you work with files and data, which in turn are encrypted on the disk. In addition, you can use encryption not only for system drives.
  • "BitLocker Drive Encryption - BitLocker To Go": External storage devices such as USB flash drives or external hard drives can be encrypted using the BitLocker To Go utility. When you connect an encrypted device to your computer, you will be asked, for example, to enter a password, which will protect your data from strangers.

Using BitLocker without a TPM

If you try to encrypt using BitLocker on a PC without a Trusted Platform Module (TPM) installed, the window below will open asking you to enable the “Allow BitLocker without a compatible TPM” option.

By default, BitLocker requires a PC with a hardware TPM in order to protect the system drive. The TPM is a small chip installed on the motherboard. BitLocker can store encryption keys there, which is more secure than storing them on a regular data drive. The TPM releases the keys only after startup and after checking the system state, so the data cannot be decrypted if only the hard drive is stolen, or if an image of the encrypted disk is taken to another PC for offline attacks.

To enable the above option, you must have administrator rights. You just need to open the “Local Group Policy Editor” and enable the following option.

Press the Win + R key combination to launch the Run dialog and enter the command gpedit.msc. Next, go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Double-click the “Require additional authentication at startup” option, select “Enabled” and check the “Allow BitLocker without a compatible TPM” checkbox. Click “Apply” to save the settings.

Selecting a disk unlock method

If you successfully complete the above steps, you will be prompted with the “Choose how to unlock your drive at startup” window. If your PC does not have a TPM module, then you have two options: enter a password or use a special USB flash drive (smart card) as an unlock key.

If a TPM module is present on the motherboard, more options will be available to you. For example, you can configure automatic unlocking when the computer boots: all keys will be stored in the TPM and will automatically be used to decrypt data on the disk. You can also set a PIN for the bootloader, which unlocks the decryption keys stored in the TPM, and those in turn unlock the entire disk.

Choose the method that suits you best and follow the installer's instructions.

Creating a backup key

BitLocker also gives you the ability to create a backup key. This key will be used to access encrypted data if you forgot or lost your main key, for example, forgot the key access password or moved the hard drive to a new PC with a new TPM module, etc.

You can save the key to a file, print it, place it on an external USB drive, or save it to your Microsoft account (for Windows 8 and 8.1 users). The main thing is to be sure that this backup key is stored in a safe place, otherwise an attacker can easily bypass BitLocker and gain access to all the data of interest to him. But despite this, it is imperative to create a backup key, since if you lose the main key without a backup key, you will lose all your data.

Disk encryption and decryption

BitLocker will automatically encrypt new files as they are written, but you have to choose how you want to encrypt the rest of your disk space. You can encrypt the entire disk (including free space), which is the second option in the screenshot below, or just the used space, which is the first option and speeds up the encryption process.

When using BitLocker on a new PC (meaning, with a freshly installed OS), it is better to use encryption of the space occupied by files, as this will take a little time. However, if you enable encryption for a disk that has been in use for a long time, it is better to use a method in which the entire disk is encrypted, even with free space. This method will make it impossible to recover previously deleted files that were not encrypted. Thus, the first method is faster, but the second is more reliable.

When further setting up encryption, BitLocker will analyze the system and restart the computer. After restarting the PC, the encryption process will start. It will be displayed in the tray as an icon, with the help of which you will see the percentage progress of the process. You will continue to be able to use your computer, but there will be a slight system slowdown due to file encryption running at the same time.

After encryption is complete and the next time you start your PC, BitLocker will present you with a window in which you will need to enter a password, PIN, or insert a USB drive as a key (depending on how you previously configured access to the key).

Pressing the Escape key in this window will take you to the window for entering the backup key if access to the primary key has been lost.

If you select the BitLocker To Go encryption method for external devices, you will be presented with a similar setup wizard, however, in this case, you will not need to restart your computer. Do not disconnect the external drive until the encryption process is complete.

The next time you connect the encrypted device to the PC, you will be asked for a password or smart card to unlock it. A device protected with BitLocker will appear with a corresponding icon in the file manager or Windows Explorer.

You can manage the encrypted drive (change the password, turn off encryption, create backup copies of the key, etc.) using the BitLocker Control Panel window. Right-clicking on the encrypted drive and selecting "Manage BitLocker" will take you to your destination.

Like any other method of protecting information, on-the-fly encryption with BitLocker will, of course, consume some of your computer's resources. This mainly shows up as increased CPU load, because data is continuously encrypted and decrypted as it is written to and read from the disk. On the other hand, for people whose information must be reliably protected from prying eyes, information that would hand attackers an advantage, this loss of performance is an acceptable compromise.

osmaster.org.ua

Encryption in Windows 7 using BitLocker

Vladimir Bezmaly

On January 7, 2009, Microsoft released for testing the next version of its workstation operating system, Windows 7. As has become customary, security technologies are widely represented in this operating system, including those previously introduced in Windows Vista. Today we will talk about the Windows BitLocker encryption technology, which has undergone significant changes since its introduction in Windows Vista. It seems that today no one needs to be convinced of the need to encrypt data on hard drives and removable media; nevertheless, we will present the arguments in favor of this solution.

Loss of confidential data due to theft or loss of mobile devices

Today, the cost of hardware is many times less than the cost of the information contained on the device. Lost data can lead to loss of reputation, loss of competitiveness and potential litigation.

All over the world, data encryption has long been regulated by relevant legislation. In the USA, for example, the Government Information Security Reform Act (GISRA) requires data encryption to protect sensitive government information. EU countries have adopted the European Union Data Privacy Directive. Canada and Japan have their own regulations.

All of these laws impose severe penalties for the loss of personal or corporate information. Once your device is stolen (lost), your data may be lost along with it. Data encryption can be used to prevent unauthorized access to data. In addition, do not forget about such dangers as unauthorized access to data during repairs (including warranty) or the sale of used devices.

That these are not empty words has, alas, been repeatedly confirmed by facts. A contract employee of the UK Home Office lost a memory card containing the personal data of hundreds of thousands of criminals, including those serving prison sentences, according to a statement from the department. The media contained the names, addresses and, in some cases, details of the charges of 84,000 prisoners held in prisons in the United Kingdom. The memory card also held the addresses of 30 thousand people with six or more convictions. As the ministry clarified, the information on the memory card was being used by a researcher from RA Consulting. “We have become aware of a security breach which resulted in a contract employee losing personal information about lawbreakers in England and Wales. A thorough investigation is now underway,” said a Home Office representative.

Shadow Home Secretary Dominic Grieve has already commented on the matter. He noted that British taxpayers would be "absolutely shocked" by the government's handling of classified information.

This is not the first case in the UK of loss of confidential information by various organizations and departments, Grieve recalled.

In April, the large British bank HSBC admitted to losing a disk on which the personal data of 370 thousand of its clients was stored. In mid-February, it became known that a laptop with the medical data of 5,123 patients was stolen from Russells Hall Hospital in Dudley (West Midlands). At the end of January, it was reported that a laptop with the personal data of 26 thousand employees was stolen from the British supermarket chain Marks and Spencer. The head of the British Ministry of Defence, Des Browne, announced on January 21 that three laptops with the personal data of thousands of people had been stolen from the department.

Last December it was revealed that a private US company had lost the records of three million UK driving license applicants. They were contained on the computer's hard drive. The lost data includes the names, addresses and telephone numbers of driver's license applicants between September 2004 and April 2007.

At the end of October 2007, two disks containing information on 25 million child benefit recipients and their bank accounts disappeared en route between two government agencies. A massive search operation costing taxpayers £500,000 has yielded no results.

Also in June of this year, a package with secret documents (http://korrespondent.net/world/493585) containing information on the fight against terrorist financing, drug smuggling and money laundering was discovered on one of the trains heading to London. Previously, a package containing secret documents relating to the latest information about the Al-Qaeda terrorist network was discovered (http://korrespondent.net/world/490374) on a train seat in London. The question is, what were the users thinking who allowed this to happen?

Here's another fact that should make mobile device owners think.

According to a report by the Ponemon Institute (http://computerworld.com/action/inform.do?command=search&searchTerms=The+Ponemon+Institute), approximately 637,000 laptops are lost annually at large and medium-sized airports in the United States. According to the survey, laptops are commonly lost at security checkpoints.

About 10,278 laptops are lost every week at 36 major American airports, and 65% of them are not returned to their owners. Around 2,000 laptops are reported lost at mid-sized airports, and 69% of them are not returned to their owners. The Institute conducted surveys at 106 airports in 46 countries and interviewed 864 people.

The most common places to lose laptops are the following five airports:

  • Los Angeles International
  • Miami International
  • John F. Kennedy International
  • Chicago O'Hare
  • Newark Liberty International

Travelers are not sure that lost laptops will be returned to them.

Some 77% of those surveyed said they had no hope of getting their lost laptop back, with 16% saying they wouldn't do anything if they lost their laptop. Some 53% said the laptops contained confidential company information, and 65% said they had done nothing to protect the information.

(http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9105198&intsrc=hm_topic)

What can be set against this? Only data encryption.

In this case, encryption acts as the last line of physical defense for your PC. There are a great variety of hard drive encryption technologies today. Naturally, after the successful premiere of its BitLocker technology as part of Windows Vista Enterprise and Windows Vista Ultimate, Microsoft could not help but include this technology in Windows 7. However, in fairness, it is worth noting that in the new OS we will see a significantly redesigned encryption technology.

Encryption in Windows 7

Our acquaintance with it begins with installing Windows 7 on your PC. In Windows Vista, to use encryption you had to do one of two things: either prepare your hard drive first from the command line by partitioning it appropriately, or do it later using a special tool from Microsoft (the BitLocker Drive Preparation Tool). In Windows 7, the problem is solved from the outset, when the hard drive is partitioned during installation. During installation I specified a system partition of 39 gigabytes and got... 2 partitions! One is 200 MB in size, and the second is a little over 38 gigabytes. Moreover, in the standard Explorer window you see the following picture (Fig. 1).

Fig. 1. Explorer window

However, by opening Start – All Programs – Administrative Tools – Computer Management – Disk Management you will see (Fig. 2) the following:

Fig. 2. Computer Management

As you can see, the first partition, 200MB in size, is simply hidden. By default, it is the system, active and primary partition. For those who are already familiar with encryption in Windows Vista, there is nothing particularly new at this stage, except that partitioning in this way is carried out by default and the hard drive is already prepared for subsequent encryption at the installation stage. The only noticeable difference is its size - 200 MB versus 1.5 GB in Windows Vista.

Of course, such partitioning of the disk into partitions is much more convenient, because often the user, when installing the OS, does not immediately think about whether he will encrypt the hard drive or not.

Immediately after installing the OS, in the Control Panel under System and Security we can select (Fig. 3) BitLocker Drive Encryption.

Fig. 3. System and Security

By selecting Protect your computer by encrypting data on your disk, a window appears (Fig. 4).

Fig. 4. BitLocker Drive Encryption

Please note (highlighted in red in the figure) the options that are missing in Windows Vista or are organized differently. Thus, in Windows Vista, removable media could be encrypted only if they used the NTFS file system, and encryption was carried out according to the same rules as for hard drives. And it was possible to encrypt the second partition of the hard drive (in this case, drive D:) only after the system partition (drive C:) was encrypted.

However, don't think that once you choose Turn on BitLocker, you're good to go. Not so! If you enable BitLocker without additional options, all you get is encryption of the hard drive on this PC without using a TPM, which, as I have already pointed out in my articles, is not good practice. However, users in some countries, for example the Russian Federation or Ukraine, simply have no other choice, since the import of computers with a TPM is prohibited there. In this case, you select Turn on BitLocker and get to Fig. 5.

Fig. 5. BitLocker Drive Encryption

If you want to use TPM to take advantage of the full power of encryption, you need to use the Group Policy Editor. To do this, you need to start command line mode (cmd.exe) and type gpedit.msc in the command line (Fig. 6), launching the Group Policy Editor (Fig. 7).

Fig. 6. Launching the Group Policy Editor

Fig. 7. Group Policy Editor

Let's take a closer look at the Group Policy options that can be used to manage BitLocker encryption.

BitLocker Drive Encryption Group Policy Options

Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

With this Group Policy option, you can manage Active Directory Domain Services (AD DS) to back up information for later BitLocker Drive Encryption recovery. This option only applies to computers running Windows Server 2008 or Windows Vista.

When this option is set, when BitLocker is enabled, its recovery information will be automatically copied to AD DS.

If you disable this policy option or leave it at its default, BitLocker recovery information will not be copied to AD DS.

Choose default folder for recovery password

This policy option will allow you to define the default folder location for saving the recovery password, which is displayed by the BitLocker Drive Encryption wizard when prompted. This option applies when you enable BitLocker encryption. However, it should be noted that the user can save the recovery password in any other folder.

Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

This option will allow you to control the BitLocker recovery options displayed by the installation wizard. This policy applies to computers running Windows Server 2008 and Windows Vista. This option applies when BitLocker is enabled.

To recover encrypted data, the user can use a 48-digit numerical recovery password or a USB drive containing a 256-bit recovery key.

With this option, you can require the 256-bit recovery key to be saved to the USB drive as a hidden file, together with a text file containing the 48-digit recovery password.

If you disable or do not configure this Group Policy rule, the BitLocker Setup Wizard will allow the user to select recovery options.

If you disable or do not configure this policy setting, the BitLocker Setup Wizard will offer users the standard ways of saving the recovery information.
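A transcribed or printed 48-digit recovery password is only useful if it was copied correctly. The following PowerShell function is an added example, not part of the original article: it checks the structural rules of the numerical recovery password (8 groups of 6 digits, each group divisible by 11 and below 720896, because every group encodes one 16-bit word of the key) so a typo is caught before the password is needed.

```powershell
function Test-BitLockerRecoveryPassword {
    # Returns $true when $Password has the structure of a BitLocker numerical recovery
    # password: 8 groups of 6 digits separated by '-', every group divisible by 11 (the
    # last digit acts as a check digit) and below 720896 (= 65536 * 11), since each group
    # encodes one 16-bit word of the 128-bit recovery key.
    param([Parameter(Mandatory)][string]$Password)

    $groups = ($Password -replace '\s', '') -split '-'
    if ($groups.Count -ne 8) { return $false }

    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# Constructed sample values (not real recovery passwords). Every group of $good is a
# multiple of 11 below 720896; the other two each break exactly one of the rules.
$good = "123453-502458-660000-720885-000011-366663-550000-135795"
$typo = "123453-502458-660000-720885-000011-366663-550000-135796"  # last digit changed
$big  = "123453-502458-660000-720896-000011-366663-550000-135795"  # 720896 = 65536 * 11

foreach ($candidate in @($good, $typo, $big)) {
    "{0} -> {1}" -f $candidate, (Test-BitLockerRecoveryPassword $candidate)
}
```

The check only confirms the format; it cannot tell whether the password belongs to a given drive, which is what the recovery screen itself verifies.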

Choose drive encryption method and cipher strength

Using this rule, you can select the encryption algorithm and the key length to use. If a drive is already encrypted, changing the key length afterwards has no effect on it. The default encryption method is AES with a 128-bit key and diffuser.

Provide the unique identifiers for your organization

This policy rule allows you to assign unique identifiers to each new drive that is owned by your organization and protected by BitLocker. These identifiers are stored in two identification fields. The first field lets you set a unique organization ID on BitLocker-protected drives. This ID is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-encrypted drives using the manage-bde command-line tool.

The second ID field is used in combination with the "Deny access to removable media not protected by BitLocker" policy rule and can be used to manage removable drives in your company.

A combination of these fields can be used to determine whether a drive belongs to your organization or not.

If the value of this rule is undefined or disabled, identification fields are not required.

The identification field can be up to 260 characters long.

Prevent memory overwrite on restart

This rule will improve your computer's performance by preventing memory from being overwritten, but you should understand that BitLocker keys will not be deleted from memory.

If this rule is disabled or not configured, BitLocker keys will be removed from memory when the computer is restarted.

To enhance security, this rule should be left as default.

Configure smart card certificate object identifier

This rule will allow the smart card certificate object identifier to be associated with a BitLocker encrypted drive.

Stationary hard drives

This section describes the Group Policy rules that will apply to data disks (not system partitions).

Configure use of smart cards on fixed data drives

This rule will determine whether smart cards can be used to allow access to data on the PC hard drive.

If you disable this rule, smart cards cannot be used.

By default, smart cards can be used.

Deny write access to fixed drives not protected by BitLocker

This rule determines whether or not you can write to drives that are not protected by BitLocker. If this rule is defined, then all drives not protected by BitLocker will be read-only. If the drive is encrypted using BitLocker, it will be readable and writable. If this rule is disabled or not defined, then all computer hard drives will be read and write accessible.

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

This policy rule controls whether drives with the FAT file system can be unlocked and read on computers running Windows Server 2008, Windows Vista, Windows XP SP3, and Windows XP SP2.

If this rule is enabled or not configured, data disks formatted with the FAT file system may be readable on computers running the above operating systems.

If this rule is disabled, the corresponding drives cannot be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP SP3 and Windows XP SP2.

Attention! This rule does not apply to NTFS formatted drives.

This rule determines whether a password is required to unlock BitLocker-protected drives. If you want to use a password, you can set password complexity requirements and minimum password length. It is worth considering that to set complexity requirements, you need to set the password complexity requirement in the Password Policies section of Group Policy.

If this rule is defined, users can configure passwords that meet the selected requirements.

The password must be at least 8 characters long (default).

Choose how BitLocker-protected fixed drives can be recovered

This rule will allow you to control the recovery of encrypted disks.

If this rule is not configured or blocked, default recovery options are available.

Operating System Drives

This section describes the Group Policy rules that apply to operating system partitions (usually the C: drive).

Require additional authentication at startup

This Group Policy rule allows you to determine whether a Trusted Platform Module (TPM) is used for authentication.

Attention! It is worth considering that only one of the options can be specified at startup, otherwise you will receive a policy error.

When enabled, users will be able to configure advanced startup options in the BitLocker Setup Wizard.

If the policy is disabled or not configured, only the basic options can be configured, and only on computers with a TPM.

Attention! If you want to use a PIN together with a USB drive, you must configure BitLocker with the manage-bde command-line tool instead of the BitLocker Drive Encryption wizard.

Require additional authentication at startup (Windows Server 2008 and Windows Vista)

This policy applies only to computers running Windows Server 2008 or Windows Vista.

On computers equipped with TPM, you can set an additional security parameter - a PIN code (from 4 to 20 digits).

On computers not equipped with a TPM, a USB drive with the key information will be used.

If this option is enabled, the wizard will display a window in which the user can configure additional BitLocker startup options.

If this option is disabled or not configured, the installation wizard will display the basic steps for running BitLocker on computers with TPM.

Configure minimum PIN length for startup

This parameter allows you to configure the minimum length of the PIN code to start the computer.

The PIN code can be from 4 to 20 digits long.

Choose how BitLocker-protected OS drives can be recovered

This Group Policy rule allows you to determine how BitLocker-encrypted drives are recovered if the encryption key is missing.

Configure TPM platform validation profile

Using this rule, you can configure the TPM platform validation profile. If there is no TPM, this rule does not apply.

If you enable this rule, you can choose which boot components the TPM checks before allowing access to the encrypted drive.

Removable media

Control use of BitLocker on removable drives

This Group Policy rule allows you to control BitLocker encryption on removable drives.

You can choose which settings users can use to configure BitLocker.

Specifically, to allow the BitLocker encryption installation wizard to run on a removable drive, you must select "Allow users to apply BitLocker protection on removable data drives."

If you select "Allow users to suspend and decrypt BitLocker on removable data drives", then the user will be able to decrypt your removable drive or pause encryption.

If this rule is not configured, users can use BitLocker on removable media.

If this rule is disabled, users will not be able to use BitLocker on removable drives.

Configure use of smart cards on removable data drives

This policy setting allows you to determine whether smart cards can be used to authenticate a user and access removable drives on a given PC.

Deny write access to removable drives not protected by BitLocker

With this policy rule, you can prevent writing to removable drives that are not protected by BitLocker. In this case, all removable drives that are not protected by BitLocker will be read-only.

If the “Deny write access to devices configured in another organization” option is selected, then writing will only be available on removable disks that belong to your organization. The check is performed against two identification fields defined according to the group policy rule “Provide the unique identifiers for your organization.”

If you disable this rule or it is not configured, then all removable disks will be both read and write accessible.

Attention! This rule can be overridden by the User Configuration\Administrative Templates\System\Removable Storage Access policy settings. If the "Removable Disks: Deny write access" rule is enabled, this rule will be ignored.

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

This rule determines whether removable drives formatted as FAT can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP SP3, and Windows XP SP2.

If this rule is enabled or not configured, removable drives with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP SP3 and Windows XP SP2. In this case, these drives will be read-only.

If this rule is disabled, the corresponding removable drives cannot be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP SP3 and Windows XP SP2.

This rule does not apply to drives formatted with NTFS.

Configure password complexity requirements and minimum length

This policy rule determines whether removable drives locked with BitLocker must be unlocked with a password. If you allow the use of a password, you can set password complexity requirements and a minimum password length. Note that in this case the complexity requirements must match the requirements of the password policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.

Choose how BitLocker-protected removable drives can be recovered

This rule allows you to select how BitLocker-protected removable drives are recovered.

However, let's continue encrypting the hard drive. Since you have already seen that changes to Group Policy will allow you to use BitLocker encryption capabilities much more widely, let’s move on to editing Group Policy. To do this, we will formulate the goals and conditions for using our encryption.

1. The computer under test has a TPM module installed

2. We will encrypt:

  • system disk
  • data disk
  • removable media, both NTFS and FAT.

Moreover, we must check whether our removable media formatted under FAT will be available on a computer running both Windows XP SP2 and Windows Vista SP1.

Let's move on to the encryption process.

To begin with, in the BitLocker Group Policy settings, select the encryption algorithm and key length (Fig. 8).

Fig. 8. Selecting an encryption algorithm and key length

Then, in the Operating System Drives section, select the Require additional authentication at startup rule (Fig. 9).

Fig. 9. Rule “Require additional authentication at startup”

After this, we set the minimum PIN length to 6 characters using the Configure minimum PIN length for startup rule.

To encrypt the data partition, we set complexity requirements and a minimum password length of 8 characters (Fig. 10).

Fig. 10. Setting requirements for minimum password length and complexity

Remember that you also need to enable the password protection requirements (Fig. 11).

Fig. 11. Password protection requirements

For removable disks, select the following settings:

  • Do not allow removable drives with the FAT file system to be read on earlier versions of Windows;
  • Passwords must meet complexity requirements;
  • The minimum password length is 8 characters.

After this, run the gpupdate.exe /force command in a command prompt window to update the policy (Fig. 12).

Fig. 12. Updating Group Policy settings
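As an added example (not part of the original article), the following PowerShell script audits the local policy registry values that the Group Policy rules configured above write, comparing them with this article's choices (TPM + PIN with a 6-character minimum, 8-character complex passwords for fixed and removable drives, no FAT access from earlier Windows). The value names are those of the BitLocker ADMX template; the expected values are this article's settings and the `<none>` string is what the template writes when the "earlier versions" rule is disabled.

```powershell
# Added example, not from the original article: audit BitLocker policy values
# under HKLM\SOFTWARE\Policies\Microsoft\FVE after "gpupdate /force".
# Run in an elevated PowerShell prompt on the encrypted computer.
$fvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # Returns $null when the key or the value is absent (policy "not configured").
    $item = Get-ItemProperty -Path $fvePath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Expected values reflect the choices made in this article (Fig. 8 to Fig. 12).
# UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow a PIN with the TPM.
$checks = @(
    @{ Name = 'UseAdvancedStartup';      Expect = 1;        Note = 'Require additional authentication at startup' },
    @{ Name = 'UseTPMPIN';               Expect = @(1, 2);  Note = 'TPM + PIN allowed or required' },
    @{ Name = 'MinimumPIN';              Expect = 6;        Note = 'Minimum PIN length' },
    @{ Name = 'FDVPassphrase';           Expect = 1;        Note = 'Fixed data drives: password unlock allowed' },
    @{ Name = 'FDVPassphraseComplexity'; Expect = 1;        Note = 'Fixed data drives: complexity required' },
    @{ Name = 'FDVPassphraseLength';     Expect = 8;        Note = 'Fixed data drives: minimum length' },
    @{ Name = 'RDVPassphrase';           Expect = 1;        Note = 'Removable drives: password unlock allowed' },
    @{ Name = 'RDVPassphraseComplexity'; Expect = 1;        Note = 'Removable drives: complexity required' },
    @{ Name = 'RDVPassphraseLength';     Expect = 8;        Note = 'Removable drives: minimum length' },
    @{ Name = 'RDVDiscoveryVolumeType';  Expect = '<none>'; Note = 'No FAT access from earlier Windows' }
)

foreach ($c in $checks) {
    $actual = Get-FvePolicyValue -Name $c.Name
    $ok = ($null -ne $actual) -and ($c.Expect -contains $actual)
    $flag = if ($ok) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-24} expected={2,-8} actual={3,-8} {4}' -f $flag, $c.Name,
        ($c.Expect -join '/'), ($(if ($null -eq $actual) { 'unset' } else { $actual })), $c.Note
}

# Encryption method chosen in Fig. 8 (Windows 7 numbering):
# 1 = AES-128 + diffuser, 2 = AES-256 + diffuser, 3 = AES-128, 4 = AES-256
$methods = @{ 1 = 'AES-128 with diffuser'; 2 = 'AES-256 with diffuser'; 3 = 'AES-128'; 4 = 'AES-256' }
$m = Get-FvePolicyValue -Name 'EncryptionMethod'
if ($null -eq $m) { 'INFO EncryptionMethod not configured (Windows 7 default applies)' }
else { 'INFO EncryptionMethod = {0} ({1})' -f $m, $methods[[int]$m] }

# Finally show what is actually applied to each volume (manage-bde.exe ships with Windows 7).
manage-bde.exe -status
```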

Since we decided to require a PIN code at every reboot, we select Require a PIN at every startup (Fig. 13).

Fig. 13. Enter PIN every time you boot

Fig. 14. Entering the PIN code

We enter a PIN code 4 characters long (Fig. 15).

Fig. 15. PIN does not meet minimum length requirements

The minimum PIN length specified in the policy is 6 digits; after entering a new PIN code of sufficient length, we are prompted to save the recovery key to a USB drive or as a text file (Fig. 16).

Fig. 16. Saving a backup encryption key

After this, we reboot the system, and the actual process of encrypting the C: drive begins.

Next, we encrypt the second partition of our hard drive, drive D: (Fig. 17).

Fig. 17. Encrypting drive D:

Before encrypting drive D:, we must enter a password for this drive. The password must meet our minimum length and complexity requirements. Note that it is also possible to have this drive unlocked automatically on this PC.

Accordingly, we will similarly save the recovery password to a USB drive.

Keep in mind that when you save the recovery password for the first time, it is also saved as a text file on the same USB drive!

Note that when encrypting a 120 GB data partition (of which 100 GB are free), Windows Explorer keeps displaying a message about a lack of space on the partition (Fig. 18).

Fig. 18. Windows Explorer window

Let's try to encrypt a USB drive formatted with the FAT file system.

Encrypting a USB drive begins with a prompt to enter a password for the future encrypted drive. According to the policy rules we set, the minimum password length is 8 characters, and the password must meet the complexity requirements (Fig. 19).

Fig. 19. Entering a password to encrypt a removable USB drive

After encryption was complete, I tried to view this USB drive on another computer running Windows Vista Home Premium SP1. The result is shown in Fig. 21.

Fig. 21. Trying to read an encrypted USB drive on a computer running Windows Vista SP1

As you can see, if your drive is lost, its contents cannot be read; most likely, whoever finds it will simply format it.

When you try to connect the same USB drive to a computer running Windows 7 Beta1, you will see the following (Fig. 22).

Conclusion

Thus, we have seen how encryption is carried out in Windows 7. Compared to Windows Vista, it has many more Group Policy rules, and accordingly the responsibility of IT staff for applying them correctly, and for building the right relationships between them, increases.


BitLocker - new disk encryption capabilities

Loss of confidential data often occurs after an attacker has gained access to information on the hard drive. For example, if a fraudster somehow got the opportunity to read system files, he can try to use them to find user passwords, extract personal information, etc.

Windows 7 includes a tool called BitLocker, which allows you to encrypt your entire drive, keeping the data on it protected from prying eyes. BitLocker encryption technology was introduced in Windows Vista and has been further developed in the new operating system. Let's list the most interesting innovations:

  • enabling BitLocker from the Explorer context menu;
  • automatic creation of a hidden boot disk partition;
  • Data Recovery Agent (DRA) support for all protected volumes.

Let us remind you that this tool is not included in all editions of Windows, but only in the Ultimate, Enterprise and Professional versions.

Disk protection using BitLocker technology preserves confidential user data under almost any force majeure circumstances: loss of removable media, theft, unauthorized access to the disk, etc. BitLocker data encryption can be applied to any files on the system drive, as well as to any additionally connected media. If the data contained on an encrypted disk is copied to another medium, the information is transferred without encryption.

To provide greater security, BitLocker can use multi-level encryption - simultaneous use of several types of protection, including hardware and software methods. Combinations of data protection methods allow you to obtain several different modes of operation of the BitLocker encryption system. Each of them has its own advantages and also provides its own level of security:

  • mode using a trusted platform module;
  • mode using a trusted platform module and a USB device;
  • mode using a trusted platform module and personal identification number (PIN);
  • mode using a USB device containing a key.

Before we take a closer look at how BitLocker is used, some clarification is necessary. First of all, it is important to understand the terminology. A Trusted Platform Module is a special cryptographic chip that allows identification. Such a chip can be integrated, for example, into some models of laptops, desktop PCs, various mobile devices, etc.

This chip stores a unique "root access key". A key burned into the chip in this way is an additional, reliable layer of protection against compromise of the encryption keys. If this data were stored on any other medium, be it a hard drive or a memory card, the risk of information loss would be disproportionately higher, since such devices are far easier to access. Using the "root access key", the chip can generate its own encryption keys, which can only be decrypted by the TPM. The owner password is created the first time the TPM is initialized. Windows 7 supports TPM version 1.2 and also requires a compatible BIOS.

When protection is performed exclusively with a trusted platform module, data is collected at the hardware level when the computer is turned on, including BIOS data and other measurements whose combination attests to the authenticity of the hardware. This mode of operation is called "transparent" and does not require any action from the user: a check occurs and, if it succeeds, the system boots normally.

Curiously, computers containing a trusted platform module are still only a theory for our users, since the import and sale of such devices in Russia and Ukraine is prohibited by law because of certification problems. Thus, the only option that remains relevant for us is protecting the system drive with a USB drive on which the access key is written.

BitLocker technology allows you to apply an encryption algorithm to data drives that use the exFAT, FAT16, FAT32, or NTFS file systems. If encryption is applied to a disk with an operating system, then in order to use BitLocker technology, the data on this disk must be written in NTFS format. The encryption method that BitLocker technology uses is based on the strong AES algorithm with a 128-bit key.

One of the differences between BitLocker in Windows 7 and the similar tool in Windows Vista is that the new operating system does not require special disk partitioning. Previously, the user had to use the Microsoft BitLocker Disk Preparation Tool for this, but now it is enough to simply specify which disk should be protected, and the system automatically creates the hidden boot partition used by BitLocker. This boot partition is used to start the computer and is stored unencrypted (otherwise booting would not be possible), while the partition with the operating system is encrypted. Compared to Windows Vista, the boot partition takes up about ten times less disk space. The additional partition is not assigned a separate drive letter and does not appear in the list of partitions in the file manager.

To manage encryption, it's convenient to use a tool in Control Panel called BitLocker Drive Encryption. This tool is a disk manager that allows you to quickly encrypt and unlock disks, as well as work with the TPM. From this window, you can stop or pause BitLocker encryption at any time.

BitLocker To Go - encryption of external devices

A new tool has appeared in Windows 7: BitLocker To Go, designed to encrypt any removable drives (USB drives, memory cards, etc.). To enable encryption of a removable drive, open Explorer, right-click the desired drive and select the “Turn on BitLocker” command in the context menu.

After this, the Encryption Wizard for the selected disk will be launched.

The user can choose one of two methods for unlocking an encrypted drive: using a password, in which case the user will need to enter a string of characters, or using a smart card, in which case they will need to enter the smart card's PIN code. The full disk encryption procedure takes quite a lot of time, from several minutes to half an hour, depending on the size of the encrypted drive and its speed.

If you connect an encrypted removable drive, accessing the drives in the usual way will be impossible, and when trying to access the drive, the user will see the following message:

In Explorer, the icon of the disk to which the encryption system is applied will also change.

To unlock the media, right-click the drive letter in the file manager and select the appropriate command in the context menu. After the password is entered correctly in the new window, access to the contents of the drive is opened, and you can work with it as with unencrypted media.

Launch the encryption tool on Windows by searching for "BitLocker" and selecting "Manage BitLocker." In the next window, you can enable encryption by clicking on “Enable BitLocker” next to the hard drive (if an error message appears, read the section “Using BitLocker without a TPM”).

You can now choose whether you want to use a USB flash drive or a password when unlocking an encrypted drive. Regardless of the option you choose, you will need to save or print the recovery key during the setup process. You'll need it if you forget your password or lose your flash drive.

Using BitLocker without TPM

Setting up BitLocker.
BitLocker also works without a TPM chip - although this requires some configuration in the Local Group Policy Editor.

If your computer does not have a TPM (Trusted Platform Module) chip, you may need to make some adjustments to enable BitLocker. In the Windows search bar, type "Edit Group Policy" and open the "Local Group Policy Editor". In the left column of the editor, open “Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption | Operating system drives”, and in the right column locate the entry “Require additional authentication at startup”.

Then, in the middle column, click on the "Edit Policy Setting" link. Check the box next to “Enable” and check the box next to “Allow BitLocker without a compatible TPM” below. After clicking on "Apply" and "OK", you can use BitLocker as described above.
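Before setting "Allow BitLocker without a compatible TPM", a practitioner would want to confirm whether the machine really lacks a usable TPM, and to see which key protectors the system volume ends up with. The following PowerShell script is an added example, not from the original article; it uses the Win32_Tpm and Win32_EncryptableVolume WMI classes that ship with Windows 7 and must be run elevated.

```powershell
# Added example, not from the original article: check TPM state, the no-TPM policy
# switch, and the key protectors on the system volume. Run elevated.

# 1. Is there a TPM, and is it enabled/activated in the BIOS?
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    'No TPM reported by WMI: only the USB startup-key mode (EnableBDEWithNoTPM) is possible.'
} else {
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    'TPM spec {0}: enabled={1} activated={2} owned={3}' -f $tpm.SpecVersion, $enabled, $activated, $owned
    if (-not ($enabled -and $activated)) {
        'TPM present but not enabled/activated: enable it in the BIOS instead of bypassing it in policy.'
    }
}

# 2. Is the policy switch from the "Require additional authentication at startup" rule set?
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -Name 'EnableBDEWithNoTPM' -ErrorAction SilentlyContinue
$noTpm = if ($null -eq $fve) { 'not configured' } else { $fve.EnableBDEWithNoTPM }
'EnableBDEWithNoTPM policy value: {0}' -f $noTpm

# 3. Which protectors guard the system volume? (Win32_EncryptableVolume.GetKeyProtectorType values)
$protectorNames = @{
    1 = 'TPM'; 2 = 'External key (USB startup key)'; 3 = 'Numerical password (recovery)'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key (certificate)'; 8 = 'Passphrase'
}
$protectionNames = @{ 0 = 'off'; 1 = 'on'; 2 = 'unknown' }
$sysDrive = $env:SystemDrive   # e.g. "C:"
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
    -Class Win32_EncryptableVolume -Filter "DriveLetter='$sysDrive'" -ErrorAction SilentlyContinue
if ($null -eq $vol) {
    "Volume $sysDrive is not manageable by BitLocker (edition without BitLocker?)"
} else {
    $status = [int]$vol.GetProtectionStatus().ProtectionStatus
    '{0} protection: {1}' -f $sysDrive, $protectionNames[$status]
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    foreach ($id in $ids) {
        $type = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        '  protector {0}: {1}' -f $id, $protectorNames[$type]
    }
    if (-not $ids) { '  no key protectors: the volume is not yet BitLocker-protected' }
}
```

A system volume that shows only an "External key" protector and no "TPM" entry is one that boots from a USB startup key as described above, so losing that key means falling back to the recovery password.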

An alternative in the form of VeraCrypt

To encrypt the system partition or the entire hard drive using TrueCrypt's successor, VeraCrypt, select "Create Volume" from the VeraCrypt main menu, and then select "Encrypt the system partition or entire system drive." To encrypt the entire hard drive along with the Windows partition, select “Encrypt the whole drive”, then follow the step-by-step setup instructions. Note: VeraCrypt creates a rescue disk in case you forget your password, so you will need a blank CD.

Once you've encrypted your drive, you'll need to enter the PIM (Personal Iterations Multiplier) after your password when you boot up. If you did not set a PIM during setup, just press Enter.

Encryption adds another layer of security by ensuring that the file can only be read by its creator. If any other user - even one with administrator privileges - tries to open such a file, he will see either a meaningless set of characters or nothing at all. In other words, your encrypted data cannot be read unless you are logged into the system under your own account.

Encrypting files and folders in Windows 7 is a convenient way to protect sensitive data, but storing encrypted and unencrypted data on the same drive can lead to unpredictable results, as discussed in the File Encryption section. However, owners of Windows 7 Ultimate and Enterprise versions can solve this problem by taking advantage of the BitLocker Drive Encryption tool.

BitLocker puts all the data on a disk into one huge archive and treats it as a virtual hard disk. In Windows Explorer, you treat BitLocker-encrypted files like any other data; Windows does the encryption and decryption silently in the background. The big advantage of BitLocker is that it encrypts Windows files and all system files, making it much more difficult for someone to hack your password and gain unauthorized access to the system. Additionally, when the entire drive is encrypted, there is no need to encrypt individual files.

To encrypt the drive, open the BitLocker Drive Encryption page in Control Panel. If you see a TPM was not found error, check to see if your computer has a BIOS update that supports TPM.

The TPM (Trusted Platform Module) is a chip on the motherboard that stores the BitLocker encryption key. Thanks to it, the computer can boot from an encrypted drive. If the BIOS does not support a TPM, a regular USB drive can be used in place of such a chip.

You only mark the file as intended for encryption; Windows encrypts and decrypts it in the background as the file's creator writes or reads it. True, in Windows 7 on-the-fly encryption can sometimes throw up surprises, and security is not an area where you can rely on chance.

File encryption

Encryption is a feature of the NTFS file system (discussed in the "Choose the Right File System" section) that is not available in any other file systems. This means that if you copy an encrypted file to, say, a memory card, USB drive, or CD, it will be impossible to decrypt it because the NTFS file system is not supported on these devices.

How to encrypt a file:

  1. Right-click one or more files in Explorer and select Properties from the context menu.
  2. On the General tab, click Advanced.
  3. Select the Encrypt contents to secure data checkbox, click OK, then close the window by clicking OK again.