!

!!1!

Encrypting*a*Windows*7*Hard*Disk*with%Bitlocker%Disk%Encryption!!!!!!

!!!!

This!document!contains!the!necessary!steps!to!encrypt!the!contents!of!a!hard!drive!using!Bitlocker!and!Windows!7.!!The!following!instructions!are!derived!from!documentation!at:!

!http://technet.microsoft.com/en1us/library/cc731549(v=ws.10)!http://technet.microsoft.com/en1us/library/dd835565(v=ws.10)!!

!!!!!!!!!!!!!!!!!5!November!2012!David!Anderson!Lou!Arminio! !

!

!!!2!

Ensure!System!has!a!TPM!Chip!!Enter!the!BIOS!of!the!system!to!verify!the!presence!of!a!Trusted!Platform!Module!(TPM)!chip.!!The!TPM!chip!stores!the!authentication!key!for!the!encrypted!drive.!!While!Bitlocker!will!work!on!a!system!that!does!not!have!a!TPM!chip,!this!will!require!the!system!user!to!insert!a!USB!flash!drive!into!the!computer!in!order!to!unlock!the!drive!whenever!it!is!started.!!Locating!the!section!of!the!BIOS!that!shows!and!allows!configuration!of!the!TPM!chip!will!vary!by!system.!!The!following!screen!shot!shows!the!BIOS!location!on!a!Dell!Latitude!D630!laptop.!!!!!

!! !

!

!!!3!

Activate!the!TPM!Chip!!Before!telling!the!system!to!start!encryption,!it!will!be!necessary!to!activate!the!TPM!chip.!!This!is!a!twoQstep!process.!!First,!ensure!the!TPM!Security!setting!is!“On”.!!If!it!is!not,!enable!the!check!box!and!click!“Apply.”!!

!!Changing!this!value!will!require!a!reboot.!!Save/Exit!the!BIOS!setting!screen,!then!reenter!the!BIOS!for!the!next!step.!!!! !

!

!!!4!

!

Activate!the!TPM!Module!!Next,!go!to!the!TPM!Activation!settings!and!activate!the!TPM!Module.!!

!!Changing!this!value!will!require!a!reboot.!!Save/Exit!the!BIOS!setting!screen,!then!reenter!the!BIOS!for!the!next!step.!!!! !

!

!!!5!

Verify!System!Boot!Order!!Another!important!setting!to!verify!is!the!boot!order!of!the!system.!!If!the!system!is!set!to!attempt!to!boot!from!a!USB!devices!before!the!internal!HDD,!attempting!to!verify!a!saved!recovery!key!will!fail,!and!the!encryption!process!will!have!to!be!restarted!(which!will!generate!a!new!recovery!key,!which!will!again!need!to!be!saved).!!

!!Once!BIOS!settings!are!properly!set,!(should!not!require!another!restart),!allow!Windows!to!start.!!! !

!

!!!6!

Start!Bitlocker!Encryption!!Log!on!to!Windows!using!an!NAU!domain!account!with!administrator!privileges!on!the!computer.!!Go!to!Start!Q>!Control!Panel!Q>!System!and!Security!Q>!Bitlocker!Drive!Encryption.!!

!!Click!“Turn!on!Bitlocker”.!! !

!

!!!7!

Windows!will!check!your!computer’s!configuration!to!make!sure!it!is!compatible!with!Bitlocker!(this!will!fail!if!the!TPM!was!not!previously!activated).!!Then!it!will!initialize!the!TPM!module.!!Before!beginning!to!encrypt!the!drive,!you!will!be!given!the!opportunity!to!save!the!recovery!key.!!The!recovery!key!will!automatically!be!sent!to!Active!Directory!as!part!of!Group!Policy,!but!making!a!local!copy!might!be!a!good!idea!as!well.!!Three!options!are!available!for!saving!the!key:!saving!to!USB!flash!drive,!saving!to!a!file,!and!printing!the!key.!!Any!and!all!options!may!be!selected.!!Before!choosing!whether!you!want!to!save!a!local!copy!of!the!key,!or!how!to!do!it,!you!should!consider!how!you!intend!to!safeguard!the!key.!!If!it!is!stored!on!the!drive!you!are!about!to!encrypt,!you!will!not!be!able!to!use!it!to!recover!the!drive!unless!it!is!copied!elsewhere,!since!it!will!be!inaccessible!from!that!drive!in!a!recovery!scenario.!!If!it!is!to!be!stored!on!a!USB!flash!drive!or!printed,!the!key!should!be!hidden!away!in!a!safe!location.!!It!should!NOT!be!kept!with!the!system!that!it!recovers.!!Doing!this!would!be!like!keeping!a!key!inside!the!keyway!of!the!lock.!!It!would!effectively!invalidate!the!protection!to!the!encrypted!drive.!!Once!you!have!secured!a!local!copy!of!the!key,!click!the!Next!button!to!proceed.!!!!You!will!see!the!following!screens!as!Windows!begins!the!process.!!!

!!! !

!

!!!8!

!!

! !

!

!!!9!

!

!

!!!10!

If!you!saved!the!recovery!key!to!a!USB!flash!drive,!the!drive!will!contain!files!such!as!the!following.!!A!copy!of!your!recovery!key!will!be!automatically!saved!to!the!NAU!domain!Active!Directory!server.!!ITS!can!recover!this!key!in!the!event!of!loss.!!You!do!not!need!the!key!to!use!your!computer.!!It!is!only!necessary!if!your!hard!drive!is!moved!to!another!system.!!!

Now!you!are!ready!to!start!the!encryption!process.!!As!an!added!safeguard,!you!are!given!the!option!to!verify!the!integrity!of!a!recovery!key!if!you!stored!one!on!a!USB!flash!drive.!!Check!the!box!on!the!“Are!you!ready!to!encrypt!this!drive?”!screen!if!you!would!like!to!do!this.!!If!you!did!not!verify!that!the!HDD!will!boot!before!a!USB!attached!device,!then!this!may!not!work,!and!will!require!restarting!the!process,!including!generating!a!new!recovery!key.!!!

!If!you!decided!to!verify!the!recovery!key,!you!will!need!to!reboot!with!the!USB!flash!drive!inserted!in!the!computer.!!The!verification!does!not!take!long.!

!

!!!11!

After!you!reboot,!you!will!see!a!message!originating!in!the!system!tray!area!of!the!screen!(typically!the!lower!right)!indicating!encryption!is!in!progress.!!You!can!verify!this!by!going!to!the!system!tray!and!clicking!on!the!icon![get!screen!shot].!!You!will!see!a!window!like!this.!

Encryption!will!take!place!in!the!background!and!the!system!can!be!used!while!this!is!taking!place.!!There!will!be!a!slight!degradation!in!performance,!but!may!not!be!that!noticeable!depending!on!the!activities!you!perform.!!!

!

!!!12!

The!system!may!take!up!to!eight!hours!or!more!to!encrypt.!!Factors!which!affect!this!time!are!size!of!the!hard!disk,!speed!of!the!CPU,!and!whether!it!is!being!used!while!encryption!is!taking!place.!!If!the!system!is!shut!down!encryption!will!resume!after!it!is!restarted.!!Be!sure!to!check!the!system!tray!to!ensure!encryption!is!running!after!a!restart.!!Once!the!hard!disk!is!encrypted,!success!can!be!verified!by!going!to!Control!Panel,!System!and!Security,!Bitlocker!Drive!Encryption.!!This!screen!will!indicate!that!Bitlocker!is!turned!on!for!the!hard!drive.!

!

!!!13!

Once!this!process!is!completed,!your!hard!drive!will!be!encrypted!and!your!data!only!visible!after!a!valid!Windows!login.!!If!your!computer!is!lost!or!stolen,!your!data!will!remain!protected.!!Please!note!that,!although!your!hard!drive!is!now!encrypted,!your!system!backups!will!not!be!encrypted.!!If!you!back!up!a!system!containing!sensitive!information,!you!must!secure!and!protect!your!backup!media!to!prevent!exposure!of!your!data.! !