In an earlier blog, I discussed the benefits and requirements of implementing Microsoft's BitLocker disk encryption technology. As promised, I shall be sharing my experience implementing BitLocker on my laptop today. My hope here is that the relative ease of setting up full disk encryption will encourage more SMBs to implement this crucial step towards dealing with data theft.
My teaching position in an institution with more than 10,000 students gave me access to a licensed copy of Windows Vista Enterprise used by the organization. So I dropped by the help desk and did a self-service installation over the Vista Business that came with my laptop. As highlighted earlier, small and medium businesses without the requisite volume licensing agreements will have to fork out for the Ultimate edition of Windows Vista if they want to use BitLocker encryption.
BitLocker is not enabled by default. To enable it after installing the operating system, go to Control Panel and open the "BitLocker Drive Encryption" applet. Before you can do so, you must first create a separate, active partition from which to boot the encrypted Windows partition.
To help with the steps above, Microsoft created the BitLocker Drive Preparation Tool, which is available for free. Once the tool completes successfully, you are ready to enable BitLocker.
The encryption process
Once enabled, BitLocker will proceed to encrypt your main Windows volume. Depending on the capacity and usage of your hard disk, this stage can take a significant amount of time. While I have read of accounts where small partitions took only minutes to encrypt, this was not the case for me.
On a 2.4GHz Core 2 Duo laptop with 4GB of RAM and a 256GB SSD with 100GB of data, the encryption process took over four hours. Bearing the tremendous speed advantage of the SSD in mind, I would not be surprised if systems with standard hard disk drives take twice as long.
My guess is that the duration required for the encryption is related to the amount of data that needs to be processed. Also, while I was able to continue working throughout the entire process, regular writes to the disk saw most applications freezing for up to 30 seconds intermittently. With these in mind, I would advocate enabling BitLocker right after the installation of the OS and associated drivers, and not later -- and don't count on doing productive work until encryption is complete.
And yes, BitLocker will prompt you to save a copy of the encryption key just before it starts encrypting your data. Possessing a copy of this key is of vital importance, since it is required to decrypt your disk if anything goes awry. For example, if the motherboard of your laptop dies and you don't have the decryption key, then your data is irretrievable. So make adequate copies of this key and keep them safe. You are free to create additional copies from the BitLocker applet at any time.
The additional step of decrypting and encrypting data logically implies a higher processing overhead. So far though, everything feels and looks the same to me. On the other hand, I now have full assurance that my data is safe even if my laptop is misplaced or stolen.
I did not cover the various TPM (Trusted Platform Module) options that can work with BitLocker for greater security, nor the various hardware-based encryption options on the market today. If there is interest, I will share more about these topics in subsequent blogs.
In the meantime, feel free to chip in on the topic of data encryption here.