Jerry's Incoherent Babbling

BitLoser Drive Embalming

Hopefully many of you fall into the intersection of the following sets:

  • The set of people who regularly read WindowsConnected.
  • The set of people who are testing Windows Vista.

If you did fall into both of those sets of people, I imagine you have now rebuilt the computer that you used for testing BitLocker. Why is that, you ask? Well, it seems that the feature formerly known as a piece of Palladium, and part of NGSCB, and then as Corner Stone, later as Full Volume Encryption, sometimes as Secure Startup, and finally as BitLocker Drive Encryption works too well. It makes me think of a quote from the Jake Preston character (Nicolas Cage) in Fire Birds. No, not “I am the greatest!”, although I do hear that Josh mumbles that from time to time. Instead I was thinking of the quote where he said, “All gone bye-bye.” It’s appropriate because that’s what happened to your data if you followed Josh’s instructions and enabled BitLocker using a USB key on build 5270 of Windows Vista. That’s right, your data was indeed “All gone bye-bye.”

Why is this, you ask? Who knows? Maybe the Shadow knows. Obviously the CTP builds of Vista are just snapshots in time of the current development of Vista. They aren’t guaranteed to work, and of course you have to expect bugs. It just happens that this one is a doozy. Hopefully you weren’t dual booting on the partition that you encrypted, since that would be gone too. The feature doesn’t appear to have gotten any testing within MS during the stabilization of the CTP release either, or there would have been warnings about turning it on. Hey, that’s one of the hazards of getting to play in the strange and sometimes bizarre world of Beta Testing.

I know I managed to hit this bug numerous times. I just couldn’t believe that it did such a good job of encrypting while forgetting that it had saved the key for me. So the first time I hit it I just figured some key piece of data had been corrupted on the USB key and that I should format the thing and try again after rebuilding Windows. So I did that. It didn’t help. I then thought that it could have something to do with the specific memory key. After all, I was using a generic USB 1.1 32 MB one. So I rebuilt again and used a USB 2.0 Kingston 2 GB key. The same problems occurred. One more rebuild, this time with a USB 2.0 64 MB key from Microsoft (no, they don’t make it, but it says Windows Rights Management Services on the side and has an MS logo). This one had the same problem. So that was about 6 hours of building Windows.

At that point, I could have just decided that I hated the feature and given up. However, I hadn’t managed to make anyone else hate the feature yet, so I couldn’t have been done. Instead, I conspired to get some of my co-workers (who had been shirking their beta test duties and hadn’t tried BitLocker with USB yet) to lose their data too. Actually, I wanted to see if it had anything to do with the specific hardware I had. So we tried it on my Boss’s machine, which promptly went “All gone bye-bye”. I hope that wasn’t my performance review on there! We also tried it on two other users’ machines. This totaled three distinct types of hardware and 6 types of USB key, so at that point we were sure we had just hit an unfortunate bug in the 5270 build.

As for what you actually see onscreen when this happens to you, take a look here:

OK, so everybody who tests Vista sees the “Codename Longhorn” screen. But most of you probably can’t say that you’ve left that screen happily running its progress bar overnight. Yes, that’s what happens when you finally enter the key manually and Windows accepts it: it just dies at the progress bar screen.

An interesting piece of the issue is that if you leave a bootable Vista DVD in the drive (which gives you that “Press any key to boot from CD or DVD” message and a 5 second delay), then Windows Vista does indeed find your decryption key on the USB key. Wait, before you go try to recover your lost data that way: it still hangs at the “Codename Longhorn” screen. It’s just joking with you when it says that it loaded your key and you can remove the media.

All in all, testing BitLocker Drive Encryption at this point in time on build 5270 is not a very rewarding experience. However, future iterations of this are a must test for corporations. How many companies out there never have any notebooks lost or stolen? How many can look their CEO in the eye and tell him that the data on those machines was protected? For those of you using EFS and laughing smugly: What was in the temp folder on the machine? What was in other folders that weren’t encrypted, like the Temporary Internet Files, etc.? BitLocker looks to be a good solution to this problem. For more info on BitLocker and how to enable it, see both Josh’s Post and the Microsoft Step-by-Step guide (although do note that the MS guide as originally published had the partitions backwards; they may fix that, so it might not be backwards anymore).


Posted Jan 01 2006, 07:55 AM by Jerry

Comments

purnag wrote re: BitLoser Drive Embalming
on 01-09-2006 7:16 PM
Thanks for bringing the issue to our attention. This is a known deadlock issue that is likely to hit on some hardware and not on others based on timing. This is expected to be fixed in the February CTP build.

thanks,
Purna Gathani
Program Manager
Microsoft Windows Security