Windows Vista will feature a new drive encryption technology that was once called Secure Startup and has now been renamed BitLocker Drive Encryption. Contrary to what one tech reviewer has reported, you can do this on build 5270 today without needing a Trusted Platform Module.
A word of caution: this technology could leave your machine unusable. Only do this on a test machine or drive whose data you are not concerned about losing and that you are willing to rebuild afterwards.
Requirements
To begin with you will need to start with a clean drive or will need to format and delete the partitions as part of setup. You will also need a USB memory key.
While installing Windows Vista you will also need to create two partitions: one of at least 50 MB, marked as active and formatted NTFS, and a second, also formatted NTFS, large enough to hold the operating system and any applications you want to install.
The 50 MB partition will house the Vista boot loader and some other files needed to access the encryption key and boot. This volume is not encrypted, so I have kept it at the minimum size to reduce the likelihood of data exposure, but you can make it as large as you like.
If you plan on using system restore with Windows Vista there may be additional space requirements on this partition.
Creating the partitions
At the setup screen for selecting where to install the operating system do the following:
1. Launch a command window by pressing CTRL+Shift+F10. Enter the following commands as shown, pressing Enter after each.
2. Diskpart
3. Select Disk 0
4. Clean
5. Create Partition Primary Size=50
6. Create Partition Primary
7. Select Partition 1
8. Assign Letter D
9. Active
10. Select Partition 2
11. Assign Letter C
12. Exit
13. Echo Y|Format D: /FS:NTFS /Q /V:BDE
14. Echo Y|Format C: /FS:NTFS /Q /V:5270
15. Exit
Setting up BitLocker Drive Encryption
After creating the partitions, click “Refresh” in the setup GUI, select the larger partition as the place to install Windows Vista, and allow setup to proceed as normal.
After setup has completed, open the Secure Startup control panel applet; you will now have the ability to “Turn on Secure Startup”.
Insert your USB memory key, then select “Turn on Secure Startup” and the Secure Startup wizard will begin.
This wizard will walk you through the setup and will require you to generate and save a recovery key: be sure to save it somewhere you can access that is external to your machine.
You also have the option to print the password. If you only have one machine I would recommend this, as you will have no other means of accessing the recovery key in the event you lose your memory key.
Next you will be prompted to “Save the Recovery Password on a USB device”. Select the USB key you inserted, click Save Key, then click Next.
Save the recovery key to a folder. I recommend placing this one on the hard drive in a place you can access. When you want to change settings in Secure Startup/BDE you can point to this file rather than typing in the key manually. Click Next.
You have now completed the wizard and can begin encrypting the drive.
You will notice that your operating system drive is now shown in red in “My Computer” and that only a limited amount of free space is currently available.
You will also have a task tray item that will indicate your progress.
The encryption could take several hours depending on the size of the drive, but you can use your machine while it is running.
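Once the wizard finishes, it is worth confirming that the result matches what this walkthrough requires: an active NTFS boot partition of at least 50 MB, an NTFS OS partition, protection turned on, and a recovery password protector in place. The script below is an added check, not part of the original post; it assumes Windows 8 or later with the Storage and BitLocker PowerShell modules (not the Vista build described here), an MBR disk, and the D: (boot) / C: (OS) letters assigned in the diskpart steps above.

```powershell
# Added verification script, not from the original post. Assumes: Windows 8 or later
# with the Storage and BitLocker modules, an MBR disk, and the D: (boot) / C: (OS)
# letters from the diskpart steps. Run from an elevated PowerShell prompt.
function Test-BdeLayout {
    param([string]$BootLetter = 'D', [string]$OsLetter = 'C', [int]$MinBootMB = 50)
    $problems = @()

    $boot = Get-Partition -DriveLetter $BootLetter -ErrorAction SilentlyContinue
    $os   = Get-Partition -DriveLetter $OsLetter   -ErrorAction SilentlyContinue
    if (-not $boot) { return @("No partition is mounted as ${BootLetter}:") }
    if (-not $os)   { return @("No partition is mounted as ${OsLetter}:") }

    # The small partition holds the boot loader: it must be active and at least 50 MB.
    if (-not $boot.IsActive) { $problems += "${BootLetter}: is not marked active" }
    if ($boot.Size -lt $MinBootMB * 1MB) {
        $problems += "${BootLetter}: is $([int]($boot.Size / 1MB)) MB, below the $MinBootMB MB minimum"
    }

    # Both partitions must be NTFS.
    foreach ($letter in @($BootLetter, $OsLetter)) {
        $fs = (Get-Volume -DriveLetter $letter).FileSystem
        if ($fs -ne 'NTFS') { $problems += "${letter}: is $fs, expected NTFS" }
    }

    # The OS volume should be protected, and a recovery password must exist,
    # because a lost USB key is otherwise unrecoverable.
    $bde = Get-BitLockerVolume -MountPoint "${OsLetter}:" -ErrorAction SilentlyContinue
    if (-not $bde) {
        $problems += "${OsLetter}: no BitLocker information (feature missing or prompt not elevated)"
    } else {
        if ($bde.ProtectionStatus -ne 'On') {
            $problems += "${OsLetter}: protection is $($bde.ProtectionStatus) ($($bde.VolumeStatus), $($bde.EncryptionPercentage)% encrypted)"
        }
        if (-not ($bde.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            $problems += "${OsLetter}: no recovery password protector; store one away from the machine"
        }
    }
    return $problems
}

$issues = Test-BdeLayout
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Partition layout and BitLocker protector state match the walkthrough."
```

While encryption is still in progress the protection check reports the current percentage; rerun the script after the task tray item shows completion.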
You’re Done!
Windows Vista will only have this capability in Ultimate or Enterprise edition so keep this in mind when selecting what version of Windows you are going to use for your deployment.
Stolen drives are a big problem for any business; targeted theft is increasing, and utilities like ERD Commander make cracking into Windows entirely too easy. So I hope that many will use BitLocker (BDE) or another encryption vendor to secure drives in their Windows Vista deployment. The advantage of BDE is that it is free, relatively easy to set up, and doesn’t require a separate password to maintain.
Posted Dec 28 2005, 08:53 AM by Josh Phillips