05 July 2009

Protect Your Laptop With Bitlocker!



While the percentage of laptop thefts continues to soar, users are still unconcerned about protecting their valuable data! Although you may give yourself a pat on the back for having a backup of your data elsewhere, have you stopped and considered what will happen to that same unencrypted data on your laptop that's now in the hands of a complete stranger? While buying another laptop is not the end of the world, have you placed a 'value' on your data itself? It's possible to buy a powerful laptop for less than $1000 nowadays, but can you place a money value on that spreadsheet file containing all of your family's financial and other personal information? Read on to see how you can protect yourself from a stolen computer by using a new Microsoft technology called Bitlocker.

The Importance of Encryption

While most of us quickly realize the need to purchase a new laptop or computer after one has been stolen, it usually takes a while before we realize that money can never replace unencrypted, stolen data. Just ask the many companies that had their employees travel with unencrypted laptops filled with confidential data (social security numbers, addresses, phone numbers, etc.) only to have them stolen. Did the IT department then wish that they had encrypted the laptops 'before' the situation occurred? You can bet they did! Imagine how embarrassed they must have felt when they had to explain to their customers (imagine if you were one of them) and to the media that their personal information was now in the hands of a stranger because they didn't feel it necessary to 'encrypt' that data in the first place. Hearing about these security incidents raises my blood pressure to a whole new level. A mishap like this could seriously damage the reputation of a company and lose it potential customers, costing serious money.
Now, I probably know what you are thinking right now. Just because you are not a traveling businessman in a fancy suit doesn't exempt you from this problem! Data theft is very real and can happen to anyone. Even if you just bring your home laptop with you on your travels, you should still look into encrypting your hard drive and data. Many times users (myself included, sadly) thought that their computers and laptops didn't include any personal information, only to realize how ignorant that thought was when their machine actually got stolen. For example, would you want me going over the entire email database you have configured in Outlook? Would you want me to be able to log in to the many websites you visit because you were 'nice' enough to have the browser remember all your usernames and passwords? How about going over your entire family photo and music collection? Probably not. But oh wait. You just realized that you have a password protecting your user account! Beat that, sucker! Sad to say, a simple Windows account password, even if it's 20 or 30 characters long, can be easily bypassed, and I'll explain it here just to paint you a bigger picture of how important it is to protect your hardware at all costs!

Breaking Into a Laptop

I have detailed here how easy it can be to 'unlock' or 'reset' the password of a user account and gain complete access to the computer. I really hope that you only use that method to reset a password on a computer that you yourself rightfully own. But as you can already see, it can be used in devious ways as well. If I stole your laptop, I could easily use that same method to gain access to all of your documents, were they not encrypted. Physical security is as important as any other security measure. Once I have the machine in my hands, I have as much time as I need to do whatever I want with it. Another method that bypasses cracking passwords altogether is to simply detach the hard drive and mount it on my own computer. If your data or the hard drive itself was not encrypted, it's game over. Again, I'm only detailing this to show you how easy it is for even an amateur to break into your system. I really hope I don't encourage you to try any of this on hardware you do not actually own!

The Power of Encryption

Encryption can go a long way. Think about it for a second. If I stole your laptop, you obviously just lost the entire laptop, in terms of physical hardware. That much cannot be denied (although it could have been prevented!). However, wouldn't you, the original laptop owner, want to protect your data to make my job of stealing it that much harder, if not impossible? You already lost your laptop, so it makes sense to actually protect the data stored inside that hard drive. Sure, I'll have a fancy new laptop to play with or to sell on eBay, but I won't be able to access your data. Most amateur thieves steal laptops to make a profit. However, we humans are curious by nature, so you can bet on the thief snooping around your hard drive before making the sale. If he finds more valuable data on your hard drive, like credit card numbers, you can also bet on him/her exploiting that as well to make an even bigger profit.
Microsoft's solution to this problem is their new Bitlocker Encryption system. Once turned on, Bitlocker will encrypt your entire hard drive, and it will not be accessible to anyone until the right PIN or password file has been supplied. This prevents data thieves from physically mounting the stolen hard drive on their own computer for access. The password reset method will not work either, because the hard drive is locked. The neat thing about Bitlocker is that it works seamlessly. You'll never even know Bitlocker was turned on once you log in to your session. You can save and open files just as before. Using Bitlocker, however, requires several prerequisites and pretty good knowledge of how the technology works. You'll need to be using either Windows Vista Ultimate or Windows 7 Ultimate, a computer with a TPM chip, and you'll need to create a separate 2GB partition. Going into details about Bitlocker is beyond the scope of this article, as it's certainly a very deep and complicated subject. Deploying it on a single computer or laptop is certainly not that difficult, but the consequences of not understanding exactly what it can do will be very grave. You could actually prevent yourself from booting into Windows altogether if you are not careful, and if that does happen and you don't have the recovery password, you're out of luck, as the hard drive is now locked. The really cool thing is that during startup, you can configure Bitlocker so that it requires you to enter a PIN, a USB key with the password file, or a combination of both before releasing the key to decrypt your hard drive. Don't know the PIN or don't have the USB key? Then you basically have a very expensive paperweight. In my tutorial, I'll be going over how to set up Bitlocker with a TPM and PIN combination.
VERY IMPORTANT!! YOU MUST read more about this topic BEFORE actually implementing it. I will not be held responsible should anything go wrong with your implementation of Bitlocker on your system following my guide. I documented the procedures I went through to get Bitlocker going on my Vista Ultimate laptop. Your steps and procedures may vary. Therefore, you can consider my guide as just a starting point or for reference only. It is not set in stone. I believe the process should be similar in Windows 7. Also, once enabled, getting rid of Bitlocker is not as easy as doing a simple program uninstall. So think and plan first before deploying Bitlocker. For starters, you can head over to Microsoft's Technet site to read more on Bitlocker.


Implementing Bitlocker

1. You will need to prepare your hard drive first. Bitlocker requires a separate 2GB partition to hold the boot files. This partition is NOT encrypted at all with Bitlocker. You can manually create the 2GB partition the old-fashioned way or you can download the Bitlocker Preparation Tool by Microsoft, created especially for this purpose. To simplify things, I'll use the tool. If you have Vista SP1, you can download the tool by following these instructions found here. If you have Vista without the service pack, download the stand-alone tool here. If you are using Windows 7 RC, you don't have to worry about this step, as the system partition has already been created for you whether you decide to implement Bitlocker or not.



Run the preparation tool, follow the instructions and reboot the computer once it's done.



This is what it looks like after you run the tool:



2. Next I'm going to initialize the TPM chip on my laptop. Although you don't actually need a TPM 1.2 chip in order for Bitlocker to work, it's highly recommended that you do use it if you have it. To see if you have the chip, check Device Manager and look under Security Devices. If your laptop does have it, you will see it listed there. Initializing the TPM chip is pretty straightforward. Click Start, type in Tpm.msc and hit Enter. You can then configure/initialize your TPM chip in that applet as shown here. Just hit the 'Initialize TPM' option and follow the instructions. Be sure to save the password!



3. Next we configure Group Policy so that it requires us to enter a PIN when the computer boots up. This is the recommended method when setting up Bitlocker (TPM + PIN). Hit Start and type in Gpedit.msc. Drill down to Computer Configuration/Administrative Templates/Windows Components/Bitlocker Drive Encryption. Double-click the 'Control Panel Setup: Enable advanced startup options' option. Click the 'Enabled' radio button. In the first drop-down menu, select 'Disallow startup key with TPM'. In the second menu, select 'Require startup PIN with TPM'. I believe this step is optional, as the default behavior is set so that Bitlocker will ask you what you want to do when you enable it, but I like doing things manually, so it's up to you.



4. With most of the legwork done, it's finally time to enable the feature. In Control Panel, select Bitlocker Drive Encryption. You should now see your C: volume listed. Simply select 'Turn On Bitlocker'. You are now asked to select your startup preferences, and if you did the Group Policy method earlier, only the PIN option can be selected. Please enter a PIN that you can remember, and please don't use your debit card PIN! Remember though, EVERY time you boot your computer, you are REQUIRED to enter this PIN, so keep that in mind. The next step is VERY VERY VERY important. You are asked to save or print the Recovery Password. This will be used if you somehow forget your PIN or when you have to make legitimate system-wide changes to your computer. This is a super long string of digits, so remembering it is not an option. I recommend saving it. You aren't allowed to save it on your computer (if you forget your PIN, you can't get to your desktop), so you will need a USB thumb stick for this portion. If you forget your PIN and don't have your recovery password, you might as well reformat your hard drive, because there is no way of recovering your files. Not one file. Everything will be lost. EVERYTHING. Next, it's recommended you leave the system check option turned on. You will then be asked to reboot the computer and you will be presented with a screen asking you to enter your PIN.



5. Once you boot back into Windows, the encryption will begin. This takes a super long time, so make sure you can leave your computer on, although you can pause the process. The good news is that you can continue working on your computer while the encryption of your hard drive is taking place, although I would recommend not doing anything processor or hard drive intensive (like encoding or converting a video file). Also, although you can pause the process, it's recommended you don't shut down or restart your computer until the entire encryption process has fully completed. Once it has, that's it! The entire Bitlocker process is now completed and you will now have a secured laptop/computer!



6. (Optional) Test your hibernation. I've encountered a rather serious problem, as I couldn't resume from hibernation after deploying Bitlocker. Every time I tried to resume, it gave me a Windows Error Recovery message stating that my computer was 'Unexpectedly Shutdown' and basically treated it as if it was a shutdown instead, forcing me to reboot my computer every time. After pulling out a few strands of hair, I finally found the fix here. I know, this seems like a lot of work, as you'll have to edit the BCD, restart, enter the long Bitlocker recovery password (it detected that a change was made, so it halted your computer from booting; this is also a good way to see Bitlocker in action, though), disable Bitlocker, enable it again and then finally do another restart.

7. (Optional) Make another backup of your Bitlocker recovery password! I can't stress enough how important this file is. If you lose it, you'll never be able to boot your computer again and you'll lose all your files! You can do what I did and attach the file to an email and then email it to yourself. That way, you'll always have the file in your inbox. Simply printing the password and keeping it in a very safe place is also highly suggested. Just remember where you put it!
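To confirm that steps 2 to 5 actually left the laptop in the intended state, here is a PowerShell check added to this guide (it is not part of the original tutorial or of Microsoft's tooling). It reads the TPM state, the Group Policy values behind the 'Enable advanced startup options' setting, and the volume's key protectors through WMI; it assumes the OS volume is C:, an elevated prompt, and that the WMI classes and FVE registry value names used are the ones Vista and Windows 7 shipped with.

```powershell
# Added verification script, not from the original guide. Assumes the OS volume is C:,
# an elevated PowerShell prompt, and the Vista/Windows 7 WMI classes and FVE policy
# value names used below. It reports state only and never prints the recovery password.
$Drive = 'C:'

# Step 2: the TPM must be enabled, activated and owned before TPM+PIN can be used.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Warning 'No TPM found; TPM+PIN startup is not available on this machine.'
} else {
    $ready = $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and $tpm.IsOwned_InitialValue
    Write-Host ("TPM enabled/activated/owned: {0}/{1}/{2}" -f `
        $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue, $tpm.IsOwned_InitialValue)
    if (-not $ready) { Write-Warning 'Initialize the TPM (Tpm.msc) before relying on TPM+PIN.' }
}

# Step 3: the 'Enable advanced startup options' policy is stored under the FVE key.
# Assumed value meanings (from the policy template): 0 = disallow, 1 = require, 2 = allow.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -eq $null -or $fve.UseAdvancedStartup -ne 1) {
    Write-Warning 'Advanced startup options policy is not enabled; the wizard will use its defaults.'
} elseif ($fve.UseTPMPIN -ne 1 -or $fve.UseTPMKey -ne 0) {
    Write-Warning 'Policy does not require a startup PIN with TPM and disallow a startup key.'
} else {
    Write-Host 'Policy: startup PIN required with TPM, startup key disallowed.'
}

# Steps 4 and 5: protection must be on, the volume fully encrypted, and both a
# TPM+PIN protector and a numerical (recovery) password protector must exist.
$vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                     -Class Win32_EncryptableVolume -Filter "DriveLetter='$Drive'"
if ($vol -eq $null) { throw "Volume $Drive is not a Bitlocker-encryptable volume." }
$protection = $vol.GetProtectionStatus().ProtectionStatus    # 1 = protection on
$conversion = $vol.GetConversionStatus()                     # ConversionStatus 1 = fully encrypted
$tpmPin     = $vol.GetKeyProtectors(4).VolumeKeyProtectorID  # type 4 = TPM and PIN
$recovery   = $vol.GetKeyProtectors(3).VolumeKeyProtectorID  # type 3 = numerical password

Write-Host ("{0} encryption: {1}% (conversion code {2}), protection code {3}" -f `
    $Drive, $conversion.EncryptionPercentage, $conversion.ConversionStatus, $protection)
if ($protection -ne 1 -or $conversion.ConversionStatus -ne 1) {
    Write-Warning 'Encryption is not complete or protection is off; keep the laptop on until it finishes.'
}
if (-not $tpmPin)   { Write-Warning 'No TPM+PIN key protector found on the OS volume.' }
if (-not $recovery) { Write-Warning 'No recovery password protector found; the wizard should have created one.' }
else { Write-Host ("Recovery password protector IDs: {0}" -f ($recovery -join ', ')) }
```

The protector IDs it prints are only identifiers; the 48-digit recovery password itself is deliberately not shown, so the printout is safe to keep next to the offline copy from step 7.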

Bitlocker is an awesome piece of technology, and with Windows 7 you'll also be getting Bitlocker-To-Go, which allows you to deploy the technology onto USB thumb drives. My main concern with Bitlocker is that Microsoft is forcing you to purchase either Windows Vista Ultimate or Windows 7 Ultimate in order to deploy it. As the name suggests, Ultimate is the priciest edition of either operating system, and after what a lot of people (including yours truly) went through with Windows Vista Ultimate, we're not so sure we want to yet again waste so much money on the Ultimate edition. In my opinion, they should have scrapped the Ultimate edition altogether and moved everything to the Professional edition, including Bitlocker.

Evolution54
