Friday, January 30, 2009

Big Changes in BitLocker

If you use Windows Vista Enterprise or Ultimate, or any version of Windows Server 2008, you may have heard about a feature called BitLocker Drive Encryption (BDE). This awesome feature will enable you to encrypt the operating system volume. However, in Vista RTM, Microsoft doesn't make it very apparent how to encrypt additional volumes. In Vista SP-1 and Server 2008, you can encrypt data volumes through the UI.

Of course, if you're a fan of the command prompt, the %SystemRoot%\system32\manage-bde.wsf file gave you all the commands necessary to manage your BitLocker volumes.

Or, you could get your hot little hands on the BDE WMI object model and write your own UI in Visual Studio 2008. I went with this approach.

My first blog post talked about building this tool and my need to learn where BitLocker policy settings were stored in the Registry. Well, BDE in Windows 7 is GREATLY expanded.

Microsoft has introduced a bunch of new policy settings, with backwards compatibility to Vista/Server 2008. But there are a ton of new settings for "Windows 7 family."

They've pretty much broken these up into three groups: system (OS) volume, fixed data volumes and removable data volumes. So you can get really granular with how BitLocker behaves with various volumes, whether they're hard drives inside the computer or removable media, such as flash drives.

Windows 7 BDE includes something called BitLocker To Go, which gives great flexibility in the encryption of removable volumes. It adds policies on whether or not to allow read/write access to unencrypted media, as well as read/write access to BDE-encrypted media from another organization (this piece is made possible by two new policy settings: the primary BitLocker identifier and the secondary BitLocker identifier).
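As an added example (not code from the original post), here is the kind of audit script the WMI approach mentioned above makes possible: it enumerates every volume through the Win32_EncryptableVolume class and reports each one in the same three groups the Windows 7 policy settings use (OS volume, fixed data volume, removable data volume). It assumes PowerShell 2.0 on Vista SP1, Server 2008 or Windows 7 with BitLocker installed, and classifies volumes with Win32_LogicalDisk.DriveType plus %SystemDrive% rather than any Windows 7-only property, so it also runs on Vista. The numeric status and conversion codes in the lookup tables are the documented values of the WMI methods; passing 0 to GetKeyProtectors to get every protector type is common usage of that method, not something the post states.

```powershell
# Added example: BitLocker status audit via the Win32_EncryptableVolume WMI class.
# Not from the original post; assumes PowerShell 2.0 and BitLocker installed.

$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Numeric codes returned by GetProtectionStatus / GetConversionStatus
$protection = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$conversion = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                 3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

# Win32_LogicalDisk.DriveType: 2 = removable, 3 = fixed. The OS volume is the
# one that carries %SystemDrive%.
$systemDrive = $env:SystemDrive.ToUpper()
$diskTypes = @{}
Get-WmiObject Win32_LogicalDisk | ForEach-Object {
    $diskTypes[$_.DeviceID.ToUpper()] = [int]$_.DriveType
}

function Get-VolumeClass([string]$letter) {
    if ($letter -eq $systemDrive) { return 'OS volume' }
    switch ($diskTypes[$letter]) {
        2       { 'Removable data volume' }
        3       { 'Fixed data volume' }
        default { 'Other' }
    }
}

Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
    $letter = if ($_.DriveLetter) { $_.DriveLetter.ToUpper() } else { '(no letter)' }
    $prot = $_.GetProtectionStatus()
    $conv = $_.GetConversionStatus()

    # 0 = all key protector types (TPM, numerical password, external key, ...)
    $ids = $_.GetKeyProtectors(0).VolumeKeyProtectorID
    $protectorCount = if ($ids) { @($ids).Count } else { 0 }

    New-Object PSObject -Property @{
        Volume      = $letter
        Class       = Get-VolumeClass $letter
        Protection  = $protection[[int]$prot.ProtectionStatus]
        Conversion  = $conversion[[int]$conv.ConversionStatus]
        PercentDone = $conv.EncryptionPercentage
        Protectors  = $protectorCount
    }
} | Format-Table Volume, Class, Protection, Conversion, PercentDone, Protectors -AutoSize
```

Run it from an elevated PowerShell prompt, since the MicrosoftVolumeEncryption namespace requires administrator rights. A volume that reports FullyEncrypted but Unprotected (protectors disabled, typically after a suspend) is the case worth flagging in an audit, because the data is encrypted yet the key is stored in the clear.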

I think Microsoft scored big with BitLocker. Now I think they made it better and more flexible.

Security is everyone's responsibility. If Microsoft really wants to make this a winner, they will include BitLocker with all versions of Windows 7, not just Enterprise/Ultimate.

~M