BitLocker demystified: The basics

In the second part of the guide to BitLocker, channel professionals will learn how the tool works, and find out about special features.


When a Windows Vista system is configured to use BitLocker, which is present in the Enterprise and Ultimate editions of Windows Vista, the system's boot drive is split into at least two partitions: a boot volume, which is a normal unencrypted NTFS volume, and a system volume, which is encrypted.

The boot volume starts the system, reads whatever encryption keys have been made available to it and then attempts to read and decrypt the OS files from the system volume. If the right keys are present, the OS loads and all the files on the encrypted volume (and any auxiliary volumes encrypted with that install of Vista) will be available. If the keys can't be read or don't match, the system will not boot, and none of the files on any of the encrypted volumes will be readable.

BitLocker uses authentication in one of four ways:

  1. Transparent authentication. This is the easiest and most hassle-free implementation of BitLocker, but it requires a computer that has the Trusted Platform Module (TPM) implemented in the hardware. The encryption keys are stored in a protected module on board the computer itself that is resistant to tampering or reverse engineering. Any signs of hacking will automatically force the system to boot in user-authentication mode (see below). TPM setups can also work with a PIN -- a user-supplied ID number -- to increase security.

  2. USB key authentication. This is the most commonplace way to start a BitLocker-encrypted system without a TPM, and it's the easiest choice for people running existing commodity hardware. The encryption key is stored on a removable USB drive, which is connected to the computer at boot time.

  3. Combined authentication. A TPM system can also be forced to rely on the presence of an external USB drive with a key for authentication for greater security.

  4. User authentication. This is the fail-safe way to boot a BitLocker machine. Each BitLocker-protected install of Vista will have a recovery passphrase (it's fairly long) that can be typed in to boot the system.

Note that if the TPM module detects a failure or that it has been compromised, or if the USB drive with the key is not available, the system will automatically boot in user-authentication mode.
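The recovery passphrase used in user-authentication mode has a fixed structure, and a help desk or key-escrow process should be able to tell a mistyped or truncated copy from a genuine one before anyone attempts a recovery with it. The checker below is an added example, not code from the article or from Microsoft; it assumes the documented 48-digit BitLocker recovery password layout (eight six-digit groups, each a multiple of 11 and at most 720885), and the sample password it builds is constructed, not a real key.

```python
import re

# Structural rules of a BitLocker 48-digit recovery password (the documented
# format, not stated in the article): eight groups of six decimal digits,
# every group an exact multiple of 11, and every group divided by 11 fits in
# 16 bits, so the password carries eight 16-bit words (128 bits) plus a
# check digit per group.
GROUP_COUNT = 8
GROUP_LEN = 6
MAX_GROUP = 65535 * 11  # 720885, the largest legal group value


def parse_recovery_password(text: str) -> list[int]:
    """Return the eight 16-bit words encoded by a recovery password.

    Accepts the dashed form printed by Windows, space-separated groups, or a
    bare run of 48 digits. Raises ValueError on any structural defect so an
    escrowed or transcribed password can be rejected before a recovery
    attempt is made with it.
    """
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit() or len(digits) != GROUP_COUNT * GROUP_LEN:
        raise ValueError("expected exactly 48 decimal digits")
    words = []
    for idx in range(GROUP_COUNT):
        group = int(digits[idx * GROUP_LEN:(idx + 1) * GROUP_LEN])
        if group % 11 != 0:
            raise ValueError(f"group {idx + 1} ({group:06d}) fails the mod-11 check digit")
        if group > MAX_GROUP:
            raise ValueError(f"group {idx + 1} ({group:06d}) exceeds the 16-bit range")
        words.append(group // 11)
    return words


def is_well_formed(text: str) -> bool:
    """True when the password passes every structural check above."""
    try:
        parse_recovery_password(text)
    except ValueError:
        return False
    return True


def format_recovery_password(words: list[int]) -> str:
    """Inverse of parse: render eight 16-bit words in the dashed Windows layout
    (useful for building test fixtures; real passwords come from BitLocker)."""
    if len(words) != GROUP_COUNT or any(not 0 <= w <= 65535 for w in words):
        raise ValueError("need exactly eight values in the range 0..65535")
    return "-".join(f"{w * 11:06d}" for w in words)


if __name__ == "__main__":
    # Constructed sample, not a real key: eight arbitrary 16-bit words.
    sample = format_recovery_password([0, 1, 65535, 12345, 7, 8, 9, 10])
    print(sample, is_well_formed(sample))
    # A single mistyped digit breaks the mod-11 check in that group.
    print(is_well_formed(sample.replace("000011", "000012")))
```

The check only confirms the password is structurally valid; whether it actually unlocks a given volume is decided by BitLocker at boot.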

Aside from protecting a system during its normal lifecycle, BitLocker protects a system after it's been retired as well. A drive secured with BitLocker doesn't need to be sanitized as aggressively when it's removed from a computer; once the boot volume and partition headers are erased, it's impractical to try to recover the encrypted data.

BitLocker encryption is also reversible. It can be disabled, and the entire volume can be decrypted on demand if needed without reinstalling the OS. In addition, you can move a protected volume to another computer, but only if the recovery key is provided. This simply involves turning off BitLocker, moving the drive and turning it back on again.

BitLocker demystified: End-to-end encryption for Vista

  The basics
  Keying up
  Common misconceptions

About the author
Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!

