Protect a Partition - Use Bitlocker or Something Else?

I have a Dell workstation running Windows 7 Ultimate 64-bit. Two disk drives. Drive one has the C: partition and the recovery partition. Drive two has two partitions - the Windows swap file and a partition that holds all my data files (call it F: below).

I would like to secure the data on F:. Actually, there are two folders on F: that have the information I really want to secure. The other folders are optional.

I want protection that is reasonably secure, reliable, and easy to use. I do not need military-quality protection, though.

My questions:

* Would Bitlocker suffice for this? What are the pro's and con's of using Bitlocker?

* If I use Bitlocker what should I look out for? (I already know about the Microsoft articles and plan to read them. I'm looking for any practical expert advice you may have.)

* If not Bitlocker, then what?

* Is it practical to protect just those two folders or should I protect the entire F: partition?

* Should I consider protecting C: since Windows and programs such as Office store temp files in various places on C:?

Peter Bye (Retired) asked:

Gary Case (Retired) commented:
Personally, I think the risk of an unencrypted C: drive is very small IF you have moved (a) the swap file; (b) the TEMP folder; and (c) your e-mail store (if it's local) off of C: to an encrypted drive. All three of those are simple to do. Most applications keep their data in your designated documents folder ... and any you use that don't are most likely configurable -- so you can easily ensure they also keep their data in an encrypted drive.

I agree, however, that it's much simpler to not have to worry about that -- and simply encrypt everything (C: included). While that may create issues with Acronis, note that Windows 7's built-in Backup utility will easily create a system image ... and it supports BitLocker [not to mention that it's free :-) ]. Aside from "playing" with it to confirm it works (it does ... and quite well) I don't use it, as I have a complex multi-boot system with 8 OS's that I image fairly regularly -- I use an Image Set with Boot-It NG to do those images (but none of these are encrypted).
TrueCrypt (open source) is probably a better choice.

I hope this helps!

Depends on what you are worried about?

If someone takes your computer, what are you worried will be revealed?

That will determine what needs to be encrypted.

I hope this helps!
Peter Bye (Retired, Author) commented:
The data to be protected are financial records and client data. All are stored on the F: drive within three folders.

What makes Truecrypt Open a better solution in your view?
Not proprietary for a start.

If you have issues with BitLocker, you may end up paying $$$ to MS to get it fixed, if at all.

Check the options of both and you can decide for yourself, which offers the most flexibility in terms of backup, install, and options.

For financial records I would also consider encrypting the C drive and any drive that has a pagefile or temp folder.
Gary Case (Retired) commented:
BitLocker is fine for your situation -- and indeed it fully encrypts the entire volume, so you don't have to worry about any temporary files or auto-save files that may be on the system drive. TrueCrypt is also a good choice -- it has the advantage that it doesn't require the Ultimate version and isn't proprietary to Microsoft ... but neither of those is of any significance in your case.

Regardless of which you use, be CERTAIN that you have a good backup of the encryption key. While I'm sure you keep good backups of your data (which I presume you'll also keep encrypted), neither the current data nor the backups can be read without the appropriate encryption key(s). Losing the encryption key is FAR worse than losing a password -- for all practical purposes there is simply no way to recover the data without the key.
Peter Bye (Retired, Author) commented:
SysExpert - thanks for elaborating.

Garycase - you raise some excellent points and a further question or two that I had not thought of.

Given that the data (F:) is on one disk drive and C: is on a different disk drive, should I encrypt both C: and F:? And should I encrypt the Windows swap partition that is on the disk drive with F:?

I keep two types of backup.

MozyHome offsite backup with my own keyword. Everything that MozyHome backs up is on F:. Will MozyHome still be able to read the files from F: for backup once Bitlocker is enabled?

I also do local backups to an external Western Digital MyBook drive. Those are not encrypted at this point. I suppose I should use Bitlocker to encrypt that MyBook drive partition?

Part of that MyBook drive is a partition where Acronis stores images of C:. I assume I would NOT protect that partition.

A strong second about storing the encryption keys. For Mozy I keep it in writing locally and also in a bank safe deposit box!
Peter Bye (Retired, Author) commented:
I just sent Mozy technical support the question about MozyHome compatibility with Bitlocker. I'll share their response.
Gary Case (Retired) commented:
Definitely interested in what they say. I was looking at a few Mozy forums when your comment came in, and they apparently have had some issues with encrypted drives in the past ... it's not clear if they've been resolved since (which you should know when they reply).

r.e. your question above on the MyBook ==> Yes, I'd use "Bitlocker to Go" to encrypt that so your backup is secure. Note that if you're not concerned about physical security when the MyBook is connected to YOUR system, you can set BitLocker to remember the key for that drive when it's connected to that specific computer. Makes it a bit more seamless if this is a drive you connect/disconnect a lot and store physically elsewhere.

Note also that BitLocker requires NTFS formatting ... I believe Western Digital still ships MyBooks with FAT32 formatting -- if so (and you haven't already reformatted yours) you'll need to change it to NTFS formatting. [You can do this without any data loss with Windows' "Convert" utility]
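The steps Gary Case describes above (BitLocker on the F: data volume, BitLocker To Go on the MyBook with the key remembered for this computer, NTFS conversion where needed, and a backed-up recovery key) written out as a PowerShell script around manage-bde.exe, the command-line BitLocker tool that ships with Windows 7 Ultimate. This is an added example, not code from the thread or from Microsoft; the drive letter G: for the MyBook and the key-backup folder are assumptions. One caveat worth knowing before deciding what to do with C:: BitLocker's auto-unlock for data and removable drives only works when the operating-system drive is itself BitLocker-protected.

```powershell
# Added example (not from the thread): enable BitLocker on the F: data volume and
# BitLocker To Go on an external backup drive using manage-bde.exe (Windows 7).
# Run from an elevated PowerShell prompt. Drive letters and paths are assumptions.
$DataVolume      = 'F:'
$BackupVolume    = 'G:'                          # assumed letter of the MyBook
$KeyBackupFolder = 'C:\BitLockerKeys-EXAMPLE'    # placeholder; move these files offline afterwards

function Test-Ntfs([string]$Drive) {
    # BitLocker needs NTFS. Returns $true when the volume is already NTFS.
    $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    return ($disk -ne $null -and $disk.FileSystem -eq 'NTFS')
}

function Protect-DataVolume([string]$Drive, [string]$KeyFolder) {
    if (-not (Test-Ntfs $Drive)) {
        # convert.exe changes FAT32 to NTFS in place; still take a backup first.
        convert.exe $Drive /fs:ntfs
    }
    # Password protector for everyday unlocking (manage-bde prompts for it),
    # plus a 48-digit recovery password and a recovery key file saved in $KeyFolder.
    manage-bde -protectors -add $Drive -Password
    manage-bde -protectors -add $Drive -RecoveryPassword
    manage-bde -protectors -add $Drive -RecoveryKey $KeyFolder
    manage-bde -on $Drive
    # Record the protectors (including the numerical recovery password) for offline storage.
    $record = Join-Path $KeyFolder ("{0}-protectors.txt" -f $Drive.TrimEnd(':'))
    manage-bde -protectors -get $Drive | Out-File -FilePath $record
}

New-Item -ItemType Directory -Path $KeyBackupFolder -Force | Out-Null

Protect-DataVolume $DataVolume   $KeyBackupFolder
Protect-DataVolume $BackupVolume $KeyBackupFolder   # BitLocker To Go on the external drive

# "Remember the key" for the external drive on this PC. Auto-unlock is only
# available when the OS drive (C:) is itself BitLocker-protected.
manage-bde -autounlock -enable $BackupVolume

# Verify: Conversion Status / Percentage Encrypted and the list of key protectors.
manage-bde -status $DataVolume
manage-bde -status $BackupVolume
```

The protector text files contain the recovery password in clear, which is why the script writes them to a placeholder folder: copy them to offline media (the safe-deposit-box approach mentioned earlier in the thread works) and delete the local copies once you have confirmed the volumes unlock.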
SysExpert commented:
I would also suggest looking into how Acronis handles an encrypted C drive.

Peter Bye (Retired, Author) commented:
Well, things are now coming into focus.

Mozy Tech Support initially said that Mozy "didn't work well" with encrypted drives. I pushed back and asked for details including if he could consult with a Level 2 tech. Here is the follow-up response:

I apologize for that last bit of information. I spoke to a Level 2 technician and he corrected me. Mozy can back up Bitlocker drives. Because Bitlocker actually does full drive encryption and when you're logged in to a "bitlocked" drive it's as if it's not even encrypted. So yes you will be able to back up a "bitlocked" drive.

So, it appears I can use Bitlocker with the F: data partition.

Acronis continues to be unclear although it seems the answer is mostly no. These knowledge base and forum articles seem to suggest that only a sector-by-sector backup would work reliably:

At this point my plan is to enable Bitlocker on the F: partition, probably along with the computer's TPM1.2 security. I'll use Bitlocker to Go to secure the MyBook drive partition and use garycase's suggestion about having Bitlocker remember that key. Given the Acronis situation I plan to leave C: unencrypted. My only concern there is temp files so I'll just need to be careful about finding and erasing them.

Regarding the partition with the Windows swap file: SysExpert suggested encrypting it. Garycase - any thoughts?

I welcome your further thoughts.
Mantvydas commented:
I would vote for Bitlocker.

Pros. There's nothing more to pay Microsoft for: you are already using the Ultimate version of Windows 7, and Bitlocker is a feature of it.
It's Microsoft's way to encrypt a disk, so support is in one set of hands - you don't need to desperately seek community support, where no one is responsible when something bad happens.

Cons. None. See lookout below.

Lookout. You have to be careful with hardware changes or BIOS upgrades of the computer. After every bigger hardware change (bigger: more than one device) you need to re-enter the Bitlocker key upon computer startup. So having your key accessible at any time is necessary (for example someone at home can read it to you over the phone, or save the key somewhere on the internet (can you do that securely enough?)).

If not BitLocker. Open source TrueCrypt. Paid Utimaco Safeguard Easy.

Protecting. Only whole partition is possible with Bitlocker.

Considering C: Yes, consider that. Because even with TrueCrypt, either you need to enter the unlock key in every Windows session in which you need F:, or, if you don't need an encryption key every session, then the encryption key is somewhere on the disk or in RAM for the system to use. So the bad guy simply launches the system from the unprotected C: drive, by hacking your Windows user password, as it lies on the unprotected C:, and grabs the key from RAM.

Going further, even that is not secure enough with TrueCrypt. Even if you protect the C: drive with TrueCrypt, the key is still somewhere on the hard disk (otherwise the computer wouldn't boot if it weren't there). So the bad guy who knows TrueCrypt can put the TrueCrypted hard disk into another computer and get the encryption key from the hard disk.

It doesn't happen with C: protected and Bitlocker. First, because the Windows user password is secured by the encrypted drive. And second, because Bitlocker holds the encryption key in the TPM chip on the motherboard of the computer, so even if you connect the hard drive to another computer, you can't access the encryption key, as the key is in the TPM of the original computer.

Peter Bye (Retired, Author) commented:
Mantvydas - Thanks. You raise some very valuable points. Regarding primarily your last paragraph - do I need to have C: protected to gain these added protections? Or is it sufficient to enable TPM? I ask since Acronis True Image will not work with encrypted drives so I have to forego that if I use encryption on the C: drive.

Are there any downsides to encrypting the E: partition that has the Windows swap file (and nothing else)?

I assume plugging USB devices (flash drive, camera, headset) in or out of the PC does not cause a need to re-enter the Bitlocker password?
Gary Case (Retired) commented:
Plugging/unplugging USB devices does not trigger any requirements from BitLocker unless the USB device is a BitLocker protected drive ... in which case you'll be prompted for the key for that device (unless you've set it to be remembered with that specific drive/computer combo).

BitLocker works fine with the Windows swap file ... so a swap file on its own BitLocker protected partition would be a good way to ensure there are no recoverable "bits" in the swap file. You may have other temporary files you want to put on that partition (e.g. the Windows TEMP file folder ... which many programs will use by default for temporary data).
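Gary Case's suggestion of keeping the pagefile and the Windows TEMP folder on their own BitLocker-protected partition (E: in this thread), as an added PowerShell example that is not from the thread. It assumes E: already exists and is BitLocker-protected; it refuses to move anything otherwise, because a pagefile only lands on ciphertext if the volume it sits on is encrypted. E: also has to be unlocked when Windows starts (auto-unlock, which needs C: protected as well): if the volume is still locked at boot, Windows cannot create the pagefile there and falls back to C:. The pagefile sizes are constructed values; the changes take effect after a reboot.

```powershell
# Added example (not from the thread): move the pagefile and the TEMP/TMP folders
# to the BitLocker-protected E: partition. Elevated PowerShell; reboot afterwards.
$SwapVolume = 'E:'
$TempFolder = 'E:\Temp'          # assumed location for TEMP/TMP

function Test-BitLockerProtected([string]$Drive) {
    # Parse manage-bde -status output; $true only when protection is actually on.
    $status = manage-bde -status $Drive | Out-String
    return ($status -match 'Protection Status:\s+Protection On')
}

function Move-PageFile([string]$Drive, [int]$InitialMB, [int]$MaximumMB) {
    # 1. Stop Windows from managing the pagefile automatically (it would keep C:\pagefile.sys).
    $cs = Get-WmiObject Win32_ComputerSystem
    $cs.AutomaticManagedPagefile = $false
    $cs.Put() | Out-Null
    # 2. Remove every pagefile that is not on the target drive, e.g. C:\pagefile.sys.
    Get-WmiObject Win32_PageFileSetting |
        Where-Object { $_.Name -notlike "$Drive*" } |
        ForEach-Object { $_.Delete() }
    # 3. Create the pagefile on the protected partition, unless it is already defined there.
    $target = "$Drive\pagefile.sys"
    if (-not (Get-WmiObject Win32_PageFileSetting | Where-Object { $_.Name -eq $target })) {
        Set-WmiInstance -Class Win32_PageFileSetting -Arguments @{ Name = $target } | Out-Null
    }
    Get-WmiObject Win32_PageFileSetting | Where-Object { $_.Name -eq $target } |
        ForEach-Object { $_.InitialSize = $InitialMB; $_.MaximumSize = $MaximumMB; $_.Put() | Out-Null }
}

function Move-TempFolder([string]$Path) {
    # Set both per-user and system-wide TEMP/TMP so programs using either end up on E:.
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    foreach ($scope in 'User', 'Machine') {
        [Environment]::SetEnvironmentVariable('TEMP', $Path, $scope)
        [Environment]::SetEnvironmentVariable('TMP',  $Path, $scope)
    }
}

if (-not (Test-BitLockerProtected $SwapVolume)) {
    throw "$SwapVolume is not BitLocker-protected; encrypt it first so the pagefile and temp files are stored encrypted."
}
Move-PageFile   $SwapVolume 4096 8192     # constructed sizes in MB
Move-TempFolder $TempFolder

# Verify the resulting pagefile configuration (applies after reboot).
Get-WmiObject Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
```

After the reboot, check that C:\pagefile.sys is gone and that E:\pagefile.sys exists; programs that hard-code their own scratch location (rather than honouring TEMP) still need to be pointed at the encrypted partition individually, as Gary notes earlier in the thread.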
Peter Bye (Retired, Author) commented:
Garycase - that's an excellent idea to move the Windows TEMP folder over to the swap file partition so it gets protected along with the swap file.

I guess the primary open aspect is whether as Mantvydas suggested C: needs to be protected for Bitlocker to provide maximum security. The primary downside to this is the incompatibility with Acronis True Image for maintaining an image of the system partition. But it may be a worthwhile security trade-off.
Peter Bye (Retired, Author) commented:
Outstanding. I just have to get Windows Backup to start. I clicked the setup link and it just sits there. I digress, though. I'll either figure that out or post a separate question.

This sounds like a great solution. Encrypt C:, E: (swap), F: (data) with Bitlocker.

Encrypt the external hard drive with Bitlocker to Go. Tell Bitlocker to remember the key so I don't have to use it each time. (Physical security for it is not much concern.)

Stop using Acronis True Image. Use Windows Backup to create a system image.

Continue using MozyHome for an encrypted offsite backup of the data.

Garycase - I can't imagine having a multi-boot with 8 OSs. One is bad enough. (smile)

Thank you everyone. You have been so helpful in navigating the options and dependencies to devise a workable solution. I'll go award points. That will be difficult - I wish I had more than 500 available.