Solved

Enabling BitLocker on 2nd Hard Drive

Posted on 2014-02-15
9
6,662 Views
Last Modified: 2014-02-18
I have enabled BitLocker on the OS hard drive in several computers without many problems.
This particular Win 7 Ultimate workstation has two hard drives: (1) the 1st HD is for the OS only, (2) the second HD is for data only. It is the 2nd HD that is being shared by several other users on the network (without a DC).
I am in the process of encrypting the 1st HD right now and will need to encrypt the 2nd HD as well. That said, is there anything I should know about encrypting the 2nd HD with respect to how it may impact other users who will need to open/save documents from this computer?
0
Comment
Question by:sglee
9 Comments
 

Author Comment

by:sglee
ID: 39862574
[Screenshots: My Computer; BitLocker Option]
As seen above, the C drive (contains the OS) is encrypted and the startup key is stored on the G (USB) drive.
When I tried to enable "BitLocker" on the E drive (2nd hard drive), I saw the option screen and would like to know, for options 1 and 3, what they are and what implications each option comes with.
0
 
LVL 63

Accepted Solution

by:
btan earned 180 total points
ID: 39862987
Bitlocker does not support the concept of more than one user.

Reference MS Bitlocker FAQ

You may want to enable Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. The policy settings you use for this are:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. If you are concerned that your users might inadvertently store data in unencrypted drives while using a computer that does not have BitLocker enabled, use access control lists (ACLs) and Group Policy to configure access control for the drives or hide the drive letter.

Also

The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 180 total points
ID: 39862993
On the unlock drive option, it is mainly for a use case like inserting your BitLocker hard disk into a different computer. This is for a data drive. Mounting the hard disk on another computer running Windows 7 is a quick and straightforward way to recover information from a damaged computer that has a BitLocker-protected drive on the hard disk.

The BitLocker Drive Encryption Control Panel allows the chosen option to unlock using a password or smart card. In other words, when inserted in a different machine, you then supply the required secret to access that data HDD. However, if the data HDD was configured for automatic unlock only, you will have to unlock it by using the recovery key.

Overall, if it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

FAQ - http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx
0
 

Author Comment

by:sglee
ID: 39863015
@breadtan
Are you saying that once the data drive (2nd hard drive) is BitLockered, no one can access the shared folders off this hard drive? This network has no domain controller or file server. There are 4 computers in the office, all with Windows 7, and one computer acts as a file server by sharing the folders on the 2nd HD.
While waiting for the answers on this board, I went ahead and installed a 2nd HD on my computer and performed the testing. After encryption was finished on my 2nd HD, I was able to access the shared folder (on the 2nd HD) from another workstation.
 
I have started encrypting the 2nd hard drive in the real environment and it is almost 50% finished.
Once finished, I will restart this computer and the other 3 computers in the office to see whether any computer has a problem accessing files from this computer with the 2nd HD (with shared folders).
0
 

Author Comment

by:sglee
ID: 39863017
@breadtan
I don't quite understand what you are explaining.
I will simply post the result once encrypting on the 2nd HD is finished.
0
 
LVL 37

Assisted Solution

by:bbao
bbao earned 60 total points
ID: 39863027
Commonly, the two options do not make any difference in your scenario if the G drive is always available to unlock both drives.

If BitLocker is enabled on the OS drive, when you turn on BitLocker for a fixed data drive, you will have the 3rd option of allowing the drive to be automatically unlocked when the OS drive is unlocked.

But be aware it is for FIXED drives, in other words the drives must be physically secured.

Therefore, technically, any drive could be removable especially for that in laptop computers though the drive can be recognised as a fixed drive if it is not a USB based external drive. From this point of view, the 3rd option should not be used.

In conclusion, it depends on how confident you are on physical security.
0
 

Author Comment

by:sglee
ID: 39863041
Sorry, in my previous posting ID: 39863015, I forgot to mention that I chose the 3rd option and saved another BitLocker Recovery Key 14364B79-F3F5-44F5-AC16-xxxxxxxxxxx.txt

I have another question.
The first time I attempted to encrypt the 2nd HD, I stopped right before encryption started, and during the process it created a Recovery Key file.
The second time I was more confident with what I was doing and went through the whole process, including starting encryption. During the process, it created another Recovery Key file.
But I noticed that the first Recovery Key file was named differently from the 2nd one, and the contents of both files were also different.
Is this by design?
0
 
LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 60 total points
ID: 39863049
Choose the Automatically Unlock option in the shown dialogue box.

Encryption is the sole property of the OS meaning once booted up the encryption is transparent to everyone and anything accessing that system whether local or remote across the network.

Note that a backup that is tested and viable/good is MANDATORY when the data is encrypted as there is virtually NO recovery option if something happens.

Make sure to store the BitLocker keys in a safe place.

Philip
0
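An added example (not code from any post in this thread, nor from Microsoft) that audits the state the answers above describe: which volumes are protected, whether the shared data drive will auto-unlock with the OS drive (the 3rd option), whether a recovery password protector exists to back up, and whether the "deny write access to fixed drives not protected by BitLocker" policy from the accepted answer is in force. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later), an elevated prompt, and that the policy writes the FDVDenyWriteAccess registry value.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Microsoft): audits an OS drive plus
# a fixed data drive that is shared on the LAN, as discussed in this thread.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later);
# on Windows 7 the equivalent checks are "manage-bde -status" and
# "manage-bde -autounlock".

function Get-BitLockerDataDriveAudit {
    # Group Policy "Deny write access to fixed drives not protected by BitLocker"
    # is written to this key; value name per the FVE policy (assumed here).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
               -ErrorAction SilentlyContinue
    $denyUnprotectedWrite = ($null -ne $fve) -and ($fve.FDVDenyWriteAccess -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $findings = @()

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off (still encrypting, suspended or decrypted)'
            if ($vol.VolumeType -eq 'Data' -and $denyUnprotectedWrite) {
                $findings += 'policy mounts this unprotected data drive read-only'
            }
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector: add one and back it up'
        }
        if ($vol.VolumeType -eq 'Data') {
            if ($vol.AutoUnlockEnabled) {
                $findings += 'auto-unlock on: shares return after reboot with no manual unlock'
            } else {
                $findings += 'auto-unlock off: shares stay offline after reboot until unlocked'
            }
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protection   = $vol.ProtectionStatus
            Protectors   = ($types -join ', ')
            AutoUnlock   = $vol.AutoUnlockEnabled
            DenyWritePol = $denyUnprotectedWrite
            Findings     = ($findings -join '; ')
        }
    }
}

Get-BitLockerDataDriveAudit | Format-Table -AutoSize -Wrap
```

Run it on the machine that shares the data drive after each reboot: a data volume reporting "auto-unlock off" is the case where the other workstations lose the share until someone unlocks the drive locally.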
 
LVL 63

Assisted Solution

by:btan
btan earned 180 total points
ID: 39864750
>is there anything I should know encrypting 2nd HD with respect to  how it may impact other users who will need to open/save documents from this computer?

First, you already know that BitLocker is not multiuser and is specific to just HDD encryption, so it does not matter who keyed in the password; there are means to lock down access to the BL partition, as mentioned in my earlier post. Your 2nd HDD is just like another data volume mentioned in the posting.

> on option 1 and 3, what they are and what implications each option comes with
My second post shared on the unlocking and the use case when you normally need this. Since you chose option 3 for autounlock, I have also shared the use case in terms of shifting to a different platform etc.

>Is this by design?
The sector-level encryption key for the data volume is likely the same, as it uses the physical HDD metadata and info to generate it; that same key is protected by another data volume encryption key that would be generated and not differ in each request. Likely the recovery password which protects the data volume changes, and until it is finalised and accepted by the user, it will eventually be used to protect the data volume encryption key. Hence you see a different recovery key password in each attempt, but the underlying mentioned keys to protect the volume and sectors remain ... unless the h/w differs.
0
