Solved

Enabling BitLocker on 2nd Hard Drive

Posted on 2014-02-15
5,663 Views
Last Modified: 2014-02-18
I have enabled BitLocker on the OS hard drive in several computers without many problems.
This particular Win 7 Ultimate workstation has two hard drives: (1) the 1st HD is for the OS only, (2) the 2nd HD is for data only. It is the 2nd HD that is shared with several other users on the network (without a DC).
I am in the process of encrypting the 1st HD right now and will need to encrypt the 2nd HD as well. That said, is there anything I should know about encrypting the 2nd HD with respect to how it may impact other users who will need to open/save documents from this computer?
Question by:sglee
9 Comments
 

Author Comment

by:sglee
[Screenshots: My Computer; BitLocker Option]
As seen above, the C drive (contains the OS) is encrypted and the start key is stored on the G (USB) drive.
When I tried to enable BitLocker on the E drive (2nd hard drive), I saw the option screen and would like to know, for options 1 and 3, what they are and what implications each option comes with.
 
LVL 61

Accepted Solution

by:
btan earned 180 total points
Bitlocker does not support the concept of more than one user.

Reference MS Bitlocker FAQ

You may want to enable Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. The policy settings you use for this are:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. If you are concerned that your users might inadvertently store data on an unencrypted drive while using a computer that does not have BitLocker enabled, use access control lists (ACLs) and Group Policy to configure access control for the drives or hide the drive letter.

Also

The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
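Before switching on the "Deny write access" policies quoted above, it helps to see which local volumes they would affect. The following script is an added example, not code from the thread or from Microsoft: it reads the two policy values and lists every BitLocker-capable volume with its protection state, flagging the fixed drives that the policy would turn read-only (which, on this workstation, would include the shared 2nd HD until its encryption is on). It assumes an elevated PowerShell on Windows 7 or later, that the Group Policy editor stores these settings as the DWORD values `FDVDenyWriteAccess` and `RDVDenyWriteAccess` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, and that the `Win32_EncryptableVolume` WMI class (the provider manage-bde uses) is available.

```powershell
# Added example (not part of the thread): audit the two "Deny write access"
# policies and list which local volumes BitLocker is protecting.
# Assumptions: policy values FDVDenyWriteAccess / RDVDenyWriteAccess under the
# FVE policy key; WMI class Win32_EncryptableVolume (same provider as manage-bde).
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-DenyWritePolicy {
    $names = @{ Fixed = 'FDVDenyWriteAccess'; Removable = 'RDVDenyWriteAccess' }
    $state = @{}
    foreach ($kind in $names.Keys) {
        $item = Get-ItemProperty -Path $FvePolicyKey -Name $names[$kind] -ErrorAction SilentlyContinue
        if ($item -and $item.($names[$kind]) -eq 1) { $state[$kind] = 'Enabled' }
        else                                         { $state[$kind] = 'Not configured' }
    }
    return $state
}

function Get-VolumeProtection {
    # ProtectionStatus: 0 = protection off, 1 = on, 2 = unknown (e.g. still converting)
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume
    foreach ($v in $vols) {
        if (-not $v.DriveLetter) { continue }          # skip volumes without a letter
        $conv = $v.GetConversionStatus()              # EncryptionPercentage 0..100
        New-Object PSObject -Property @{
            Drive            = $v.DriveLetter
            ProtectionStatus = @('Off', 'On', 'Unknown')[$v.ProtectionStatus]
            EncryptedPercent = $conv.EncryptionPercentage
        }
    }
}

$policy = Get-DenyWritePolicy
"Deny write to unprotected fixed drives:     $($policy.Fixed)"
"Deny write to unprotected removable drives: $($policy.Removable)"

$vols = Get-VolumeProtection
$vols | Format-Table Drive, ProtectionStatus, EncryptedPercent -AutoSize

# With the fixed-drive policy enabled, an unprotected fixed data drive is mounted
# read-only on this machine, so shares hosted on it stop accepting writes.
# Flag those drives before turning the policy on (or before it arrives by GPO).
if ($policy.Fixed -eq 'Enabled') {
    $vols | Where-Object { $_.ProtectionStatus -ne 'On' } | ForEach-Object {
        Write-Warning "$($_.Drive) is not BitLocker-protected and will be read-only under this policy"
    }
}
```

The protection state comes from the same WMI provider that `manage-bde -status` reads, so the table should agree with what the control panel shows; a drive that is still encrypting reports protection on once its protectors are set, even though conversion is not yet at 100%.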
 
LVL 61

Assisted Solution

by:btan
btan earned 180 total points
The unlock option is mainly for use cases like inserting your BitLocker hard disk into a different computer. This is for data drives. Mounting the hard disk on another computer running Windows 7 is a quick and straightforward way to recover information from a damaged computer that has a BitLocker-protected drive on the hard disk.

The BitLocker Drive Encryption Control Panel allows the chosen option to unlock using a password or smart card. In other words, when the drive is inserted in a different machine, you then supply the required secret to access that data HDD. However, if the data HDD was configured for automatic unlock only, you will have to unlock it by using the recovery key.

Overall, if it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured, or it can be unlocked by using the recovery key.

FAQ - http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx
 

Author Comment

by:sglee
@breadtan
Are you saying that once the data drive (2nd hard drive) is BitLockered, no one can access the shared folders on this hard drive? This network has no domain controller or file server. There are 4 computers in the office, all with Windows 7, and one computer acts as the file server by sharing the folders on the 2nd HD.
While waiting for the answers on this board, I went ahead and installed a 2nd HD on my computer and performed the testing. After encryption was finished on my 2nd HD, I was able to access the shared folder (on the 2nd HD) from another workstation.

I have started encrypting the 2nd hard drive in the real environment and it is almost 50% finished.
Once finished, I will restart this computer and the other 3 computers in the office to see if any computer has a problem accessing files from this computer with the 2nd HD (with shared folders).
 

Author Comment

by:sglee
@breadtan
I don't quite understand what you are explaining.
I will simply post the result once encrypting the 2nd HD is finished.
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 60 total points
Commonly, the two options do not make any difference in your scenario if the G drive is always available to unlock both drives.

If BitLocker is enabled on the OS drive, when you turn on BitLocker for a fixed data drive, you will have the 3rd option of allowing the drive to be automatically unlocked when the OS drive is unlocked.

But be aware that it is for FIXED drives; in other words, the drives must be physically secured.

Therefore, technically, any drive could be removable, especially in laptop computers, even though a drive is recognised as a fixed drive if it is not a USB-based external drive. From this point of view, the 3rd option should not be used.

In conclusion, it depends on how confident you are in physical security.
 

Author Comment

by:sglee
Sorry, in my previous posting ID: 39863015, I forgot to mention that I chose the 3rd option and saved another BitLocker Recovery Key 14364B79-F3F5-44F5-AC16-xxxxxxxxxxx.txt

I have another question.
The first time I attempted to encrypt the 2nd HD, I stopped right before encryption started, and during the process it created a Recovery Key file.
The second time I was more confident with what I was doing and went through the whole process, including starting encryption. During the process, it created another Recovery Key file.
But I noticed that the first Recovery Key file was named differently from the 2nd one, and the contents of both files were also different.
Is this by design?
 
LVL 38

Assisted Solution

by:Philip Elder
Philip Elder earned 60 total points
Choose the Automatically Unlock option in the shown dialogue box.

Encryption is the sole property of the OS meaning once booted up the encryption is transparent to everyone and anything accessing that system whether local or remote across the network.

Note that a backup that is tested and viable/good is MANDATORY when the data is encrypted as there is virtually NO recovery option if something happens.

Make sure to store the BitLocker keys in a safe place.

Philip
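The two answers above (Bing's on the auto-unlock option and Philip's on keeping the recovery keys safe) and the question about the differently named recovery key files all come together in one scripted run of the same wizard steps. The script below is an added example and not code from the thread; it drives `manage-bde.exe`, which ships with Windows 7 Ultimate/Enterprise, to turn BitLocker on for a fixed data drive with a numerical recovery password, enable auto-unlock (the dialog's option 3), and then read the recovery password back and save it under its protector ID. That protector ID is the GUID the wizard puts in its `BitLocker Recovery Key <GUID>.txt` file name; each wizard run creates a fresh recovery password protector with a new ID and a new 48-digit password, which is why the two files differed. `$Drive`, `$BackupDir` and the English-language `manage-bde` output the parser expects are assumptions for this example.

```powershell
# Added example (not part of the thread): enable BitLocker on a fixed data drive,
# turn on auto-unlock and back up the recovery password under its protector ID.
# Assumptions: manage-bde.exe present (Win 7 Ultimate/Enterprise), elevated shell,
# English manage-bde output; $Drive and $BackupDir are placeholders.
param(
    [string]$Drive     = 'E:',
    [string]$BackupDir = 'G:\BitLockerKeys'   # e.g. the USB stick holding the OS startup key
)

function Invoke-ManageBde {
    param([string[]]$ArgList)
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($ArgList -join ' ') failed:`n$($out -join "`n")"
    }
    return $out
}

function Get-RecoveryPasswords {
    # "manage-bde -protectors -get <drive> -Type RecoveryPassword" prints, per
    # protector, an "ID: {GUID}" line followed by the 48-digit numerical password.
    $lines = Invoke-ManageBde @('-protectors', '-get', $Drive, '-Type', 'RecoveryPassword')
    $found = @(); $id = $null
    foreach ($line in $lines) {
        if ($line -match 'ID:\s*\{([0-9A-Fa-f-]+)\}') { $id = $matches[1]; continue }
        if ($id -and $line -match '^\s*(\d{6}(?:-\d{6}){7})\s*$') {
            $found += New-Object PSObject -Property @{ Id = $id; Password = $matches[1] }
            $id = $null
        }
    }
    return $found
}

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

# 1. Turn BitLocker on with a recovery password protector. Skip if the drive is
#    already (being) encrypted, since re-running -on fails on such a volume.
$status = Invoke-ManageBde @('-status', $Drive)
if ($status -match 'Conversion Status:\s+Fully Decrypted') {
    Invoke-ManageBde @('-on', $Drive, '-RecoveryPassword') | Out-Null
}

# 2. Auto-unlock (option 3): BitLocker stores an external key for $Drive on the
#    already protected OS volume, so the data drive unlocks whenever Windows boots
#    from C:. Its protection is therefore exactly that of the OS drive's protector;
#    moved to another PC it only opens with the recovery password saved below.
Invoke-ManageBde @('-autounlock', '-enable', $Drive) | Out-Null

# 3. Back up every recovery password, one file per protector ID, as the wizard does.
foreach ($rp in Get-RecoveryPasswords) {
    $file = Join-Path $BackupDir "BitLocker Recovery Key $($rp.Id).txt"
    @("BitLocker Drive Encryption recovery key",
      "Identifier: $($rp.Id)",
      "Recovery Key: $($rp.Password)") | Set-Content -Path $file -Encoding ASCII
    "Saved $file"
}

# 4. Confirm protection, auto-unlock and conversion progress on the data drive.
Invoke-ManageBde @('-status', $Drive) |
    Where-Object { $_ -match 'Protection Status|Automatic Unlock|Conversion Status' }
```

Run it once per data drive, then copy the saved `.txt` files off the machine (Philip's point about backups applies to the keys as much as to the data: with auto-unlock the OS drive's startup key on G: is what unlocks E: every day, and the recovery password is the only way in if that OS install or the USB stick is lost). If a protector is ever deleted and re-added, a new GUID and password appear and the old file becomes useless, so re-run step 3 after any protector change.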
 
LVL 61

Assisted Solution

by:btan
btan earned 180 total points
>is there anything I should know encrypting 2nd HD with respect to  how it may impact other users who will need to open/save documents from this computer?

First, you already know that BitLocker is not multiuser and is specific to just HDD encryption, so it does not matter who keyed in the password; there are means to lock down access to the BL partition, as mentioned in my earlier post. Your 2nd HDD is just like another data volume mentioned in the posting.

> on option 1 and 3, what they are and what implications each option comes with
My second post shared on the unlocking and the use case when you normally need this. Since you chose option 3 for autounlock, I have also shared the use case in terms of shifting to a different platform, etc.

>Is this by design?
The sector-level encryption key for the data volume is likely the same, as it uses the physical HDD metadata and info to generate it; that same key is protected by another data volume encryption key that would be generated and not differ in each request. Likely the recovery password which protects the data volume changes until it is finalised and accepted by the user, and it will eventually be used to protect the data volume encryption key. Hence you see a different recovery key password in each attempt, but the underlying mentioned keys to protect the volume and sector remain ... unless the h/w differs.
