Enabling BitLocker on 2nd Hard Drive

I have enabled BitLocker on the OS hard drive in several computers without many problems.
This particular Win 7 Ultimate workstation has two hard drives: (1) the 1st HD is for the OS only, (2) the 2nd HD is for data only. It is the 2nd HD that is being shared by several other users on the network (without a DC).
I am in the process of encrypting the 1st HD right now and will need to encrypt the 2nd HD as well. That said, is there anything I should know about encrypting the 2nd HD with respect to how it may impact other users who will need to open/save documents from this computer?
btan (Exec Consultant) commented:
Bitlocker does not support the concept of more than one user.

Reference MS Bitlocker FAQ

You may want to enable Group Policy settings to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. The policy settings you use for this are:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\Deny write access to fixed drives not protected by BitLocker

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\Deny write access to removable drives not protected by BitLocker

When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that are not protected by BitLocker as read-only. If you are concerned that your users might inadvertently store data in an unencrypted drive while using a computer that does not have BitLocker enabled, use access control lists (ACLs) and Group Policy to configure access control for the drives or hide the drive letter.

The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
sglee (Author) commented:
[Screenshots: My Computer; BitLocker Option] As seen above, the C drive (contains the OS) is encrypted and the start key is stored in the G (USB) drive.
When I tried to enable "BitLocker" on the E drive (2nd hard drive), I saw the option screen and would like to know, on options 1 and 3, what they are and what implications each option comes with.
btan (Exec Consultant) commented:
On the unlock drive option, it is mainly for use cases like inserting your BitLocker hard disk into a different computer. This is for a data drive. Mounting the hard disk on another computer running Windows 7 is a quick and straightforward way to recover information from a damaged computer that has a BitLocker-protected drive on the hard disk.

The BitLocker Drive Encryption Control Panel allows the chosen option to unlock using a password or smart card. In other words, when it is inserted in a different machine, you then supply the required secret to access that data HDD. However, if the data HDD was configured for automatic unlock only, you will have to unlock it by using the recovery key.

Overall, if it is an operating system drive mounted on another computer running Windows 7, the encrypted hard disk can be unlocked by a data recovery agent if one was configured or it can be unlocked by using the recovery key.

FAQ - http://technet.microsoft.com/en-us/library/ee449438(v=ws.10).aspx

sglee (Author) commented:
Are you saying that once the data drive (2nd hard drive) is bitlocked, no one can access the shared folders off this hard drive? This network has no domain controller or file server. There are 4 computers in the office all with Windows 7 and one computer acts as file server by sharing the folders on the 2nd HD.
While waiting for the answers on this board, I went ahead and installed 2nd HD on my computer and performed the testing. After encryption was finished on my 2nd HD, I was able to access the shared folder (in 2nd HD) from another workstation.
I have started encrypting the 2nd hard drive in the real environment and it is almost 50% finished.
Once finished, I will restart this computer and the other 3 computers in the office to see if any computer has a problem accessing files from this computer with the 2nd HD (with shared folders).
sglee (Author) commented:
I don't quite understand what you are explaining.
I will simply post the result once encrypting on the 2nd HD is finished.
bbao (IT Consultant) commented:
Commonly, the two options do not make any difference in your scenario if the G drive is always available to unlock both drives.

If BitLocker is enabled on the OS drive, when you turn on BitLocker for a fixed data drive, you will have the 3rd option of allowing the drive to be automatically unlocked when the OS drive is unlocked.

But be aware it is for FIXED drives, in other words the drives must be physically secured.

Therefore, technically, any drive could be removable, especially in laptop computers, though the drive can be recognised as a fixed drive if it is not a USB-based external drive. From this point of view, the 3rd option should not be used.

In conclusion, it depends on how confident you are on physical security.
sglee (Author) commented:
Sorry, in my previous posting ID: 39863015, I forgot to mention that I chose the 3rd option and saved another BitLocker Recovery Key 14364B79-F3F5-44F5-AC16-xxxxxxxxxxx.txt.

I have another question.
The first time I attempted to encrypt the 2nd HD, I stopped right before encryption started, and during the process it created a Recovery Key file.
The second time I was more confident with what I was doing and went through the whole process, including starting encryption. During the process, it created another Recovery Key file.
But I noticed that the first Recovery Key file was named differently from the 2nd one, and the contents of both files were different as well.
Is this by design?
Philip Elder (Technical Architect - HA/Compute/Storage) commented:
Choose the Automatically Unlock option in the shown dialogue box.

Encryption is the sole property of the OS meaning once booted up the encryption is transparent to everyone and anything accessing that system whether local or remote across the network.

Note that a backup that is tested and viable/good is MANDATORY when the data is encrypted as there is virtually NO recovery option if something happens.

Make sure to store the BitLocker keys in a safe place.

btan (Exec Consultant) commented:
> is there anything I should know encrypting 2nd HD with respect to how it may impact other users who will need to open/save documents from this computer?

First, you already know that BitLocker is not multiuser and is specific to just HDD encryption, so it does not matter who keyed in the password; there are means to lock down access to the BL partition, as mentioned in my earlier post. Your 2nd HDD is just like another data volume mentioned in that posting.

> on option 1 and 3, what they are and what implications each option comes with
My second post shared the unlocking options and the use case when you normally need this. Since you chose option 3 for auto-unlock, I have also shared the use case in terms of shifting to a different platform, etc.

> Is this by design?
The sector-level encryption key for the data volume is likely the same, as it uses the physical HDD metadata and info to generate it; that same key is protected by another data volume encryption key that would be generated and not differ in each request. Likely the recovery password which protects the data volume changes, and until it is finalised and accepted by the user, it will eventually be used to protect the data volume encryption key. Hence you see a different recovery key password in each attempt, but the underlying mentioned keys that protect the volume and sectors remain ... unless the h/w differs.
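An added audit script, not code from this thread, Microsoft, or any of the commenters, that ties together bbao's and Philip's point about auto-unlock on a fixed data drive and sglee's question about two differently named recovery key files: it reads the volume's state and key protectors with manage-bde (the only BitLocker tooling on Windows 7; the BitLocker PowerShell cmdlets arrived in Windows 8) and reconciles the saved recovery key files against the protectors actually on the drive. It assumes the data volume is E: and the key files live on the G: USB stick, as in the thread, and that it runs from an elevated prompt.

```powershell
# Added example (not from the thread): audit a BitLocker fixed data volume on Windows 7 with manage-bde.
# Assumptions: data volume E:, recovery key .txt files saved on G:\, elevated PowerShell session.
param(
    [string]$Volume    = "E:",
    [string]$KeyFolder = "G:\"
)

function Get-Field([string]$Text, [string]$Name) {
    # Pull "Name: value" out of manage-bde's status report (value runs to end of line).
    $m = [regex]::Match($Text, "$Name\s*:\s*(.+)")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { "unknown" }
}

$status     = (manage-bde -status $Volume 2>&1) | Out-String
$protectors = (manage-bde -protectors -get $Volume 2>&1) | Out-String

$conversion = Get-Field $status "Conversion Status"
$protection = Get-Field $status "Protection Status"
$autoUnlock = Get-Field $status "Automatic Unlock"
Write-Host "$Volume conversion=[$conversion] protection=[$protection] automatic unlock=[$autoUnlock]"

# Recovery password protectors currently on the volume. The GUID after "ID:" is the one Windows puts in
# the saved "BitLocker Recovery Key <GUID>.txt" file name; a saved file whose GUID is not listed here came
# from an earlier, abandoned run (as in the thread) and will not unlock this volume.
$ids = @([regex]::Matches($protectors, "Numerical Password:\s*ID:\s*\{([0-9A-Fa-f-]+)\}") |
         ForEach-Object { $_.Groups[1].Value.ToUpper() })

if ($ids.Count -eq 0) {
    Write-Warning "No recovery password protector on $Volume. Add one before relying on auto-unlock:"
    Write-Warning "    manage-bde -protectors -add $Volume -RecoveryPassword"
} else {
    foreach ($id in $ids) { Write-Host "Recovery password protector on volume: {$id}" }
}

# Reconcile the saved key files against the protectors actually on the volume.
Get-ChildItem -Path $KeyFolder -Filter "*.txt" -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $_.Name.ToUpper()
    $live = $ids | Where-Object { $name -like "*$_*" }
    if ($live) { Write-Host "KEEP   $($_.FullName) (matches protector {$live})" }
    else       { Write-Host "STALE? $($_.FullName) (no matching protector on $Volume)" }
}

# Auto-unlock binds the data volume to this OS volume's own key material: convenient for a shared drive,
# but anyone who can boot this machine reads the data, so it is only as strong as physical access,
# and without a recovery password a failed OS drive leaves no way back into the data.
if ($autoUnlock -match "Enabled" -and $ids.Count -eq 0) {
    Write-Warning "Auto-unlock is enabled on $Volume with no recovery password protector."
}
```

Files reported as STALE? can be deleted once the KEEP file has been verified by unlocking the volume with it; manage-bde output is localized, so the field names matched above are the English ones.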