Skip navigation

BitLocker Lessons

Windows Vista takes some getting used to. Perhaps the feature that requires the most getting used to is BitLocker Drive Encryption, which encrypts all of the C drive and tucks away the decryption key in a Trusted Platform Module (TPM) version 1.2 chip, which you'll find only on relatively new hardware.

BitLocker offers you the comfort of knowing that if you leave your laptop on a plane or in a cab, no one can get to your data. However, BitLocker exacts a price. This feature requires the still-unusual TPM chip and $100 more for the "Ultimate" version of Vista compared with the Business version. To find out if these costs are worth it for frequent travelers like me, I've been testing out BitLocker. It's been entertaining.

BitLocker loses track of your hard disk's decryption key, which can be a somewhat frightening experience: You turn on your laptop to learn that BitLocker has failed in some way, and you're prompted to attempt recovery. "Recovery" means to punch a 48-digit code into your system so that it can continue booting. If you were lazy and didn't print this 48-digit code when you first encrypted your disk with BitLocker, just open up an elevated command prompt and type

cscript c:\windows\system32\manage-bde.wsf -protectors -get c:

and press Enter. Print out the 48-digit code and put it somewhere in your luggage that isn't your laptop bag. Do it. Trust me.

I found that BitLocker was unable to start the boot process on my laptop about one out of every three times--requiring me to punch in the 48-digit recovery code. Then I realized that I was doing something wrong. For the TPM chip to cough up the decryption key, it must first verify that certain things on the laptop haven't changed. Doing so proves that the hard disk hasn't been transplanted to some other computer. BitLocker checks the boot code, BIOS, Master Boot Record of the boot disk, and a number of other things. If any of those have changed by as little as a byte, the TPM chip won't release the BitLocker code, therefore protecting your data.

So what had I done wrong? Simple: I had my laptop's boot disk order set to first boot from the CD-ROM drive, then the hard disk. If I have a disc in the CD-ROM drive, the Master Boot Record of that disk would be analyzed and found to not match the one that the TPM chip expected. The solution? Reconfigure my laptop to first boot from the hard disk.

I learned my second lesson when I called HP to ask when the company would release the Vista driver I need to use all of my RAM. (I'm running 64-bit Vista on 64-bit hardware with 4GB of RAM, but Vista only sees 2.9GB. One simple driver would make my purchase of an HP nx6325 a good move instead of the foolishness that it seems now.) The HP tech support person--"Ray"--whom I spent an hour on the phone with did his best to deny that the laptop takes more than 2GB, until I showed him three pages on the HP Web site that proved otherwise. He asked again what my exact problem was. I explained that I was running 64-bit Vista Ultimate with a BitLocker-encrypted drive and simply wanted to use the $1,100 worth of RAM I'd purchased. He consulted his experts. Their suggestion? Flash my BIOS. Now, I already had the latest BIOS, but imagine if I'd actually followed Ray's advice. The BIOS would've changed, and I wouldn't have been able to get to my data. The lesson? Simple: Don't assume that people supporting business-class computer hardware have any kind of clue how their suggestions affect your BitLocker-encrypted system. (Or perhaps it's "Don't buy an nx6325." Sigh.)

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.