What is Full Drive Encryption?
Drive encryption is a method of securing all the data that resides on a volume or disk drive of a computer. Full drive encryption makes the entire volume unreadable without the key, so there is nothing an attacker who has the hardware can mount or copy. When only single files or folders are encrypted, copies of the protected data (and often the passwords that guard it) survive in plain text in caches, temporary files, the page file and hibernation file; recovering a password from one of those leftovers compromises the whole machine, however carefully the documents themselves were encrypted. Full drive encryption closes these loopholes by encrypting everything on the volume, not just the files the user chose. One caveat applies to every software implementation: the code that asks for the key and starts the operating system must itself be readable before the key is available, so the boot sector and boot loader stay unencrypted and need other protections (such as a TPM measuring them) against tampering.
BitLocker Drive Encryption
BitLocker is a software tool that has been packaged with a few of the higher-end editions of Windows: the Ultimate and Enterprise editions of Windows Vista, Windows Server 2008, and the Ultimate and Enterprise editions of Windows 7 (still in beta when this was written). BitLocker also has a suite of related tools, like the BitLocker Drive Preparation Tool, the Repair Tool and Design and Deployment Guides, as well as the Recovery Password Viewer.
BitLocker requires at least two partitions on the system disk, not two physical drives: a small unencrypted system partition that holds the boot manager and the files needed to start the machine, and the operating system volume, which is the one that gets encrypted. BitLocker is a volume encryption tool, so a "drive" in its documentation is a volume, not necessarily an entire physical disk.
What is needed at boot depends on how BitLocker was configured. On a machine with a TPM it can unlock the volume with no user interaction at all (the TPM releases the key only if the boot components it measured are unchanged); for stronger protection it can additionally demand a PIN, a start-up key stored on a USB drive, or both, and on a machine without a TPM the start-up key on USB is required. Whichever protector is configured, the volume stays unreadable until it is supplied.
When initially enabling BitLocker, Windows Vista will prompt the user to note down the recovery password somewhere. It presents the user with a trio of options: saving the password in a file, on a removable USB drive or printing it out.
The recovery password is a 48-digit number that must be entered if the start-up key or the PIN cannot be provided during booting, or if the TPM refuses to release the key because the boot environment changed. Once the number has been entered, booting proceeds as normal. The user can then replace the lost protector with a new start-up key or PIN, and should also generate a fresh recovery password and retire the old one, since the recovery password that was just typed in must now be considered exposed. Neither step requires decrypting and re-encrypting the volume.
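The clean-up after a recovery described above, as an added example that is not part of the original article. It uses Microsoft's manage-bde command-line tool, which ships with Windows 7 and Windows Server 2008 R2 (on Windows Vista the same switches are run through `cscript manage-bde.wsf`). The volume letter C:, the TPM+PIN configuration and the old protector GUID are assumptions for illustration; the commands must be run from an elevated prompt.

```powershell
# Added example (not from the original article): rotate BitLocker key protectors on the
# OS volume after the recovery password has been used.
# Assumptions: elevated PowerShell on Windows 7 / Server 2008 R2 where manage-bde.exe
# exists, the OS volume is C:, and the volume was protected with TPM+PIN.
$vol = "C:"

# 1. List the current protectors. Each one is printed with its type and its ID (a GUID);
#    note the ID of the recovery password that was just typed in at the recovery screen.
manage-bde -protectors -get $vol

# 2. Add a fresh 48-digit recovery password. Several recovery passwords can coexist on a
#    volume, so the old one keeps working until it is explicitly deleted.
manage-bde -protectors -add $vol -RecoveryPassword

# 3. Replace the PIN. The simple path is -changepin, which prompts for the new PIN.
manage-bde -changepin $vol

# 3b. If the TPM+PIN protector itself was lost (for example the TPM was cleared),
#     delete it by type and create a new one instead; -add prompts for the new PIN.
#     Only do this after step 2, so a valid protector is always present.
# manage-bde -protectors -delete $vol -type TPMAndPIN
# manage-bde -protectors -add $vol -TPMAndPIN

# 4. Retire the exposed recovery password by deleting it by ID (value from step 1).
#    The GUID below is a placeholder, not a real protector.
# manage-bde -protectors -delete $vol -id "{00000000-0000-0000-0000-000000000000}"

# 5. Confirm: the volume must still show "Fully Encrypted" and "Protection On".
manage-bde -status $vol
```

Keep the printout from step 2: it contains the new recovery password, and until it is stored somewhere safe (a file on a removable drive, a printout, or the domain as described below) the machine has no usable fallback if the new PIN is forgotten.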
BitLocker Recovery Password Viewer
In the event that the 48-digit number is not available to the user, password retrieval becomes more complicated. Windows provides a utility called BitLocker Recovery Password Viewer that lets a domain administrator look up the recovery password for an encrypted drive.
The Viewer itself stores nothing; it reads recovery passwords that BitLocker has backed up into Active Directory. For this to work, the domain and the computer must have been configured to perform that backup before the password was lost: a recovery password that was never backed up cannot be retrieved from anywhere.
How to configure BitLocker Recovery Password Viewer
Firstly, Microsoft Active Directory Domain Services needs to be set up for the network. In brief, these services allow network administrators to view all the components of a network as objects which can then be configured according to requirement. Components can range from workstations and servers to printers. The AD schema must contain the BitLocker object classes and attributes (Windows Server 2008 domain controllers include them; a Windows Server 2003 forest needs Microsoft's schema extension first). After AD DS has been set up, the encrypted computer needs to be part of this domain.
The second step is to configure the domain, through Group Policy, to store the BitLocker recovery information whenever the tool is used to encrypt drives, and preferably to require that backup to succeed before BitLocker will turn on. Note that this applies to drives encrypted after the policy takes effect; drives encrypted earlier are not backed up retroactively and must be backed up explicitly. The procedure is fairly complex, and the entire process has been explained in detail by Microsoft here. Additionally, be sure to see our article How To Avoid the Bitlocker Blues.
After these steps have been performed, BitLocker Recovery Password Viewer must be installed on the machine from which passwords will be looked up. For Windows Vista and Windows Server 2008 it is a free download, and the download page validates the Windows installation that requests it; on Windows 7 and Windows Server 2008 R2 it is a feature of the Remote Server Administration Tools instead.
The Viewer is an extension to the Active Directory Users and Computers Microsoft Management Console snap-in, so that snap-in must be installed as well. It is the snap-in that provides the view of the domain's computer objects; the Viewer adds the BitLocker pages to it.
After the installation, password retrieval is a simple process. The administrator right-clicks the object representing the encrypted computer (not the drive; the recovery information is stored as child objects of the computer account) and selects Properties from the shortcut menu. The properties sheet gains a BitLocker Recovery tab that lists each recovery password stored for that machine, together with its ID and the date it was created. Because a machine may have several, match the ID against the first eight characters shown on the locked computer's recovery screen; the Viewer also adds a Find BitLocker Recovery Password command to the domain's shortcut menu for searching by those characters directly.
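The same procedure, verifying the policy on the client, pushing an existing recovery password into the domain, and then reading it back from Active Directory the way the Viewer does, as an added example that is not part of the original article. It assumes Windows 7 / Windows Server 2008 R2 era tooling, an AD schema that already contains the BitLocker classes, the RSAT ActiveDirectory PowerShell module on the administrator's workstation, and an account permitted to read the msFVE-RecoveryPassword attribute. The computer name LAPTOP01, the volume C:, the registry value names and the eight-character ID are assumptions for illustration.

```powershell
# Added example (not from the original article). Part 1 runs elevated on the encrypted
# client; part 2 runs on an admin workstation with RSAT. All names are assumptions.

# ---------- Part 1: on the encrypted client ----------
# The Group Policy "Store BitLocker recovery information in Active Directory Domain
# Services" is delivered as values under this key. Both should be 1: the first turns
# the backup on, the second makes BitLocker refuse to enable protection unless the
# backup succeeded, which is what prevents an un-backed-up drive from ever existing.
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if (-not $pol -or $pol.ActiveDirectoryBackup -ne 1 -or $pol.RequireActiveDirectoryBackup -ne 1) {
    Write-Warning "AD backup of BitLocker recovery information is not enforced on this machine."
}

# Drives encrypted before the policy applied are not backed up retroactively.
# Read the ID of every recovery-password protector on C: and push each one to AD.
$out = manage-bde -protectors -get C: -type RecoveryPassword
$ids = ($out | Select-String -Pattern 'ID: (\{[0-9A-Fa-f-]+\})').Matches |
       ForEach-Object { $_.Groups[1].Value }
foreach ($id in $ids) {
    # Fails if the computer is not domain-joined or the schema lacks the BitLocker classes.
    manage-bde -protectors -adbackup C: -id $id
}

# ---------- Part 2: on the administrator's workstation ----------
Import-Module ActiveDirectory
$computerName = "LAPTOP01"   # assumption: account name of the locked machine
$computer = Get-ADComputer -Identity $computerName

# Each backed-up recovery password is a child object of class msFVE-RecoveryInformation
# under the computer account. Its name is "<creation time>{<protector GUID>}" and the
# 48-digit password lives in msFVE-RecoveryPassword.
$recovery = Get-ADObject -Filter { objectClass -eq "msFVE-RecoveryInformation" } `
    -SearchBase $computer.DistinguishedName `
    -Properties msFVE-RecoveryPassword, whenCreated

# The recovery screen on the locked machine shows the first eight characters of the
# protector GUID. Match on them so only the password that unlocks this volume is shown,
# rather than every password ever stored for the machine.
$shownId = "1A2B3C4D"        # assumption: value read from the recovery screen
$recovery |
    Where-Object { (($_.Name -split '\{')[1]) -like "$shownId*" } |
    Sort-Object whenCreated -Descending |
    Select-Object whenCreated, Name, msFVE-RecoveryPassword
```

Reading the password out of the directory is a privileged operation and should be treated like one: delegate read access on msFVE-RecoveryPassword to a small group, and rotate the recovery password (as in the previous example) once it has been read out and used, because it now exists in someone's screen history or ticket queue.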
Using drive encryption is a great way of securing data and protecting it against exposure when laptops are lost or stolen, but lost passwords do represent a real problem.
BitLocker Recovery Password Viewer is an excellent solution, however difficult it is to set up. Installing the Viewer and the other snap-ins will usually be handled by a network administrator, and can be done at any time. What cannot be done after the fact is the backup itself: the domain must have been configured to store recovery information, and the drive must have been backed up, before the PIN or start-up key is lost. Organisations need the foresight to put this in place beforehand to prevent the loss of data.
More BitLocker Articles
Be sure to check out our other articles about Bitlocker including How To Avoid the Bitlocker Blues, Protecting Your Data with BitLocker Drive Encryption, How to Use BitLocker Drive Encryption Without a TPM Chip and EFS vs Bitlocker: What’s the Difference?