BitLocker Drive Encryption Step-by-Step Guide for Windows 7

Applies To: Windows 7

This step-by-step guide provides the instructions you need to use BitLocker™ Drive Encryption in a Windows® 7 test environment. We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Windows 7 operating system features without accompanying documentation and should be used with discretion as a stand-alone document.

What is BitLocker Drive Encryption?

BitLocker Drive Encryption is an integral security feature in the Windows 7 operating system that helps protect data stored on fixed and removable data drives and the operating system drive. BitLocker helps protect against "offline attacks," which are attacks made by disabling or circumventing the installed operating system or made by physically removing the hard drive to attack the data separately. For fixed and removable data drives, BitLocker helps ensure that users can read the data on the drive and write data to the drive only when they have either the required password, smart card credentials, or are using the data drive on a BitLocker-protected computer that has the proper keys. If your organization includes computers running previous version of Windows, the BitLocker To Go™ Reader can be used to allow those computers to read BitLocker-protected removable drives.

BitLocker protection on operating system drives supports two-factor authentication by using a Trusted Platform Module (TPM) along with a personal identification number (PIN) or startup key as well as single-factor authentication by storing a key on a USB flash drive or just using the TPM. Using BitLocker with a TPM provides enhanced protection for your data and helps assure early boot component integrity. This option requires that the computer have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM. A compatible BIOS must support the TPM and the Static Root of Trust Measurement as defined by the Trusted Computing Group. For more information about TPM specifications, visit the TPM Specifications section of the Trusted Computing Group Web site (https://go.microsoft.com/fwlink/?LinkId=72757).

The TPM interacts with BitLocker operating system drive protection to help provide protection at system startup. This is not visible to the user, and the user logon experience is unchanged. However, if the startup information has changed, BitLocker will enter recovery mode, and you will need a recovery password or recovery key to regain access to the data.

In this guide

The purpose of this guide is to help IT professionals become familiar with the BitLocker Drive Encryption feature of Windows 7. These steps are for testing only. This guide should not be the only resource you use to deploy Windows Server® 2008 R2 or Windows 7 features. Review the following sections to familiarize yourself with the basic information and procedures that you need to start configuring and deploying BitLocker in your organization.

Requirements for BitLocker Drive Encryption

The hardware and software requirements for BitLocker are:

  • A computer running Windows 7 Enterprise, Windows 7 Ultimate, or Windows Server 2008 R2.

Note

Windows Server 2008 R2 includes BitLocker Drive Encryption as an optional feature.

  • A computer that meets the minimum requirements for Windows 7 or Windows Server 2008 R2.

  • A TPM microchip, version 1.2, turned on for use with BitLocker on operating system drives is recommended for validation of early boot components and storage of the BitLocker master key. If the computer does not have a TPM, a USB flash drive may be used to store the BitLocker key.

  • A Trusted Computing Group (TCG)-compliant BIOS for use with BitLocker on operating system drives.

  • A BIOS setting to start up first from the hard drive, not the USB or CD drives.

Note

For any scenario that includes using a USB flash drive to provide a BitLocker key (such as a startup key or a recovery key), your BIOS must support reading USB flash drives at startup.

Important

We strongly recommend that you do not run a kernel debugger while BitLocker is enabled, because encryption keys and other sensitive data can be accessed with the debugger. However, you can enable kernel debugging before you enable BitLocker. If you enable kernel debugging or boot debugging (kernel debugging with the bcdedit /debug option), after you have enabled BitLocker the system will automatically start the recovery process every time you restart the computer.

Additional resources