BitLocker Drive Encryption Design Guide for Windows 7

Applies To: Windows 7, Windows Server 2008 R2

This document describes the various aspects of planning for deploying BitLocker™ Drive Encryption on computers running Windows Server® 2008 R2, Windows® 7 Enterprise, or Windows® 7 Ultimate in an organization. To plan your organization's deployment of BitLocker, you must first understand how your current policies and procedures will be affected by a BitLocker deployment. This guide takes a systematic approach, presenting questions that you should consider before deploying BitLocker, to help you frame your decision-making process and establish a BitLocker design strategy. This guide contains the following topics:

After you finish gathering and documenting your organization's requirements, you will have the information necessary to begin deploying BitLocker. For deployment-specific guidance, see the BitLocker Drive Encryption Deployment Guide for Windows 7 (https://go.microsoft.com/fwlink/?LinkID=140286).

BitLocker and BitLocker To Go minimum requirements

The following table identifies the minimum requirements for using either BitLocker or BitLocker To Go with specific types of drives on your computer.

BitLocker: operating system drive

BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have either a computer with a Trusted Platform Module (TPM), which is a special microchip in many computers that supports advanced security features, or a removable USB memory device, such as a USB flash drive. Either of these hardware devices can be used to store the BitLocker keys. If your computer was manufactured with a TPM version 1.2 or higher, BitLocker will store its key in the TPM. If your computer does not have a TPM version 1.2 or higher, BitLocker will store its key on the USB flash drive. Using a USB flash drive to store the BitLocker keys is an option that is only available if your system administrator has configured the BitLocker Group Policy settings to allow the use of a startup key when a TPM is not available.

The computer must have been configured with an additional separate, active partition to be used as a system partition. The system partition will contain the files needed to start your computer. The operating system partition, which contains Windows 7 or Windows Server 2008 R2, will be encrypted by BitLocker. The system partition will remain unencrypted so your computer can start. If your computer does not have an additional separate, active partition, BitLocker will create it for you. Both the system partition and the operating system partition must be formatted with the NTFS file system.

The computer firmware, which can be either BIOS or Unified Extensible Firmware Interface (UEFI), must be compatible with the TPM or support USB devices during computer startup. If the computer firmware does not meet this requirement, you will need to update the firmware before using BitLocker.

BitLocker: fixed data drive

The drive must be formatted with the exFAT, FAT16, FAT32, or NTFS file system.

The drive must have at least 64 MB of available disk space.

The operating system drive must be protected by BitLocker if you want the drive to be unlocked automatically.

BitLocker To Go: removable data drive

The drive must be formatted with the exFAT, FAT16, FAT32, or NTFS file system.

The drive must have at least 64 MB of available disk space.

The operating system drive must be protected by BitLocker if you want the drive to be unlocked automatically.

BitLocker To Go Reader (bitlockertogo.exe) may be used to unlock FAT-formatted removable drives accessed from a computer running Windows Vista or Windows XP. Once a drive is unlocked by the BitLocker To Go Reader, you have read-only access to the files stored on it. This means you cannot modify the drive by adding new files to it or changing the contents of the existing files on the drive. If you plan on using the BitLocker To Go Reader, you must use a password as one of your BitLocker key protectors. The BitLocker To Go Reader cannot use credentials from a smart card or from a TPM.
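The checks in the requirements table above, as an added PowerShell example that is not part of the Microsoft guide: it reports the TPM version, whether the computer has a separate system partition, whether both partitions are NTFS, and which fixed data drives fail the file-system or 64 MB free-space requirement. The function name is an assumption; the WMI classes and properties (Win32_Tpm, Win32_Volume) are standard on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not part of the Microsoft guide: checks the operating-system-drive
# and fixed-data-drive prerequisites listed above on a Windows 7 / Server 2008 R2
# computer. Uses Get-WmiObject so it runs on PowerShell 2.0; run it elevated,
# because the TPM class needs administrator rights.

function Test-BitLockerPrereqs {
    $r = New-Object PSObject -Property @{
        TpmPresent = $false; TpmVersionOk = $false; SeparateSystemPartition = $false
        OsVolumeNtfs = $false; SystemVolumeNtfs = $false; DataDrivesNotReady = @()
    }

    # TPM: the class is absent on computers with no TPM.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmPresent = $true
        # SpecVersion looks like "1.2, 2, 3"; the first field is the TPM specification version.
        $spec = [double](($tpm.SpecVersion -split ',')[0].Trim())
        $r.TpmVersionOk = ($spec -ge 1.2)
    }

    # BootVolume holds Windows; SystemVolume is the active partition with the boot files.
    # BitLocker needs them on two different volumes, both formatted NTFS.
    $volumes = Get-WmiObject -Class Win32_Volume
    $osVol  = $volumes | Where-Object { $_.BootVolume }   | Select-Object -First 1
    $sysVol = $volumes | Where-Object { $_.SystemVolume } | Select-Object -First 1
    if ($osVol -and $sysVol -and $osVol.DeviceID -ne $sysVol.DeviceID) {
        $r.SeparateSystemPartition = $true
    }
    if ($osVol)  { $r.OsVolumeNtfs     = ($osVol.FileSystem  -eq 'NTFS') }
    if ($sysVol) { $r.SystemVolumeNtfs = ($sysVol.FileSystem -eq 'NTFS') }

    # Fixed data drives (DriveType 3) must use exFAT, FAT (FAT16), FAT32 or NTFS
    # and have at least 64 MB free. Win32_Volume reports FAT16 as "FAT".
    $r.DataDrivesNotReady = @($volumes | Where-Object {
        $_.DriveType -eq 3 -and $_.DriveLetter -and
        -not $_.BootVolume -and -not $_.SystemVolume -and
        (('exFAT','FAT','FAT32','NTFS') -notcontains $_.FileSystem -or $_.FreeSpace -lt 64MB)
    } | ForEach-Object { $_.DriveLetter })

    # A missing TPM is not fatal by itself: a USB startup key is allowed when the
    # "Require additional authentication at startup" policy permits BitLocker
    # without a compatible TPM, as the guide notes above.
    $r
}

Test-BitLockerPrereqs | Format-List
```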

FIPS settings

You can configure the Federal Information Processing Standard (FIPS) Group Policy settings in Windows 7 to require FIPS compliance. However, the BitLocker To Go Reader is not a FIPS-compliant application. If your organization is FIPS-compliant, BitLocker-protected removable drives cannot be opened by computers running Windows XP or Windows Vista.

To use BitLocker in a FIPS-compliant environment, you must enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting before turning on BitLocker. In the Local Group Policy Editor, it is found under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

Note

Modifying Group Policy settings requires administrative credentials.

As an effect of FIPS compliance, users cannot create recovery passwords for use with BitLocker. Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only. When in FIPS compliance mode, users can still create a recovery key and data recovery agents can be used for certificate-based recovery.

Note

If you have also configured the Group Policy setting to require that all removable drives be protected by BitLocker, recovery keys cannot be used. In this situation, recovery must be accomplished by using data recovery agents.

If you enable FIPS compliance, users will be unable to save a recovery password to any location. This includes saving passwords to Active Directory® Domain Services (AD DS) and network folders. Because recovery passwords cannot be saved to AD DS when FIPS is enabled, Windows 7 will display an error if AD DS backup is required by Group Policy.

When FIPS is disabled, users must create and save a recovery key or recovery password while enabling BitLocker through the user interface, as required by the existing Group Policy.
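The FIPS rules described in this section, as an added PowerShell example that is not from the Microsoft guide: it reads the registry value that the FIPS policy sets and, for each BitLocker volume, lists the configured key protectors and flags volumes whose only recovery option is a recovery password, which FIPS mode does not allow users to create or save. The function names are assumptions; the Win32_EncryptableVolume class, its protector type codes, and the FipsAlgorithmPolicy registry value are standard on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example, not part of the Microsoft guide: reports whether the FIPS
# policy is on and which recovery options the rules above leave for each
# BitLocker volume. Run elevated on Windows 7 / Server 2008 R2 (PowerShell 2.0,
# WMI). Protector type codes follow Win32_EncryptableVolume.GetKeyProtectorType.

# The "System cryptography: Use FIPS compliant algorithms..." policy is stored here.
function Get-FipsPolicyEnabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $v = Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    return ($v -ne $null -and $v.Enabled -eq 1)
}

$ProtectorNames = @{ 1 = 'TPM'; 2 = 'External key (recovery key)'; 3 = 'Numerical password (recovery password)'
                     4 = 'TPM+PIN'; 5 = 'TPM+startup key'; 6 = 'TPM+PIN+startup key'
                     7 = 'Public key (data recovery agent)'; 8 = 'Passphrase'; 9 = 'TPM certificate' }

function Get-BitLockerRecoveryReport {
    $fips = Get-FipsPolicyEnabled
    $vols = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                          -Class Win32_EncryptableVolume
    foreach ($vol in $vols) {
        # GetKeyProtectors(0) lists protectors of every type; resolve each one's type code.
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
        $hasRecoveryPwd = $types -contains 3
        $hasRecoveryKey = $types -contains 2
        $hasDra         = $types -contains 7
        # FIPS mode: recovery passwords cannot be created or saved (AD DS included);
        # recovery keys still can, and a DRA is the fallback when policy requires all
        # removable drives to be BitLocker-protected (recovery keys are then unusable).
        $issue = $null
        if ($types.Count -eq 0) { $issue = 'No key protectors: BitLocker not turned on' }
        elseif ($fips -and -not ($hasRecoveryKey -or $hasDra)) { $issue = 'FIPS mode: add a recovery key or a data recovery agent' }
        elseif (-not ($hasRecoveryPwd -or $hasRecoveryKey -or $hasDra)) { $issue = 'No recovery mechanism configured' }
        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protected  = ($vol.ProtectionStatus -eq 1)     # 1 = protection on
            Protectors = (($types | ForEach-Object { $ProtectorNames[$_] }) -join ', ')
            FipsMode   = $fips
            Issue      = $issue
        }
    }
}

Get-BitLockerRecoveryReport | Format-Table Drive, Protected, FipsMode, Protectors, Issue -AutoSize
```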