BitLocker Filter Driver
Updated: November 30, 2007
Applies To: Windows Server 2008
The BitLocker filter driver is the main component that implements live encryption/decryption functionality. It converts the volume from decrypted to encrypted when BitLocker is set up.
The following is a list of all aspects that are part of this managed entity:
Whenever the operating system or an application attempts to read from or write to a BitLocker-protected volume, the BitLocker filter driver must decrypt or encrypt data in real time, sector by sector. The filter driver writes event log information when it encounters problems, even if the problem is corrected with an automatic retry of the operation.
When a computer protected with BitLocker Drive Encryption is restarted, the early startup components perform a series of integrity checks and, if the system passes, attempts to retrieve the needed key information to unlock any BitLocker-protected volumes. Success depends on the availability of configured key protectors, such as the TPM or a user-supplied PIN, and the existence of volume metadata stored within the encrypted drive.
If Windows cannot unlock the Windows operating system volume, BitLocker enters recovery mode. If the user can supply a recovery password or insert a USB flash drive with a recovery key, BitLocker will unlock the volume.
After the Windows operating system volume has been successfully unlocked, BitLocker uses encrypted information stored in the volume metadata and Windows registry to unlock any data volumes configured for automatic unlocking.
In BitLocker parlance, the term "conversion" refers to either encrypting or to decrypting an entire volume. Encryption of the entire volume occurs when BitLocker is enabled for that volume. Decryption occurs if an administrator chooses the Decrypt the drive option when turning off BitLocker from the BitLocker Control panel or uses the disable option from the manage-bde command-line tool.