Windows 7 and BitLocker to Go

Here is the second of my posts on BitLocker under Windows 7. While not strictly deployment focused I found these points of interest. We all tend to use USB disks for moving data around and securing these is becoming more important. For example how many people have a deployment point on their USB stick that might have user names and passwords in clear text?

BitLocker to Go and legacy versions of Windows

When using BitLocker to Go you can encrypt removable drives with NTFS, but you won’t be able to read them on a down level OS i.e. Windows XP or Windows Vista. However if you encrypt a FAT (or exFAT, FAT32) formatted drive, you will see the BitLocker to Go Reader when you plug it into a down level machine, which will allow read access to your files.

When considering the usage of BitLocker to Go it’s worth noting that you can configure whether or not the BitLocker to Go Reader is included on the removable drive when you encrypt it using Group Policy – Run GPEdit > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Drives > Allow access to BitLocker-protected removable data drives from earlier versions of Windows.

BitLocker to Go, Certificates and Smart Cards

If anyone has tried out Bitlocker to Go you will have seen the option to encrypt an external disk using your smart card. However not all certificates are suitable for this use.

A certificate is considered valid for BitLocker to Go if the following conditions are met for Key Usage:

No KU is present

KU is present and contains one of the following keyEncipherment bits:

CERT_DATA_ENCIPHERMENT_KEY_USAGE

CERT_KEY_AGREEMENT_KEY_USAGE

CERT_KEY_ENCIPHERMENT_KEY_USAGE

A certificate is considered valid for BitLocker to Go if the following conditions are met for Extended Key Usage:

No EKU is present

EKU is present and contains BitLocker™ OID

EKU is set to anyExtendedKeyUsage

NOTE: The BitLocker OID is configurable in group policy

 

Disclaimer: The information on this site is provided "AS IS" with no warranties, confers no rights, and is not supported by the authors or Microsoft Corporation. Use of included script samples are subject to the terms specified in the Terms of Use .

This post was contributed by Richard Trusson , a Senior Consultant with Microsoft Consulting Services - U.K.