Bitlocker Drive Encryption

Windows 7 Enterprise, Windows 7 Ultimate, Windows 8 Pro, Windows 8 Enterprise, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 comes with a feature called BitLocker Drive Encryption. BitLocker Drive Encryption is designed to protect the data on lost, stolen, or inappropriately decommissioned computers.Only the operating system drive or internal hard drives can be encrypted,files on other type of drives must be encrypted with Bitlocker To Go.Bitlocker uses a Trusted Platform Module version 1.2 or higher to store the security key.If the TPM discovers a potential security risk such as a disk error or changes made to the BIOS,hardware,system files or startup components,the system drive will not be unlocked until you enter the 48 digit Bitlocker recovery password or use a USB drive with the recovery key as a recovery agent.

New features in Windows 2012

BitLocker Provisioning

In previous versions of BitLocker the BitLocker provisioning was completed during the post installation of the BitLocker utility. The BitLocker provisioning was done either through the command line interface or the Control Panel. In the Windows 8 and Windows Server 2012 version of BitLocker, an administrator can choose to provision BitLocker before the operating system is even installed. Administrators have the ability to enable BitLocker, prior to the operating system deployment, from the Windows Preinstallation Environment. BitLocker is applied to the formatted volume and BitLocker encrypts the volume prior to running the Windows setup process. If an administrator wants to check the status of BitLocker on a particular volume, the administrator can view the status of the drive in either the BitLocker control panel applet or Windows Explorer.

Used Disk Space Only Encryption

Windows 7 BitLocker has a requirement that all data and free space on the drive has to be encrypted. Because of this, the encryption process can take a very long time on larger volumes. In Windows 8 BitLocker, administrators have the ability to encrypt either the entire volume or just the space being used. When you choose to encrypt the Used Disk Space Only option, only the section of the drive that has data will be encrypted.

Standard User PIN and Password Change

One issue that BitLocker has had is that you need to be an administrator to configure BitLocker on operating system drives. Administrative privileges are still needed to configure BitLocker, but now your users have the ability to change the BitLocker PIN for the operating system or change the password on the data volumes.

Network Unlock

One of the new features of BitLocker is called Network Unlock. Network Unlock allows administrators to easily manage desktop and servers that are configured to use BitLocker. Network Unlock allows an administrator to configure BitLocker to unlock automatically an encrypted hard drive during a system reboot when that hard drive is connected to their trusted corporate environment. For this to function properly on a machine, there has to be a DHCP driver implementation in the system’s firmware. If your operating system volume is also protected by the TPM + PIN protection, the administrator has to be sure to enter the PIN at the time of the reboot. This protection can actually make using Network Unlock more difficult to use, but they can be used in combination.

Support for Encrypted Hard Drives for Windows

One of the new advantages of using BitLocker is Full Volume Encryption.BitLocker provides built-in encryption for Windows data files and Windows operating system files. The advantage of this type of encryption is that encrypted hard drives that use Full Disk Encryption get each block of the physical disk space encrypted. Because each physical block gets encrypted, it offers much better encryption. The only down side to this is because each physical block is encrypted, it adds some degradation to the hard drive speed.

Enabling BitLocker in Windows Server 2012

1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe.

2. Select Add Roles and features.

3. Select Next at the Before You Begin pane (if shown).

4. Select Role-Based or Feature-Based installation, and select Next to continue.

5. Select the Select A Server From The Server Pool option and click Next.

6. At the Select Server Roles screen, click Next.

7. At the Select Features screen, click the check box for BitLocker Drive Encryption. When the Add Roles And Features dialog box appears, click the Add Features button. Then click Next.

8.Select the Install button on the Confirmation pane of the Add Roles and Features Wizard to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. Selecting the Restart The Destination Server Automatically If Required option in the Confirmation pane will force a restart of the computer after installation is complete.

9. If the Restart The Destination Server Automatically If Required check box is not selected, the Results pane of the Add Roles and Features Wizard will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.

You also can install BitLocker by using the Windows PowerShell utility. To install BitLocker, use the following PowerShell commands: Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools –Restart