14 December 2006

Bitlocker woes…

So I’ve finally gotten some time to muck around with Bitlocker in Vista Enterprise / Business. I didn’t have high expectations, as my company already uses a full disk encryption tool which we’re quite pleased with, but there’s no version available yet for Vista and I wanted to make sure I had implemented some sort of security measures on my machine in case of theft or loss. Basically, IT security would kill me if I didn’t :)

Bitlocker requires a TPM 1.2 chip in order for it to be “seamless” (that is, work without a USB key or smartcard). The only hardware we have with TPM 1.2 are ThinkPad T60s, which luckily for me, I’m currently using. It required that I upgrade to the latest BIOS revision, something that we’d need to keep in mind for our Vista deployment if we intended on using Bitlocker on re-staged T60s that were bought in before the BIOS update was released. We don’t tend to update the BIOS unless there’s a known problem with the current one.

The installation from that point was very straightforward. I just had to shut down my machine to enable the TPM and that was it. When I powered back up, Bitlocker started encrypting the drive. While the encryption *was* faster than our current disk encryption tool on our standard 60GB drive, there was no way to limit the CPU usage or disk activity. So for the guts of 2 hours, I was reduced to smoking heavily, picking my nose, and annoying my colleagues – basically anything to pass the time without trying to use my machine and have it run so slowly that I murder people from frustration.

It also prompted me to store a copy of the recovery code somewhere – which I duly printed out, for fear of something bad happening. In a proper AD / Vista deployment, you can store these recovery codes in AD, which is pretty slick. In fact, everything about Bitlocker is pretty damn slick. Ok, so it needs TPM 1.2 to be of any use, but still – past that it rocks. AND no more PBA screen if you don’t want it. If you do, you can use a PIN. Excellent work Microsoft!
This morning, I powered on my machine and was told that I had installed something that changed my Master Boot Record and that I’d need to supply the recovery key in order to get into the machine. Ehhh… Hang on… All I did was install a definition update for Windows Mail. WTF?!? Worse still, I’d left the printed-out recovery password locked away in my desk and I was at home… :(

I did finally get back in and get the key. Everything’s fine now. But I can’t help but wonder when I’ll next be asked to supply the recovery key – and how that’ll affect deployment in corporate environments. Disk encryption tools are bloody tricky to update, generally requiring a full un-encryption/re-encryption to get the benefits of the update. It’s not as if MS would be able to release frequent hotfixes like the rest of their OS.
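As an added example (not code from the original post), here is the check an admin would want to run before rolling Bitlocker out: confirm the TPM is usable, make sure a recovery password protector exists, and escrow it to Active Directory rather than a printout. It uses the BitLocker and TPM PowerShell cmdlets from later Windows releases, which this Vista-era post predates; the `C:` mount point and an AD schema/GPO already set up for recovery backup are assumptions.

```powershell
# Added example, not from the original post. Assumes the BitLocker and
# TrustedPlatformModule modules that ship with later Windows releases (not the
# Vista-era manage-bde script) and that AD is already prepared to store
# msFVE-RecoveryInformation objects under the computer account.
#Requires -RunAsAdministrator

$MountPoint = 'C:'   # assumed OS volume

# 1. Is there a usable TPM? Without one, BitLocker needs a USB key or smartcard at boot.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "TPM not present or not ready; BitLocker will not be 'seamless' here."
}

# 2. Which protectors guard the OS volume? With a TPM-only protector, any change to the
#    measured boot path (firmware update, bootable media left in the drive) can drop the
#    machine into recovery, so a recovery password must exist and be stored off-box.
$vol      = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

if (-not $recovery) {
    # No numerical recovery password yet: add one before anything else.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# 3. Escrow every recovery password to Active Directory so a locked desk drawer is never
#    the only copy.
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    Write-Host "Escrowed recovery password $($rp.KeyProtectorId) to AD"
}

# 4. Summary an inventory script can collect from each seat.
[PSCustomObject]@{
    Volume           = $vol.MountPoint
    ProtectionStatus = $vol.ProtectionStatus
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
    RecoveryEscrowed = [bool]$recovery
}
```

Run it once per machine before enabling protection; if `ProtectionStatus` is `On` but `RecoveryEscrowed` is false, a single unexpected boot-measurement change means a help-desk call.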

Anyway, rant over…

Update: Ok. Same thing happened again this morning. I’m gonna uninstall Bitlocker for the moment, until I can figure out what the hell is going on.


2 Responses to “Bitlocker woes…”

  1. Aaron 14 March 2008 at 3:02 pm #
    You ever find out what the problem was? We are looking at deploying Bitlocker here to 2000 seats and things like this scare me. Are you booting with a CD or DVD in your drive, especially a bootable one? I have heard some TPM chips interpret this as a hardware change that causes a Bitlocker PIN prompt.
  2. Dan 14 March 2008 at 3:07 pm #
    Didn’t do much more investigation into it, but a colleague told me that it was a known problem relating to having a bootable DVD in the machine, so you’re right on the money there.
