Use Bitlocker drive encryption for all your data volumes on Vista
September 23, 2007
Thanks to a comment by Steve Lamb on his blog, I now find out that you can already use Bitlocker to encrypt volumes other than the operating system partition, you just have to do it from the command line.
I was pleasantly surprised to learn this, and it means I don’t have to wait for sp1.
OK, some of you must be thinking I have been hiding under a rock if I did not already know this, but I have found no mention in two books on Vista security (by Mark Minasi / Byron Hynes, and Jesper Johansson / Roger Grimes), nor another fat volume about Vista generally, nor a tome on Windows command line administration.
On the contrary, there are lots of misleading phrases that Bitlocker only encrypts the system volume (because they are trying to stress that it does not encrypt the boot volume, I guess), and even mention that if you use EFS for the additional volumes, and the EFS keys are on the system volume which is Bitlocker encrypted, then this is as good as Bitlocking the whole lot anyway. I can see the logic of that, but a little aside to say that you can use Bitlocker directly would have been helpful.
Will BitLocker encrypt more than just the operating system volume?
BitLocker provides a user interface for the encryption of the entire operating system volume, including Windows system files and the hibernation file. You can optionally use Encrypting File System (EFS) in Windows Vista to protect other volumes. The EFS keys are stored by default in the operating system volume. Therefore, if BitLocker is enabled for the operating system volume, all data that is protected by EFS is also indirectly protected by BitLocker. Additionally, advanced users can encrypt local data volumes using a command-line interface (manage-bde.wsf).
So, a bit of cscript manage-bde.wsf -? and we are on our way. But that’s for another day.