
Microsoft BitLocker Overview

Microsoft BitLocker is the #1 ranked solution among top Endpoint Encryption tools and top Mobile Data Protection tools. IT Central Station users give Microsoft BitLocker an average rating of 8 out of 10. Microsoft BitLocker is most commonly compared to McAfee Complete Data Protection. Microsoft BitLocker is popular among the large enterprise segment, accounting for 40% of users researching this solution on IT Central Station. The top industry researching this solution is computer software companies, accounting for 22% of all views.
What is Microsoft BitLocker?

BitLocker is Microsoft's full-volume encryption feature for Windows. It encrypts the volume that hosts the operating system, and optionally fixed and removable data volumes, so that data at rest cannot be read if the device or drive is lost, stolen, or removed and attached to another machine. It is a data-at-rest control only: once a volume is unlocked, the running system and anyone (or any malware) operating under a logged-on user reads it normally, and BitLocker is not a backup and does not protect against data loss or corruption.

BitLocker is not available on every Windows edition; it ships with the business-oriented editions (Ultimate and Enterprise on Windows 7, Pro and Enterprise on Windows 8, and Pro, Enterprise and Education on Windows 10 and later) and with Windows Server. Portable storage devices (such as external hard drives and USB flash drives) are supported by a feature called BitLocker To Go, which is included in Windows 7 and 8 and in Windows Server 2008 R2 and Windows Server 2012. On Windows XP, encrypted removable drives can be read, but not written to, using the BitLocker To Go Reader program.

Microsoft BitLocker is also known as BitLocker, MS BitLocker.

Updated: November 2021

Microsoft BitLocker Customers
ACV, Proaxis Therapy, Choice Hotels International, adnymics GmbH, Intermedia, NMBS/SNCB

Archived Microsoft BitLocker Reviews (more than two years old)

YB
Senior System Manager at Teganalytics
Real User
Securely encrypts our data, but the process is too slow

What is our primary use case?

We use this solution to encrypt the data on three hard drives.

What needs improvement?

The following areas need improvement:

  • The encryption takes a long time to complete, and our system runs very slowly while it is encrypting.
  • If you lose the data, or it becomes corrupted, then there is no backup for it. There is no way of recovering it.
  • There are no clear guidelines for using this product.
  • Technical support for this solution is poor.

For how long have I used the solution?

Trial / evaluation period (six months).

What do I think about the stability of the solution?

The product is stable.

How are customer service and technical support?

There is no technical support that assists with understanding BitLocker.

Which solution did I use previously and why did I switch?

I have used different solutions, personally, but that was while I was at my previous company.

How was the initial setup?

The initial setup for this solution is straightforward. We needed to change the group policy setting.

What about the implementation team?

I handled the installation myself.

We have two people working on the maintenance of the solution.

What other advice do I have?

I would rate this product a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Head of Operations (India) at a tech vendor with 51-200 employees
Real User
It is easy to implement and has AD integration

What is our primary use case?

Preventing data loss in stolen/lost laptops was the primary reason we went for it. It does its job adequately.

How has it helped my organization?

Whole disk encryption was what was required from us. Microsoft BitLocker has executed it with minimal effort.

What is most valuable?

  • Easy to implement
  • AD integration
  • It is a totally free solution.
  • It is tightly integrated with Windows

What needs improvement?

More customization options would have been nice, such as password selection, actions when the screen is locked, etc.

For how long have I used the solution?

One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user757422
Microsoft (Active Directory) Consultant at a logistics company with 5,001-10,000 employees
Consultant
Prevents Unauthorised Access to Corporate Data

What is our primary use case?

Protect corporate data on devices (Laptops, Desktops, Tablets).
Every week hundreds of corporate devices are lost just at airports, and every device holds personal/corporate data. It is very important to protect such data from unauthorised use; hence the solution is to implement Microsoft BitLocker Administration and Monitoring (MBAM).

How has it helped my organization?

I delivered three projects where the business did not have any encryption mechanism in place; if the company or an employee lost a device, there was a chance someone could view sensitive data. After the Microsoft BitLocker Administration and Monitoring (MBAM) implementation, in such cases an unauthorised person will not be able to access the data.

If you already have an older version of MBAM in place, there is an option to move the existing keys over to the new server, which is great.

What is most valuable?

All keys are stored centrally in a database (SQL); there is the option to have a PIN / Enhanced PIN / USB drive.

What needs improvement?

Microsoft BitLocker Administration and Monitoring (MBAM) is one of the best solutions available in the market to protect corporate data.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

Since it is a Microsoft product, there are no compatibility issues. Once planned well, it is a straightforward implementation.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

There is not much support unless a business has got a Premier support contract in place.

Which solution did I use previously and why did I switch?

MBAM is the only solution that I have used for encryption.

How was the initial setup?

You need to know the technical aspects and have a good understanding of Microsoft Client/Server OS. If you know that, then yes, it is pretty straightforward.

What was our ROI?

Well worth it, and a perfect solution, especially as it aligns with GDPR.

What's my experience with pricing, setup cost, and licensing?

It is part of the Microsoft Desktop Optimization Pack (MDOP) and economical compared to similar products.

Which other solutions did I evaluate?

No, we did not.

What other advice do I have?

Look at TechNet for relevant documentation and test many times before implementing in your production environment.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Raphael Marretti
IT Infrastructure Analyst at a tech services company with 501-1,000 employees
Real User
Provides disk protection while configuration is transparent to user, although implementation is complex

Pros and Cons

  • "Integration with System Center Configuration Manager (C: and D: logical drives are encrypted before installing Windows via SCCM)."
  • "The implementation of BitLocker is not simple. There are many prerequisites and hours of study and testing."

What is most valuable?

  • Integration with System Center Configuration Manager (C: and D: logical drives are encrypted before installing Windows via SCCM).
  • Use of the computer's TPM so as not to have to request a PIN from the user.
  • In Windows 10 (1511) the TPM supports the XTS-AES encryption algorithm.

How has it helped my organization?

Before BitLocker we used the DELL disk protection through the BIOS. This protection is not very efficient and the user needs a PIN to unlock the computer. With BitLocker I guarantee the protection of the disk and the configuration is transparent to the user.

What needs improvement?

The implementation of BitLocker is not simple. There are many prerequisites and hours of study and testing. We have had some communication problems between Windows 10 and the TPM and, in some cases, the computer does not work and we need to generate a new key in MBAM.

For how long have I used the solution?

We tested the solution for four months on all computer models we have before placing it in the production environment.

What do I think about the stability of the solution?

Yes. We had communication problems between the OS and the TPM 1.2 of the computer. It is best to use computers with TPM 2.0.

What do I think about the scalability of the solution?

No. We have 1200 computers, and one MBAM server and one SQL server are supporting the environment. I do not know how it scales when using Active Directory to store the encryption keys.

How are customer service and technical support?

There is a lot of documentation in English and Brazilian Portuguese. To date, we have not needed Microsoft technical support.

Which solution did I use previously and why did I switch?

No. Symantec, Dell and McAfee solutions for disk encryption are expensive and some of them use BitLocker behind the solution, but are very expensive.

How was the initial setup?

The initial setup is simple. You have the task of turning on the TPM of all computers before attempting to use BitLocker. When using MBAM + SCCM + SQL, it is important to have a root CA in your environment to issue the digital certificate to MBAM.

What's my experience with pricing, setup cost, and licensing?

BitLocker is already in Windows 10 and its price has already been "paid". To use another disk encryption solution you have to analyze well the needs of each company and how much data is critical to the business.

Which other solutions did I evaluate?

I evaluated solutions from DELL, Symantec and McAfee. Among all, Symantec has a good solution, but very expensive.

What other advice do I have?

We are using BitLocker for Windows 10 (which depends on TPM 1.2 or greater), managed by MBAM 2.5 with a SQL Server database to store the encryption keys. BitLocker can be configured to use Active Directory or SQL to store the encryption keys. When using AD, the keys are stored in an unprotected directory. When using SQL, the keys are stored in an encrypted database.

I recommend that you study many hours before you start testing. Take the MBAM test at Microsoft's website.

Study TPM 1.2 and 2.0.

Use SQL to store the encryption keys and not the Active Directory, so you leave the AD free of high processing and add a layer of protection with the encryption of the database.

It is important to test on ALL models of computers, there is always a model that will not work.

Disclosure: My company has a business relationship with this vendor other than being a customer: Microsoft Partner.
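The TPM pre-flight, TPM+PIN and central key escrow that the two reviews above (the MBAM consultant and this one) describe, as an added example. This is not code from either reviewer, from MBAM, or from Microsoft's documentation; it uses the built-in BitLocker and TrustedPlatformModule PowerShell modules. It assumes a domain-joined Windows 10/11 client, the policy values written to HKLM\SOFTWARE\Policies\Microsoft\FVE stand in for what a domain GPO or MBAM would normally deliver, and the PIN prompt is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the reviews above or from MBAM: TPM pre-flight check,
# then enable BitLocker on the OS drive with TPM+PIN and a recovery password, and
# escrow that password to the computer object in Active Directory.
# Assumptions: a domain-joined Windows 10/11 client; the policy values written below
# stand in for what a domain GPO or MBAM would normally deliver; the PIN is a placeholder.
Import-Module BitLocker
Import-Module TrustedPlatformModule

function Test-TpmReady {
    # Get-Tpm reports presence/readiness; Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38".
    $tpm   = Get-Tpm
    $spec  = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
    $major = ("$spec" -split ',')[0].Trim()
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        Ready       = $tpm.TpmReady          # if $false, Initialize-Tpm may be needed first
        SpecVersion = $major
        Recommended = [bool]($tpm.TpmReady -and $major -eq '2.0')   # the review above hit TPM 1.2 problems
    }
}

function Set-StartupAuthPolicy {
    # "Require additional authentication at startup". Values: 0 = do not allow,
    # 1 = require, 2 = allow. With this policy absent, Enable-BitLocker rejects a
    # TPM+PIN protector and the OS drive can only be TPM-only (unlocked at boot
    # with no user secret).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    $values = [ordered]@{
        UseAdvancedStartup = 1
        EnableBDEWithNoTPM = 0   # no TPM, no BitLocker on the OS drive
        UseTPM             = 0   # TPM-only not allowed
        UseTPMPIN          = 1   # TPM + startup PIN required
        UseTPMKey          = 0
        UseTPMKeyPIN       = 0
        UseEnhancedPin     = 1   # letters/symbols allowed in the PIN (the "Enhanced PIN" of the MBAM review)
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $values[$name] -Type DWord
    }
}

function Enable-OsDriveProtection {
    param([Parameter(Mandatory)][securestring]$Pin)
    $mp = $env:SystemDrive
    $os = Get-BitLockerVolume -MountPoint $mp
    if ($os.ProtectionStatus -eq 'On') {
        Write-Warning "$mp is already protected with $($os.EncryptionMethod); nothing to do."
        return $os
    }
    # 1. Recovery password first, so a recovery path exists before the TPM protector
    #    is sealed to the current boot measurements.
    $rp = (Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    # 2. Escrow it to AD (an msFVE-RecoveryInformation object under the computer account).
    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $rp.KeyProtectorId | Out-Null
    # 3. TPM+PIN protector; start XTS-AES-256 encryption. -UsedSpaceOnly suits a freshly
    #    imaged disk; omit it for a drive that already held plaintext data.
    Enable-BitLocker -MountPoint $mp -TpmAndPinProtector -Pin $Pin `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Get-BitLockerVolume -MountPoint $mp | Select-Object MountPoint, VolumeStatus, EncryptionMethod,
        EncryptionPercentage, @{n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } },
        @{n = 'RecoveryPasswordId'; e = { $rp.KeyProtectorId } }
}

# Usage (the prompt is a placeholder for however the PIN is collected in your rollout)
$tpm = Test-TpmReady
if (-not $tpm.Ready) { throw "TPM not ready: $($tpm | Out-String)" }
if (-not $tpm.Recommended) { Write-Warning "TPM $($tpm.SpecVersion) found; TPM 2.0 is recommended." }
Set-StartupAuthPolicy
Enable-OsDriveProtection -Pin (Read-Host -Prompt 'Startup PIN (6+ characters)' -AsSecureString)
```

The order matters: the recovery password is created and escrowed before the TPM protector exists, so a machine that fails the first reboot (the "computer does not work" case above) already has a key in AD. MBAM replaces the Backup-BitLockerKeyProtector step with its own agent and SQL store, and delivers the startup policy centrally; the remaining steps are the same.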
Darren Chaker
Operator at Halliburton
Real User
It did not conflict with Windows.

Pros and Cons

  • "Whole Disk Encryption is great. BitLocker runs seamlessly during boot up."
  • "There are options which could be implemented to make it a little more like PGP Whole Disk Encryption."

What is most valuable?

Whole Disk Encryption is great. BitLocker runs seamlessly during boot up. I also liked that it did not conflict with Windows, most likely since it was created by the makers of Windows, Microsoft.

How has it helped my organization?

BitLocker provides the common person with great security to guard against most threats, consisting of efforts by unauthorized people who try to gain access to the computer, by not allowing it to boot up absent a password.

What needs improvement?

There are options which could be implemented to make it a little more like PGP Whole Disk Encryption, but given the fact BitLocker is readily available, and has no known conflicts, I think it is a great product to secure against unauthorized access.

For how long have I used the solution?

I have used and recommended BitLocker to people in the corporate and high net wealth arena.

What was my experience with deployment of the solution?

Despite some bad press and conspiracy theories, I trust the product, but I do recommend using a secondary effort such as encrypting a partition of the drive using PGP with a different password (at least 20 characters; do not use words, of course). This is helpful in the event BitLocker is compromised.

What do I think about the stability of the solution?

We have not encountered any stability issues. I have heard some computers using other whole disk encryption solutions can freeze up at times; I have not heard of such with BitLocker.

What do I think about the scalability of the solution?

We have not encountered any scalability issues.

How are customer service and technical support?

Customer Service:

I have never needed to use customer service; however, corporate customer care at Microsoft is great at resolving issues.

Technical Support:

I like the domestic support team; have yet to have an issue with them.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup was straightforward; very simple to install and modify from 128-bit to 256-bit encryption, 256-bit being the government standard for "Top Secret" information.

What about the implementation team?

I did not use a vendor team to implement it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Infrastructure Specialist at a healthcare company with 1,001-5,000 employees
Vendor
Protects employee and enterprise data in case of loss of a laptop. Fills in part of an enterprise-wide security strategy.

What is most valuable?

  1. It is integrated with the hardware, via use of the TPM.
  2. It is also integrated with the Windows operating system, and thus:
  3. It is free!

How has it helped my organization?

Protects employee and enterprise data in case of loss of a laptop. Fills in part of an enterprise-wide security strategy.

What needs improvement?

Remote management (e.g., enable/disable, reset, etc.) of PIN codes and recovery keys would be a nice feature.

For how long have I used the solution?

I've used this solution for more than five years.

What do I think about the stability of the solution?

No, very few issues.

What do I think about the scalability of the solution?

No, it is a very light feature towards infrastructure requirements. Having an AD infrastructure is sufficient.

How are customer service and technical support?

Good.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Engineering and testing took about 10 days and was medium level complexity.

What's my experience with pricing, setup cost, and licensing?

It is free.

Which other solutions did I evaluate?

No. Other options would introduce a licensing cost, extra infrastructure, and operational procedures, so in general, more costly.

What other advice do I have?

It is enhanced in Windows 10, supports PIN self-service and better encryption methods.

Start experimenting in the lab to understand the hardware integration (TPM), encryption methods and (optional) PIN management.

Fix your solution before rolling out, because changing parameters (like encryption) on computers where BitLocker is active is a heavy process in terms of time (decrypt/change/encrypt, etc.).

Disclosure: My company has a business relationship with this vendor other than being a customer:
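The cipher question raised by several reviews above (XTS-AES on Windows 10 1511 and later, switching from 128-bit to 256-bit keys, and this reviewer's warning that changing the encryption method on an active volume means a full decrypt/re-encrypt), as an added example that is not code from any of the reviewers. It audits what cipher each volume actually uses on a set of machines and flags the ones that would need that re-encryption cycle, and sets the policy values that make new encryptions use XTS-AES-256. The computer names are placeholders; the registry values are the ones the "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" policy writes.

```powershell
# Added example, not from the reviews: an audit of the cipher and protection state of
# every BitLocker volume on a set of computers, flagging volumes that would need the
# slow decrypt/re-encrypt cycle described above to reach XTS-AES-256, plus the policy
# values that make *new* encryptions use XTS-AES-256. Computer names are placeholders.

function Set-XtsAes256Policy {
    # "Choose drive encryption method and cipher strength (Windows 10 [1511] and later)".
    # 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
    # Removable drives stay AES-CBC 256 here: XTS volumes cannot be opened on Windows 7/8.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs  -Value 7 -Type DWord
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsFdv -Value 7 -Type DWord
    Set-ItemProperty -Path $fve -Name EncryptionMethodWithXtsRdv -Value 4 -Type DWord
}

function Get-BitLockerCipherReport {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string]$Target = 'XtsAes256'
    )
    # Local query for this machine, WinRM (Invoke-Command) for the rest; Get-BitLockerVolume
    # needs local-admin rights on the target either way.
    $vols = foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME) {
            Get-BitLockerVolume | Add-Member -NotePropertyName PSComputerName -NotePropertyValue $c -PassThru
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock { Get-BitLockerVolume }
        }
    }
    foreach ($v in $vols) {
        $method = "$($v.EncryptionMethod)"          # enum locally, string when deserialized
        [pscustomobject]@{
            Computer         = $v.PSComputerName
            MountPoint       = $v.MountPoint
            VolumeType       = "$($v.VolumeType)"           # OperatingSystem / Data
            ProtectionStatus = "$($v.ProtectionStatus)"     # Off = not encrypted, or encrypted with the key in the clear (suspended)
            EncryptionMethod = $method                      # None, Aes128, Aes256, XtsAes128, XtsAes256
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ',')
            Unprotected      = "$($v.ProtectionStatus)" -ne 'On'
            NeedsReEncrypt   = ("$($v.VolumeStatus)" -ne 'FullyDecrypted') -and ($method -ne $Target)
        }
    }
}

# Usage: placeholder names; in practice feed it an AD or SCCM computer list.
Set-XtsAes256Policy
Get-BitLockerCipherReport -ComputerName 'LAPTOP-01', 'LAPTOP-02' |
    Sort-Object NeedsReEncrypt, Unprotected -Descending |
    Format-Table -AutoSize
```

The policy only affects volumes encrypted after it applies; a volume reported with NeedsReEncrypt has to go through Disable-BitLocker, wait for FullyDecrypted, then Enable-BitLocker, which is the time cost this review warns about. An Unprotected volume with a non-None method is usually one someone suspended with Suspend-BitLocker and never resumed, which is worth catching in the same pass.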
Aimee White
Info Sec Consultant at Size 41 Digital
Real User
Bitlocker - defence in depth
Understanding your responsibilities for disaster recovery at a departmental level can be difficult; IT departments are holistic entities. We deal with systems, people, security, servers and infrastructure... but we also need to think about things at a granular level so we can ready ourselves for when a terrible system failure occurs - it always will.

My problem was that we needed to ensure we had a very basic form of disaster recovery for our staff who were planning an event that gave us the biggest turnover of our year. Okay, so, our staff needed to take business critical information out of the office on something they could access individually. Yes, we could have used cloud storage but the staff needed full portability and access with or without the internet. Not to make a mountain out of a mole hill - USB keys.

I know. USB keys. Oddly, they seem very fond of train seats and restaurant chairs, because we keep hearing about them being found everywhere with private information on them. I think we're all agreed that, in the wrong hands, USB keys can be a bit of a nightmare. Of course, in the right hands they can be a nifty thing, but the password must be strong enough. It also shouldn't be able to be changed by staff.

Here we have a solution to the problem of securing drives in easy reach: BitLocker. I literally can't think of an easier product to use. Click. Choose a couple of options or leave them as the default. Save. Done. I'm not underplaying this, it really is simple.

The aim of the game is to provide security against thefts that are spur of the moment, or people finding items that are lost; no-one wants to be the government department that loses a USB key full of people's NI numbers. We need to show due diligence in securing the storage devices that will be leaving the office.

How does it all work? 

BitLocker uses the TPM (Trusted Platform Module), but it can be used without it via a small change from the sysadmin of your org (probably you).

And it really is quite simple:

It comes with a recovery key that the IT department can keep hold of in case the password is forgotten. To reiterate, it's included in some Windows software, so it's free. When working for charities this is a great bonus, especially if they insist on USB drives even though we all know they are a real risk to info getting out into the open.

So, Bitlocker is designed to secure your drives (even removable ones) in an easy fashion. Does it do that? Yes, very much so. Is it easy to use? I’m not sure they could have made it easier.

Is it secure? Secure enough from situational thieves and unskilled (in hacking) malicious current/ex-staff.

Did I find any bad points? To be honest, no. Job done. BitLocker for securing drives, especially USB drives that leave the office. If you need something stronger, then the drive probably shouldn't be leaving the office in the first place.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user8433
Security Expert at a tech company with 10,001+ employees
Vendor
IronKey versus BitLocker-To-Go with smart cards (part 1)
This post originally appeared on the Random Oracle blog at https://randomoracle.wordpress.com/2013/03/02/ironkey-verses-bitlocker-to-go-with-smart-cards-part-1/

IronKey is one of the better known examples of “secure flash drive,” a category of products targeted at enterprises and security-conscious users for portable storage with hardware encryption. From a certain perspective, this entire category owes its existence to a failure of smart card adoption in the same target market. All of the functionality of dedicated hardware encryption products can be implemented with equal or better security, at much lower cost and greater flexibility using general purpose smart cards and off-the-shelf software.

Case in point: BitLocker-To-Go (“BL2G” for short), available in Windows 7 and later versions, provides full disk encryption for any old USB drive, with keys managed externally. BL2G is closely related to the original BitLocker feature introduced in Vista, which protected boot volumes with the help of a trusted platform module. The latter is a more difficult proposition, as booting a modern OS involves several stages, each depending on executing code from the encrypted disk. Maintaining integrity of this code loaded during boot is as much of a concern as confidentiality, because altering the operating system can be an avenue of bypass against disk encryption. By contrast BL2G is concerned strictly with reading data after the OS has already been booted into a steady state.

[Screenshot: context menu on a removable drive, showing the option to enable BitLocker]

BL2G can be configured to use either a password or a smart card for encryption:

[Screenshot: choosing between passphrase and smart card when enabling BitLocker]

The first configuration is susceptible to the usual offline guessing attacks, much like Android disk encryption, because keys are derived from a low-entropy secret chosen by the user. In the second configuration, the bulk-data encryption key is randomly generated and sealed using a public key associated with the smart card. Unsealing that to recover the original key can only be done by asking the card to perform a private key operation, which is what smart cards are designed to implement with high security.

[Screenshot: PIN dialog during the private key operation to unlock a volume protected by BitLocker To Go]

Comparing a USB drive with built-in encryption with BL2G coupled to a smart card, these solutions achieve similar, but not identical, security profiles:

  • In both cases, bulk data encryption key is not derived from user-entered PIN or pass-phrase. A key based on “12345678″ is not any more likely than one based on “c8#J2*}ep
  • In both cases there is a limit to online guessing attacks by trying different PIN/password choices. For dedicated drives, the retry count is typically fixed by the manufacturer. For BL2G, it depends on the application installed on the card, translating into more flexibility.
  • BitLocker defaults to AES with 128-bit keys, along with a home-brew diffuser to emulate a wide-block cipher operating on sectors. Dedicated flash drives typically boast slightly more modern cryptography, with 256-bit AES in standardized XTS mode. (Not that any practical attacks exist against 128-bit keys or the custom diffuser. But one can imagine that manufacturers are caught in a marketing arms race: as soon as one declares support for the wider key length and starts throwing around “256″ as magic number, everyone else is required to follow suit for the sake of parity.)
  • For those comforted by external validation, there are many smart cards with FIPS 140 level 3 certification (as well as Common Criteria EAL 5+) in much the same way that many of the drives boast FIPS compliance. Again BL2G provides for greater choice here: instead of being stuck with the specific brand of tamper-resistant hardware the drive manufacturer decided to use, an enterprise or end-user can go with their own trusted card/token model.
  • BL2G has better resilience against physical theft: an attacker would have to capture the drive and the card, before they get to worrying about user PIN. If only the drive itself is lost, any data residing there can be rendered useless by destroying the cryptographic keys on the smart card. By contrast a lost IronKey is a permanent liability, just in case the attackers discover the password in the future.
  • Neither approach is resilient against local malware. If the drives are unlocked while attached to a compromised machine, all stored data is at risk. Some smart cards can support external PIN entry, in which case local malware can not observe the PIN by watching keystrokes. But this is little consolation, as malware can request the card to perform any operation while connected. Similarly while the IronKey PIN must be collected on PC and subject to interception, there are other models such as Aegis Secure Key with their own integrated PIN pad.
  • BitLocker has one convenience feature that may result in a weaker configuration. There is an option to automatically unlock drives, implemented by caching the key after successful decryption. Once cached, the smart card is no longer required to access the same drive in the future, because the key is already known. If the user makes an unwise decision to use this feature on a laptop which is stolen (or equivalently, remotely compromised) the persisted key can be used to decrypt the drive. Meanwhile the proprietary software accompanying IronKey does not provide an option to cache passwords. (That said, nothing stops a determined user from saving it to a local file.)

The second part of this post will look at other dimensions, such as performance, cost effectiveness and scaling, where BitLocker & smart card combination enjoys a decisive advantage over dedicated hardware.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
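The BitLocker To Go setup discussed in the review from Aimee White above (a removable drive with a password the staff cannot weaken, and a recovery key IT keeps) and in this post (a smart-card certificate protector, and the automatic-unlock cache as a way to lose the benefit), as an added example. This is not code from either author; it uses the BitLocker PowerShell module. The drive letter, certificate thumbprint and passphrase prompt are placeholders, and the RDV* registry values are the ones the removable-drive Group Policy settings write, here set locally in place of a domain GPO.

```powershell
# Added example, not from the review or the blog post above: BitLocker To Go on a
# removable drive with a recovery password plus either a passphrase or a smart-card
# certificate protector, the removable-drive policy that stops staff choosing weak
# passphrases or writing to unencrypted sticks, and a check that undoes the
# "automatically unlock" cache the post warns about. Drive letter, thumbprint and the
# passphrase prompt are placeholders.

function Set-RemovableDrivePolicy {
    # Removable data volume (RDV) policy values a domain GPO would normally deliver.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    # "Deny write access to removable drives not protected by BitLocker": an
    # unencrypted stick mounts read-only, so data cannot leave the office in the clear.
    Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess      -Value 1  -Type DWord
    # "Configure use of passwords for removable data drives": passphrase required,
    # complexity required, at least 16 characters. Users cannot lower this.
    Set-ItemProperty -Path $fve -Name RDVPassphrase           -Value 1  -Type DWord
    Set-ItemProperty -Path $fve -Name RDVEnforcePassphrase    -Value 1  -Type DWord
    Set-ItemProperty -Path $fve -Name RDVPassphraseComplexity -Value 1  -Type DWord   # 1 = require
    Set-ItemProperty -Path $fve -Name RDVPassphraseLength     -Value 16 -Type DWord
    # "Configure use of smart cards on removable data drives": allow the blog post's setup.
    Set-ItemProperty -Path $fve -Name RDVAllowUserCert        -Value 1  -Type DWord
}

function Enable-RemovableDriveProtection {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'E:'
        [securestring]$Password,                     # passphrase protector, or
        [string]$CertificateThumbprint               # smart-card certificate protector (the post's setup)
    )
    if (-not $Password -and -not $CertificateThumbprint) { throw 'Supply -Password or -CertificateThumbprint.' }
    # Recovery password first: this is the key IT keeps for a forgotten passphrase or lost card.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
    # AES-CBC 256 rather than XTS so the drive also opens on Windows 7/8 machines.
    if ($CertificateThumbprint) {
        Enable-BitLocker -MountPoint $MountPoint -CertificateProtector `
            -CertificateThumbprint $CertificateThumbprint -EncryptionMethod Aes256 | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
            -EncryptionMethod Aes256 | Out-Null
    }
    [pscustomobject]@{
        MountPoint         = $MountPoint
        RecoveryPasswordId = $rp.KeyProtectorId    # record with the recovery password, away from the drive
        RecoveryPassword   = $rp.RecoveryPassword
        Protectors         = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType -join ', '
    }
}

function Remove-CachedAutoUnlock {
    # "Automatically unlock this drive on this computer" stores the volume key on the OS
    # drive; a stolen or compromised laptop then opens the stick without card or passphrase.
    $cached = @(Get-BitLockerVolume | Where-Object { "$($_.VolumeType)" -eq 'Data' -and $_.AutoUnlockEnabled })
    foreach ($v in $cached) {
        Write-Warning "Auto-unlock was enabled for $($v.MountPoint); disabling."
        Disable-BitLockerAutoUnlock -MountPoint $v.MountPoint | Out-Null
    }
    # Also drop cached keys for drives that are not attached right now.
    Clear-BitLockerAutoUnlock
    return $cached.Count
}

# Usage (placeholders)
Set-RemovableDrivePolicy
Enable-RemovableDriveProtection -MountPoint 'E:' -Password (Read-Host -Prompt 'Drive passphrase' -AsSecureString)
Remove-CachedAutoUnlock
```

With the policy in place, the passphrase branch is the review's "click, choose a couple of options, done" flow with the weak-password choice taken away from the user, and the certificate branch is the post's smart-card flow. Remove-CachedAutoUnlock is the operational check for the post's last bullet: the cached key lives on the OS volume, so the audit runs on the laptop, not on the stick.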
it_user8433
Security Expert at a tech company with 10,001+ employees
Vendor
IronKey versus BitLocker-To-Go with smart cards (part 2)
This post originally appeared on the Random Oracle blog at http://randomoracle.wordpress.com/2013/03/05/ironkey-verses-bitlocker-to-go-with-smart-cards-part-2/

The first post in this series described how the BitLocker-To-Go feature built into Windows can be used in conjunction with smart cards to encrypt removable drives, and offer an alternative to dedicated hardware such as IronKey devices with comparable security. In this second and final part, we continue the comparison focusing on scaling, cost effectiveness and ease of deployment.

From a cost perspective, BL2G wins hands down:

  • BL2G works for any external drive, as well as logical volumes and non-bootable partitions of internal drives. There is no need to acquire new hardware. Existing plain USB drives can be leveraged, avoiding new capital spending.
  • Even when buying new drives, there is a huge premium for models with built-in encryption. Data point from March 2013: the 16GB model of IronKey Basic S250 retails for around $300. By comparison a plain USB thumb drive at that capacity costs less than $20, or one-fifteenth the price. Not to mention those vanilla drives boast USB 3.0 support, unlike the IronKey, stuck with slower USB 2.0. The price discrepancy only gets worse with increasing capacity, a phenomenon that can only be explained by wide profit margins, considering that the addition of a secure element to a vanilla drive is fixed overhead.
    • For BL2G there is the additional expense of card and reader. Basic contact-only readers can be had for less than $20. (On the splurge side, even fanciest dual-interface readers with contact and NFC  retail top out around $130.) The cost of the card itself is noise; plastic cards cost around $10 in volume. Alternatively one can opt for USB tokens such as GoldKey that function as combined card-in-reader.
    • It is also worth pointing out that card and reader are not unique to a drive: the same combination can protect any number of drives. Not to mention, enable other useful scenarios including machine logon,  secure email and remote authentication. In short the one-time investment in issuing cards and readers is far more economical than buying dedicated drives.
  • Speaking of space, BL2G scales better to large capacities because it operates on commodity hardware. IronKey comes in different sizes but the largest ones in thumb-drive form factor max out at 64GB currently. Meanwhile plain 256GB drives have reached market, and are starting their inevitable drop in price. Because BL2G effectively implements the “bring-your-own-drive” approach, it is not constrained by any particular manufacturer’s offerings.

From an administration perspective, the MSFT focus on enterprise scenarios leads to a more manageable solution:

  • The IronKey requires yet one more password to remember and does not fit into any existing enterprise authentication infrastructure. (For users with several drives, consider the challenge of updating the password on all of them.) By contrast, the same smart card used for logon to Active Directory can be used for BL2G encryption if provisioned with a suitable certificate. The user experience is one versatile credential, good for multiple scenarios.
  • Basic IronKey models cannot recover from a forgotten PIN unless the user activated an online account. Not even if the user is willing to lose all data and start from a clean slate with a blank drive. (This conveniently translates into more sales for the manufacturer, so there is not exactly a lot of economic incentive to solve the "problem.") BL2G volumes have no such constraint. They can be wiped clean and reformatted as plain drives if desired.
  • BL2G can be integrated with Active Directory in managed environments. Group policy can be configured to back up encryption keys to AD, to allow for data recovery by IT administrators in case the primary (smart card) and secondary (printed key) unlock mechanisms both fail.

On the downside, there are deployment challenges to using smart cards:

  • BitLocker remains a Windows-only solution, while IronKey and its brethren have decent cross-platform support. In principle there is no reason why software could not be written to mount such volumes on OS X and Linux. (It is not clear Wine emulation will help. While there is a reader application available downlevel for XP, recognizing BL2G volumes is part of core system functionality. There is no stand-alone executable to run in emulation mode to get the same effect.)
  • BL2G requires a smart card and card reader, or an equivalent combined form factor such as a USB token. While plug-and-play support and developments in the Windows smart card stack for recognizing common cards have made this simpler, it is one more piece of hardware to consider for deployment.
  • Cards need to be provisioned with a suitable certificate. BitLocker can use self-signed certificates, obviating the need for a CA, but that assumes the card can support user-driven provisioning. This is true for GIDS, for example, but not PIV, which requires administrative privilege for card management and is more suited to an enterprise setting.

Finally, it is worth pointing out some options that try to integrate removable storage with a smart card reader. For example, the @Maxx Prime combines a SIM-sized smart card reader with a slot that can accommodate microSD cards. Typically that SIM slot would be permanently occupied by a small form-factor card with support for certificates and public-key cryptography. Then interchangeable microSD cards can go in the microSD side to provide access to encrypted data, with the entire rig connected to a USB port.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user8433
Security Expert at a tech company with 10,001+ employees
Vendor
Using cloud services as glorified drive: BitLocker-To-Go (part III)
This post originally appeared on the Random Oracle blog at https://randomoracle.wordpress.com/2013/07/29/using-cloud-services-as-glorified-drive-bitlocker-to-go-part-iii/

The second post in this series described how to map storage at an arbitrary cloud storage provider as an ordinary local drive in Windows, using virtual hard disks. This post will look at how to encrypt that drive such that any information data backed up to the cloud remains private under the worst-case scenario: the service provider going rogue and deciding to rifle through user data. While there are many ways to encrypt storage locally, we are primarily interested in options supported out-of-the-box on common operating systems such as Windows. It turns out that there is a built-in feature with exactly the right properties for this job: BitLocker-To-Go disk encryption or BL2G for short.

BitLocker and BitLocker-To-Go

Some context is required to distinguish BL2G from its better known cousin, BitLocker for boot volumes. There is plenty in common, as the shared branding suggests. Both variants are full-disk encryption schemes; they operate at the level of an entire drive. This is in contrast with a much older Windows feature called Encrypting File System, which operates at the level of files and directories. With EFS it is possible to designate particular directories or even individual files for encryption. For BitLocker that choice is made at the granularity of a complete drive. (Strictly speaking these are logical drives, rather than physical instances. A single physical drive may be formatted with multiple partitions, each appearing as an independent logical volume.)

Both vanilla BitLocker and BL2G use similar formats and cryptographic primitives such as the AES block cipher. Where they differ is the way encryption keys are derived, a difference rooted in the usage scenarios. Ordinary BitLocker protects boot volumes and is often used in conjunction with a built-in TPM that is part of that machine. One interesting corollary is that BitLocker cannot encrypt everything. At least part of the boot-loader and core filesystem code responsible for decrypting the rest of the drive must be accessible in the clear. This poses a problem, since an attacker could then replace these pieces with a malicious bootloader/OS combination to obtain the. To thwart such attacks, BitLocker requires a verified boot process, where disk encryption keys are derived as a function of the code executed during the boot sequence. If any of those pieces change, such as the OS bootloader, the TPM will generate different keys and the disk cannot be encrypted. Implicit in this design is the assumption that decryption only needs to happen locally. There is no expectation that the same drive can be removed from that laptop, popped into a different one, which contains a different TPM, and successfully decrypted on that new host.

BitLocker-To-Go is specifically aimed at solving that mobility scenario. While internal drives are rarely migrated between machines, USB thumb-drives are frequently used as a low-tech, high-latency network to carry data around. Unfortunately their size and mobility also make them frequent subjects of theft or accidental loss. This is where BL2G comes in, providing full-disk encryption on removable media. In many ways BL2G has a simpler design because there is no boot sequence to worry about. On the other hand, the mobility requirement rules out using an on-board TPM as the source of encryption keys, since a TPM is bound to a single machine by design.

Encryption options

Instead, BL2G gives users the option of a passphrase or smart cards. Ordinary BitLocker can also work with passphrases in the absence of a TPM, but that leads to a situation where the burden is placed on users to pick "good" passwords. The difficulty of recovering the key is a function of the user's ability to pick random sequences of letters. This is exactly the weakness in SpiderOak client-side encryption described earlier. The same problem plagues the OS X FileVault design, since Apple never quite figured out how to incorporate TPMs into their hardware. (Making matters worse, FileVault uses the same secret for disk encryption as for login to the OS. That means the secret will be typed often, for unlocking the screen for example, further discouraging the choice of high-entropy ones.)

On Windows the smart card option is only available for BL2G. This is because the operating system is fully booted and running with all bells and whistles. By contrast, ordinary BitLocker decryption takes place early on in the boot sequence, before smart card functionality has been initialized. Using this option requires a suitable "card" and/or reader combination, but the options are quite diverse. Most common are plastic cards requiring insertion into a card reader, but contactless cards using NFC, USB tokens with an embedded card or even an Android phone with an embedded secure element can function as a smart card as far as Windows is concerned. To confuse matters, starting in Windows 8 it is also possible to create a virtual smart card out of the TPM, but doing that would break roaming.

One catch is that BL2G cannot be applied to any old drive. For example, SMB network shares cannot be encrypted this way because such shares are not addressed as raw devices at the block level. Access to network drives is mediated by a remote server which presents a high-level abstraction of a file system, instead of a physical storage medium divided up into sectors. By contrast, when a flash drive is attached, the OS takes direct control over its filesystem and manipulates the underlying media directly.

Enabling BitLocker-To-Go

Luckily, a VHD file mounted as a local drive looks very much like that removable USB drive as far as the operating system is concerned. BL2G is enabled in exactly the same way: right-clicking on the mounted VHD image shows a context menu with the option to turn on BitLocker:

[Image: "Manage BitLocker" context menu. Caption: Enabling BitLocker-To-Go]

As the shield icon suggests, the command requires administrator privileges. Selecting that and confirming the UAC prompt leads to a wizard walking the user through the steps of encrypting the drive and backing up the encryption key:

[Images: wizard screens "Enable BitLocker", "Backup Recovery Key" and "Ready To Encrypt"]

When the smart card option is selected, the wizard will require that a card is already inserted in the reader and search for a certificate with suitable properties. After encryption is complete, the drive icon changes to show a gray open padlock superimposed. This signals that the volume is protected by BL2G and that it is currently unlocked to allow access to the data.

[Image: drive icon after encryption]

Once BL2G encryption is complete, all data written to the virtual disk, which is represented by a single VHD file as far as the cloud service goes, is protected. There is no user-chosen passphrase that can be brute-forced. (There is usually a PIN set on the card for additional security, but this PIN is only known to the card; it is never part of the encrypted disk image or shared with the cloud.)

The next post in the series will look at the experience of accessing that data from another machine, and some important limitations of this approach which make it impractical for large volumes.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
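The wizard steps the post walks through (turn on BL2G for the mounted VHD, pick the smart-card certificate, back up the recovery key) and the Active Directory key escrow mentioned in the previous post, as an added PowerShell example that is not part of the original post. It assumes the VHD is already attached as drive E:, the shell is elevated, and the card holds a certificate carrying the BitLocker Drive Encryption EKU; manage-bde is used for the certificate protector because the BitLocker PowerShell module exposes no certificate-protector cmdlet.

```powershell
# Added example, not code from the original post. Assumptions: the VHD is
# attached as E:, the shell is elevated (the wizard's UAC prompt), and a smart
# card with a BitLocker-capable certificate is in the reader.
#Requires -RunAsAdministrator

$Drive = 'E:'   # assumption: mount point of the attached VHD

# 1. Make sure the volume is not already encrypted.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Drive is already $($vol.VolumeStatus); nothing to do."
}

# 2. Turn on BitLocker with a numerical recovery password as the secondary
#    ("printed key") unlock mechanism; this is what the wizard backs up.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 `
    -RecoveryPasswordProtector | Out-Null

# 3. Find the card certificate the wizard would select: BitLocker looks for
#    the "BitLocker Drive Encryption" EKU, OID 1.3.6.1.4.1.311.67.1.1.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.67.1.1'
    } | Select-Object -First 1
if (-not $cert) { throw 'No certificate with the BitLocker EKU on the card.' }

# 4. Add the smart-card (public key) protector by thumbprint.
manage-bde -protectors -add $Drive -certificate -ct $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }

# 5. Record the recovery password and, on a domain-joined machine, escrow it
#    in Active Directory (what the Group Policy backup described earlier does).
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Recovery password for ${Drive}: $($rp.RecoveryPassword) (id $($rp.KeyProtectorId))"
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId
}

# 6. Wait for encryption to finish; the drive then shows the open-padlock icon.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $Drive
    '{0}: {1} ({2}% done)' -f $Drive, $vol.VolumeStatus, $vol.EncryptionPercentage
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# 7. Lock the volume before the VHD file is synced to the cloud provider, so
#    the file holds only ciphertext plus key material wrapped for the card.
Lock-BitLocker -MountPoint $Drive -ForceDismount
Get-BitLockerVolume -MountPoint $Drive |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
```

The KeyProtector list printed at the end should show both a RecoveryPassword and a certificate-based protector; if only the recovery password appears, step 4 did not succeed and the card is not required to unlock the volume.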
ITCS user
IT Administrator at a tech services company with 51-200 employees
Consultant
Easy to set up and good performance.
BitLocker is easy to set up; it will automatically enable the TPM chip for you and prompt you to save/print the recovery key. The biggest advantage I have seen is performance when compared with other whole disk encryption technologies. In my own studies, comparing BitLocker with another well-known competitor, BitLocker encrypted drives have seen almost zero performance impact. Drives encrypted with the competition literally dropped in read/write performance by 50%.
BitLocker is used in my environment for laptop drives and it meets our corporate security compliance needs. If you try to reboot to safe mode or swap the hard drives, the laptop will prompt for the key to be entered before booting to Windows.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user8262
Systems Analyst at a tech company with 10,001+ employees
MSP
TrueCrypt vs Bitlocker
BitLocker uses your computer's TPM device, if it has one. If it does not, you'll be forced to use a USB memory stick to keep your key on. You can choose to use the USB option instead of the TPM.
- Pro for TPM: easy to use. Turn the PC on and it's ready to use.
- Con for TPM: Windows is super easy to get into even when a password is used. An attacker can steal your whole computer and get into your system if they know what they're doing. It's not an advanced attack.
- Pro for USB: take the drive with you wherever you go; an attacker can't get in if you shut down your PC when you leave your place.
- Con for USB: if you lose the drive, you lose the key. You could, of course, print the key and keep it in a fireproof box. If you leave the USB drive with the PC, then it's like the "Con for TPM" scenario.

[tin-foil-hat] "We have been able to provide police, law enforcement, and private investigators with a tool that allows bypassing BitLocker encryption for seized computers." Source: http://www.thetechherald.com/articles/New-software-will-break-BitLocker-encryption/8538/ [/tin-foil-hat]

Edit: Volume-level encryption, which BitLocker employs and so can TrueCrypt (in addition to containers and partition-level encryption), is not as good as Full Disk Encryption, but still good. The most popular use of TrueCrypt is creating encrypted containers within unencrypted (or encrypted) partitions.
- Pros of TrueCrypt: it's vetted and regarded as one of the best platforms to use. Good, long passwords stored in your brain are hard to brute force.
- Cons of TrueCrypt: don't forget your password. Theoretically, and especially if a short password is in use, the container can be brute-forced fairly easily. Longer passwords are better than more complicated passwords when it comes to encrypted containers. (See *However* below.)

*However*, TrueCrypt also supports the use of keyfiles, which means you can create an encrypted volume, partition, or container, store the keyfile on a USB memory stick, and store a good, long password in your brain. The container in this scenario can't be brute-forced without the keyfile, but you need the keyfile and the corresponding password to unlock the container.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Infrastructure Expert at a tech services company with 1,001-5,000 employees
Consultant
User friendly encryption solution

Valuable Features:

BitLocker has its good points, mainly that it's included in Windows and it encrypts an entire drive, regardless of the type of drive or its location (internal or external) in the system. BitLocker also works with TPM keys and chips to add a hardware component to the encryption.

Room for Improvement:

Any software encryption will take up additional space on your hard drive or storage device, and BitLocker is no exception. Also, BitLocker is only available on Windows 7 Ultimate and Enterprise editions, not Professional, which most small and medium business users use.

Other Advice:

From my own personal experience, BitLocker is one of the easier ways to encrypt a drive. The inclusion of TPM and hardware support is a definite plus, as it allows it to work with smart cards and PIV cards from a government perspective.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user1035
Developer at a tech vendor with 51-200 employees
Vendor
A simple tool, but very useful to secure data

Valuable Features:

1. Very easy to use. It can be done in a few steps in a wizard.
2. It is a free product that comes with Microsoft Windows.
3. It encrypts your whole drive, no matter if it is external or internal.
4. Recovery files can either be saved to a drive or printed on paper.

Room for Improvement:

1. It is available for Microsoft Windows Ultimate and Enterprise editions only.
2. It takes a long time to encrypt and decrypt a drive.

BitLocker is a very user-friendly tool, which can encrypt our data within a few clicks. There is no hard work to do. Because of that, I prefer to use it. It has no big steps and is also a very light tool. A major thing is that it is a free tool that comes with Microsoft Windows.

Other Advice:

As a student, I use flash drives frequently. Sometimes my colleagues borrow my flash drive and could potentially delete my important data. By encrypting my flash drive, I can avoid it. However, there are still a few problems with it. It comes only with the Windows Ultimate and Enterprise editions, so users of other editions cannot use this tool. It takes a long time to encrypt a drive.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user1011
Manager of Data Center at an insurance company with 51-200 employees
Vendor
BitLocker made us believe that having physical possession of a system is not total possession of the data.

Valuable Features:

1. BitLocker is easy to use. You start the wizard by right-clicking the drive and selecting "Turn on BitLocker".
2. BitLocker encrypts the content of any drive and makes your data secure and safe.
3. The option of using either a strong passphrase or a smartcard to encrypt/decrypt the drive brings flexibility in terms of choice.
4. The BitLocker recovery key can either be printed and stored in a secure place or stored on a drive.
5. In a Windows server environment, the combination of BitLocker and Group Policy enforces the encryption of removable drives across the network.
6. It is free to Windows users provided your OS supports it.

Room for Improvement:

1. Although drive encryption can run in the background, it took a long time to encrypt a drive.
2. BitLocker is available for the Windows Ultimate / Enterprise editions only. Other editions of Windows should enjoy this facility.

My job functions involve writing scripts that I mostly apply to clients' computers, both standalone and networked. I store most of these scripts on a flash drive to reduce the task of writing them at the client end. My major challenge was in securing the flash drive. In the past I had a case where a staff member wiped most of his important files by unknowingly clicking on one of the scripts on the flash drive he collected from me. This incident almost caused me to lose my job.

Other Advice:

In order to avoid such an experience in the future, I was forced to search for a free tool that would help me encrypt my drive. BitLocker was all we needed. To be sincere, I am not disappointed deploying the tool. All my drives are now encrypted. There is no fear of losing my job as a result of unauthorized access to my flash drives, or any other drives. BitLocker also enabled us to encrypt the drive hosting the operating systems of our mobile users. All that the PC needs is to be Trusted Platform Module (TPM) compliant, or rather, to have a USB stick that contains the keys. This provides additional security to the systems.
Disclosure: I am a real user, and this review is based on my own experience and opinions.