Are You using some methods of securing data on Yours laptop hard drive? EFS anyone? I'm curious how many of readers are using TrueCrypt?
Until today I've used TrueCrypt as a solution for secure file storing on my laptop machine. TrueCrypt is really cool tool. It gives You good usability, strong encryption and ability to easily transfer encrypted files between different machines. Now with Vista I've decided to switch (not completely (1) ) to BitLocker which gives possibility to encrypt whole volume and my Tecra laptop is equipped with TPM module which gives me possibility to store keys in a secure way. So few things which I want to share with others after enabling BitLocker.
1'st – initial setup.
I choose to store my recovery keys on USB device (of course I also have sealed and stored in the box deep under the building printed copy of recovery password). After initial configuration Vista gives You option to test Your recovery device before encrypting volume. I choose to use this option and for few times I had to reboot and read message that my USB device wasn't accessible after reboot and BitLocker has aborted encryption. Unfortunately in such case You have to repeat whole procedure from the scratch. It found out at the end that it is caused by my USB stick. After reboot this was in some kind of disabled state and I had to remove it for a while after initiation reboot to make it visible for machine BIOS. Maybe somebody will look for solution for similar problem.
There is another thing connected to this problem. When You choose to store also printed version of Your recovery key, for the first time You are printing this page You will get Your volume recovery password and TPM owner password on Your copy. If for some reason Your procedure will fail (like for example problem with USB device like it was in my case) You will have to print this password page once again – but this time You will get only volume recovery password. So if You want to keep TPM owner password You have to keep both printed pages and mark volume recovery password on first page as invalid. Little annoying. OK, annoying for me.
2'nd – disk partitioning for BitLocker.
When You will read BitLocker step-by-step guide for drive partitioning You will read that You need 1.5 GB partition for boot partition (2). I've created 1 GB (and my friend told me that he managed to run it with 350 MB) and right now, after enabling BitLocker I still have most of it unused.
With laptop's hard drive which is not from the big once every space counts, so spending 1.5 GB might be a little expensive.
3'rd – initial encryption.
Second – initial encryption. It takes a little time. For me, on 78 GB volume with 26 GB of free space (remember that BitLocker also encrypts free space) it took a little more than 3 hours to perform complete initial encryption. Fortunately during this process You can shutdown Your machine or put it into hibernation. On shutdown or hibernation BitLocker pauses encryption process and automatically resumes it when system is back again operational.
There is one more thing related to initial encryption which I can't find in documentation. It requires a lot of free space on Your hard drive. My colleague from MCS has also 80 GB volume with only 9 GBs of free space and BitLocker setup is failing with "not enough free space message". In may case (volume 80GB\26 GB free) during initial encryption process system reported only 6 GB of free space on this volume. I can't find any information how much free space is required in documentation, so You will have to find your own value. But You have to be prepared that You might need to free some space during initial encryption process.
4'th – work with BitLocker
Besides requirements to enter PIN on startup (which isn't mandatory but I choose so) working with BitLocker enabled on Vista machine isn't different from working on volume without BitLocker. I haven't noticed significant impact on performance, and I don't observer any hard drive usage. It looks like Vista is operating normally. And I hope it will continue to work in this way 🙂 …
(1) – I haven't abandoned TrueCrypt completly. With my bit paranoid approach – how to secure data about recovery passwords for my volume :). The ultimate answer is … put it into TrueCrypt volume :).
(2) – I was asked how to enable BitLocker if drive was already partitioned and single volume was created. There is KB 930063 which describes tool which can help in such case.