HowTo: Enabling BitLocker in Windows Vista Ultimate
Posted by Jaymz, December 24th, 2006 in Software, Tech, Windows

Do you have embarrassing chatlogs on your machine? Don’t want anyone to discover your secret stash of erotic Cars fanfiction and fanart? Are you afraid that your mother may rip the hard drive out of your machine and discover your shameful interests in music from Guns N’ Roses and Poison? Fear no longer, for I will now unlock the secret art of enabling BitLocker for Windows Vista Ultimate, on machines without a TPM.
Disclaimer: This guide is written for the purpose of maintaining privacy on people’s personal computers, and not for the encryption of materials that may be illegal in your country or state. Remember, folks:
Now, with that out of the way, here’s what you’re going to need to get started.
- Windows Vista Ultimate (or Enterprise, if you’re a corporate office worker who’s been given a flash new notebook with a legit Enterprise install, and not some juarezing scumbag who downloaded it from The Pirate Bay and used some KMS server in China).
- A USB key. Doesn’t matter if it has data on it or not, I believe. This will essentially be the “key” that unlocks your computer’s hard drive, so you’re going to want to keep this safe. If your machine has a TPM chip in it, it can use this instead and just have a passphrase. Personally, I prefer the USB key idea due to the physical security aspect, and you can use that method regardless of whether you have a TPM chip or not.
- A backup of your current boot drive, because you’re going to need to reinstall. It sucks, I know, but BitLocker is picky about the drive configuration, and requires one small unencrypted boot drive (1.5GB), and the actual Windows install goes on the larger encrypted partition. Don’t worry - Windows will still retain its C drive.
- Naturally, due to BitLocker’s anal retentiveness, this most likely won’t work in dual boot or other crazy disk configuration settings. This guide assumes you have a single boot drive, with the first partition devoted to your Windows install.
- I’m going to assume some familiarity with installing Windows-based operating systems, and that you know how to do things like start your machine from a CD or DVD, for example. If you need to know the bare basics of how to install Windows, Google up another guide. Sorry.
So now we have the requirements out of the way, let’s get started on installing this mofo.
First, we boot the machine from the Windows Vista installation DVD. Instead of clicking the nice friendly “Install Now” button, we go elsewhere instead. Click on Repair your computer, and follow the prompts by clicking Next (or Load drivers if your machine requires special RAID drivers to boot). If you don’t know whether you need to Load Drivers or not, then you probably don’t, and clicking Next to continue should be fine from here.
You should be presented with the System Recovery Options screen. From here, we select Command Prompt way down the bottom.
And now we have your typical Command Prompt. From here, we type the voodoo magic required to make things run. For your benefit, each command you need to type is listed on its own line, followed by an explanation of what the command means, or is for.
- diskpart
DiskPart is a handy console-based disk partitioner for Windows, much akin to Linux tools such as fdisk or parted. We use this to create BitLocker’s required special partition scheme because the graphical partition editor during setup is too simplified, and because we want to ensure that Windows retains its “C” drive for compatibility’s sake.
- select disk 0
This selects our primary boot disk. In my case, my machine acts a little weird, and my boot disk isn’t always considered to be “disk 0”. What I usually do when installing Windows is unplug all drives except the one I’m installing it on, and just plug those drives back in later. It’s also handy if you accidentally select your important data drive instead of the install drive, and wind up nuking it instead.
- clean
As the name suggests, this wipes all partition information from your drive. Once you’ve reached this step, you can’t go back. Be sure you’re doing this to the correct drive, and take my advice on unplugging ALL drives except the one you’re installing to before doing this.
- create partition primary size=1500
Now that the drive is clean, this is the part where we create the first partition on the drive. For a simplified setup, we can have a 1.5GB boot drive, and leave the rest of the drive for Windows. If this isn’t to your liking, I can explain how to make it a little more complicated in future.
- assign letter=S
Now we assign our new partition a drive letter. For now, it’s S, but when you boot into Windows, it may be D, or any other first available letter. The point is, despite being the boot partition, and the first partition on the disk, this won’t be your C drive, and Windows will be happy.
- active
This sets our boot partition to be the active partition. Partitioning 101: An active partition is the partition that your BIOS looks at first to boot the OS from.
- create partition primary
Now this is out of the way, we create our second partition where Windows will actually reside. This command tells DiskPart to use the remainder of the disk for the second partition. If you don’t like that idea, you can append size=81920 to it, to just give Windows an 80GB partition, and you can always fix up the rest later after installing Windows (which this guide won’t get into). The size parameter is how many megabytes said partition will occupy. I recommend giving Vista at least 80GB to stretch its legs, even if you do keep your data elsewhere.
- assign letter=C
This sets our big partition to C: drive, and keeps Windows and co happy. Technically, Windows should be able to operate normally on any drive, regardless of the letter, but experience in the past has shown what should happen and what does happen to generally be completely different.
- list volume
Now we need to look back and ensure our partitioning scheme is the way it should be. This command displays the partition information, and all other volumes currently attached (ie, DVD drives, other hard drives that you should have unplugged before doing all this, etc, etc). If you followed my instructions to the letter, it should look something like this (the asterisk marks the volume DiskPart currently has selected):

  Volume ###  Ltr  Label        Fs     Type        Size     Status   Info
  ----------  ---  -----------  -----  ----------  -------  -------  --------
  Volume 0     D   LRMCFRE_EN_  UDF    DVD-ROM     2555 MB  Healthy
  Volume 1     S                RAW    Partition   1500 MB  Healthy
* Volume 2     C                RAW    Partition     63 GB  Healthy

- exit
This should be self explanatory. We now exit out of the DiskPart program, but we don’t close down the Command Prompt yet - we can do a couple of things to save some time from here.
- format c: /y /q /fs:NTFS
Now we format C:, we don’t prompt for confirmation (/y), we do it as quick as possible via QuickFormat (/q), and we use NTFS as our file system (/fs:NTFS).
- format s: /y /q /fs:NTFS
We also format S:, same as above.
- exit
...and that’s all we need from the command prompt.
Now, we need to exit from the System Recovery Options window. We do this by clicking the X in the top right hand corner of the window or pressing ALT+F4. We do NOT click on either “Shutdown” or “Restart”, or it’ll undo all that hard work above.
Now we should be back at the install screen once more. From here, we select Install Now and go about installing Vista the usual way (again, it’s beyond the depth of this guide), with one small exception: we (naturally) install to the big ass partition we created earlier. Keep in mind that if you fiddled with the drive sizes or configuration, you need to remember which one is the boot drive (the active partition) and which is the volume you intend to encrypt.
So, that’s everything you need for setting up a BitLocker happy configuration. Now once you’ve got Vista installed, and are ready to rock, there’s only one thing left to do to enable BitLocker on your PC. You need to go to the Start Orb, and under the Start Search prompt, type gpedit.msc.
From here, we go to Administrative Templates, Windows Components, BitLocker Drive Encryption, and double click on Control Panel Setup: Enable advanced startup options.
From here, we change the default of “Not Configured” to Enabled, and we ensure that Allow BitLocker without a compatible TPM is ticked. Then we select OK, and we can close down Group Policy Editor. The change should be pretty much instantaneous, and if it’s not, just reboot and everything should be fine. It should then allow you to set up BitLocker with your USB key of choice. Don’t worry if you’re afraid that for some reason it won’t be able to read from your USB key once you’ve encrypted the drive - BitLocker will check whether or not it can do this before any encryption occurs.
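As an added example (not from the original post, and not a Microsoft tool), here is a PowerShell script that checks the two things this guide sets up before you open the BitLocker control panel: the Group Policy change, read back through the registry values I understand that policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM; confirm against gpedit.msc on your build), and that the active partition is a separate volume from the Windows drive. It assumes an elevated PowerShell prompt on the freshly installed system.

```powershell
# Added example, not part of the original guide. Assumptions: run as
# Administrator on the installed Vista; the two registry values below are
# the ones I understand "Enable advanced startup options" writes.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Required  = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }

function Test-BitLockerPolicy {
    # True only when both policy values are present and set to 1.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $item = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Required.Keys) {
        if ($item.$name -ne $Required[$name]) { return $false }
    }
    return $true
}

function Test-BitLockerLayout {
    # The active (bootable) partition must be its own unencrypted volume;
    # if it is the Windows volume, BitLocker has nowhere unencrypted to boot from.
    $sysDrive = $env:SystemDrive            # normally "C:"
    $ok = $false
    foreach ($part in Get-WmiObject Win32_DiskPartition) {
        if (-not $part.BootPartition) { continue }
        $q = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} " +
             "WHERE AssocClass=Win32_LogicalDiskToPartition"
        $letters = Get-WmiObject -Query $q | ForEach-Object { $_.DeviceID }
        $sizeMB  = [int]($part.Size / 1MB)
        if ($letters -contains $sysDrive) {
            Write-Warning "Active partition is the Windows volume ($sysDrive); a reinstall is needed"
            return $false
        }
        if ($sizeMB -lt 1500) {
            Write-Warning "Active partition is only $sizeMB MB; this guide uses 1500 MB"
        }
        $ok = $true
    }
    return $ok
}

Write-Host ("Policy allows a USB key without TPM : " + (Test-BitLockerPolicy))
Write-Host ("Separate active boot partition       : " + (Test-BitLockerLayout))
```

If the first line prints False, the Group Policy change has not taken effect yet (reboot, as noted above); if the second prints False, the partitioning steps need to be redone from the installation DVD.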
Enjoy, and with any luck, you mightn’t nuke your boot drive!
For those wondering what ever happened to “part 2″ of this, I decided that there didn’t really need to be much more past what’s written here, and just reworded the gpedit.msc bit instead. Yes, I did run this on both my notebook and home PC, and yes, it works fine. Only issue right now is that BitLocker ONLY encrypts the Windows drive and not additional drives - making it somewhat useless for a desktop PC - at least for me, because experience with Windows 2000 and XP has taught me to never put anything I care about on the Windows drive.
In any case, it’s pretty handy for notebook installs, at least. I can now freely do up “Important Passwords Go Here.txt” files and throw them all over my notebook without worry.
I should also mention that I used this TechNet guide as a basis for my guide, only I tried to make it somewhat more user friendly and understandable (ie, more description on what those commands actually did).
I found the built-in help to be extremely unhelpful. It stated that you need a small 1.5GB or so primary volume, and Windows on the larger volume, but didn’t specify anything about how to go about it like my guide does, and it also stated that instead of requiring a TPM, you could use a USB key, but BitLocker seems to be configured to require a TPM - needing you to change its settings in Group Policy to allow for just a USB key. That’s what inspired me to write this guide, as opposed to sending people straight to the TechNet article, and having them come back and go :hurr:
Fantastic blog, keep posting!
thank you for saying
Hey,
Interesting howto, definitely makes the setup process clearer.
Might be worth noting that SP1 for Vista is supposedly going to alter the behavior of BitLocker a bit, so that you can encrypt more than just the startup partition (C:)
Should make it a bit more useful for systems with larger disks that you want to split up, etc, although SP1’s not due out till next year or something.
Great guide, all I had to do was to follow your steps - thanks!
But I would also like to mention that I don’t understand why Microsoft does not offer the option of a USB key plus passphrase. Then I would feel secure; now you just need the USB key, which can be easily stolen. :-(
Microsoft released BitLocker preparation tool and you can use this to prepare partition without reinstalling Windows.