Monday, August 28, 2006 2:34 AM bart

Talking about Windows Vista BitLocker Drive Encryption - important installation notes

The story

In the beta 2 ages of Windows Vista, I decided to give BitLocker Drive Encryption a try. It turned out to be pretty straightforward to turn this feature on (using a USB key for key storage as my laptop lacks a TPM) by just going to the Control Panel, Security and the BitLocker Drive Encryption "snap-in":

A few weeks later, however, I found myself cleaning my whole hard disk, kicking out the Windows XP installation that was still there on another partition and which was barely booted after my Vista Beta 2 installation, and installing build 5472 (which I'm still posting this blog entry in). Switching on BitLocker wasn't so easy this time, however: Vista kept complaining about my hard disk partitioning.

So what's the problem? On my beta 2 installation I had a separate (unencrypted) partition with Windows XP and another one with Windows Vista. During installation, the (new) boot loader ended up on the XP partition. When turning on BitLocker, the entire Vista partition is encrypted and the bootloader is able to detect that booting Vista requires the BitLocker key to be loaded (in my case from USB as there is no TPM in the machine to get the key from).

However, on my 5472 installation, I didn't create such a partition and allocated the entire disk for Vista. So, there was no (unencrypted) place left on the harddisk to put the boot loader in and BitLocker refused to work.

Installing Vista with BitLocker in mind

Check out the following page for more information: http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx#BKMK_S1. It guides you through the diskpart work you have to do prior to setup in order to get BitLocker to work properly. Notice that the Windows Vista setup is fully Windows-based (thanks to Windows PE) and things such as recovery are now fully GUI-based. Vista brings clarity, even to the setup :-). In short, this is what you should do:

  • Make one primary partition for the Vista installation and assign it drive letter C
  • Shrink that partition by 1.5 GB (I wonder why this should be so much)
  • Make a second primary partition on the 1.5 GB of free space and assign it drive letter S
  • Format both partitions as NTFS
  • Install Vista on C
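
The steps above written out as a diskpart script, added here as an example and not taken from the original post or the linked guide. It assumes the target is disk 0 and that the disk may be wiped; it is run from the Windows PE command prompt before setup with diskpart /s followed by the script file name.

```diskpart
rem Added example: diskpart script for the partition layout listed above.
rem Assumption: the target is disk 0 and it holds nothing you need.
select disk 0

rem "clean" removes every existing partition on the selected disk.
clean

rem One primary partition spanning the disk; this becomes the Vista volume.
create partition primary
assign letter=C

rem Free 1.5 GB (1500 MB) at the end of C for the unencrypted boot partition.
shrink minimum=1500

rem Second primary partition in the freed space; it will hold the boot loader.
create partition primary

rem Mark it active so the machine starts the boot loader from this partition.
active
assign letter=S

rem Confirm that both C and S are listed before leaving diskpart.
list volume

rem After "exit", format both volumes as NTFS from the same command prompt:
rem   format C: /fs:NTFS /q
rem   format S: /fs:NTFS /q
exit
```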

Turning on BitLocker should now be as easy as clicking through a few dialogs and waiting for disk encryption to complete (in the meantime you can just continue to work).

Check out the BitLocker team blog at http://blogs.technet.com/bitlocker/ too. There is some very good news in there regarding this partitioning requirement. It appears the team is working on a (re-)partitioning tool to make the system BitLocker-ready after installation. Fingers crossed to see the result in a later build...

You might wonder what goes on the S: partition. The answer is the boot loader, which is completely revamped compared to Windows NT <= 5.2. No boot.ini anymore. This is what my S drive looks like:

S:\>dir /a /S
 Volume in drive S has no label.
 Volume Serial Number is 78B8-4F3A

 Directory of S:\

26/07/2006  01:17    <DIR>          Boot
14/07/2006  08:40           432.696 bootmgr
26/07/2006  01:17             8.192 BOOTSECT.BAK
               2 File(s)        440.888 bytes

 Directory of S:\Boot

26/07/2006  01:17    <DIR>          .
26/07/2006  01:17    <DIR>          ..
27/08/2006  23:36            24.576 BCD
27/08/2006  23:36            21.504 BCD.LOG
26/07/2006  01:17                 0 BCD.LOG1
26/07/2006  01:17                 0 BCD.LOG2
14/07/2006  15:25             1.024 bootfix.bin
26/07/2006  01:17            65.536 bootstat.dat
26/07/2006  01:17    <DIR>          en-US
14/07/2006  08:22           219.648 fixfat.exe
14/07/2006  08:22           231.936 fixntfs.exe
26/07/2006  01:17    <DIR>          Fonts
14/07/2006  08:37           381.512 memtest.exe
               9 File(s)        945.736 bytes

 Directory of S:\Boot\en-US

26/07/2006  01:17    <DIR>          .
26/07/2006  01:17    <DIR>          ..
14/07/2006  15:25            61.440 bootmgr.exe.mui
14/07/2006  15:26            35.840 memtest.exe.mui
               2 File(s)         97.280 bytes

 Directory of S:\Boot\Fonts

26/07/2006  01:17    <DIR>          .
26/07/2006  01:17    <DIR>          ..
06/07/2006  17:16         3.694.184 chs_boot.ttf
06/07/2006  17:16         3.876.932 cht_boot.ttf
06/07/2006  17:16         1.984.144 jpn_boot.ttf
06/07/2006  17:16         2.371.272 kor_boot.ttf
06/07/2006  17:16            47.556 wgl4_boot.ttf
               5 File(s)     11.974.088 bytes

     Total Files Listed:
              19 File(s)     13.458.233 bytes
              18 Dir(s)   1.522.487.296 bytes free

A few interesting things are the memtest.exe that can test your RAM for problems (which used to be a Microsoft Online Crash Analysis tool in the past, see http://oca.microsoft.com/en/windiag.asp for a free download of it), the fixntfs.exe program (what's in a name?) and the directory structure as a whole. This whole thing goes by the name "Boot Configuration Data Store" or BCD store. More information on the BCD and the bcdedit tool that comes with Vista (as a replacement for the boot.ini-related recovery console tools in the past) can be found at http://www.microsoft.com/technet/windowsvista/library/85cd5efe-c349-427c-b035-c2719d4af778.mspx.

On to Windows Vista RC1. Last week I downloaded build 5536, which is still pre-RC1 and which I intend to install on my second machine. Once the final RC1 build hits the road, it will become my day-to-day OS on this machine.

Have fun!


Comments

# re: Talking about Windows Vista BitLocker Drive Encryption - important installation notes

Friday, October 13, 2006 2:30 PM by Green_Monkey23

Sorry for your time.... Why can't I see images on this resource?
My Browser is: Opera.
Thank you.

# re: Talking about Windows Vista BitLocker Drive Encryption - important installation notes

Sunday, October 15, 2006 8:48 PM by bart

No idea; images are just plain .jpg files available via HTTP directly - http://www.bartdesmet.net/images/bitlocker.jpg

-Bart