
yet another Microsoft blogger

# Tuesday, March 20, 2007

BitLocker

I have been meaning to blog about BitLocker since I set it up on my new ThinkPad T60. Why did I use BitLocker? If my laptop is stolen, my hard drive will just look like a bunch of unintelligible 1s and 0s. I would not use BitLocker on a desktop machine, but for a laptop, especially one with confidential Microsoft info, it's a no-brainer.

BUT WHERE WAS THE BIG FAT EASY BUTTON?

Setting up BitLocker was a PITA for me. I followed the step-by-step instructions to enable BitLocker, but each time I installed Vista I was told my drive configuration was not suitable. Finally I gave up, created a big fat partition and installed Vista. I then got the new Windows Vista Ultimate Extras BitLocker enhancement, and it did all the dirty work for me. Why oh why didn't I know about this first? It would be nice if the TechNet article mentioned this easy tool.

Anyhoo, I write this today because Lifehacker has an article comparing BitLocker to Apple's FileVault. Now I dig and respect Lifehacker, but Gina totally missed the most important aspect of BitLocker. YOU DON'T NEED A USB KEY to use BitLocker. My laptop came with a Trusted Platform Module (TPM chip). Most PCs come with one these days. They are usually disabled in the BIOS, so you must turn them on (not sure why they are disabled, as they are pretty benign when not being used). In fact, I would never have considered BitLocker if I had to use a USB key (BitLocker does allow you to use a PIN and/or USB key in addition to the TPM chip).

Anyway, with a TPM chip the "key" is essentially a chip on the motherboard. However, if the system detects a significant change, it will force you to manually enter the key and disable/re-enable BitLocker. This ensures that if someone lifts your laptop and takes out your hard drive, it won't be readable. This mode of operation is called Transparent Operation Mode:

Transparent operation mode: This mode leverages the capabilities of the TPM 1.2 hardware to provide for a transparent user experience – the user logs onto Windows Vista as normal. The key used for the disk encryption is sealed (encrypted) by the TPM chip and will only be released to the OS loader code if the early boot files appear to be unmodified. The pre-OS components of BitLocker achieve this by implementing a Static Root of Trust Measurement – a methodology specified by the Trusted Computing Group.

I had to experience this first hand the other day when some kind of change caused my BIOS to think that my machine had changed enough to require me to enter my key (I suspect it was one of the early boot files being modified by an OS update). Now you can insert a USB keychain with your key (which didn't work for me, not sure why, need to muck with the BIOS to find out) or enter it manually from a printout, or in my case from the key that was backed up to the Windows Marketplace Digital Locker (another Vista Ultimate Extra).
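To make the sealing behaviour concrete, here is an added simulation (not code from this post, from BitLocker or from any TPM library): each early-boot component is measured into a PCR, the volume key is sealed to the expected PCR value, a changed boot file yields a different PCR so the unseal fails, and the separately protected recovery key is the way back in. The SRK, PCR size, boot component names and the XOR-with-HMAC wrapping are constructed stand-ins that only model the unseal check, not the real scheme.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for the TPM's Storage Root Key, which never leaves the chip.
TPM_SRK = hashlib.sha256(b"constructed-srk-secret").digest()
PCR_INIT = b"\x00" * 20  # TPM 1.2 PCRs are SHA-1 sized

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot_chain(components: List[bytes]) -> bytes:
    """Static root of trust: every early-boot component is measured, in order."""
    pcr = PCR_INIT
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr

def _wrap(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy wrapping: XOR with an HMAC-derived pad (assumption, not the real TPM/BitLocker format)."""
    pad = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def seal_to_pcr(volume_key: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Seal the volume key to the PCR value measured from the trusted boot chain."""
    return expected_pcr, _wrap(TPM_SRK, expected_pcr, volume_key)

def unseal(sealed: Tuple[bytes, bytes], current_pcr: bytes) -> Optional[bytes]:
    """The TPM releases the key only when the current PCR equals the sealed-to value."""
    expected_pcr, blob = sealed
    if not hmac.compare_digest(expected_pcr, current_pcr):
        return None  # boot chain changed: BitLocker drops into recovery
    return _wrap(TPM_SRK, expected_pcr, blob)

def recover(recovery_blob: bytes, recovery_key: bytes) -> bytes:
    """Second protector: the printed or backed-up recovery key unwraps the same volume key."""
    return _wrap(recovery_key, b"recovery", recovery_blob)

def demo() -> Tuple[bool, bool, bool]:
    volume_key, recovery_key = os.urandom(32), os.urandom(32)
    trusted_chain = [b"bios-firmware", b"mbr", b"bootmgr", b"winload"]  # constructed names
    sealed = seal_to_pcr(volume_key, measure_boot_chain(trusted_chain))
    recovery_blob = _wrap(recovery_key, b"recovery", volume_key)
    normal_boot = unseal(sealed, measure_boot_chain(trusted_chain))
    patched_chain = [b"bios-firmware", b"mbr", b"bootmgr-updated", b"winload"]  # an OS update
    after_update = unseal(sealed, measure_boot_chain(patched_chain))
    recovered = recover(recovery_blob, recovery_key)
    return normal_boot == volume_key, after_update is None, recovered == volume_key

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```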

So, while it's nice that Gina gave BitLocker the win over FileVault, she neglects the two coolest features:

  • Support for the TPM and hardware key
  • Support for backup of your key to the Digital Locker on Windows Market Place

BTW, if you do use BitLocker with a TPM, I highly recommend that you keep a copy of your key somewhere you can get to it when all you have is your laptop. In my case I store the key on my Samsung Blackjack using eWallet. I would be pissed if I were on a plane, tried to boot my laptop and got locked out.


Tuesday, March 20, 2007 8:43:48 PM (Pacific Daylight Time, UTC-07:00)
Windows Marketplace digital locker, oh yeah baby :)
