At this point, after rebooting, you're actually ready to start BitLocker itself and begin the drive encryption...
process. Be prepared for this phase of the setup to take a very long time, possibly several hours depending on how much there is on the drive. However, the computer will still be useable during this time -- it may just function very slowly. My recommendation is not to do anything with the machine until the encryption process is finished.
To start the encryption process:
- Click Start and type BitLocker in the Search box. Select BitLocker Drive Encryption. (You can also launch BitLocker from the Control Panel.)
- You should at this point see a list of all available volumes (typically C:) that can be encrypted with BitLocker. If you see a warning in yellow -- for instance, a warning that there is no TPM hardware present -- then go back and make sure you did the previous setup steps correctly.
- Click Turn on BitLocker for the system drive (again, typically C:) to begin configuring BitLocker for that drive.
- You'll next be presented with a series of options: Use BitLocker without additional keys, Require PIN at every startup and Require Startup USB Key at every startup. Only the last item (Require Startup USB Key) should be highlighted, so click it to begin.
- The Save your Startup Key window should appear. Insert the USB removable drive you will use to store the TPM key and wait for its drive letter to show up in the window. (If no drive letter shows up, it may not be formatted.)
- Click Save to save the startup key.
- You'll then have the option to save the BitLocker recovery password to different places: a folder, a USB drive or as a printed document. Save at least two copies of the recovery password for now; you can always make more backups later, or delete some of the ones you've made now.
Note: You can save the recovery password to the same USB drive you use to store the startup key, but it isn't a good idea. If someone else comes across the drive, the person doesn't even need to boot your machine with the drive anymore to know how to compromise it.
Note #2: Don't use the startup key for anything other than starting up Vista if you can help it. I believe it is possible to write-protect the startup key once it's been created and use it that way with no ill effects. That should further discourage you from using it for something else and then possibly damaging it.
- On the next page you'll be given the option of running a BitLocker Check. This reboots the system and insures that the BitLocker startup key can be read at boot time. If you're not sure if your system supports booting via USB, run this test. The system will reboot, and if the test is unsuccessful, you'll get a warning the next time Vista starts up. If that happens, the only way you'll be able to boot the system after it's encrypted is with the recovery password.
Note: If you fail the BitLocker check and want to encrypt the drive anyway, you'll need to go through the steps in this section again and opt out of running the BitLocker Check. Also, make sure the drive has been connected via a USB port that can be read at boot time in the first place.
- At this point you'll be given the option to actually start the encryption process. When you do, you'll see a progress bar, and you can pause and resume the encryption process if you need to. Don't shut down or reboot the system until the encryption process is finished.
- When the encryption process finishes, you can then reboot the machine. On each subsequent boot, you must have the BitLocker USB key plugged in and visible to the computer at boot time or you'll be prompted to type the recovery password to continue.
Use BitLocker on a non-TPM system
Step 1: Know your hardware
Step 2: Configure the drives
Step 3: Edit the local policy
Step 4: Start the BitLocker encryption process
About the author: Serdar Yegulalp is editor of the Windows Power Users Newsletter. Check it out for the latest advice and musings on the world of Windows network administrators -- and please share your thoughts as well!