Encrypting the hard disk with BitLocker on Windows Server 2008 or Windows Vista

This is one of the new features of Windows Server 2008, also available in Windows Vista: the ability to encrypt the whole hard disk so that no data can be extracted from it, since everything is encrypted. We can store the key on a USB pendrive or on a diskette; without it, the disk cannot be decrypted or even booted. The typical case is someone booting our computer from a LiveCD tool to pull out some data or break the Windows password. It is ideal for when you travel to the USA and they take the laptop away from you at customs, hehe, although they may ask you for the key or... pull out the rubber glove ;), but in principle the information cannot be accessed because it is encrypted.

BitLocker optionally uses a Trusted Platform Module (TPM) for enhanced data protection. It can also be used on computers without a compatible TPM; in that case we get volume encryption but not the added security of validating the integrity of the boot files before startup. For that we will use a USB drive or diskette to validate the user's identity at boot. In summary:

With a TPM there are two modes. One, TPM only: it is transparent to the user and does not change the logon process. However, if the TPM is missing or has been modified, BitLocker enters recovery mode and you need a recovery password or recovery key to regain access to the data. Two, TPM with startup key: you need a startup key to log on to the computer. This key can be physical (a USB flash drive holding a key the computer can read) or personal (a key set by the user).

And without a TPM (the case shown in this document): a startup key on a USB flash drive. The user inserts the USB drive into the computer before turning it on, and the key on the pendrive unlocks the computer.

Well, let's get started. To encrypt a disk with BitLocker Drive Encryption, first of all we have to partition the disk before installing the operating system, because two partitions are needed. The first partition (the system volume) holds the boot information in an unencrypted space. The second partition (the operating system volume) is encrypted and contains the operating system and the user data. So we create these partitions before installing Windows Server 2008 or Windows Vista.

We boot the computer from the Windows CD and the installation wizard starts; “Next”,

click on “Repair your computer”,


click “Command Prompt”, since we will create both partitions from the command line.

Good, we must create the two partitions: the first with a minimum of 1.5 GB and the second with the rest of the disk space, because that is where Windows will be installed and where our encrypted data will live. From the command prompt, run “diskpart” to enter the Microsoft partitioning utility. Select the hard disk to partition; if we have just one, we type “select disk 0” > “clean” > “create partition primary size=1500” > “assign letter=S” > “active” > “create partition primary” > “assign letter=C” > “list volume”. With this we create the 1.5 GB partition that BitLocker needs and a partition C: where we will install Windows, and we leave DiskPart with “exit”,

What we have to do now is format both partitions as NTFS; for that:
“format c: /y /q /fs:NTFS” and “format s: /y /q /fs:NTFS”
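The whole partitioning step above, put into a script so it can be repeated on several machines, as an added example that is not part of the original post. It feeds DiskPart a script file with the same commands the post types interactively, shows what is on the disk and asks for confirmation before “clean” wipes it, and then formats both volumes. The disk number is passed by the operator (the post assumes disk 0), and the /v labels are my own addition so that format does not stop to ask for a volume label.

```batch
@echo off
rem Added example (not from the original post): creates the two partitions
rem BitLocker needs on a blank disk from the Windows Setup command prompt and
rem formats both as NTFS.
rem Usage: bitlocker-parts.cmd <disk number>     e.g. bitlocker-parts.cmd 0
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<disk number^>
    exit /b 1
)
set "DISK=%~1"
set "SCRIPT=%TEMP%\bde-parts.txt"

rem "clean" destroys every partition on the disk, so list it and confirm first.
(
    echo select disk %DISK%
    echo detail disk
) > "%SCRIPT%"
diskpart /s "%SCRIPT%"
set /p CONFIRM=Type YES to wipe disk %DISK% and create the BitLocker layout:
if /i not "%CONFIRM%"=="YES" exit /b 1

rem System volume S: (1.5 GB, stays unencrypted, marked active so the machine
rem boots from it) and operating system volume C: (rest of the disk, the one
rem BitLocker will encrypt). Same commands as the interactive session in the post.
(
    echo select disk %DISK%
    echo clean
    echo create partition primary size=1500
    echo assign letter=S
    echo active
    echo create partition primary
    echo assign letter=C
    echo list volume
) > "%SCRIPT%"
diskpart /s "%SCRIPT%" || exit /b 1

rem Quick NTFS format of both volumes. /y skips the confirmation prompt (as in
rem the post); /v sets the label so format does not prompt for one (my addition).
format S: /y /q /fs:NTFS /v:System
format C: /y /q /fs:NTFS /v:Windows
del "%SCRIPT%"
endlocal
```

Run it from the “Command Prompt” of the System Recovery Options, the same place the post runs diskpart; afterwards “list volume” in the DiskPart output should show S: at 1.5 GB marked active and C: with the remaining space.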

We leave the command prompt with “exit”,

Careful: now we must leave the System Recovery Options by clicking the “X” of the window 😉 to continue with the installation of the OS.

We follow the normal wizard to install our computer, so click on “Install now”,

We will see the partitions we created with DiskPart; select the large one, which is where we will install Windows Server 2008 or Windows Vista, “Next”, and we continue with the rest of the Windows Setup wizard. Once the installation is finished we continue with this document.

OK, once Windows is installed, let's turn on BitLocker, but first we have to install it, because it is a new feature in Windows. Open “Server Manager” and go to “Features” > “Add Features”,

check “BitLocker Drive Encryption” and “Next”,

OK, click on “Install” to install it…

Good, we must restart the computer for what we just installed to take effect, so click on “Close”,

And we restart now or when we can,

After restarting, the BitLocker installation wizard resumes and confirms that the installation was successful. “Close”,

Well, now we activate it. To do so, go to “Control Panel”, where under “Security” we click on “BitLocker Drive Encryption”,

It tells us that our computer does not have a compatible TPM chip, so we have no choice but to use an encryption key on a USB device or diskette. Hmm.

Well, we will allow BitLocker to be used without a compatible TPM chip. We can do this, for example, by editing the local computer policy: “Start” > “Run” > “gpedit.msc” and “OK”.

Go to “Computer Configuration” > “Administrative Templates” > “Windows Components” > “BitLocker Drive Encryption”, and edit the policy “Control Panel Setup: Enable advanced startup options”.

We enable it and check “Allow BitLocker without a compatible TPM”, and set “Configure TPM startup key option” and “Configure TPM startup PIN option” to “Allow user to create or skip” depending on whether we are interested. Of course, the GPO we are editing here could also be modified at Active Directory level for all the computers on our network.

Once modified, we close the MMC and refresh the policies with “gpupdate /force”,
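Before going back to the Control Panel it is worth confirming that the policy actually landed on the machine, which is useful when the GPO comes from Active Directory rather than gpedit.msc. The following script is an added example, not from the original post: it reads the registry values that back the “Enable advanced startup options” policy and reports whether BitLocker without a TPM is allowed. The key path HKLM\SOFTWARE\Policies\Microsoft\FVE and the value names UseAdvancedStartup, EnableBDEWithNoTPM, UseTPMKey and UseTPMPIN, with 1 meaning enabled for the first two and 0 / 1 / 2 meaning do not allow / require / allow user to create or skip for the last two, are my understanding of the BitLocker administrative template and should be checked against the template on your system.

```batch
@echo off
rem Added example, not from the original post: audits the registry values behind
rem the "Control Panel Setup: Enable advanced startup options" policy.
rem Assumption: values live under HKLM\SOFTWARE\Policies\Microsoft\FVE as
rem UseAdvancedStartup / EnableBDEWithNoTPM (1 = enabled) and
rem UseTPMKey / UseTPMPIN (0 = do not allow, 1 = require, 2 = allow user to create or skip).
setlocal enabledelayedexpansion
set "KEY=HKLM\SOFTWARE\Policies\Microsoft\FVE"

call :read UseAdvancedStartup ADV
call :read EnableBDEWithNoTPM NOTPM
call :read UseTPMKey TPMKEY
call :read UseTPMPIN TPMPIN

echo Enable advanced startup options : [!ADV!]
echo Allow BitLocker without TPM      : [!NOTPM!]
echo TPM startup key option           : [!TPMKEY!]
echo TPM startup PIN option           : [!TPMPIN!]

if "!ADV!"=="1" if "!NOTPM!"=="1" (
    echo OK: this machine may turn on BitLocker with a USB startup key and no TPM
    exit /b 0
)
echo NOT CONFIGURED: edit the policy in gpedit.msc ^(or the domain GPO^) and run "gpupdate /force"
exit /b 1

rem :read <value name> <variable> - stores the DWORD as a decimal number, or
rem "(not set)" when the policy value does not exist. reg query prints the data
rem in hex (0x1), which set /a converts for us.
:read
set "%~2=(not set)"
for /f "tokens=3" %%V in ('reg query "%KEY%" /v %~1 2^>nul ^| findstr /i "%~1"') do (
    set /a "%~2=%%V"
)
goto :eof
```

Run it after “gpupdate /force”; if it still reports “(not set)”, the policy has not been applied to this computer and the Control Panel will keep refusing to enable BitLocker without a TPM.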

Once done, we go back to “Control Panel” > “BitLocker Drive Encryption”, and now we can activate BitLocker from “Turn On BitLocker”,

we click on “Continue with BitLocker Drive Encryption”,

We will store the startup key on a USB device by checking “Require USB startup key at every startup”,

We insert a USB memory stick into the computer and click on “Save”,

Besides this, we can save the recovery password on the same USB device, in a network folder, or print it directly; this is for when the computer gets locked at startup. In my case I'll check “Save the password on a USB drive”,

Same as before, we insert the pendrive and “Save”,

Once saved, click on “Next”,

And now we could encrypt the disk volume or partition by checking “Run BitLocker system check” and “Continue”. In my case I will not do it through the GUI, so that we can see the commands available from the command line.

In this case, instead of saving the key to a USB device, we save it to a floppy disk, so with this script we activate the encryption of our disk while keeping the startup key on the floppy: “cscript C:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:” (-on indicates the volume to encrypt; -rp indicates that a numerical recovery password is used, and -sk indicates where the startup key is saved),

Once the command has run and the key is on the diskette, we should write down the recovery password (the one it shows us) to have it at hand if needed, in case the startup key is lost. We restart the computer to run the hardware test,

Once the computer has restarted, if we run the script “cscript C:\Windows\System32\manage-bde.wsf -status” we can check the status of the BitLocker encryption. Here we see that the disk is not fully encrypted yet, it is at 47%; we give it time to finish…

OK, done, 128-bit AES encryption on my disk!

We can also check it from the Disk Manager, which indicates that it is “BitLocker Encrypted”,

And we can also disable BitLocker whenever we want, from the “Control Panel” or from the command line: “cscript C:\Windows\System32\manage-bde.wsf -protectors -disable C:”
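Since “-protectors -disable” leaves the volume readable without any key, and “-on” takes a while to reach 100%, it is handy to have a check that tells us at a glance whether the operating system volume is really fully encrypted and protected. The following script is an added example, not from the original post: it calls the same manage-bde.wsf script used above, parses the “-status” output and lists the key protectors, exiting with code 1 when the volume is not fully encrypted or protection is off. It assumes the English field labels “Conversion Status:”, “Percentage Encrypted:” and “Protection Status:”, each on its own line, and the values “Fully Encrypted” and “Protection On”; check them against the output on your system.

```batch
@echo off
rem Added example, not from the original post: reports whether a BitLocker volume
rem is fully encrypted with protection on, and lists its key protectors.
rem Exit code 0 = fully encrypted and protected; 1 = not (or no BitLocker status).
rem Assumption: "-status" prints "Conversion Status:", "Percentage Encrypted:"
rem and "Protection Status:" on their own lines.
rem Usage: bde-check.cmd [volume]     (default C:)
setlocal
set "VOL=%~1"
if "%VOL%"=="" set "VOL=C:"
set "BDE=cscript //nologo %SystemRoot%\System32\manage-bde.wsf"
set "OUT=%TEMP%\bde-status.txt"

%BDE% -status %VOL% > "%OUT%"
call :field "Conversion Status" CONV
call :field "Percentage Encrypted" PCT
call :field "Protection Status" PROT
del "%OUT%"

echo Volume %VOL%: conversion=[%CONV%] encrypted=[%PCT%] protection=[%PROT%]

rem The protectors (startup key, recovery password) are what unlock the volume;
rem listing them here makes a missing or disabled protector visible early.
%BDE% -protectors -get %VOL%

if /i not "%CONV%"=="Fully Encrypted" (
    echo FAIL: %VOL% is not fully encrypted ^(%PCT%^)
    exit /b 1
)
if /i not "%PROT%"=="Protection On" (
    echo FAIL: protectors on %VOL% are disabled, the volume unlocks without a key
    exit /b 1
)
echo OK: %VOL% is fully encrypted and protected
exit /b 0

rem :field <label> <variable> - copies the text after "<label>:" into <variable>
rem with leading spaces removed, or leaves it empty if the label is not found.
:field
set "%~2="
for /f "tokens=2 delims=:" %%A in ('findstr /c:"%~1:" "%OUT%"') do (
    for /f "tokens=*" %%B in ("%%A") do set "%~2=%%B"
)
goto :eof
```

While the conversion is still running (the 47% seen above) the script fails with the percentage; once it reports OK, the “Disable” command from the previous paragraph is exactly what would flip it back to a failure, so the same check works as a quick audit after any change to the protectors.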

Or we can duplicate either key, the recovery password or the startup key.

Well, once the disk is encrypted, when we start the computer we see how it asks us for the startup key, on the USB device or the diskette; we insert it and that's it, we can boot.


If we boot any Linux distro, we see that it no longer mounts the NTFS partition automatically, as it is unreadable to it,

Or if we try to mount it manually, we see how it fails (in the example it mounts the D: disk correctly, but not C:, as it is encrypted).

This procedure is fully compatible with virtual machine environments, if we want to encrypt the virtual hard disk of a virtual machine, whether in VMware, XenServer or Hyper-V.

Latest posts by Hector Herrero (see all)