Tip: Enable BitLocker on USB Flash Drives to Protect Data
Encrypting USB flash drives protects the data stored on the volume. Any USB flash drive formatted with FAT, FAT32, or NTFS can be encrypted with BitLocker. The length of time it takes to encrypt a drive depends on the size of the drive, the pro¬cessing power of the computer, and the level of activity on the computer.
Follow Our Daily Tips
Tell Us Your Tips
Before you enable BitLocker, you should configure the appropriate Removable Data Drive policies and settings in Group Policy and then wait for Group Policy to be refreshed. If you don’t do this and you enable BitLocker, you might need to turn BitLocker off and then turn BitLocker back on because certain state and manage¬ment flags are set when you turn on BitLocker.
To be sure that you can recover an encrypted volume, you should allow data-recovery agents and store recovery information in Active Directory. If you use a flash drive with earlier versions of Windows, the Allow Access To BitLocker-Protected Removable Data Drives From Earlier Versions Of Windows policy can ensure that you have access to the USB flash drive on other operating systems and computers. Unlocked drives are read-only.
To enable BitLocker encryption on a USB flash drive, do the following:
1. Insert the USB flash drive, click Start, and then click Computer.
2. Right-click the USB flash drive, and then click Turn On BitLocker. BitLocker initializes the drive.
3. On the Choose How You Want To Unlock This Drive page, choose one or more for the following options, and then click Next:
- Use A Password To Unlock This Drive Select this option if you want the user to be prompted for a password to unlock the drive. Passwords allow a drive to be unlocked in any location and to be shared with other people.
- Use My Smart Card To Unlock The Drive Select this option if you want the user to use a smart card and enter the smart card PIN to unlock the drive. Because this feature requires a smart card reader, it is normally used to unlock a drive in the workplace and not for drives that might be used outside the workplace.
4. On the How Do You Want To Store Your Recovery Key page, click Save The Recovery Key To A File.
5. In the Save BitLocker Recovery Key As dialog box, choose a save location, and then click Save.
6. You can now print the recovery key if you want to. When you have finished, click Next.
7. On the Are You Ready To Encrypt This Drive page, click Start Encrypting. Do not remove the USB flash drive until the encryption process is complete. How long the encryption process takes depends on the size of the drive and other factors.
The encryption process does the following:
1. Adds an Autorun.inf file, the BitLocker To Go reader, and a Read Me.txt file to the USB flash drive.
2. Creates a virtual volume with the full contents of the drive in the remaining drive space.
3. Encrypts the virtual volume to protect it.USB flash drive encryption takes approximately 6 to 10 minutes per gigabyte to complete. The encryption process can be paused and resumed provided that you don’t remove the drive.
As a result, when AutoPlay is enabled and you insert the encrypted drive into a USB slot on a computer running Windows 7, Windows 7 runs the BitLocker To Go reader, which in turn displays a dialog box. When you are prompted, enter the password, smart card PIN, or both to unlock the drive. Option¬ally, select Automatically Unlock On This Computer From Now On to save the password in an encrypted file on the computer’s system volume. Finally, click Unlock to unlock the volume so that you can use it.
From the Microsoft Press book Windows 7 Administrator’s Pocket Consultant by William R. Stanek.
Looking for More Tips?
For more tips on Windows 7 and other Microsoft technologies, visit the TechNet Magazine Tips library.