Walkthrough: Build a BitLocker Drive Encryption Solution
This topic highlights the requirements for deploying a BitLocker Drive Encryption solution. For a complete description and step-by-step instructions on using BitLocker, see BitLocker Drive Encryption on the Microsoft TechNet Web site. For a complete set of hardware and firmware requirements to support BitLocker, see Windows Vista Bitlocker Client Platform Requirements.
What is BitLocker Drive Encryption?
BitLocker Drive Encryption is a new feature in the Windows Vista operating system that protects data and the operating system while the computer is offline. BitLocker helps to ensure that data stored on a computer running Windows Vista is not revealed if the computer is tampered with while the installed operating system is offline. It uses a Trusted Platform Module (TPM) to provide enhanced protection for your data and to verify the integrity of early boot components. By encrypting the entire Windows volume, it helps to protect your data from theft or unauthorized viewing.
BitLocker is designed to offer the most seamless end-user experience with computers that have a compatible TPM microchip and BIOS. A compatible TPM is defined as a version 1.2 TPM with any appropriate BIOS modifications required to support the Static Root of Trust Measurement as defined by the Trusted Computing Group. The TPM interacts with BitLocker to help provide seamless protection when the computer restarts.
BitLocker is available in Windows Vista Enterprise and Windows Vista Ultimate editions and in Windows Server® 2008.
To add the TPM driver to Windows PE, see Add a Device Driver to an Online Windows PE Image. The path to the TPM driver is %WINDIR%\Inf\Tpm.inf.
BitLocker Drive Encryption Partitioning Requirements
BitLocker requires an active partition that is separate from the Windows Vista partition. When BitLocker is enabled, the entire Windows Vista partition is encrypted; the active partition is not.
The separate active partition contains critical Windows boot files and must have the following properties:
- Be at least 1.5 gigabytes (GB)
- Not be encrypted or used to store user files
Only a small portion of the space on the active partition is used to store Windows boot files. The unused space supports the setup, upgrade, and servicing of Windows.
Recovery files can share the active partition with existing Windows boot files. When sharing this partition, keep at least 700 megabytes (MB) of free space available for use by Windows. For more information on disk configurations, see Preinstallation Design.
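A diskpart script that produces this layout from Windows PE, as an added example that is not part of the original topic; it assumes the target is disk 0 and that drive letters S and C are free:

```batch
@echo off
rem Added example, not part of the original topic. Creates the partition
rem layout BitLocker requires, using diskpart from Windows PE. Assumes the
rem target is disk 0 and that drive letters S and C are free.
rem "clean" removes every partition on disk 0, so run this only on the
rem machine being provisioned.

set SCRIPT=%TEMP%\bitlocker-partitions.txt

> "%SCRIPT%" (
  echo select disk 0
  echo clean
  rem Active system partition: holds the unencrypted boot files. 1.5 GB is
  rem 1536 MB in diskpart units; it stays unencrypted and carries no user data.
  echo create partition primary size=1536
  echo assign letter=S
  echo active
  echo format quick fs=ntfs label="System"
  rem Windows partition: takes the rest of the disk. This is the volume
  rem that BitLocker encrypts once it is enabled.
  echo create partition primary
  echo assign letter=C
  echo format quick fs=ntfs label="Windows"
  rem Show the result so the active flag and sizes can be checked before Setup.
  echo list partition
  echo list volume
  echo exit
)

diskpart /s "%SCRIPT%"
```

Run it from the Windows PE command prompt before starting Windows Setup, and confirm in the list partition output that the 1536 MB partition carries the active flag.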