Enabling BitLocker Drive Encryption on Additional Data Volumes
There might be situations when BitLocker Drive Encryption is warranted not only on the volume containing the operating system files, but also on the data volumes. This is especially common with domain controllers in branch offices, where a lack of physical security and the risk of theft are concerns.
When a data volume is encrypted with BitLocker, it receives its own full-volume encryption key; the keys generated for the operating system volume are not reused for the data volume. The encryption process itself, however, is much the same as for the operating system volume.
Follow these steps to enable BitLocker Drive Encryption for server data volumes:
1. Click Start, Run, and then type cmd. Click OK to launch a command prompt (the command must run with administrator rights).
2. From within the command prompt, type manage-bde -on <volume>: -rp -rk <removable drive>:\.
Note
Replace the <volume> argument with the drive letter of the volume that you want to encrypt. Replace the <removable drive> argument with the drive letter of a USB device; the -rk switch writes the recovery key file to that device. The -rp switch generates a 48-digit numerical recovery password, which is displayed on screen and should be recorded and stored somewhere other than the server itself (for example, in Active Directory or another key escrow system).
The data volume must be unlocked each time the server is rebooted. This can be accomplished through a manual or automatic process. Manually unlocking a data volume after a restart is done with manage-bde -unlock and one of two options: the first option supplies the recovery password (-rp), whereas the second passes the recovery key file (-rk) to decrypt the data volume. Alternatively, automatic unlocking of a data volume can be enabled with the following syntax at the command prompt:
manage-bde -autounlock -enable <volume>:
This command creates an external key for the data volume and stores it on the operating system volume, so the data volume is automatically unlocked after each system reboot. Automatic unlocking is only available when the operating system volume is itself protected by BitLocker, and it makes the data volume exactly as secure as the operating system volume: once the operating system volume unlocks at boot, the data volume unlocks with it and is no longer guarded by a separate key.
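The procedure above, enabling BitLocker on a data volume, unlocking it manually after a reboot, and enabling auto-unlock, wrapped in PowerShell around manage-bde. This is an added example, not code from the original page; the function names and the D: and F: drive letters are this example's own assumptions, and it has to run from an elevated prompt on a Windows host. The auto-unlock function refuses to proceed unless the operating system volume is already protected, which is the check a practitioner would want before storing the data volume's key there.

```powershell
# Added example: wraps manage-bde for a data volume. Function names and the
# D: / F: drive letters are assumptions of this example, not from the text.
# Run from an elevated prompt on a Windows host with BitLocker available.

function Invoke-ManageBde {
    # Runs manage-bde with the given arguments and returns its output as one string.
    param([string[]]$Arguments)
    $output = & manage-bde.exe @Arguments 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

function Enable-DataVolumeBitLocker {
    # Step 2 of the text: manage-bde -on <volume>: -rp -rk <removable drive>:\
    # Returns the 48-digit numerical recovery password so it can be escrowed.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$Volume,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$RemovableDrive
    )
    if (-not (Test-Path "${RemovableDrive}:\")) {
        throw "Removable drive ${RemovableDrive}: is not present; the recovery key cannot be saved."
    }
    $out = Invoke-ManageBde -Arguments @('-on', "${Volume}:", '-RecoveryPassword',
                                         '-RecoveryKey', "${RemovableDrive}:\")
    # manage-bde prints the numerical password as eight groups of six digits.
    $match = [regex]::Match($out, '(\d{6}-){7}\d{6}')
    if (-not $match.Success) {
        throw "Could not find the recovery password in manage-bde output:`n$out"
    }
    return $match.Value
}

function Unlock-DataVolume {
    # Manual unlock after a reboot: either the recovery password or the .bek key file.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Volume,
        [Parameter(ParameterSetName = 'Password', Mandatory)][string]$RecoveryPassword,
        [Parameter(ParameterSetName = 'KeyFile', Mandatory)][string]$RecoveryKeyPath
    )
    if ($PSCmdlet.ParameterSetName -eq 'Password') {
        Invoke-ManageBde -Arguments @('-unlock', "${Volume}:", '-RecoveryPassword', $RecoveryPassword) | Out-Null
    } else {
        if (-not (Test-Path $RecoveryKeyPath)) { throw "Recovery key file $RecoveryKeyPath not found." }
        Invoke-ManageBde -Arguments @('-unlock', "${Volume}:", '-RecoveryKey', $RecoveryKeyPath) | Out-Null
    }
}

function Enable-DataVolumeAutoUnlock {
    # Auto-unlock stores the data volume's external key on the OS volume, so
    # refuse unless the OS volume itself reports BitLocker protection on.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Volume)
    $osDrive = $env:SystemDrive   # e.g. "C:"
    $status = Invoke-ManageBde -Arguments @('-status', $osDrive)
    if ($status -notmatch 'Protection Status:\s*Protection On') {
        throw "BitLocker protection is not on for $osDrive; auto-unlock would store the key on an unprotected volume."
    }
    Invoke-ManageBde -Arguments @('-autounlock', '-enable', "${Volume}:") | Out-Null
}

# Usage (assumed drive letters):
# $pw = Enable-DataVolumeBitLocker -Volume D -RemovableDrive F
# Write-Host "Escrow this recovery password away from the server: $pw"
# After a reboot, one of:
# Unlock-DataVolume -Volume D -RecoveryPassword $pw
# Unlock-DataVolume -Volume D -RecoveryKeyPath 'F:\<key file>.BEK'
# Enable-DataVolumeAutoUnlock -Volume D
```

The recovery password is returned rather than written to disk on purpose: the only safe place for it is an escrow outside the server, and leaving it in a transcript or script log on the same machine defeats the point of encrypting the volume.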
Utilizing the BitLocker Recovery Password
There might be situations when you need to leverage the recovery password to gain access to a volume that is encrypted with BitLocker. This situation might occur when there is an error related to the TPM hardware, one of the boot files has been corrupted or modified, or the TPM is unintentionally cleared or disabled. The following instructions outline the recovery steps:
1. Restart the system; the BitLocker Drive Encryption recovery console will come into view.
2. Insert the USB device containing the recovery key, and then press Esc. If the USB device is not available, bypass step 2 and proceed to step 3.
3. Press Enter. You will be prompted to enter the recovery password manually.
4. Type in the 48-digit recovery password, press Enter, and then restart the system.
Once the system is back up, determine why recovery was triggered. If the TPM was cleared or the boot configuration was legitimately changed, the TPM protector must be re-established (for example, by disabling and then re-enabling BitLocker on the operating system volume once the TPM is back in service); otherwise the recovery password will be requested again at the next reboot. If no legitimate cause can be found, treat the event as a possible tampering attempt.
Scenarios for When the Recovery Password Is Required
There are a number of different scenarios in which a BitLocker recovery would need to be performed; these include (but are not limited to):
Changing or replacing the motherboard with a new TPM
Changing the status of the TPM
Updating the BIOS and/or any other ROM on the motherboard
Attempting to access a BitLocker-enabled drive on a different system
Entering the wrong PIN too many times
Losing or damaging the USB startup key
Removing BitLocker Drive Encryption
The course of action for turning off BitLocker Drive Encryption is the same for both TPM-based hardware configurations and USB startup keys. When turning off BitLocker, two options exist. You can either remove BitLocker entirely and decrypt a volume, or you can temporarily disable BitLocker so that changes (such as a BIOS update or a TPM change) can be made without triggering recovery. Disabling does not decrypt the volume: the data stays encrypted, but the key needed to unlock it is stored on the disk in the clear, so the volume offers no real protection until BitLocker is enabled again. Re-enable it as soon as the planned change is complete. The following steps depict the process for removing or disabling BitLocker:
1. Click Start, Control Panel, and double-click BitLocker Drive Encryption.
2. Turn off BitLocker Drive Encryption by clicking Turn Off BitLocker on the BitLocker Drive Encryption page.
3. The What Level of Decryption Do You Want dialog box will be invoked. Choose either Disable BitLocker Drive Encryption or Decrypt the Volume.
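The same two choices from the command line, as an added example that is not part of the original page: suspending protectors (the "Disable BitLocker Drive Encryption" option) versus decrypting the volume entirely (the "Decrypt the Volume" option), with a status check after each. Function names and the C: and D: drive letters are this example's own assumptions; it must run from an elevated prompt on a host where BitLocker is enabled.

```powershell
# Added example: command-line counterpart to the Turn Off BitLocker dialog.
# Function and parameter names are this example's own; drive letters are assumed.
# Run from an elevated prompt.

function Get-BitLockerVolumeState {
    # Parses the "Conversion Status:" and "Protection Status:" lines of manage-bde -status.
    param([Parameter(Mandatory)][string]$Volume)
    $out = & manage-bde.exe -status "${Volume}:" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status ${Volume}: failed:`n$out" }
    $conv = [regex]::Match($out, 'Conversion Status:\s*(.+)').Groups[1].Value.Trim()
    $prot = [regex]::Match($out, 'Protection Status:\s*(.+)').Groups[1].Value.Trim()
    return [pscustomobject]@{ Volume = $Volume; Conversion = $conv; Protection = $prot }
}

function Disable-BitLockerTemporarily {
    # "Disable BitLocker Drive Encryption": protectors are suspended, the volume
    # stays encrypted, but its key is stored in the clear until protection resumes.
    param([Parameter(Mandatory)][string]$Volume)
    & manage-bde.exe -protectors -disable "${Volume}:" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not suspend protectors on ${Volume}:" }
    $s = Get-BitLockerVolumeState -Volume $Volume
    if ($s.Protection -ne 'Protection Off') {
        throw "Expected protection to be off on ${Volume}:, got '$($s.Protection)'"
    }
    Write-Warning "${Volume}: is still encrypted but unprotected until Resume-BitLockerProtection runs."
}

function Resume-BitLockerProtection {
    # Re-seals the volume key to the current TPM/boot state after the change is done.
    param([Parameter(Mandatory)][string]$Volume)
    & manage-bde.exe -protectors -enable "${Volume}:" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not re-enable protectors on ${Volume}:" }
    $s = Get-BitLockerVolumeState -Volume $Volume
    if ($s.Protection -ne 'Protection On') {
        throw "Expected protection to be on for ${Volume}:, got '$($s.Protection)'"
    }
}

function Remove-BitLockerCompletely {
    # "Decrypt the Volume": starts decryption and waits until the volume is fully decrypted.
    param([Parameter(Mandatory)][string]$Volume, [int]$PollSeconds = 30)
    & manage-bde.exe -off "${Volume}:" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -off ${Volume}: failed" }
    do {
        Start-Sleep -Seconds $PollSeconds
        $s = Get-BitLockerVolumeState -Volume $Volume
        Write-Host "${Volume}: $($s.Conversion)"
    } while ($s.Conversion -ne 'Fully Decrypted')
}

# Usage (assumed drive letters):
# Disable-BitLockerTemporarily -Volume C   # before a BIOS or TPM change
# Resume-BitLockerProtection -Volume C     # immediately afterwards
# Remove-BitLockerCompletely -Volume D     # to remove BitLocker from a data volume
```

If the volume being decrypted is the operating system volume and data volumes auto-unlock against it, clear those stored keys first (manage-bde -autounlock -ClearAllKeys on the operating system volume), otherwise the data volumes will need their recovery password or key at the next reboot.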