I recently installed Windows 7 Ultimate (32 bit) on my brand new HP Mini 110 (it ships with XP). The Windows 7 distribution included all the drivers needed to get the system up and running, including the WiFi drivers, making it a very painless process.  Once running, it automatically downloaded the vendor-specific video driver, resulting in a fully operational system.  The only driver I had to manually install was for the touchpad. The Windows 7 driver worked fine, but I couldn’t use functions like vertical scrolling until I downloaded the software from Synaptics.

I’m a strong proponent of whole disk encryption, especially on portable computers.  The small size and weight of the HP Mini 110 make it an easier target for thieves. However, by default Windows 7 creates two hard drive partitions, a hidden one for boot and recovery, and a second main partition for the operating system. My favourite open source encryption software, TrueCrypt, won’t do whole hard drive encryption on Windows 7…at least not yet. So I decided to give Microsoft’s BitLocker a try.

BitLocker is designed to work on PCs that include a Trusted Platform Module (TPM) chip on their motherboard. BitLocker essentially stores the hard drive encryption key on the TPM and the system can be configured so that users must authenticate to the TPM using a PIN in order to boot their computer.

While that’s a nice plan, it doesn’t help those of us who have purchased a computer that doesn’t include a TPM, and I was somewhat disappointed to learn that the HP Mini 110 falls into that category. But searching the web I quickly learned that BitLocker can be used without a TPM chip by making a group policy change. (Detailed information can be found here.) Once the feature is enabled, the BitLocker key can be stored on a USB flash drive.
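The procedure described above, as an added example that is not from the original post: it sets the policy that allows BitLocker without a TPM, turns BitLocker on with a startup key on the USB drive, and adds a recovery password so a lost flash drive does not mean lost data. The drive letters `C:` and `E:` are assumptions; adjust them for your machine.

```powershell
# Added example; run from an elevated PowerShell prompt on the laptop.
# Assumptions: C: is the OS volume and E: is the USB flash drive.
$os  = 'C:'
$usb = 'E:'

# 1. Policy "Require additional authentication at startup" with
#    "Allow BitLocker without a compatible TPM" ticked. In gpedit.msc:
#    Computer Configuration > Administrative Templates > Windows Components >
#    BitLocker Drive Encryption > Operating System Drives.
#    Registry form of the same setting, for a standalone machine:
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Stop early if the flash drive is not plugged in.
if (-not (Test-Path "$usb\")) { throw "USB drive $usb not found" }

# 3. Turn BitLocker on with two key protectors:
#    -StartupKey       writes the startup key file to the flash drive
#    -RecoveryPassword prints a 48-digit numerical password; record it and
#                      keep it away from both the laptop and the flash drive
manage-bde -on $os -StartupKey "$usb\" -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed (exit code $LASTEXITCODE)" }

# 4. Confirm which protectors exist and watch the encryption progress.
#    manage-bde reports if a restart with the flash drive inserted is
#    required before encryption begins.
manage-bde -protectors -get $os
manage-bde -status $os
```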

This scenario is not ideal because the key is not protected – anyone who gets their hands on the USB key can duplicate the key and use either it or the duplicate to boot the computer.  However, it’s certainly better than the alternative, which is to not use hard drive encryption until third-party products catch up with Windows 7. If you protect your USB key like you protect your car keys, it does provide a practical defence against a thief accessing your data.

But if you’re like me, you probably keep your USB flash drive in your briefcase, making it vulnerable to theft along with your laptop.  It’s like leaving your car keys sitting on top of the hood. I mentioned this challenge to a few colleagues, and one of them introduced me to a very cool product from Verbatim, the TUFF-‘N’-TINY™ USB flash drive.



In addition to having the smallest form factor I’ve seen in a USB flash drive, the Tuff-‘N’-Tiny is dust, water, and static discharge resistant.  It also includes a short key ring lanyard, which I highly recommend you use.

BitLocker only requires the USB key during the initial boot sequence, after which it tells you to remove the key, so the Tuff-‘N’-Tiny soon hung on my keychain as the “ignition key” for my HP Mini.

The Tuff-‘N’-Tiny also includes Verbatim’s V-Safe encryption software.  Unlike many USB devices that mount both a public (unencrypted) and secure (encrypted) partition, V-Safe switches the user between the unencrypted and encrypted partition on the same drive letter.  At first this seemed a bit unusual, but I quickly realized that, in addition to requiring only one drive letter for the device, this scheme also prevents the user from accidentally saving sensitive files to the unencrypted partition. Once you’ve entered your passphrase, only the encrypted partition is available.

Getting back to BitLocker, I think we’ll all agree that it is best used with a TPM chip.  However, while not perfect from a security perspective, it is possible to use Windows 7 BitLocker for practical whole hard drive encryption without a TPM chip provided that you store the USB key separate from the computer. And so far, at least for me, attaching a small USB flash drive to my keychain appears to be the best option.
