So, you want to BitLocker an existing computer?

The other day I decided, probably against better judgement, to turn on BitLocker on my laptop running Windows Vista RC1+. There were several concerns about doing that though:

  1. What if you do not have a TPM chip of any kind? In that case, your only option is to use a USB key for BitLocker.
  2. When I installed my machine I let the Windows Vista installer partition the drive for me. That means I had one large partition covering the whole drive.
  3. You mean you are turning on whole hard disk encryption on a beta OS? What are you thinking?

Let’s ignore number three for a moment. Number one is simple to solve:

  1. Go to Start:Run, and type gpedit.msc to open the Group Policy Editor.
  2. Select “Computer Configuration:Windows Components:BitLocker Drive Encryption”.
  3. Double-click the “Control Panel Setup: Enable advanced startup options” entry in the right-hand pane.
  4. Check the “Enable” radio button and then check the box for “Allow BitLocker without a compatible TPM.”

Next we need to solve the partition problem. BitLocker requires a 1.5 GB partition as the system partition (the one you boot from) so that it can boot in the clear and decrypt the boot partition (the one that has the operating system files). If you do not have two partitions already, you need to create another one. There is a great walk-through on how to use BitLocker on the Microsoft site, but it presumes you are starting from scratch, which I was not. To do that, take the following steps:

  1. Open an elevated command prompt (right-click the command prompt shortcut and select "Run as administrator").
  2. Run the diskpart command.
  3. Select your disk. Normally it is disk 0, but you may have a couple of disks, although if you do, you should consider using one of the other disks for your system partition. If you want to see the disks, type “list disk”. To select your disk, type “select disk 0”, where 0 is the number of your disk (from now on, all the directions will assume you have a single-disk, single-partition setup).
  4. Select your partition. Normally it would be partition 1, assuming there is only one partition on the disk. If you are not sure, type “list partition” to see what you have. Then select it using the command “select partition 1”.
  5. Use the shrink command to shrink it. DO NOT JUST TYPE SHRINK! That would shrink the partition so that all the available free space is made available for a new partition. If you need help on the command, type “help shrink”. In this case we need to shrink it by 1.5 GB. To do that, type “shrink desired=1500”. Note that this may not give you exactly 1.5 GB. In my test it gave me 1.496. I have run into problems with that, such as when upgrading one Vista install to another: the installer looks for more than 1.5 GB on the system partition and if that space is not there it fails. You may want to overshoot a little to make sure you get at least 1.5 GB.
  6. Open Computer Management and select “Disk Management”.
  7. Format the new empty space on your disk using NTFS. If you label it something like “boot” it will be easier to find it later.
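As an added example (not from Jesper's post), here are the shrink-and-format steps above as a diskpart script driven from an elevated PowerShell prompt. It assumes disk 0 / partition 1 as in the post, shrinks by 1536 MB because diskpart's sizes are in MB and 1.5 GB is 1536 MB (which is why the post's 1500 came out as 1.496 GB), verifies the result, and deliberately leaves the "active" step for after the boot files have been copied.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell prompt;
# diskpart will not run otherwise. Assumes a single disk (0) with a single partition (1).
# 1.5 GB in the binary units the OS and diskpart use is 1536 MB, not 1500 MB.
$SystemPartitionMB = 1536

# "minimum=" makes diskpart fail instead of silently shrinking by less than we asked for.
# After "create partition primary" the new partition has focus, so "format" applies to it.
# The partition is NOT marked active here: do that only after bootmgr and \boot are copied.
$script = @"
select disk 0
select partition 1
shrink desired=$SystemPartitionMB minimum=$SystemPartitionMB
create partition primary
format fs=ntfs label="boot" quick
list partition
"@

$scriptPath = Join-Path $env:TEMP 'bitlocker-system-partition.txt'
Set-Content -Path $scriptPath -Value $script -Encoding ASCII

& diskpart.exe /s $scriptPath
if ($LASTEXITCODE -ne 0) {
    throw "diskpart failed with exit code $LASTEXITCODE; check the output above before continuing"
}

# Verify the new partition really is at least 1.5 GB (PowerShell's 1GB is 1073741824 bytes).
# Win32_DiskPartition indexes are zero-based, so the second partition on disk 0 is Index=1.
$newPartition = Get-WmiObject Win32_DiskPartition -Filter "DiskIndex=0 AND Index=1"
if (-not $newPartition) { throw "No second partition found on disk 0" }
$sizeGB = [math]::Round($newPartition.Size / 1GB, 3)
if ($newPartition.Size -lt 1.5GB) {
    throw "New partition is only $sizeGB GB; the Vista installer expects at least 1.5 GB"
}
Write-Host "System partition created: $sizeGB GB. Now boot the Vista DVD and copy the boot files."
```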

Now you need to set this partition up to be bootable. First, make sure it has been formatted with NTFS in Computer Management, as described above. Next you need the boot files. To copy the boot files over you actually have to boot into a neutral installation. The operating system holds the files open while the machine is running, so you cannot copy them. The easiest way to resolve this is to boot into the Windows Vista Recovery Console:

  1. Put the Windows Vista DVD into the drive and reboot the computer. Choose to start from the DVD. On many computers you have to hit F12 to get the boot menu.
  2. When the Windows Vista locale selection screen comes up, pick your locale.
  3. When the Windows Vista installation screen comes up, select “Repair your computer”. It may not be broken yet, but we are working on that.
  4. Select your Windows Vista partition and click “Next >”.
  5. Select “Command Prompt”.
  6. In the resulting command prompt, figure out which drives are which. Most likely your boot partition (the one with the OS) is C: and the new one you just created is D:. You can use diskpart to figure it out. Launch diskpart and type “list volume”.
  7. Copy the boot directory. Use this command:
    xcopy c:\boot d:\boot /h /e
    This will copy the whole directory structure and all the files, including hidden ones (they are all hidden). You will probably get a prompt asking whether boot is a directory or a file on the target. It is a directory.
  8. Copy the boot manager using this command:
    xcopy c:\bootmgr d:\bootmgr /h
    In the prompt asking whether bootmgr is a directory or a file on the target, select file.
  9. Finally, we need to set the new partition active. To do so, launch diskpart again. Select your disk. It is probably disk 0, but you can always list the disks to be sure.
  10. List your partitions to determine which partition is the new boot partition. Then select it using “select partition 2”, where 2 is the number of your partition.
  11. Make it active by typing “active”.
  12. Exit diskpart and reboot the system. To do so, type exit twice.

At this point you have a system that can run BitLocker. You can now boot it, go into the BitLocker control panel and turn it on, and of course, submit any bugs you find to Microsoft so they can fix them before they release this to the rest of the world.

Published Wed, Sep 27 2006 3:13 PM by jesper

Comments

# Stephen Edgar said on 28 September, 2006 12:07 AM

There are also some great step-by-step guides for various TPM or non-TPM installations and FAQs over at TechNet. http://www.microsoft.com/technet/windowsvista/security/bitlockr.mspx

# Aaron said on 17 April, 2007 05:06 AM

Thank you sooooo much Jesper! You have done users worldwide a great service. Two days ago, I upgraded my OS from Vista Business to Ultimate, expressly for the purpose of using BitLocker. After the upgrade completed, I discovered that BitLocker would not install since I had only one partition. Instead, BitLocker insisted that I re-install Vista. However, since I had done a Vista Upgrade, the only install option available was a CLEAN INSTALL! I hit the fan. I ran in circles. I prayed. And then.... I read your post. Your solution worked perfectly within minutes. Thank you so very much!

# steve said on 13 May, 2007 01:31 PM

The BitLocker drive preparation tool can be downloaded and makes this much easier.

# Adrian Pavone said on 12 September, 2008 11:05 PM

Just thought I would let you know, 1.5GB is actually 1536MB, which is why your drive was not quite 1.5G, and why you were having the issues described.

This is because 1GB is really 1024MB, not 1000MB as so many people seem to think. Part of the problem is that marketing tries to convince us that 1000 is correct (cheaper for them), whereas the computer uses the real 1024.

Otherwise, brilliant instructions, worked a treat.

# Garrett said on 30 October, 2008 07:45 AM

I use BitLocker (w/o a TPM) and it works great. However, I'm baffled as to how to "change my password," so to speak. I tried disabling BDE and then re-enabling. I then produced a new startup key, but it was identical to the old one. I didn't see any helpful cmd line options when using the manage-bde.wsf tool either.

Am I missing something? There's gotta be a way to change the startup key w/o having to decrypt and then re-encrypt the whole drive. Thanks for any input you can provide on this.

# Garrett said on 19 November, 2008 02:10 PM

FYI - In regards to my previous question, VistaGuy (at vistaheads.com) responded with the following (helpful) post:

-- snip --

You have to recreate the startup key for BitLocker. Assuming you encrypted the C-drive, these two commands should do the job:

    manage-bde -protectors -delete C: -Type ExternalKey

    manage-bde -protectors -add C: -StartupKey <USBDrive>:

-- end --
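As an added example (not from the post or from the commenters), the same startup-key rotation in PowerShell, but done in the safer order: add the new external-key protector first, confirm it exists, and only then delete the old one by its ID, so the volume is never left without a startup protector if a step fails. It assumes OS volume C:, a removable drive E: for the new key, and the manage-bde.exe command form used in the comment (Windows 7 and later; on Vista the same switches go through "cscript manage-bde.wsf").

```powershell
# Added example, not part of the original post or comments. Run from an elevated prompt.
# Assumes: OS volume C:, new startup key written to removable drive E:, manage-bde.exe on PATH.
param(
    [string]$Volume   = 'C:',
    [string]$UsbDrive = 'E:'
)

function Get-ExternalKeyIds {
    param([string]$Vol)
    # manage-bde lists each protector with an "ID: {GUID}" line; -type limits it to External Key
    # (startup key) protectors so the recovery password and other protectors are never touched.
    $out = & manage-bde.exe -protectors -get $Vol -type ExternalKey 2>&1
    [regex]::Matches(($out -join "`n"), 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') |
        ForEach-Object { $_.Groups[1].Value }
}

$oldIds = @(Get-ExternalKeyIds $Volume)
Write-Host "Existing startup-key protectors on ${Volume}: $($oldIds -join ', ')"

# Step 1: add the replacement first. If this fails, nothing has been removed yet.
& manage-bde.exe -protectors -add $Volume -StartupKey $UsbDrive
if ($LASTEXITCODE -ne 0) {
    throw "Adding the new startup key failed (exit code $LASTEXITCODE); no protector was removed"
}

# Step 2: confirm exactly one new External Key protector appeared before deleting anything.
$newIds = @(Get-ExternalKeyIds $Volume) | Where-Object { $oldIds -notcontains $_ }
if ($newIds.Count -ne 1) {
    throw "Expected exactly one new External Key protector, found $($newIds.Count); leaving old keys in place"
}
Write-Host "New startup-key protector: $($newIds[0]) (key file written to $UsbDrive)"

# Step 3: remove the old protectors by ID, so the old USB key no longer unlocks the volume.
foreach ($id in $oldIds) {
    & manage-bde.exe -protectors -delete $Volume -id $id
    if ($LASTEXITCODE -ne 0) { throw "Could not delete old protector $id (exit code $LASTEXITCODE)" }
    Write-Host "Removed old startup-key protector $id"
}
```

Test the new USB key with a reboot before wiping the old one; the old .BEK file on the previous USB stick is useless once its protector is deleted, but the recovery password protector is left untouched throughout.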