BitLocker is an on-disk encryption system that encrypts the computer's boot drive, making the system data on it unreadable to unauthorised users - someone who's just made off with your laptop at the airport, for example. Without a boot key - either a manually entered PIN, a USB flash drive or a secure module on the PC itself - everything on a BitLocker-encrypted drive is indistinguishable from random data.

In the face of any number of news stories about government agencies and businesses losing laptops and the data on them, Microsoft has tried hard to convince users that BitLocker is the best means of preventing data loss through theft or espionage. A lost BitLocker-protected computer, Microsoft argues, can be safely written off without concern that the data on it could be compromised; and, as we are all well aware, the cost of a lost laptop is minor compared with the cost of losing the data on it.

Getting the Goods

Those considering BitLocker for their laptops can only get the technology on Windows Vista Ultimate and Windows Vista Enterprise - the version of the OS designed for large corporations. Also, to get the most out of BitLocker, Microsoft recommends using it on a computer equipped with a Trusted Platform Module (TPM), a microchip embedded in a PC's motherboard that stores passwords, keys and digital certificates.

BitLocker in Action

BitLocker creates a 1.5GB boot partition in front of the system volume to be encrypted that contains decryption and boot data. When Vista was first released, users had to create this partition manually before installing Vista, but after a number of complaints, Microsoft revised the BitLocker setup process so that you can create the partition on an existing system.

One of the Vista Ultimate Extras is labelled 'BitLocker and EFS enhancements', which contains the BitLocker Drive Preparation tool. This program automates the setup process and encrypts an existing drive for BitLocker while the system is running. (It's still always best to have BitLocker set up on a system before it has been personalised for a given user so there is no chance of unencrypted data being stored on it at any time.)

There are three possible ways to implement BitLocker on a given system, each with its own benefits and drawbacks:

On a computer with TPM hardware: The TPM chip stores BitLocker's decryption keys, so any attempt to reverse-engineer a key through tampering will leave the system unbootable (and the drive unreadable). Any attempts to tamper with the unencrypted boot loader will cause the system to fail.

TPM, however, is not something that can be added to a PC after the fact - it's something that has to be included in its design from the ground up. It's difficult to determine exactly how much TPM adds to the cost of a laptop, because TPM hardware is typically offered as part of a bundle of features in 'business-class' machines. But at this point, the cost premium doesn't appear to be a lot.

On a system without TPM hardware that boots from an external USB drive: In this scenario, the system's boot key is stored on an external drive. The system boots from that drive first, which then supplies the decryption key that allows the rest of the system to boot.

However, this plan will not work on a system that does not support booting from a USB device, and by no means do all business-class machines support that capability. The USB boot device itself also can be stolen - and leaving the USB drive plugged in while the system is running (as many people are wont to do) is on the order of unlocking the front door of your house and leaving the key in the lock.

For this reason, using the USB drive method is probably not suitable for most people, although it's a useful way to allow an individual to use BitLocker.