BitLocker Drive Encryption requires that there be two partitions on the hard disk drive. The first partition is referred to as the system volume and contains the unencrypted boot information. The second partition is referred to as the operating system volume. This is the volume which will be encrypted and contains the operating system and user data.
The system volume must be at least 1.5GB in size and must be created before proceeding with the BitLocker Drive Encryption process. This volume can be created by using unallocated space on a drive, by taking space from an existing volume, or by merging the boot files into another existing volume (other than the operating system volume). To ease the process of creating the system volume, Microsoft provides a tool called the BitLocker Drive Preparation Tool. Previously, this tool had to be downloaded and installed from the Microsoft web site, but it is now pre-bundled with Windows Server 2008 R2. The executable is called BdeHdCfg.exe and is located in ''%SystemDrive%\Windows\System32''.
The BitLocker Drive Preparation Tool is a command-line utility and, as such, must be run from a command prompt window.
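The three ways of creating the system volume described above map onto the tool's <code>-target</code> options. The following PowerShell wrapper is an added example, not part of the original page: the parameter names <code>$Method</code>, <code>$Drive</code> and <code>$Apply</code> are assumptions made for illustration, the 1536 MB size is the page's 1.5GB minimum, and the BdeHdCfg.exe switches are those in Microsoft's command reference for the tool.

```powershell
# Added example, not from the original page. Run from an elevated prompt.
param(
    [ValidateSet('unallocated', 'shrink', 'merge')]
    [string]$Method = 'shrink',          # hypothetical parameter names
    [string]$Drive  = $env:SystemDrive,  # volume to shrink, or to merge the boot files into
    [switch]$Apply                       # without -Apply the command is only printed
)
$MinSizeMB = 1536   # 1.5 GB, the minimum system volume size stated on this page
$tool = Join-Path $env:SystemRoot 'System32\BdeHdCfg.exe'
if (-not (Test-Path $tool)) { throw "BdeHdCfg.exe not found at $tool" }
$Drive = $Drive.TrimEnd('\')

# A system volume that is not also the boot (operating system) volume
# means the two-partition layout BitLocker needs already exists.
$sys = Get-WmiObject Win32_Volume -Filter 'SystemVolume = TRUE' | Select-Object -First 1
if ($sys -and -not $sys.BootVolume) {
    $sizeMB = [math]::Round($sys.Capacity / 1MB)
    Write-Output "Separate system volume already present ($sizeMB MB); nothing to create."
    if ($sizeMB -lt $MinSizeMB) { Write-Warning "It is smaller than $MinSizeMB MB." }
    return
}

switch ($Method) {
    'unallocated' { $toolArgs = @('-target', 'unallocated', '-size', $MinSizeMB) }
    'shrink'      { $toolArgs = @('-target', $Drive, 'shrink', '-size', $MinSizeMB) }
    'merge'       {
        # The boot files may not be merged into the operating system volume.
        if ($Drive -eq $env:SystemDrive) {
            throw "Merge target $Drive is the operating system volume; choose another volume."
        }
        $toolArgs = @('-target', $Drive, 'merge')
    }
}

# Show the tool's view of the drive before changing anything.
& $tool -driveinfo $Drive
Write-Output ("Planned command: {0} {1}" -f $tool, ($toolArgs -join ' '))

if ($Apply) {
    & $tool $toolArgs
    if ($LASTEXITCODE -ne 0) { throw "BdeHdCfg.exe exited with code $LASTEXITCODE" }
    Write-Output 'System volume created. Restart the server before enabling BitLocker.'
}
```

Run it once without <code>-Apply</code> to review the drive information and the planned command, then again with <code>-Apply</code> to make the change.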
Once the system volume has been created and the system restarted, the next step is to enable BitLocker support. The preparedness of the system and the option to enable BitLocker support are controlled from the BitLocker control panel, which is accessed from the system Control Panel (Start -> Control Panel).
If the Control Panel is in Classic View mode, simply double-click on the BitLocker Drive Encryption icon. Alternatively, if the Control Panel is in Control Panel Home mode, select ''System and Security'' followed by ''BitLocker Drive Encryption''. Once selected, a screen similar to the following should appear:
To enable BitLocker, click on the ''Turn On BitLocker'' option. If the system on which Windows Server 2008 R2 is running has TPM support, the drives suitable for BitLocker encryption will be listed together with the option to activate the encryption. If, on the other hand, the hardware does not have TPM support, a warning message is displayed stating:
<pre>
== Regenerating BitLocker Startup Keys and Recovery Passwords ==
To regenerate previously generated startup keys and recovery passwords, enter the BitLocker Drive Encryption control panel (Start -> Control Panel -> Security -> BitLocker Drive Encryption) and click on ''Manage BitLocker Keys''. The resulting screen will provide options to ''Duplicate the recovery password'' and ''Duplicate the startup key''. The recovery key may be written to a USB drive or to a folder. The startup key must be saved to a USB memory device.
== Disabling BitLocker Drive Encryption ==
BitLocker Drive Encryption may be disabled on either a temporary or permanent basis. To temporarily turn off encryption, open the BitLocker control panel (Start -> Control Panel -> Security -> BitLocker Drive Encryption), select ''Turn off BitLocker Drive Encryption'' under the desired volume, and then select ''Disable BitLocker Drive Encryption'' in the resulting screen.
To turn off BitLocker and decrypt a system volume, repeat the above steps, selecting ''Decrypt the volume'' when asked to specify the level of decryption.
