BitLocker ToGo Encryption for Windows Server 2008 R2
BitLocker ToGo encryption is a new feature that ships with Windows Server 2008 R2 and provides encryption for removable drives. This is a very important feature for backups, as it ensures that backup data kept on removable media remains protected if the media is lost or stolen.
Before using BitLocker ToGo, you will need to add the BitLocker feature to Windows Server 2008 R2. From Server Manager, select the server, then click Add Features from the Action menu to open the Add Features Wizard. From there, select BitLocker Drive Encryption. You will see both the regular BitLocker, which is designed for non-removable drives and uses a TPM (Trusted Platform Module) to protect the encryption keys, and the new BitLocker ToGo, which is used for removable drives.
To add BitLocker Drive Encryption from PowerShell, use the below code from an elevated PowerShell command line:
BitLocker ToGo can be managed by double-clicking the BitLocker Drive Encryption icon in the Control Panel. From there, to enable BitLocker ToGo on a removable drive, click Turn On BitLocker beside the drive icon.
The first time BitLocker or BitLocker ToGo is run on the server, you will see a warning message that this can impact performance. Click Yes at this prompt, and the BitLocker Drive Encryption Wizard will start.
First, select how to unlock the drive, using either a password or a smart card. Next you will be offered several methods for saving the recovery key; normally it is preferable to use all of them: save the key to a file and keep the file safe, and print the recovery key and store the printout in a safe location. Make sure you store the recovery key where it can be easily accessed when you need it.
Once you are confident of proceeding, click Start Encrypting to begin the BitLocker encryption process. Once encryption begins, do not remove the drive until the process is fully complete. If you need to shut down the computer or remove the drive, pause the encryption first. Encrypting a large drive can take a long time, so try to schedule this procedure to impact the minimum number of users. When the drive is fully encrypted, the performance penalty is usually very small and unnoticeable in normal use.
Once the encryption is complete, a padlock icon will be shown on the drive and a Manage BitLocker option will be shown beside it. Clicking Manage BitLocker will allow you to change or remove the password, add a smart card for unlocking the drive, save the encryption recovery keys, or configure the drive to auto-unlock on the current computer. Note that this final option means anyone who can log on to the server can read the data on the drive without needing the key.
Finally, when the drive is plugged into any computer, you will be prompted for the unlocking key, which will be a password or a smart card. You will not be able to use the BitLocker ToGo drive until it has been unlocked. Once the drive has been unlocked on a computer, BitLocker ToGo can be configured to always unlock on that same computer without needing a password or smart card.
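As an added example (not code from the original article), the same procedure driven from an elevated PowerShell prompt: the feature installation mentioned earlier, followed by the wizard steps above using the manage-bde tool that ships with Windows Server 2008 R2. The drive letter and key-backup folder are assumed placeholders; adjust them for your server.

```powershell
# Added example, not from the original article. Installs the BitLocker feature and
# protects a removable drive with manage-bde, the command-line equivalent of the
# Control Panel wizard. $DriveLetter and $KeyBackupDir are assumed placeholders.

$DriveLetter  = 'E:'                # removable drive to protect (assumed)
$KeyBackupDir = 'D:\BitLockerKeys'  # restricted folder for the recovery key file (assumed)

# 1. Add the BitLocker feature. PowerShell 2.0 on 2008 R2 needs the ServerManager
#    module loaded before Add-WindowsFeature is available.
Import-Module ServerManager
$result = Add-WindowsFeature BitLocker
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'BitLocker feature installed; restart the server, then re-run from step 2.'
    return
}

# 2. Make sure the folder that will hold the recovery key file exists.
if (-not (Test-Path $KeyBackupDir)) {
    New-Item -ItemType Directory -Path $KeyBackupDir | Out-Null
}

# 3. Turn on BitLocker To Go with the same choices the wizard offers:
#    -pw  prompts for the unlock password,
#    -rp  generates a 48-digit recovery password (print it and store the printout safely),
#    -rk  writes a recovery key file into the folder given.
manage-bde -on $DriveLetter -pw -rp -rk $KeyBackupDir

# 4. Record the key protectors (including the recovery password) alongside the key file.
$protectorLog = Join-Path $KeyBackupDir ("{0}-protectors.txt" -f $DriveLetter.TrimEnd(':'))
manage-bde -protectors -get $DriveLetter | Out-File -FilePath $protectorLog

# 5. Wait until the conversion reports the drive as fully encrypted. Do not remove the
#    drive meanwhile; if the server must be shut down first, run:
#        manage-bde -pause $DriveLetter
#    and later:  manage-bde -resume $DriveLetter
do {
    Start-Sleep -Seconds 30
    $status = manage-bde -status $DriveLetter | Out-String
} until ($status -match 'Fully Encrypted')
Write-Host "$DriveLetter is now protected; recovery material is in $KeyBackupDir"

# 6. Optional, and only where the article's caveat is acceptable: auto-unlock on this
#    server. Anyone who can log on here then reads the drive without the password.
#    The server's own OS drive must already be BitLocker-protected for this to work.
# manage-bde -autounlock -enable $DriveLetter
```

Treat the folder in $KeyBackupDir like the printed recovery key: it unlocks the drive on any machine, so keep it on a volume that is itself protected and restricted to administrators.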
BitLocker ToGo can be used on any drive that Windows Server 2008 R2 recognizes as removable storage, so USB drives, eSATA drives, and FireWire drives are all compatible with BitLocker ToGo.