Bitlocker To go

Well with Windows 7 coming up, there’s been a bit of talk around Bitlocker To Go.(BTG) BTG is essentially Bitlocker for external drives. It’s full volume encryption for all your USB drives.

Jeffa and I have been talking about it quite a bit recently and there seems to be a lack of understanding on how it works.  So I thought I would post this information.

Technically, you could have bitlockered a USB drive in Vista, but it was NOT a supported scenario. In Windows 7, not only is it supported, but encouraged.

There are even supporting GPO entries that you can set that will require all external drives to be encrypted. More on these in another post.

So back to BTG.

BTG is very similar to Bitlocker on the host. It still uses a 3 key system to protect the drive. so what you end up with is this:

  • The volume is encrypted with AES 128 with a Diffuser as the default (although you can use  256 bit AES) based on a Full Volume Encryption Key (FVEK)
    {NOTE for the real geeks: The full key size is always 512 bits. The AES-CBC Componenet and the Sector Key compoenent are both always provided with 256 bits of key material so the full key is 512 bits.  You can use smaller key sizes and the system will pad them out. This allows the system to accomodate larger key sizes without chaing the key management system.}

  • The FVEK is then encrypted with 256bit AES based on the Volume Master Key (VMK)

  • The VMK is encrypted and protected with a Key Protector that is based on a user defined password.

For more detail see the Bitlocker Architecture article.

Using BTG on a USB drive is really easy. Once you’ve inserted the drive and it’s been recognized by the system, just go to the Bitlocker Drive Encryption in Control Panel.


Just select Turn On Bitlocker next to the external drive you want to encrypt.

When you first set it up, you are presented with a choice on how you want to unlock the drive.


If you are using a Smart Card as your login, you can chose to save the key on there. If you do this, you’ll need your Smart Card every time you want to access the external drive.

In this case I selected ‘Use a password to unlock the drive’

You are presented with the traditional Bitlocker selection on where to save your recovery key.

Don’t worry, it’s smart enough not to let you save the recovery key on the drive you are trying to encrypt.


Once you’ve found a suitable location, you can start the encryption process.


Once you’ve started the encryption process, you can remove the drive before it is complete. However the system does tell you to pause the encryption before removing the drive.  If you don’t…well, let’s just say you’ve been warned.

Once encryption is complete, and you remove, then reinsert the drive you are presented with the password dialog to access the drive.


If you chose to ‘Automatically unlock on this computer from now on’ the system will store your password (the Key Protector password) in an encrypted section of the registry. So the next time the drive is inserted, if you are the person logged on and have access to that registry key, the Key Protector password will be automatically entered for you and the drive will be accessible.

I would strongly suggest actually using the Context menu on the drive and selecting Eject when you want to remove the drive from the machine.  Technically you should be doing this with all your USB drives, but with a Bitlockered one, you really need to get into the habit “just in case”.

But what if you chose not to unlock the drive?

When you try to access it you will get an access denied error. If you try to do a ‘dir’ from an Admin command prompt you’ll see that the volume isn’t even bound to the system.  (go ahead, try it).

Now if you were to set the System Files Visibility on your machine and look at a USB drive protected by BTG, you’ll notice some files on there.





These files are indeed the keys to the drive. It’s the FVEK, and the VMK. You may also notice that they are stored in the unprotected section of the drive.  I’m sure some sensationalist’s our there are freaking out just waiting to break a story on how you can use these keys to decrypt the drive so BTG is broken.  Well, get a grip, that’s not the case.

As I said earlier, the FVEK is encrypted with the VMK, and the VMK is encrypted with the Key Protector which is hopefully locked safely away in the noggin of the user. 

There’s not much point in trying to brute force the keys to get to the data on the drive. They are encrypted with the same strength stuff that’s used on the drive data anyway.  If you are that determined to brute force something you may as well just target the drive data.

Good luck with that. With today’s computing power, and presuming that you have to go through an average of 52% of the keyspace before you find the right key, it’s going to take you about 20,000,000,000,000,000,000 years to do it. I plan on being dead by then do if you get to my data in 20 Quadrillion years, you just have the time of you life.

BTG is a great way to protect all of those external drives you have.  You can protect a USB drive for each client, or account, or just keep your kids pictures safe from prying eyes if you happen to drop your USB key in the parking lot.

No, you probably can’t open it up on the local Wal-mart photo Kiosk.  But you should be able to open it up on any bitlocker capable machine providing you remember the password. Such as Windows Vista or Windows Server 2008

In fact, BTG includes a Bitlocker Reader application on the USB drive. When you open the drive on a Vista machine it looks something like this:


You’ll notice that the drive has the Bitlocker icon on it. If you open it, you see the following:


You can see the BitlockerToGo exe there ready to serve you:


Once you run it you are asked for the password for the drive. If you enter it correctly the BTG Reader starts and presents you with the following dialog.





Now you are ready to access your files. But, you have to drag them to the local computer to use them.  This will allow the on access decryption to decrypt the file as it copies it to your system all ready to use.

So give it a try. I personally use it on my external drives. Especially those that contain my laptop backups, and any client data that I’m working on. I don’t tend to lose drives, but if I ever did, I know that the data on them would be very safe.

Comments (6)

  1. says:

    Tried this out on an old thumb drive of mine and was all set to complain that BtGo really kills the write speed when copying files to the removable device.  Then, after removing the encryption (just a quick format of the drive does the trick as long as the data is backed up elsewhere) I realized it was the drive itself that was slow.

    I’m assuming that you can edit the files on the removable device as long as you’re using Vista Enterprise or Ultimate with Bitlocker available.  I’ll find out for sure this evening.

    Very nice feature which will prove useful for enterprises of all sizes, as well as home users.

  2. RockyH says:

    Yeah the diffuser (as in AES 128 with Diffuser) really helps the performance. Bitlocker is one of the only FVE techs I’ve seen that doesn’t impose a performance hit. Even on USB drives.

  3. bcjohnson37 says:

    Any idea how to fix a corrupted instance of BitLocker to Go on a USB drive?  I am in an endless cycle of being prompted for the password. I ensured that I’m entering the correct password by intentionally entering a bad password (and I got the "Incorrect Password" message), so BTG knows my password, but when I enter it, the password window closes and then reopens 1 second later, prompting me to enter the password. I also tried to run the BTG Repair tool from the command line, but I’m not an IT admin, so it was a bit too complex for me.  HELP!

  4. RockyH says:

    Hi bcjohnson37.

    Can you give me a bit more information?

    What OS are you using?

    Are you trying to open the drive on a different machine than the one you set it up on?

    Was the drive formatted with NTFS when you encrypted it?  (although it should have told you it couldn’t do it if it was FAT formatted)

    Have you successfully accessed the information on the encrypted thumbdrive before?

    Did you format it with NTFS, and are trying to read it from XP with just the reader?

    Also read through this FAQ and see if it helps:

  5. bcjohnson37 says:

    In answer to your questions: I have one Win 7 Ultimate and one Win 7 Professional PC.  I have tried to open the drive on both PCs without success.  I previously was able to unlock and view files on the USB drive from both PCs for months.  I’m fairly confident the USB drive was formatted with NTFS (but I’m not 100% sure). It just seems like something has become corrupted and as a result, I’m in an endless password loop.

  6. bcjohnson37 says:

    Thanks, Rocky.  I tried posting a response about a week ago, but it hasn’t shown up yet.  To answer your questions:

    I am using Windows 7 on all PCs.

    I am trying to open the device on two PCs, one of which is the one I set it up on.

    I’m 99% confident it was NTFS but I can’t be 100% sure.

    I successfully accessed the information for 2-3 months and then over the course of approx 4 hours, it went from occassionally prompting me for the password to putting me into a vicious cycle of prompting me for the password immedicately after having just entered it.  It knows the password, but it’s like it’s not registering.