Undo Bitlocker Drive Preparation Tool

  • Thread starter Paul Baker [MVP, Windows - SDK]

Paul Baker [MVP, Windows - SDK]

I read in the BitLocker ReadMe that a TPM was recommended, but not required.
So I ran the BitLocker Drive Preparation Tool and let it add a new boot
partition. So now I have an extra volume, S:.

I then saw a message that a TPM is required. Upon further reading, I
discovered that the requirement can be turned off, but the alternative is to
use a USB flash drive as a key. The inconvenience of this solution is not
worth it for me, so I will use Encrypting File System (EFS) instead. Had I
known this in the first place, I would not have run the BitLocker Drive
Preparation Tool.

System Restore changed the drive letter of the volume, but nothing else
changed.

How can I undo what BitLocker Drive Preparation Tool did? I know that in
general, I need to move boot files and change the active partition, but I am
afraid of making my system non-bootable.

Thanks,

Paul
 

Kerry Brown

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=1312214&SiteID=17

Be sure you understand EFS, have an offline copy of the encryption
certificate, and know how to use it to recover data. Test copying an
encrypted file to another computer and using the certificate to decrypt it
before you encrypt your actual data. Make sure that the test computer is not
in the same domain as the source computer. It is very easy to lose data when
using EFS.

http://groups.google.com/groups?hl=en&q=efs+lost+data&um=1&ie=UTF-8&sa=N&tab=wg
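Kerry's advice to keep an offline copy of the EFS certificate and to test recovery with it, as an added PowerShell example that is not from the thread; it assumes the built-in PKI module's Export-PfxCertificate and Import-PfxCertificate cmdlets (Windows 8 / Server 2012 and later), and the destination path is a placeholder.

```powershell
# Added example, not from the thread: find the current user's EFS certificate
# and export it, with its private key, to a PFX file kept off the machine.
# Assumes the built-in PKI module (Export-PfxCertificate / Import-PfxCertificate).
$EfsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

function Get-EfsCertificate {
    # Certificates in the personal store that carry the EFS EKU and have a private key
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object {
            $cert = $_
            $cert.HasPrivateKey -and
            [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $EfsEkuOid })
        }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$Destination,        # folder on removable media (placeholder)
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $certs = @(Get-EfsCertificate)
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key was found.' }
    foreach ($cert in $certs) {
        $file = Join-Path $Destination ("EFS-{0}.pfx" -f $cert.Thumbprint)
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
        Write-Output $file
    }
}

# Usage on the source machine (E:\efs-backup is a placeholder path):
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Backup-EfsCertificate -Destination 'E:\efs-backup' -PfxPassword $PfxPassword

# Recovery test on a second computer that is not in the same domain:
# Import-PfxCertificate -FilePath 'E:\efs-backup\EFS-<thumbprint>.pfx' `
#     -CertStoreLocation Cert:\CurrentUser\My -Password $PfxPassword
# then open or decrypt a copied encrypted file:  cipher.exe /d C:\test\secret.txt
```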
 

Paul Baker [MVP, Windows - SDK]

Kerry,

Thanks! I will let you know how it goes.

I am still trying to decide whether or not to use EFS. I probably will, as I
did back up my key, I don't think I'll be changing my password, and I
regularly back up all my files (except program files).

Paul
 

Kerry Brown

Make sure you test decrypting files on another computer that is not joined
to the same domain. It is not a trivial process. As long as you can do this
EFS is safe. If you can't you will eventually lose the data.

--
Kerry Brown
Microsoft MVP - Shell/User
http://www.vistahelp.ca/phpBB2/
 

Paul Baker [MVP, Windows - SDK]

Kerry,

Thanks, I got rid of that pesky partition. This is how:

- Change the C: partition to the Active partition.
- Reboot from the Windows DVD and let Startup Repair find the OS on C:
- Reboot from the Windows DVD and let Startup Repair replace BOOTMGR.EXE.
- Use Disk Management to delete the unwanted partition and resize the C:
partition.

Paul
 

Joe Morris

[Bitlocker issues]
I then saw a message that a TPM is required. Upon further reading, I
discovered that the requirement can be turned off, but the alternative is
to use a USB flash drive as a key. The inconvenience of this solution is
not worth it for me, so I will use Encrypting File System (EFS) instead.
Had I known this in the first place, I would not have run the BitLocker
Drive Preparation Tool.

An addition to other responses about EFS: one of the gotchas about it is
that you can copy EFS-encrypted files to a volume which does not support
EFS, and the system will cheerfully store an unencrypted copy of the file on
the target volume without warning you. This issue is possible with both the
swap file and any temporary files created by your applications, as well as
any external devices such as a USB key. It's not insurmountable if you
ensure that all candidate volumes (or at least all target folders) support
EFS encryption, but it's a potential problem if you're not aware of it.

Also, if you're using EFS you want to check to make sure that your backup
program is EFS-aware. An EFS-aware backup program will store files on the
backup media in their EFS-encrypted form, even if the backup media does not
support EFS.

Alternatively, there are third-party products which can be used to encrypt
entire volumes; this might be an option for you to consider, especially if
you are the only person who will be accessing the protected data.

Question: is the data which you're trying to protect personal, or is it
related to your job? If the latter, and you aren't the owner, you need to
spend a few minutes talking to your manager and/or the IT manager about
ensuring that the company has the key (or EFS certificate) so that it can
recover the encrypted files if you get hit by a bus.

If the data is personal and someone in your family would need to access it,
you need to remember to provide for what happens after the bus with your
name on it arrives. One way to handle this might be to place a CD in a bank
box or in a locked drawer in your office desk, and tell someone where to
find it.

Joe Morris
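Joe's gotcha (a copy to a volume without EFS support lands in plaintext with no warning, and temp files may never have been encrypted at all), as an added PowerShell check that is not from the thread; it assumes local drive-letter paths and treats NTFS as the EFS-capable file system, and the paths in the usage lines are placeholders.

```powershell
# Added example, not from the thread: refuse to copy an EFS-encrypted file to a
# volume that cannot keep it encrypted, verify the copy kept the Encrypted
# attribute, and audit a folder for files EFS does not cover.
# Assumes local drive-letter paths; NTFS is treated as the EFS-capable file system.
function Test-VolumeSupportsEfs {
    param([Parameter(Mandatory)][string]$Path)
    $root  = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))  # e.g. 'E:\'
    $drive = New-Object System.IO.DriveInfo($root)
    return ($drive.DriveFormat -eq 'NTFS')   # FAT, exFAT and ReFS targets would receive plaintext
}

function Test-FileEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path).Attributes
    return ([int]($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Copy-EncryptedFile {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$DestinationFolder
    )
    if (-not (Test-FileEncrypted $Source)) {
        throw "Source is not EFS-encrypted: $Source"
    }
    if (-not (Test-VolumeSupportsEfs $DestinationFolder)) {
        # The silent-plaintext case from the post: stop before anything is written.
        throw "Destination volume cannot hold EFS-encrypted files: $DestinationFolder"
    }
    $target = Join-Path $DestinationFolder (Split-Path -Path $Source -Leaf)
    Copy-Item -LiteralPath $Source -Destination $target
    if (-not (Test-FileEncrypted $target)) {
        Remove-Item -LiteralPath $target -Force    # never leave a plaintext copy behind
        throw "Copy arrived unencrypted and was deleted: $target"
    }
    return $target
}

function Get-UnencryptedFiles {
    # Audit, e.g., $env:TEMP or C:\Users\<name> for files that are not EFS-encrypted
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { ([int]($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0) }
}

# Usage (paths are placeholders):
# Copy-EncryptedFile -Source 'C:\Users\paul\secret.txt' -DestinationFolder 'E:\backup'
# Get-UnencryptedFiles -Folder $env:TEMP | Select-Object FullName
```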
 

Paul Baker [MVP, Windows - SDK]

Joe,

It is for personal data. My wife knows my password, which can be used to log on
to my account and to use the certificate.

Paul


Paul Baker [MVP, Windows - SDK]

Joe,

I don't think I have any sensitive files right now. I just don't want any
prying eyes on my personal stuff. I want to "set it and forget it" so that I
know anything I put there is safe. I am encrypting all of C:\Users.

Also, should a bus have my name on it and my wife can't remember my password
or has a problem with EFS, or if I get in trouble with EFS for that matter,
I have backups on DVD. I use Microsoft Backup. I would think that is
EFS-aware.

Paul
