Thursday 30 August 2012

BitLocker ToGo Encryption for Windows Server 2008 R2

BitLocker ToGo encryption is a new feature that ships with Windows Server 2008 R2 and provides full-volume encryption for removable drives. This is a very useful feature for backups held on removable media: if a backup drive is lost or stolen, the data on it stays encrypted and cannot be read without the password, smart card or recovery key.
Before using BitLocker ToGo, you will need to add the BitLocker feature to Windows Server 2008 R2. From Server Manager, select the server, then click Add Features from the Action menu, which opens the Add Features Wizard. From there, select BitLocker Drive Encryption. This feature covers both the regular BitLocker, designed for fixed drives and able to use a TPM (Trusted Platform Module) to protect the key of the operating system drive, and the new BitLocker ToGo used for removable drives.
To add BitLocker Drive Encryption from PowerShell, run the commands below from an elevated PowerShell command line. A restart is required once the feature has been installed:
Import-Module ServerManager 
Add-WindowsFeature BitLocker
BitLocker ToGo can be managed by double-clicking the BitLocker Drive Encryption icon in the Control Panel. From there, to enable BitLocker ToGo on a removable drive, click Turn On BitLocker beside the drive icon.
The first time BitLocker or BitLocker ToGo is run on the server, you will see a warning message that this can impact performance. Click Yes at this prompt and the BitLocker Drive Encryption Wizard will start.
Firstly, select how to unlock the drive, using either a password or a smart card. Next you will be offered several methods for saving the recovery key; normally it is preferable to use all of them: save it to a file and keep the file safe, and print the recovery key and store the printout in a safe location. Make sure the recovery key is stored where it can be easily accessed when you need it, but never on the drive it protects or alongside the backup media it travels with, because anyone holding the recovery key can unlock the drive without knowing the password.
Once you are confident of proceeding, click Start Encrypting to begin the BitLocker encryption process. Once encryption begins, do not remove the drive until the process is fully complete. If you need to shut down the computer or remove the drive, first pause the encryption. Encrypting a large drive can take a long time, so try to schedule this procedure to impact the minimum number of users. When the drive is fully encrypted, the performance penalty is usually very small and unnoticeable for normal use.
Once the encryption is complete, a padlock icon will be shown on the drive and a Manage BitLocker option will be shown beside it. Clicking Manage BitLocker allows you to change or remove the password, add a smart card for unlocking the drive, save the recovery keys again, or configure the drive to auto-unlock on the current computer. Be aware of what this final option means: the material needed to unlock the drive is kept on the server, so anyone who can log on to the server can read the data on the drive without knowing the password, and the drive is then only as well protected as the server itself.
Finally, when the drive is plugged into any computer, you will be prompted for the unlocking credential, which will be a password or a smart card. You will not be able to use the BitLocker ToGo drive until it has been unlocked. Once the drive has been unlocked on a computer, BitLocker ToGo can be configured to always unlock on that same computer without the need for a password or smart card. (On Windows XP and Windows Vista the drive can only be read, through the BitLocker To Go Reader, and only when it was protected with a password rather than a smart card.)
BitLocker ToGo can be used on any drive that Windows Server 2008 R2 recognizes as removable storage, so USB drives, eSATA drives and FireWire drives are all compatible with BitLocker ToGo.
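The same procedure can be scripted for a server that has no one sitting at the console. The script below is an added example, not code from the original post or from Microsoft; it drives manage-bde.exe (the command-line tool that ships with the BitLocker feature on Windows Server 2008 R2) from an elevated PowerShell prompt, refuses to encrypt anything that is not removable storage, keeps the recovery material off the drive it protects, and waits until encryption has reached 100% before reporting the drive as safe to remove. The drive letter E: and the folder C:\BitLockerKeys are assumptions; change them for your environment.

```powershell
# Added example (not from the original post): turn on BitLocker ToGo for a
# removable drive with manage-bde.exe and verify the result before the drive
# is removed. $Drive and $KeyFolder are assumed values for this example.
$Drive     = 'E:'                 # removable drive to protect (assumption)
$KeyFolder = 'C:\BitLockerKeys'   # recovery material lives off the drive (assumption)

# 1. The BitLocker feature must already be installed (and the server restarted).
Import-Module ServerManager
if (-not (Get-WindowsFeature BitLocker).Installed) {
    throw 'Install the BitLocker feature (Add-WindowsFeature BitLocker) and restart first.'
}

# 2. Only removable storage should get BitLocker ToGo; Win32_LogicalDisk DriveType 2 = removable.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
if ($null -eq $disk)        { throw "Drive $Drive was not found." }
if ($disk.DriveType -ne 2)  { throw "Drive $Drive is not removable (DriveType=$($disk.DriveType))." }

# 3. Never store the recovery key on the drive it protects.
if ($KeyFolder.StartsWith($Drive, [StringComparison]::OrdinalIgnoreCase)) {
    throw 'The recovery key folder must not be on the drive being encrypted.'
}
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null

# 4. Turn on BitLocker with a password protector (manage-bde prompts for the password),
#    a 48-digit recovery password, and an external recovery key file saved to $KeyFolder.
manage-bde -on $Drive -Password -RecoveryPassword -RecoveryKey $KeyFolder
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# 5. Record the key protectors (this includes the numerical recovery password) with the other recovery material.
$letter = $Drive.TrimEnd(':')
manage-bde -protectors -get $Drive | Out-File (Join-Path $KeyFolder "$letter-protectors.txt")

# 6. Do not remove the drive until conversion reaches 100%; poll the status output.
do {
    Start-Sleep -Seconds 30
    $status = manage-bde -status $Drive | Out-String
    $pct = [regex]::Match($status, 'Percentage Encrypted:\s*([\d.]+)').Groups[1].Value
    if ($pct -eq '') { throw "Could not read the encryption status of $Drive (was it removed?)." }
    Write-Host "$Drive encrypted: $pct%"
} while ([double]$pct -lt 100)

# 7. Final check: protection must be on and a recovery password protector must be present.
$status = manage-bde -status $Drive | Out-String
if ($status -notmatch 'Protection Status:\s*Protection On') { throw "Protection is not on for $Drive." }
if ($status -notmatch 'Numerical Password')                 { throw "No recovery password protector on $Drive." }
Write-Host "$Drive is fully encrypted and protected. Keep $KeyFolder off the drive and off the same backup set."
```

If the server must be shut down while encryption is still running, use manage-bde -pause followed later by manage-bde -resume rather than pulling the drive. The script deliberately does not run manage-bde -autounlock -enable: auto-unlock is a convenience that makes the drive readable to anyone who can log on to the host, so enable it only when that trade-off is acceptable.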
