One of the great features of Windows Vista is BitLocker. This allows you to encrypt the system volume and store the keys either on a Trusted Platform Module (TPM) or on a USB fob. This provides a degree of protection for the data on your mobile PC should it be lost or stolen. Personally I've never lost a laptop or a tablet but for enterprises this actually happens with alarming regularity.
In Windows 7, in addition to being able to encrypt the system volume, you can encrypt other volumes as well. This will appeal to lots of organisations that persist in having standard operating environments for laptops that have an OS partition and a Data partition.
However, Windows 7 takes the BitLocker concept a bit further and addresses another major source of potential data leakage - USB thumb drives. I selected one of my spares to experiment with.
Encrypting a USB drive with BitLocker is fairly easy. You get the option of securing the drive with a smart card or with a pass phrase. I selected the latter. You can encrypt a drive with data already on it, without losing anything.
Now that my USB drive is encrypted, when I plug it into a Windows 7 machine I get a dialogue that prompts me for a pass phrase. Once the pass phrase is entered, you can just use the drive as you would normally.
To see what would happen I tried plugging the USB drive into Windows Vista machines, Windows XP machines and even a Linux machine. With the default settings on the Windows machines the drive appears to have no files on it, but if you check the properties of the drive it is also full. This seems a bit weird until you turn on the setting in Explorer that shows hidden files. This reveals that the whole drive is filled. There is one really big file, a couple of smaller files and a whole bunch of 0 byte files. Working with one of our security gurus at work, we cracked open a couple of these files with various editors, but they were just gibberish, as you would expect.
All of that is really great - but often the people who should be encrypting their thumb drives would never bother. The good news is that, according to Mark Minasi, Windows 7 is going to have a number of Group Policies for the enhanced group policy. Organisations will even be able to prevent writing to a drive unless it is encrypted. Check out Mark's slides from TechEd Barcelona for more great Windows 7 tips.