Sunday, January 30, 2011

My BitLocker Moment of Panic

Back in October 2010, when I joined Microsoft, I received my shiny (well, matte) new laptop. Security is of paramount importance around here, and I had to enable BitLocker, included with Windows 7 Ultimate. The encryption process was actually painless. I saw minimum performance degradation, and the only (minor) annoyance was the bootup workflow, which requires a PIN to be entered prior to Windows booting.

Fast-forward 2 months: I decided it was time for a performance boost, so I picked up a 256GB Kingston SSD drive. It came with a copy of Acronis’ disk-cloning software, which made the transfer extremely easy. I contacted Microsoft IT Tech Support before doing the transfer, to see if there were any known caveats; the only thing they suggested was removing encryption prior to cloning. So I did, and the cloning went smoothly. I was back up and running with my new drive in about 2 hours, with BitLocker re-applied.

So there I was, with my new SSD. I was set for Blazing Speed. After 2 weeks, I was only seeing a moderate improvement, certainly not worthy of the high cost of the drive (my disk performance index jumped from about 5.4 to around 5.7). So I went hunting for SSD optimization information. Thanks to a tweet by Brian Prince, I found a few good tips like disabling SuperFetch (which I did), updating the controller driver (which I did), and updating the BIOS (I held off).

So… what about the panic???

My performance index was now at 6.8, with a very noticeable performance improvement. But I wanted more, so I decided to update my BIOS. And that, my friends, did not go as planned.

The BIOS upgrade itself was easy, thanks to Lenovo’s updater tool. It then told me to reboot, which I did. I was taken to the BitLocker PIN Entry screen, and I entered my secret key.  But then… BitLocker told me that something on my computer changed since last booting, and that I needed to enter my recovery key. Oh, you mean that key on my USB drive? That key from when I encrypted my original drive?

Yes, that’s right, I had not backed up my new key after re-encrypting. At this point, I was unable to boot. I was, um, toast.


I know what you’re thinking: Just restore from a backup. Easy enough: I had one handy: my old drive, which had the OS relatively current. And my working files were all backed up to offsite storage. However, I kept thinking there was Some Important File I hadn’t backed up.

On a whim, I decided to download the previous BIOS version from Lenovo. I created a bootable CD on another computer, and booted up. Interestingly, the DOS version of the BIOS updater gave a stern warning a about updating BIOS firmware when BitLocker is enabled (the Windows version has no such warning). I down-rev’d, rebooted, and… just like magic, I was able to boot once again into my SSD.

Lessons Learned

Maybe you’re way smarter than me and will never make this mistake, but I thought it be worth pointing out the obvious anyway:

  • When encrypting with BitLocker, always create a recovery disk afterward.
  • When updating BIOS firmware, be sure to suspend BitLocker prior to the update (you don’t need to unencrypt; you just need to suspend BitLocker).
  • Prior to any type of system update when BitLocker is enabled, be sure to have a backup handy, just in case.

1 comment: