Our primary use case for this solution is encryption. The solution is deployed on-premises.
IT Specialist at ITE Corp
A scalable solution useful for encryption and integration with other solutions
Pros and Cons
- "The ease of administering and integrating the solution is great."
- "The integration between Active Directory and BitLocker could be better."
What is our primary use case?
What is most valuable?
The ease of administering and integrating the solution is great.
What needs improvement?
The product could be improved by simplifying the implementation process and the integration between Active Directory and BitLocker could be better.
For how long have I used the solution?
We have been using this solution for two years and are currently using the latest version.
Buyer's Guide
Microsoft BitLocker
March 2025
Learn what your peers think about Microsoft BitLocker. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,592 professionals have used our research since 2012.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable. Currently, we have approximately 800 users using this solution, and six people are required for maintenance.
How are customer service and support?
We don't have experience with customer service and support.
How was the initial setup?
The initial setup is easy and takes approximately one to two days. A day for implementation and a second day for compliance.
What about the implementation team?
The solution was implemented in-house.
What's my experience with pricing, setup cost, and licensing?
We use the System Center Configuration Manager, which is free. So we don't need a license for BitLocker.
What other advice do I have?
I rate this solution an eight out of ten. The solution is good but can be improved by simplifying the implementation process. I recommend it to people who may not be able to afford high license costs.
Disclosure: My company has a business relationship with this vendor other than being a customer:
Associate at a insurance company with 10,001+ employees
Data protection and encryption solution that offers excellent customer support and performance stability
Pros and Cons
- "Being able to encrypt an entire hard disk has been most valuable."
- "The solution could be improved if it was more user friendly."
Buyer's Guide
Microsoft BitLocker
March 2025
Learn what your peers think about Microsoft BitLocker. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,592 professionals have used our research since 2012.
Info Sec Consultant at Size 41 Digital
Real User
Top 5Mar 13, 2017
Bitlocker - defence in depth
Understanding your responsibilities for disaster recovery at a departmental level can be difficult; IT departments are holistic entities. We deal with systems, people, security, servers and infrastructure... but we also need to think about things at a granular level so we can ready ourselves for when a terrible system failure occurs - it always will.
My problem was that we needed to ensure we had a very basic form of disaster recovery for our staff who were planning an event that gave us the biggest turnover of our year. Okay, so, our staff needed to take business critical information out of the office on something they could access individually. Yes, we could have used cloud storage but the staff needed full portability and access with or without the internet. Not to make a mountain out of a mole hill - USB keys.
I know. USB keys. Oddly they seem very fond of train seats and restaurant chairs because we keep hearing about them being found everywhere with private information on them.I think we're all agreed that - in the wrong hands - USB keys can be a bit of a nightmare. Of course, in the right hands they can be a nifty thing but the password must be strong enough,. It also shouldn't be able to be changed by staff.
Here we have a solution to the problem of securing drives in easy reach - Bitlocker. I literally can't think of an easier product to use. Click. Choose a couple of options or leave them as the default. Save. Done. I’m not underplaying this, it really is simple.
The aim of the game is to provide security against thefts that are spur of the moment, or people finding items that are lost; no-one wants to be the government department that loses a USB key full of people's NI numbers. We need to show due diligence in securing the storage devices that will be leaving the office.
How does it all work?
Bitlocker uses TPM (Trusted Platform Module) but can be used without it via a small change from the sys admin of your org (probably you)
And it really is quite simple:
It comes with a recovery key that the IT dept can keep a hold of in case the password is forgotten.To reiterate, it's included in some Windows software so free. When working for charities this is a great bonus especially if they insist on USB drives even though we all know they are a real risk to info getting out into the open.
So, Bitlocker is designed to secure your drives (even removable ones) in an easy fashion. Does it do that? Yes, very much so. Is it easy to use? I’m not sure they could have made it easier.
Is it secure? Secure enough from situational thieves and unskilled (in hacking) malicious current/ex-staff.
Did I find any bad points? To be honest, no. Job done. Bitlocker for securing drives, especially USB drives that leave the office. If you need something stronger then the drive probably shouldn't be leaving the office in the first place.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Expert at a tech company with 10,001+ employees
Vendor
Aug 20, 2013
IronKey verses BitLocker-To-Go with smart cards (part 1)
This post originally appeared on the Random Oracle blog at https://randomoracle.wordpress.com/2013/03/02/ironkey-verses-bitlocker-to-go-with-smart-cards-part-1/
IronKey is one of the better known examples of “secure flash drive,” a category of products targeted at enterprises and security-conscious users for portable storage with hardware encryption. From a certain perspective, this entire category owes its existence to a failure of smart card adoption in the same target market. All of the functionality of dedicated hardware encryption products can be implemented with equal or better security, at much lower cost and greater flexibility using general purpose smart cards and off-the-shelf software.
Case in point: BitLocker-To-Go (“B2LG” for short) available in Windows 7 and later versions, provides full disk encryption for any old USB drive, with keys managed externally. B2LG is closely related to the original Bitlocker feature introduced in Vista, which protected boot volumes with the help of a trusted platform module. The latter is a more difficult proposition, as booting a modern OS involves several stages, each depending on executing code from the encrypted disk. Maintaining integrity of this code loaded during boot is as much of a concern as confidentiality, because altering the operating system can be an avenue of bypass against disk encryption. By contrast B2LG is concerned strictly with reading data after the OS has been already booted into a steady state.
Context menu on a removable drive, showing the option to enable BitLocker
BL2G can be configured to use either passwords or smart card for encryption:
Choosing between passphrase and smart card, when enabling BitLocker.
The first configuration is susceptible to the usual offline guessing attacks, much like Android disk encryption, because keys are derived from a low-entropy secret chosen by the user. In the second configuration, the bulk-data encryption key is randomly and sealed using a public-key associated with the smart card. Unsealing that to recover the original key can only be done by asking the card to perform a private key operation, which is what smart cards are designed to implement with high security.
PIN dialog during private key operation to unlock a volume protected by BitLocker To Go.
Comparing a USB drive with built-in encryption with B2LG coupled to smart cards card, these solutions achieve similar but not identical, security profiles:
- In both cases, bulk data encryption key is not derived from user-entered PIN or pass-phrase. A key based on “12345678″ is not any more likely than one based on “c8#J2*}ep
- In both cases there is a limit to online guessing attacks by trying different PIN/password choices. For dedicated drives, the retry count is typically fixed by the manufacturer. For BL2G, it depends on the application installed on the card, translating into more flexibility.
- BitLocker defaults to AES with 128-bit keys, along with a home-brew diffuser to emulate a wide-block cipher operating on sectors. Dedicated flash drives typically boast slightly more modern cryptography, with 256-bit AES in standardized XTS mode. (Not that any practical attacks exist against 128-bit keys or the custom diffuser. But one can imagine that manufacturers are caught in a marketing arms race: as soon as one declares support for the wider key length and starts throwing around “256″ as magic number, everyone else is required to follow suit for the sake of parity.)
- For those comforted by external validation, there are many smart cards with FIPS 140 level 3 certification (as well as Common Criteria EAL 5+) in much the same way that many of the drives boast FIPS compliance. Again BL2G provides for greater choice here: instead of being stuck with the specific brand of tamper-resistant hardware the drive manufacturer decided to use, an enterprise or end-user can go with their own trusted card/token model.
- BL2G has better resilience against physical theft: an attacker would have to capture the drive and the card, before they get to worrying about user PIN. If only the drive itself is lost, any data residing there can be rendered useless by destroying the cryptographic keys on the smart card. By contrast a lost IronKey is a permanent liability, just in case the attackers discover the password in the future.
- Neither approach is resilient against local malware. If the drives are unlocked while attached to a compromised machine, all stored data is at risk. Some smart cards can support external PIN entry, in which case local malware can not observe the PIN by watching keystrokes. But this is little consolation, as malware can request the card to perform any operation while connected. Similarly while the IronKey PIN must be collected on PC and subject to interception, there are other models such as Aegis Secure Key with their own integrated PIN pad.
- BitLocker has one convenience feature that may result in weaker configuration. There is an option to automatically unlock drives, implemented by caching the key after successful decryption. Once cached, the smart card is no longer required to access the same drive in the future, because the key is already known. If the user makes an unwise decision to use this feature on a laptop which is stolen (or equivalently, remotely compromised) the persisted key can be used to decrypt the drive. Meanwhile the proprietary software accompanying IronKey does not provide an option to cache passwords. (That said, nothing stops a determined user from saving it to a local file.)
The second part of this post will look at other dimensions, such as performance, cost effectiveness and scaling, where BitLocker & smart card combination enjoys a decisive advantage over dedicated hardware.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT manager at Milan Turinič
A High-Performing Solution to mitigate Unauthorized Data Access on lost or Stolen Computers
Pros and Cons
- "It is an encryption tool and provides security."
- "They can improve the security of the application and include an encryption disk in the next feature."
Manager - ICT at a insurance company with 51-200 employees
Free to use with Windows 10 and easy to set up but needs to be easier to manage
Pros and Cons
- "It's my understanding that the initial setup is straightforward."
- "At the end of it all, we are looking for something that can be easier to manage."
Comes bundled with other Microsoft products, offers good encryption, and is reliable
Pros and Cons
- "It comes bundled with other Microsoft solutions."
- "They should offer better login capabilities that are more secure."
Buyer's Guide
Download our free Microsoft BitLocker Report and get advice and tips from experienced pros
sharing their opinions.
Updated: March 2025
Popular Comparisons
Digital Guardian
ESET Endpoint Encryption
Symantec Endpoint Encryption
McAfee Complete Data Protection
Trend Micro Endpoint Encryption
Voltage SecureData Enterprise
Sophos SafeGuard
Oracle Advanced Security
WinMagic SecureDoc
Check Point Full Disk Encryption Software Blade
ZENworks Suite
Boxcryptor
Fortanix Data Security Manager
Ivanti Device Control
Buyer's Guide
Download our free Microsoft BitLocker Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are Pros and Cons of Microsoft BitLocker?
- What should one take into account when replacing PGP with Microsoft BitLocker?
- How does ESET Endpoint Encryption compare to BitLocker?
- What are the main pros and cons of the various Endpoint Encryption solutions on the market?
- How can I tell if there is encryption on?
- Would you choose Microsoft BitLocker or McAfee Complete Data Protection?
- How does Microsoft BitLocker compare with Symantec Endpoint Encryption?
- Which full disk encryption software should we chose?
- What is the difference between "data protection in transit" vs "data protection at rest"?
- What is the best email encryption software for small enterprises using Office 365?
By Darren Chaker : I would extend full drive encryption for not only USB, but also external drives too. Simply imagine whatever data you have is lost or subject to a competitors possession, and the residual harm that would ensue. Information security must be part of the work environment, and being proactive is the only way to accomplish this.