Vista disk encryption: very damn fast

Send to a friend Print
Paul Schnackenburg22 August 2006, 2:23 AM

We benchmarked Vista's full-disk encryption with surprising results: the speed drop was very minimal even on a system with an old Pentium 4 2GHz CPU. This could actually be useful, even for personal laptops.


Physical theft of hard drives is a rising problem, both in servers sitting in less-fortified branch offices and in the growing number of corporate laptops that may be lost or stolen.

Microsoft's answer is full-disk encryption in Vista and Longhorn Server, dubbed "BitLocker". The software giant believes IT managers will be prepared to pay good money for this protection.

It's certainly a substantial improvement over the Encrypting File System in Windows Server 2000 and 2003, which only encrypts data files and not the whole drive. BitLocker's full disk encryption makes it impossible to access any data on a drive even if it is taken out and installed in another PC.

But will BitLocker run fast enough to justify the added security, or will it be such a CPU drain that IT managers will think twice before deploying it onto busy servers?

That's what we set out to establish. But first, why you might consider using BitLocker, and how tricky is it to set up?

Configuring BitLocker

There are two ways to configure BitLocker, either using a Trusted Platform Module (TPM) chip on your motherboard (rare today but expected to be commonplace in the next few years) or storing the key on a USB flash drive.

You also need two partitions on your hard drive; the second (smaller, about 1.5 GB) must be set as “active”. At the moment (beta 2 Vista and Longhorn server) BitLocker is a beast to configure, you have to setup the partitions when you install the OS; you can’t do it afterwards. And you have to use the command line tool Diskpart to do it.

This messy configuration will hopefully be remedied in newer releases.

bitlocker1sml.png

Configuring BitLocker it is done in the Control Panel. If you haven’t followed the steps for configuring the partitions during installation all you’ll see is your second partition listed with an “off” next to it. With the right configuration however “Turn on bitlocker” appears and you can proceed through the wizard.

bitlocker2sml.png

If you don’t have a TPM chip have your USB key ready.

bitlocker3sml1.png

The wizard creates a recovery password for you; and a startup key (stored on the USB key).

bitlocker4sml.png

The actual encryption took about 40 minutes on our test PC which had 6.3 GB on C:.

bitlocker5sml.png

If the PC is part of a domain Group Policy can be used to allow or disallow BitLocker. Your BIOS needs to be fairly new if you’re using the USB Key option as Longhorn needs to be able to access it as a drive before the OS starts. If this isn’t the case BitLocker will enter into recovery mode and you’ll have to type the recovery key in manually.

BitLocker6sml.png

The benchmark results

Our test machine was an ageing “server” with a Pentium 4 2GHz with 512 MB memory and a 20 GB PATA 5400 RPM hard drive, running Windows Longhorn Server beta 2. Before enabling BitLocker the hard drive clocked in at 33 MB/s with a 10 ms random access time in the filesystem benchmark in Sisoftware Sandra Lite 2007 SP1.

After BitLocker had encrypted the entire drive the result was 29 MB/s with a 5 ms random access time.

So, although setup today was a real pain, the 12% penalty in disk speed could well be worth it for laptops and sensitive servers.

Of course, performance could actually improve from these figures -- this is still beta software.

LINKS

RELATED ARTICLES


Post your comment



Comments

 RSS feed Email alert

Kon:

How does this compare against a free, open source solution found here - http://www.truecrypt.org/ ?

Truecrypt will encrypt partitions on Windows 2000/XP. Its free and you know there are no back doors as you have access to the source code and can compile it yourself.

Would we good to see some comparitive performance testing with the Vista option.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

Scott:

I too would prefer truecrypt. There is no need to wait for Vista -- you can get disk-level encryption today. It has heaps of options on the type of cipher you want to use. Open source. Can create encrypted volumn on partition or file. Linux support, and Mac support planned.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

SecuritySkeptic:

Existing solutions (e.g., DriveCrypt Plus Pack from www.securstar.com, which I've used for years) do this just as well, just as fast, and with more flexibility. There is nothing special about BitLocker except that it's still beta and you'll never be able to get it for Windows XP!

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

David, CISSP:

Thanks for the article. Also thanks to the reference for truecrypt. I am also looking at the PGP Pro package.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

Paul Schnackenburg:

Thanks Scott, David and Kon for your comments.
While it's certainly true that competing products are out there (and has been for years), either as commercial software or open source, the bottom line is that when MS includes a new technology in their product line more businesses are likely to pay attention. Be aware that I'm talking about businesses here, home tech enthusiasts will find alternative products and usually don't mind spending hours on setting something up.
In the businesses space they're not just looking for the "best" technology, in this case full disk encryption but also for reliability, support and manageability. The fact that you can control Bitlocker with Group Policy is a big drawcard. The fact that you can get support from MS directly for BitLocker is another. IT departments will find it hard to justify selecting a third party product over a built in (in a sense "free") technology.
It's not always the best technology that "prevails" but the one that promises least hassles.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

Hunter Bryce:

Good Point Paul. People do pay for well supported products like bitlocker even if theres better stuff like truecrpypt out there for free. Although I would like to point out that I have used truecrpyt and,from the articles describing the configration hastles of bitlocker, I'd encourage the use of truecrypt to everyone I know. It is really easy to use, and free!!

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

PL:

Truecrypt does not offer true hd encryption with pre-boot authentication.

All it can do is startup within windows and encrypt partitions or separate containers, not the same thing at all.

Drivecrypt PlusPack is the same thing, but that is a commercial solution as well.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

Paul Schnackenburg:

Thanks PL for those comments. I haven't tried either of the mentioned solutions so thanks for clarifying this.
Bitlocker is really intended for the "stolen HDD" scenario (as well as lost laptop). If I take a bitlocked (?) HDD and put it into another PC I won't be able to see anything on that drive.

29 February 2008, 8:28 PM (2 years ago)report abuse Send to a friend reply

A Kookla:

Did you notice that random access seek times were cut in half, from 10 ms to 5 ms?

Isn't that seek times twice as fast, not slower?

29 February 2008, 8:29 PM (2 years ago)report abuse Send to a friend reply

Paul Schnackenburg:

Hi A Kookla,

Yes I did notice that figure. I don't trust Sandra's figures 100% but I did notice the same trend in all my runs of the benchmark. Not quite sure why this is though.
It doesn't really make sense, encrypting the hard drive shouldn't make seek times faster.
I'll check with my colleagues and see if anyone else can come up with an explanation.

29 February 2008, 8:29 PM (2 years ago)report abuse Send to a friend reply

Paul Misner:

Everybody does disk encryption. In an enterprise, you need other things, like management, redundancy, password/key management, and an audit trail. Take a look at Mobile Armor. It's a suite of products that provide full disk and file encryption with centralized management. I have a couple of webcasts at www.smartchive.com that might be of interest.

29 February 2008, 8:29 PM (2 years ago)report abuse Send to a friend reply

Paul Schnackenburg:

Hi Paul,

Thanks for your information. I had a look at your site and watched the video on Mobile Armor. As I said above there certainly are robust third party products out there and this one looks very comprehensive. The fact that it does PDAs and other platforms as well is a strong point.
However I think Bitlocker (as I mentioned above), built into the OS itself will make "whole disk" encryption available to a much larger audience. This will make this technology more adapted in the marketplace.
Bitlocker is controlled by Group Policy, recovery keys can be stored in AD and it takes advantage of TPM if present. Whilst not as comprehensive as Mobile Armor I still think Bitlocker will have it's place in small and medium businesses.

29 February 2008, 8:29 PM (2 years ago)report abuse Send to a friend reply

Not signed in
anonymous user Anonymous user


Tags