You can mount a VHD image file as a drive letter and then encrypt the contents of that VHD with BitLocker. This allows multiple users to share a computer and use BitLocker to keep their files secret from each other. When a VHD file using BitLocker is backed up or copied to a plaintext USB drive, the VHD file stays encrypted, which is not true of the files on a volume using whole-drive encryption. If you copy the VHD file to a portable drive, the portable drive can stay in plaintext while the contents of the VHD file remain BitLocker-encrypted, which is nice when you also need some regular plaintext portable storage. You can conveniently mount/unmount VHD drives from within Windows Explorer or from the command line. The following will show you how to do it.
To create a BitLocker VHD drive, you must have Windows 7 Enterprise or Ultimate, Windows Server 2008-R2, or later operating systems. (Home and Professional editions of Windows 7 cannot be used to create BitLocker To Go drives, but they can use such drives after they are created on another system.)
You will likely want to install the free VHD Attach utility. It isn't absolutely required, but it makes working with VHD drives much more convenient. With this utility you can simply right-click a VHD file to attach (mount) or detach (unmount) it as a drive letter.
Download and install the free VHD Attach utility, if you wish to use it (recommended).
In the Administrative Tools folder of the Start Menu, go to Computer Management > Storage > right-click Disk Management > Create VHD. Create a VHD file larger than 64MB in size.
Scroll down in Disk Management, find the new disk > right-click its box (left side) > Initialize Disk > OK > right-click the disk's partition area (right side) > New Simple Volume > follow the wizard to format the volume using NTFS or one of the FATs (NTFS preferred).
In Windows Explorer, right-click the new drive > Turn On BitLocker. Encrypt the VHD drive with BitLocker To Go in the regular way with a passphrase or smart card. Remember not to store the recovery key file on the same computer as the VHD drive!
(Optional) In Windows Explorer, right-click the new drive > Manage BitLocker > Automatically Unlock This Drive On This Computer. This protects the BitLocker VHD drive with your desktop logon credentials. If you want to be prompted for your BitLocker passphrase whenever you first attach the VHD drive, do not select this option (perhaps because others know your logon password).
In Windows Explorer, if you installed the VHD Attach utility, find the VHD file on the host hard drive (probably C:) > right-click the VHD file > select Detach/Attach/Open. Detach will unmount the drive letter. Attach will mount the VHD file as a drive and then you'll be prompted for your BitLocker passphrase or smart card (or neither, if you enabled the Automatic Unlock feature). Open will show information about the VHD drive such as sector size, volume identifier, vendor ID, etc.
The VHD Attach utility installs a binary named VhdAttachExecutor.exe. It supports two command-line switches: /attach vhdfilepath and /detach vhdfilepath. These can be used in custom scripts or desktop shortcuts to simplify the use of VHD drives. You can also use the built-in DISKPART.EXE tool, but it is much less convenient.
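The steps above, scripted with the built-in DISKPART.EXE and manage-bde.exe instead of the GUI, as an added example that is not part of the original post. The VHD path, size, drive letter and recovery-key folder are placeholders, and the Invoke-DiskPart, Mount-Vault and Dismount-Vault functions are hypothetical helpers written for this example; it assumes an elevated PowerShell prompt on Windows 7 Enterprise/Ultimate or later.

```powershell
# Added example (not from the original post): create, format and BitLocker-encrypt
# a VHD with DISKPART.EXE and manage-bde.exe, then attach/detach it on demand.
$VhdPath        = 'C:\Vaults\secret.vhd'   # placeholder path
$SizeMB         = 1024                     # must be larger than 64 MB for BitLocker
$Letter         = 'V'                      # drive letter for the mounted VHD
$RecoveryKeyDir = 'E:\'                    # removable drive, NOT the host disk

# Hypothetical helper: run a list of DISKPART commands from a temporary script file
function Invoke-DiskPart {
    param([string[]]$Commands)
    $script = [IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $script -Encoding ASCII
    & diskpart.exe /s $script | Out-Null
    Remove-Item $script
}

# 1. Create the VHD, partition it, format it NTFS and mount it as $Letter
Invoke-DiskPart @(
    "create vdisk file=`"$VhdPath`" maximum=$SizeMB type=expandable",
    "select vdisk file=`"$VhdPath`"",
    "attach vdisk",
    "create partition primary",
    "format fs=ntfs quick label=`"Vault`"",
    "assign letter=$Letter"
)

# 2. Turn on BitLocker To Go with a passphrase (-pw prompts for it interactively).
#    The recovery key is written to removable media, never onto the host disk.
& manage-bde.exe -on "${Letter}:" -pw -rk $RecoveryKeyDir

# Optional: unlock with the desktop logon; skip this if others know your password.
# & manage-bde.exe -autounlock -enable "${Letter}:"

# 3. Detach / re-attach helpers for shortcuts or scripts (the DISKPART equivalent
#    of VhdAttachExecutor.exe /detach and /attach). On another host the drive
#    letter may differ; check with manage-bde -status before unlocking.
function Dismount-Vault {
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "detach vdisk")
}
function Mount-Vault {
    Invoke-DiskPart @("select vdisk file=`"$VhdPath`"", "attach vdisk")
    & manage-bde.exe -unlock "${Letter}:" -pw   # prompts unless auto-unlock is on
}

# Confirm encryption progress and that protection is on
& manage-bde.exe -status "${Letter}:"
```

Encryption continues in the background after manage-bde -on returns; wait for -status to report 100% before copying the VHD file elsewhere.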
If you want to try to conceal the fact that you have a BitLocker-encrypted VHD file, keep in mind that VHD files have a binary signature which can be scanned for and identified. However, you might try this: 1) install the VHD Attach tool on another computer, 2) copy the VHD Attach program files to a flash drive, 3) create a BitLocker-encrypted VHD file on the desired machine, 4) detach or unmount the VHD drive, 5) rename the VHD file and its filename extension to something which will not draw attention, e.g., a paging file, memory dump, temp file, etc., perhaps moving and hiding the file as well, 6) use a shortcut or batch script on the flash drive to run VhdAttachExecutor.exe to mount the renamed VHD file when desired.
Keep in mind that installing the VHD Attach tool modifies the registry, and so does running the tool, even from a flash drive, so you cannot easily conceal its usage. Mounting VHD drives also leaves forensic traces that are difficult or impossible to erase. Your custom attachment script on the flash drive would have to try to scrub these traces. Hence, the above concealment steps are just for a bit of weak obscurity.
Other BitLocker Tricks: RAM Disks and Virtual Machines
And for inquiring minds that want to know, the answer is: Yes, you can use BitLocker to encrypt a RAM disk, at least with Dataram's RAMDisk freeware (I haven't tried it with any other products). Why you would do this is another question, but there are creative uses for the restless...
You can also use BitLocker inside a virtual machine to encrypt the boot partition (the partition holding the Windows folder in the VM), but you'll need to turn off BitLocker's default TPM requirement in the VM first. The hard part is getting your VM software to mount the USB flash drive with the BitLocker key during boot-up; if you can't get your VM to do this, you'll have to type in the BitLocker recovery PIN each time you reboot the VM (resuming a suspended VM, as opposed to rebooting, does not prompt for the recovery PIN, if you really want to play around with this "feature"). Encrypting the VM's files on the host OS with EFS is possible too and certainly less of a hassle.
And of course you can also encrypt a physical USB drive mounted from within a virtual machine, then move that USB drive around to other physical and virtual machines running Windows 7/2008-R2 or later.
Finally, if you install Microsoft's System Center Virtual Machine Manager (VMM), you will get PowerShell support for managing (and mounting) VHD files from the command line and from within your scripts too.
A common question is "How can I use BitLocker to keep my files secure from other people who share my computer?" Using BitLocker-encrypted VHD files is one possibility. But you should also investigate the NTFS Encrypting File System (EFS), which also supports smart card key storage, encryption of external USB drives, and encryption of VHD files with or without BitLocker. All this is covered in the six-day Securing Windows track (SEC505) at SANS, of course. Good luck!