Bitlocker FIPS 140-2
Hi

We are looking to deploy Windows 7 very soon. We need to have an encryption programme that is FIPS 140-2 compliant. Am I right in the following assumptions with BitLocker?

1) I need to enable FIPS mode to make it FIPS 140-2 compliant.
2) Once this is turned on, no recovery information can be saved to AD or centrally.
3) This means that the only way to get a user through the pre-boot auth if they forgot their PIN, or if I needed to decrypt the drive, would be to use the recovery key stored on a USB stick?
4) The application that allows users to view files on BitLocker To Go encrypted memory sticks on pre-Win 7 machines is not FIPS compliant?

Thanks in advance
June 22nd, 2011 8:38pm

Hopefully, you can find what you need here: http://technet.microsoft.com/en-us/library/ee449438(WS.10).aspx

Why not use hard drives like these? http://www.seagate.com/www/en-us/products/self-encrypting-drives/

Disable removable storage.
June 24th, 2011 8:55am

Hi R.A.F25,

The BitLocker Drive Encryption feature uses 1280bit AES encryption together with an additional diffuser. When you enable FIPS, BitLocker uses 256-bit AES encryption without a diffuser. Additionally, recovery passwords are not created or backed up to the Active Directory directory service. Therefore, you cannot recover from lost PINs or from system changes by typing in a recovery password at the keyboard. And only members of the Cryptographic Operations group can edit the crypto settings in the IPsec policy of the Windows Firewall.

Please refer to this: The effects of enabling the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" security setting in Windows XP and in later versions of Windows

Regards,
Miya

This posting is provided "AS IS" with no warranties, and confers no rights.
June 25th, 2011 2:00am

We are looking to deploy Windows 7 very soon, we need to have an encryption programme that is FIPS 140-2 compliant. Am I right in the following assumptions with BitLocker?

1) I need to enable FIPS mode to make it FIPS 140-2 compliant

Answer: Enable the FIPS Policy. To use BitLocker in a FIPS-compliant environment, you must enable the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" Group Policy setting, which can be found in the Local Group Policy Editor under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, before turning on BitLocker.

2) Once this is turned on no recovery information can be saved to AD or centrally

Answer: Your understanding is correct. Only Recovery Key and DRA are FIPS compliant. http://technet.microsoft.com/en-us/library/ee706519(WS.10).aspx

3) This means that the only way to get a user through the pre-boot auth if they forgot their PIN or if I needed to decrypt the drive would be to use the recovery key stored on a USB stick?

You can configure the DRA, which is a feature built into Win7. http://blogs.technet.com/b/askcore/archive/2010/10/11/how-to-use-bitlocker-data-recovery-agent-to-unlock-bitlocker-protected-drives.aspx

4) The application that allows users to view files on BitLocker To Go encrypted memory sticks on pre-Win 7 machines is not FIPS compliant?

Answer: You mean BitLocker To Go Reader, which allows you to read encrypted drives on WinXP legacy OS. BitLocker To Go Reader is not a FIPS-compliant application.

I hope this helps.
Manoj Sehgal
June 25th, 2011 10:09am
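An added example, not part of any post in this thread: a PowerShell 2.0 compatible audit that checks whether the FIPS policy is enabled and which key protectors a volume carries, so a recovery password protector left on a FIPS-mode machine stands out. The function names and the `-UseSample` switch are hypothetical, and the sample `manage-bde` output is constructed.

```powershell
param([string]$Volume = 'C:', [switch]$UseSample)

# Registry value behind the "System cryptography: Use FIPS compliant algorithms..." policy
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

# Constructed sample of "manage-bde -protectors -get C:" output (IDs are placeholders)
$Sample = @'
Volume C: []
All Key Protectors

    TPM And PIN:
      ID: {00000000-0000-0000-0000-000000000001}

    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000

    External Key:
      ID: {00000000-0000-0000-0000-000000000003}
      External Key File Name:
        00000000-0000-0000-0000-000000000003.BEK
'@ -split "`r?`n"

function Get-FipsPolicyEnabled {
    $p = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($p -ne $null -and $p.Enabled -eq 1)
}

function Get-ProtectorTypes([string[]]$Lines) {
    # A protector is an indented "Type:" header whose next line is "ID: {guid}"
    $types = @()
    for ($i = 0; $i -lt $Lines.Count - 1; $i++) {
        if ($Lines[$i] -match '^\s+([^:]+):\s*$') {
            $type = $Matches[1].Trim()
            if ($Lines[$i + 1] -match '^\s+ID:\s*\{') { $types += $type }
        }
    }
    return $types
}

# Live mode needs an elevated prompt; -UseSample parses the constructed text above
if ($UseSample) { $lines = $Sample } else { $lines = & manage-bde.exe -protectors -get $Volume }
$fips  = Get-FipsPolicyEnabled
$types = @(Get-ProtectorTypes $lines)
"FIPS policy enabled : $fips"
"Key protectors      : $($types -join ', ')"
if (-not $fips) { "NOTE: enable the FIPS policy before turning on BitLocker." }
if ($fips -and ($types -contains 'Numerical Password')) {
    "WARNING: recovery password protector present; it was likely added before the FIPS policy was enabled."
}
```

With `-UseSample` the script reports three protectors (TPM And PIN, Numerical Password, External Key) regardless of the machine it runs on; only the FIPS flag is read from the local registry.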

Thanks for the replies. I know I can use DRA, but that requires a DRA to be physically present at the machine, which is not going to be possible in most situations.

Thanks for confirming,
Cheers
June 25th, 2011 10:44am

This topic is archived. No further replies will be accepted.
