Since BitLocker won’t encrypt additional hard drive volumes, whether they’re logical partitions on the same physical disk or additional disks, you must use EFS to encrypt those volumes by selecting all the folders and files from the root.
I said to myself. “Surely this must be wrong, Microsoft would never do anything like that….” So I set about Googling and I discovered that I was in fact, wrong. According to the technical overview of BitLocker on technet (Section 3.4.1):
Volumes other than the operating system volume and the system volume are called “data volumes”. BitLocker encryption of data volumes is only supported in Windows Server “Longhorn” in v1.
We’ve now confirmed that BitLocker only works on the system volume. This makes it completely useless for a huge chunk of corporate America. Why? Because in most companies tend to configure their machines with at least two partitions, a systems partition where all of the OS and software goes and a data partition where all documents, emails and what not are stored. This is done for both ease of backup as well as giving IT the ability to reinstall the operating systems without the worry of overwriting users’ data. Additionally, companies are increasingly giving users external hard drives of one variety or another so that they can do their own backups.
So either companies won’t use BitLocker because it doesn’t give them anything, or worse will deploy BitLocker and think they are protected when they aren’t. I’ve already harassed Adam about this, but I’m curious about why this design decision was made.
Update: Sean from MS provided a link in the comments to the command line magic incantation to enable BitLocker on any NTFS volume. Thanks Sean!