I think you'd best decrypt Bitlocker files before doing that otherwise Windows will continue to index them after they are gone, assuming it will allow you to shred them in the first place.
When you right-click the Bitlocker encrypted item does the Shred option show?
According to the Help files Shredder won't do "system files" and I would imagine Bitlocker encrypted files are regarded as System files - at least until they are decrypted.
Once decrypted I would imagine the behaviour is as with any normal file or folder.
Remember - once shredded they cannot be retrieved.
- Log on to the computer as Administrator.
- From Control Panel, open BitLocker Drive Encryption.
- To temporarily disable BitLocker by using a clear key, click Suspend Protection and then click Yes. To disable BitLocker permanently, click Turn Off BitLocker and then click Decrypt Drive.
Thanks very much for your reply.
"When you right-click the Bitlocker encrypted item does the Shred option show?"
Supposedly the way BitBlocker works, is that it's "transparent" to the user and to programs. When the volume is "unlocked," you can do anything you would normally do to the contents; they can be edited, copied, moved, and deleted. They drag-and-drop in and out of the protected volume. You can do "properties" on them and so on.
In other words, when you "open" a volume, it doesn't immediately decrypt the entire contents. It transparently decrypts any file or folder when you need it.
I want to know does this include shredding. The only time this is a concern is when you shred the contents of the Recycle Bin. Some content is in ordinary volumes, but other content may be in a protected volume. You don't want to have to decrypt the entire volume just to shred your Recycle Bin.
Thanks very much for your comments. I would like to have a better understanding of this.
I'm afraid the technicalities are all beyond me. I'll try to get someone in the know to explain it better.
By the way, the simple answer to your original question would be yes. If the Shred option is there then it will work. I'm just afraid that Windows keeps tabs on Bitlocker usage and may malfunction or leave you with orphaned shortcuts or something similar.
Peter has asked me to look into this, so I'm going to see if I can get any additional information for you from our Dev team.
Meanwhile, I'd like to verify a couple of things. I assume as per Bitlocker requirements, you have (as you alluded to) at least 2 partitions: the first for the OS and the second one, let's call it "Data", is formatted with NTFS and the entire partition is encrypted?
You are correct, at least as I understand BitLocker, it decrypts on the fly i.e. decrypting and opening individual files as you access them.
You said "no practical reason to shred something within an encrypted volume" - agreed, assuming you're only storing data files on that partition, and haven't set the system to drop temp files etc. on the encrypted volume.
My understanding (to be confirmed) is that Shredder rides "on top of" BitLocker and the file system, allowing shredding of any non-system files that you as a user have access to. IOW, Shredder can't delete anything that you (or more accurately, another user) can't open.
Please reply, letting me know if I've addressed your question(s), and we'll take it from there.
Again, I believe I am correct about the above, but I can double-check along with getting answers to any other questions or concerns.
Thank you for looking into this.
In answer to your questions: There are two disks and 6 partitions on the machine. The first drive (Disk 0) contains the Win7 recovery partition, the Microsoft Reserved Partition (MSR), and the System Partition (C) NTFS. Then, there is an extended partition which contains a user partition (D) NTFS which is unencrypted, and another partition which IS encrypted with BitLocker. And some unused space. The second drive (Disk 1) contains one large NTFS partition which is used for backup and misc purposes. Both drives use MBR partitioning style (not GPT). Although it is possible that the MB may contain UEFI chipsets, it is operating in BIOS mode as far as addressing the disks as MBR style disks.
The reason that I have encrypted an entire partition with BitLocker (and not individual folders) is that when you encrypt an entire partition, Win7 allows you to password protect the partition. If you only encrypt selected folders, BitLocker does not give you the option to use a password; rather, encrypted folders are automatically decrypted when you log in to Windows. Thus, folder-only encryption weakens your protection, in that an adversary who can crack your Windows login password (not a difficult task) will have automatic access to your encrypted folders. Encrypting an entire partition is a much stronger strategy, because even logged-in users still have to provide a password to open the encrypted partition.
I realize that the option exists to encrypt the entire C volume, but this makes the login process more complex, and requires verification at the MB level before booting. It's often desirable to keep the boot process unencrypted in case it's ever necessary to recover from some corruption problem.
The reason that my question remains relevant is simply that Shredding the recycle bin will necessarily attempt to shred anything that had been deleted from an encrypted partition. You can get around this concern simply by always closing the encrypted partition first before shredding your recycle bin, but that requires extra work and extra vigilance, and it would be good to know in advance whether there is any potential conflict. I would just like to be able to shred my Recycle Bin without wondering about it.
I would propose a simple experiment. On a separate (non production) machine, one could create a small Bitlocker Encrypted partition, and then fill it with monitored files, then shred one of them, and see if there is any observed corruption or altering of data in the remaining files. I may or may not find time to perform this experiment. If you could do this in your organization, you might be better equipped and qualified to observe the results.
Again, thank you very much for your attention to this issue. I will be awaiting any results that you might obtain.
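One way to run the experiment proposed above with "monitored" files, as an added PowerShell example that is not part of the thread or of any McAfee tool: it writes a few random files to a test folder on the BitLocker-protected volume, records a SHA-256 baseline, waits while you shred one of them from the context menu, then reports which files went missing or changed. The folder path E:\ShredTest is a placeholder assumption; the script uses .NET classes rather than Get-FileHash so it also runs on the Windows 7 / PowerShell 2.0 setup described in the thread.

```powershell
# Added example: integrity check around a Shredder test on a BitLocker volume.
# Assumes $TestDir is on the unlocked, BitLocker-protected partition (placeholder path).
param([string]$TestDir = "E:\ShredTest", [int]$FileCount = 5)

function Get-Sha256Hex([string]$Path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace("-", "")
}

# Create $Count files of random bytes and return a path -> hash baseline.
function New-MonitoredFiles([string]$Dir, [int]$Count) {
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $baseline = @{}
    for ($i = 1; $i -le $Count; $i++) {
        $path = Join-Path $Dir ("monitored_$i.bin")
        $buf = New-Object byte[] 4096
        $rng.GetBytes($buf)
        [System.IO.File]::WriteAllBytes($path, $buf)
        $baseline[$path] = Get-Sha256Hex $path
    }
    return $baseline
}

# Re-hash every baseline file; a shredded file should show as MISSING, all others intact.
function Compare-Baseline([hashtable]$Baseline) {
    $report = @()
    foreach ($path in $Baseline.Keys) {
        if (-not (Test-Path $path)) { $report += "MISSING  $path"; continue }
        if ((Get-Sha256Hex $path) -ne $Baseline[$path]) { $report += "CHANGED  $path" }
        else { $report += "intact   $path" }
    }
    return $report
}

# Confirm the volume's BitLocker state first (manage-bde ships with Windows 7).
& manage-bde -status $TestDir.Substring(0, 2)

$baseline = New-MonitoredFiles $TestDir $FileCount
Write-Host "Baseline recorded for $($baseline.Count) files in $TestDir."
Write-Host "Right-click ONE of them, choose Shred, then press Enter here."
Read-Host | Out-Null
Compare-Baseline $baseline | ForEach-Object { Write-Host $_ }
```

The expected clean result is exactly one MISSING line and the rest intact; any CHANGED line, or a MISSING file you did not shred, is the kind of side effect the experiment is meant to surface.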