How to Set Up BitLocker Encryption on Windows

BitLocker is a built-in Windows tool that lets you encrypt an entire hard drive for enhanced security. Here is how to set it up.

When TrueCrypt was controversially shut down, its developers recommended that users switch from TrueCrypt to BitLocker or VeraCrypt. BitLocker has been part of Windows long enough to be considered mature, and it is an encryption product generally well regarded by security professionals. In this article we will look at how you can configure it on your PC.

Note: BitLocker Drive Encryption and BitLocker To Go require the Professional or Enterprise edition of Windows 8 or 10, or the Ultimate edition of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a "Device Encryption" feature (also present in Windows 10) that works in much the same way. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who cannot use Device Encryption, and VeraCrypt for people running a Home edition of Windows on hardware where Device Encryption will not work.

Encrypt an entire drive or create an encrypted container?

Many guides talk about creating a BitLocker container that works like the encrypted containers you can create with products such as TrueCrypt or VeraCrypt. That is a bit misleading, but you can get a similar effect. BitLocker works by encrypting entire drives. This can be your system drive, a different physical drive, or a virtual hard disk (VHD) that exists as a file and is mounted in Windows.

The difference is largely semantic. In other encryption products, you usually create an encrypted container and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard disk and then encrypt it. If you want to use a container rather than, for example, encrypting your existing system or storage drive, see our guide to creating an encrypted container file with BitLocker.

For this article, we will focus on enabling BitLocker for an existing physical drive.

How to encrypt a drive with BitLocker

To use BitLocker on a drive, you simply turn it on, choose an unlock method (a password, a PIN, and so on), and then set a few other options. Before we get into that, you should be aware that using BitLocker full-drive encryption on a system drive usually requires a computer with a Trusted Platform Module (TPM) on its motherboard. This chip generates and stores the encryption keys used by BitLocker. If your PC does not have a TPM, you can use Group Policy to allow BitLocker to be used without a TPM. This is somewhat less secure, but still far safer than not using encryption at all.

You can encrypt a non-system drive or a removable drive without TPM and without having to enable the Group Policy setting.

On this note, you should also know that there are two types of BitLocker drive encryption that you can enable:

BitLocker Drive Encryption : Sometimes just called BitLocker, this is a "full disk encryption" feature that encrypts an entire drive. When your computer boots, the Windows boot loader loads from the System Reserved partition and prompts you for your unlock method, such as a password. BitLocker then decrypts the drive and loads Windows. Encryption is otherwise transparent: your files appear as normal on the unlocked system, but they are stored on the disk in encrypted form. You can also encrypt drives other than the system drive.
BitLocker To Go : You can encrypt external drives, such as USB flash drives and external hard drives, with BitLocker To Go. You will be prompted for your unlock method, such as a password, when you connect the drive to your computer. Anyone who does not have the unlock method cannot access the files on the drive.

On Windows 7 through 10, you do not really have to worry about making this choice yourself. Windows handles it behind the scenes, and the interface you use to turn on BitLocker does not look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you will see the BitLocker To Go branding, so it is worth at least knowing the name.

So, with that, let's see how it works.

First step: enable BitLocker for a drive

The easiest way to turn on BitLocker for a drive is to right-click the drive in a File Explorer window and then choose the "Turn on BitLocker" command. If you do not see this option in your context menu, you probably do not have the Pro or Enterprise edition of Windows and will need to look for another encryption solution.

It is as simple as that. The wizard that appears guides you through several options, which we have broken down into the sections that follow.

Step Two: Choose an unlock method

The first screen you will see in the "BitLocker Drive Encryption" wizard lets you choose how to unlock your drive. You can choose from several ways to unlock it.

If you encrypt your system drive on a computer that does not have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for this method (enter a password or plug in your USB key).

If your computer has a Trusted Platform Module, additional options for unlocking the system drive are displayed. For example, you can configure automatic unlock at startup (where your computer retrieves the encryption keys from the TPM and decrypts the disk automatically). You can also use a PIN instead of a password, or even choose biometric options such as a fingerprint.

If you are encrypting a non-system drive or a removable drive, you will see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).

Step Three: Save your Recovery Key

BitLocker provides you with a recovery key that you can use to access your encrypted files if you ever lose your main key, for example if you forget your password, or if the PC with the TPM dies and you need to access the drive from another system.

You can save the key to your Microsoft account, to a USB stick, to a file, or even print it. These options are the same whether you are encrypting a system drive or not.

If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep the key safe: anyone who has access to it could decrypt your drive and bypass the encryption.

You can also back up your recovery key in several ways if you want. Just click on each option you want to use in turn, then follow the instructions. When you have finished saving your recovery keys, click "Next" to continue.

Note: If you encrypt a USB drive or other removable drive, you will not be able to save your recovery key to a USB drive. You can use any of the other three options.

Fourth step: encrypting and unlocking the drive

BitLocker automatically encrypts new files as you add them, but you must choose what happens to the files already on your drive. You can encrypt the entire disk, including free space, or encrypt only the used disk space to speed up the process. These options are also the same whether you are encrypting a system drive or not.

If you are setting up BitLocker on a new PC, encrypt only the used disk space; it is much faster. If you are setting up BitLocker on a PC you have been using for some time, you need to encrypt the entire disk to make sure that nobody can recover deleted files.

When you have made your selection, click on the "Next" button.

Step five: Choose an encryption mode (Windows 10 only)

If you are using Windows 10, you will see an additional screen allowing you to choose an encryption method. If you are using Windows 7 or 8, go to the next step.

Windows 10 introduced a new encryption method called XTS-AES. It offers improved integrity and performance compared to the AES mode used in Windows 7 and 8. If you know that the drive you are encrypting will only be used on Windows 10 PCs, choose the "New encryption mode" option. If you think you may need to use the drive with an older version of Windows at some point (especially if it is a removable drive), choose the "Compatible mode" option.

Whichever option you choose (and again, these are the same for system and non-system drives), click the "Next" button when you are done. On the next screen, click the "Start Encryption" button.

Step Six: Finish

The encryption process can take from a few seconds to a few minutes or even longer, depending on the size of the disk, the amount of data you are encrypting and whether you have chosen to encrypt the free space.

If you are encrypting your system drive, you will be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the "Continue" button, and then restart your computer when prompted. After the PC restarts, Windows begins encrypting the disk.

If you encrypt a non-system or removable drive, Windows does not need to restart and the encryption begins immediately.

Whichever type of drive you encrypt, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue to use your computer while the disk is being encrypted.
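As an added example, not part of the original article, the same six steps driven from an elevated PowerShell prompt with the BitLocker cmdlets that ship with Windows; the drive letters and the backup folder are assumptions, as is the choice to keep the recovery password off the machine rather than in a Microsoft account:

```powershell
# Added example (not from the original article). Run as Administrator.
# Assumptions: C: is the system drive, D: is a separate drive or USB stick
# that will hold the recovery password file, E: is a removable drive.
$SystemDrive  = "C:"
$KeyBackupDir = "D:\BitLockerKeys"

# Step 2 prerequisite: automatic unlock of the system drive needs a ready TPM.
# Without one, use a password/USB-key protector after enabling the
# "Allow BitLocker without a compatible TPM" Group Policy setting.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found on this PC."
}

# Steps 1, 2, 4 and 5: turn on BitLocker with a TPM protector, encrypt only
# the used space (fine for a new PC; drop -UsedSpaceOnly on a well-used one)
# and pick the XTS-AES mode, which only Windows 10 can unlock.
# Without -SkipHardwareTest BitLocker runs the system check and waits for a
# restart before it starts encrypting, just like the wizard in Step 6.
Enable-BitLocker -MountPoint $SystemDrive -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -TpmProtector

# Step 3: add a 48-digit recovery password and save it away from the PC.
$vol = Add-BitLockerKeyProtector -MountPoint $SystemDrive -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
$keyFile = Join-Path $KeyBackupDir "BitLocker-$($env:COMPUTERNAME)-C.txt"
"Key protector ID: $($recovery.KeyProtectorId)`r`nRecovery password: $($recovery.RecoveryPassword)" |
    Set-Content -Path $keyFile

# BitLocker To Go on a removable drive: a password protector and the
# "Compatible mode" cipher (AES-CBC) so older Windows versions can unlock it.
$pw = Read-Host -AsSecureString "Password for removable drive E:"
Enable-BitLocker -MountPoint "E:" -EncryptionMethod Aes256 -PasswordProtector -Password $pw

# Step 6: progress report, equivalent to the system-tray icon.
Get-BitLockerVolume -MountPoint $SystemDrive, "E:" |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus
```

`ProtectionStatus` stays `Off` for the system drive until the post-restart hardware test passes and encryption finishes, so rerun the last command after the reboot to confirm the drive is actually protected.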

Unlocking your drive

If your system drive is encrypted, unlocking it depends on the method you chose (and whether or not your PC has a TPM). If you have a TPM and chose to have the drive unlocked automatically, you will not notice anything different; you will simply boot straight into Windows as always. If you chose another unlock method, Windows prompts you to unlock the drive (by entering your password, connecting your USB key, and so on).

If you have lost (or forgotten) your unlock method, press Esc at the prompt to enter your recovery key instead.

If you have encrypted a non-system or removable drive, Windows prompts you to unlock the drive the first time you access it after starting Windows (or when you connect it to your PC, if it is a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.

In File Explorer, encrypted drives show a gold lock on their icon (left). The lock turns gray and appears open once you have unlocked the drive (right).

You can manage an encrypted drive (change the password, turn off BitLocker, back up your recovery key, or perform other actions) from the BitLocker Drive Encryption window in Control Panel. Right-click an encrypted drive and select "Manage BitLocker" to go directly to that page.

Like all encryption, BitLocker adds some overhead. The official Microsoft BitLocker FAQ says that "Generally it imposes a single-digit percentage performance overhead." If encryption matters to you because you carry sensitive data, such as a laptop full of business documents, it is well worth the performance trade-off.
