How to Set Up BitLocker Encryption on Windows

BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Heres how to set it up.

When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to using BitLocker or Veracrypt. BitLocker has been around in Windows long enough to be considered mature, and is anencryption product generally well-regarded by security pros. In this article, were going to talk about how you can set it up on your PC.

RELATED: Should You Upgrade to the Professional Edition of Windows 10?

Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a Device Encryption feature(a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who cant use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption wont work.

Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or Veracrypt. Its a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.

RELATED: How to Create an Encrypted Container File With BitLocker on Windows

The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If youd like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.

For this article, were going to concentrate on enabling BitLocker for an existing physical drive.

RELATED: How to Use BitLocker Without a Trusted Platform Module (TPM)

To use BitLocker for a drive, all you really have to do is enable it, choose an unlock methodpassword, PIN, and so onand then set a few other options. Before we get into that, however, you should know that using BitLockers full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PCs motherboard. This chip generates and store the encryption keys that BitLocker uses. If your PC doesnt have a TPM, you can use Group Policy to enable using BitLocker without a TPM. Its a bit less secure, but still more secure than not using encryption at all.

You can encrypt a non-system drive or removable drive without TPM and without having to enable the Group Policy setting.

On that note, you should also know that there are two types of BitLocker drive encryption you can enable:

In Windows 7 through 10, you really dont have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface youll use to enable BitLocker doesnt look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, youll see the BitLocker to Go branding, so we figured you should at least know about it.

So, with that out of the way, lets go over how this actually works.

The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the Turn on BitLocker command. If you dont see this option on your context menu, then you likely dont have a Pro or Enterprise edition of Windows and youll need to seek another encryption solution.

Its just that simple. The wizard that pops up walks you through selecting several options, which weve broken down into the sections that follow.

The first screen youll see in the BitLocker Drive Encryption wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.

If youre encrypting your system drive on a computer thatdoesnt have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).

RELATED: How to Enable a Pre-Boot BitLocker PIN on Windows

If your computer does have a TPM, youll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could alsouse a PIN instead of a password, or even choose biometric options like a fingerprint.

If youre encrypting a non-system drive or removable drive, youll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).

BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main keyfor example, if you forget your password or if the PC with TPM dies and you have to access the drive from another system.

You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether youre encrypting a system or non-system drive.

If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safeif someone gains access to it, they could decrypt your drive and bypass encryption.

You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When youre done saving your recovery keys, click Next to move on.

Note: If youre encrypting a USB or other removable drive, you wont have the option of saving your recovery key to a USB drive. You can use any of the other three options.

BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire driveincluding the free spaceor just encrypt the used disk files to speed up the process. These options are also the same whetheryoure encrypting a system or non-system drive.

RELATED: How to Recover a Deleted File: The Ultimate Guide

If youre setting up BitLocker on a new PC, encrypt the used disk space onlyits much faster. If youre setting BitLocker up on a PC youve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.

When youve made your selection, click the Next button.

If youre using Windows 10, youll see an additional screen letting you choose an encryption method. If youre using Windows 7 or 8, skip ahead to the next step.

Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive youre encrypting is only going to be used on Windows 10 PCs, go ahead and choose the New encryption mode option. If you think you might need to use the drive with an older version of Windows at some point (especially important if its a removable drive), choose the Compatible mode option.

Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the Next button when youre done, and on the next screen, click the Start Encrypting button.

The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data youre encrypting, and whether you chose to encrypt free space.

If youre encrypting your system drive, youll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the Continue button, and then restart your PC when asked.After the PC boots back up for the first time, Windows encrypts the drive.

If youre encrypting a non-system or removable drive, Windows does not need to restart and encryption begins immediately.

Whatever type of drive youre encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encryptedit will just perform more slowly.

If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you wont notice anything differentyoull just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).

RELATED: How to Recover Your Files From a BitLocker-Encrypted Drive

And if youve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.

If youve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if its a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.

In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).

You can manage a locked drivechange the password, turn off BitLocker, back up your recovery key, or perform other actionsfrom the BitLocker control panel window. Right-click any encrypted drive, and then select Manage BitLocker to go directly to that page.

Like all encryption, BitLocker does add some overhead. Microsofts official BitLocker FAQ says that Generally it imposes a single-digit percentage performance overhead. If encryption is important to you because you have sensitive datafor example, a laptop full of business documentsthe enhanced security is well worth the performance trade-off.

Read more:
How to Set Up BitLocker Encryption on Windows

Related Post

Comments are closed.