BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Here’s how to set it up.
When TrueCrypt controversially closed up shop, its developers recommended that users transition away from TrueCrypt to BitLocker or VeraCrypt. BitLocker has been around in Windows long enough to be considered mature, and is an encryption product generally well-regarded by security professionals. In this article, we’re going to talk about how you can set it up on your PC.
Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a “Device Encryption” feature (a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who can’t use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption won’t work.
Encrypt an Entire Drive or Create an Encrypted Container?
Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or VeraCrypt. It’s a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.
The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If you’d like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.
For this article, we’re going to focus on enabling BitLocker for an existing physical drive.
How to Encrypt a Drive with BitLocker
To use BitLocker for a drive, all you really have to do is enable it, choose an unlock method—password, PIN, and so on—and then set a few other options. Before we get into that, however, you should know that using BitLocker’s full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PC’s motherboard. This chip generates and stores the encryption keys that BitLocker uses. If your PC doesn’t have a TPM, you can use Group Policy to enable using BitLocker without a TPM. It’s a bit less secure, but still more secure than not using encryption at all.
You can encrypt a non-system drive or removable drive without a TPM and without having to enable the Group Policy setting.
On that note, you should also know that there are two types of BitLocker drive encryption you can enable:
- BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that encrypts an entire drive. When your PC boots, the Windows boot loader loads from the System Reserved partition, and the boot loader prompts you for your unlock method—for example, a password. BitLocker then decrypts the drive and loads Windows. The encryption is otherwise transparent—your files appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives than just the system drive.
- BitLocker To Go: You can encrypt external drives—such as USB flash drives and external hard drives—with BitLocker To Go. You’ll be prompted for your unlock method—for example, a password—when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.
In Windows 7 through 10, you really don’t have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface you’ll use to enable BitLocker doesn’t look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you’ll see the BitLocker To Go branding, so we figured you should at least know about it.
So, with that out of the way, let’s go over how this actually works.
Step One: Enable BitLocker for a Drive
The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the “Turn on BitLocker” command. If you don’t see this option on your context menu, then you likely don’t have a Pro or Enterprise edition of Windows and you’ll need to seek another encryption solution.
It’s just that simple. The wizard that pops up walks you through selecting several options, which we’ve broken down into the sections that follow.
Step Two: Choose an Unlock Method
The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.
If you’re encrypting your system drive on a computer that doesn’t have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).
If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.
If you’re encrypting a non-system drive or removable drive, you’ll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).
Step Three: Back Up Your Recovery Key
BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main key—for example, if you forget your password or if the PC with the TPM dies and you have to access the drive from another system.
You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether you’re encrypting a system or non-system drive.
If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safe—if someone gains access to it, they could decrypt your drive and bypass encryption.
You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When you’re done saving your recovery keys, click “Next” to move on.
Note: If you’re encrypting a USB or other removable drive, you won’t have the option of saving your recovery key to a USB drive. You can use any of the other three options.
Step Four: Encrypt and Unlock the Drive
BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire drive—including the free space—or just encrypt the used disk files to speed up the process. These options are also the same whether you’re encrypting a system or non-system drive.
If you’re setting up BitLocker on a new PC, encrypt the used disk space only—it’s much faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.
When you’ve made your selection, click the “Next” button.
Step Five: Choose an Encryption Mode (Windows 10 Only)
If you’re using Windows 10, you’ll see an additional screen letting you choose an encryption method. If you’re using Windows 7 or 8, skip ahead to the next step.
Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive you’re encrypting is only going to be used on Windows 10 PCs, go ahead and choose the “New encryption mode” option. If you think you might need to use the drive with an older version of Windows at some point (especially important if it’s a removable drive), choose the “Compatible mode” option.
Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the “Next” button when you’re done, and on the next screen, click the “Start Encrypting” button.
Step Six: Finishing Up
The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data you’re encrypting, and whether you chose to encrypt free space.
If you’re encrypting your system drive, you’ll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the “Continue” button, and then restart your PC when asked. After the PC boots back up for the first time, Windows encrypts the drive.
If you’re encrypting a non-system or removable drive, Windows doesn’t need to restart and encryption begins immediately.
Whatever type of drive you’re encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encrypted—it will just perform more slowly.
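The wizard steps above can also be scripted with the cmdlets in the Windows BitLocker PowerShell module. This is an added example, not part of the original article; it covers only a non-system data drive with a password unlock, and the parameter names and the E: default are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the wizard's choices for a NON-system drive.
# Parameter names and the E: default are assumptions for illustration.
param(
    [string]$MountPoint = 'E:',
    [switch]$CompatibleMode,   # drive must be readable on pre-Windows 10 systems
    [switch]$UsedSpaceOnly     # faster; suited to a new, empty drive
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); refusing to change it."
}

# Step Five: "New encryption mode" (XTS-AES) or "Compatible mode" (AES-CBC).
$method = if ($CompatibleMode) { 'Aes128' } else { 'XtsAes128' }

# Step Two: password unlock, read as a SecureString so it is never echoed.
$password = Read-Host -AsSecureString -Prompt "Unlock password for $MountPoint"

# Steps One and Four: turn BitLocker on and start encrypting.
$enableParams = @{
    MountPoint        = $MountPoint
    EncryptionMethod  = $method
    PasswordProtector = $true
    Password          = $password
    UsedSpaceOnly     = $UsedSpaceOnly.IsPresent
}
Enable-BitLocker @enableParams | Out-Null

# Step Three: add a recovery password so a forgotten password is not fatal.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
    Out-Null

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) { throw "No recovery protector on $MountPoint." }

# Record this somewhere other than the encrypted drive itself.
Write-Host "Recovery key ID : $($recovery.KeyProtectorId)"
Write-Host "Recovery key    : $($recovery.RecoveryPassword)"

# Step Six: progress and the settings actually in effect.
$vol | Select-Object MountPoint, VolumeStatus, EncryptionPercentage,
    EncryptionMethod, ProtectionStatus
```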
Unlocking Your Drive
If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you won’t notice anything different—you’ll just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).
And if you’ve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.
If you’ve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if it’s a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.
In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).
You can manage a locked drive—change the password, turn off BitLocker, back up your recovery key, or perform other actions—from the BitLocker control panel window. Right-click any encrypted drive, and then select “Manage BitLocker” to go straight to that page.
Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data—for example, a laptop full of business documents—the improved security is well worth the performance trade-off.