BitLocker: how to use this Windows encryption tool to protect your data


If you lose your PC or have it stolen, replacing it will cost you dearly. Still, that is nothing compared to what you could lose if whoever ends up with your device gains access to all of your data. Even if they fail to log into your Windows account, they can simply boot from an external device and browse the contents of the system disk with impunity.

The best way to prevent this nightmare from becoming a reality is to encrypt the entire device, so its contents are only accessible to you or someone with the recovery key.

Good news: Windows 10 and Windows 11 both have tools to help you do this. So here’s how to make sure your data is protected.

BitLocker

All editions of Windows 10 and Windows 11 include 128-bit XTS-AES device encryption options, strong enough to protect against the most determined attacks. Using management tools, you can increase the encryption strength to XTS-AES 256-bit.

On modern devices, the encryption code also performs pre-boot system integrity checks, which detect attempts to bypass the bootloader.

BitLocker is the brand name used by Microsoft for encryption tools available in professional editions of Windows (desktop and server). A limited, but still effective subset of BitLocker device encryption features is also available in the Home editions of Windows 10 and Windows 11.

1. What hardware is required to use BitLocker?

The primary hardware feature required to support BitLocker Device Encryption is a Trusted Platform Module, or TPM, chip. The device must also support the Modern Standby feature (formerly known as InstantGo).

Virtually all devices originally manufactured for Windows 10 meet these requirements. All devices compatible with Windows 11, without exception, meet them.

2. How does BitLocker work?

On all devices that meet the BitLocker hardware requirements (see previous section for details), device encryption is automatically enabled. Windows Setup automatically creates the necessary partitions and initializes encryption on the operating system drive with a plaintext key. To complete the encryption process, you must perform one of the following steps:

  • Sign in using a Microsoft account that has administrator rights on the device. This action removes the clear (plaintext) key, uploads a recovery key to the user’s OneDrive account, and encrypts the data on the system drive. Note that this process happens automatically and works on any edition of Windows 10 or Windows 11.
  • Sign in using an Active Directory account on a Windows domain or an Azure Active Directory (AAD) account. Either of these configurations requires a professional edition of Windows 10 or Windows 11 (Pro, Enterprise, or Education), and the recovery key is saved in a location accessible to the domain or AAD administrator.
  • If you sign in using a local account on a device running a Professional edition of Windows 10 or Windows 11, you must use the BitLocker management tools to enable encryption on the available drives.

On self-encrypting drives that support hardware encryption, Windows will offload the work of encrypting and decrypting data to the drive’s hardware. Note that a vulnerability in this feature, first disclosed in November 2018, could expose data under certain circumstances. In these cases, you will need a firmware upgrade for the SSD; on older drives where this upgrade is not available, you can switch to software encryption by following the instructions in this security advisory from Microsoft.

Note that Windows 10 and Windows 11 still support the much older Encrypting File System (EFS) feature. It is a file- and folder-based encryption system that was introduced with Windows 2000. For virtually all modern hardware, BitLocker is the superior choice.

3. How to manage BitLocker encryption?

In most cases, BitLocker is a set-and-forget feature. Once you enable disk encryption, it requires no maintenance. However, you can use tools built into the operating system to perform various management tasks.

The simplest tools are available in the Windows GUI, but only if you’re using the Pro or Enterprise editions. Open File Explorer, right-click a drive icon, and click Manage BitLocker. This opens a page that allows you to turn BitLocker on or off. If the feature is already enabled for the system drive, you can temporarily suspend encryption or back up your recovery key from this page. You can also manage encryption on removable drives and secondary internal drives. On a system running the Home edition of Windows, you will find an activation button in Settings. In Windows 10, look under Update & security > Device encryption. In Windows 11, this setting is found under Privacy and Security > Device Encryption. A warning message is displayed if device encryption has not been enabled by signing in to a Microsoft account.

To get a much broader set of tools, open a command prompt and use one of the two built-in BitLocker administration tools, manage-bde or repair-bde, with one of the available switches. The simplest and most useful of them is manage-bde -status, which displays the encryption status of all available drives. Note that this command works on all editions, including Windows 10 and Windows 11 Home.

For a full list of switches, type manage-bde -? or repair-bde -?

Finally, Windows PowerShell includes a comprehensive set of BitLocker cmdlets. Use Get-BitLockerVolume, for example, to find out the status of all fixed and removable drives in the current system. For a complete list of available BitLocker cmdlets, see the BitLocker PowerShell documentation page.
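As an added example (not code from the article or from Microsoft), the following PowerShell audit builds on Get-BitLockerVolume and Get-Tpm to report the same facts as manage-bde -status, but as objects you can filter: unencrypted volumes, volumes whose protection is suspended (which leaves the clear key on disk), non-XTS encryption methods, volumes with no recovery password protector, and an OS volume with no TPM-based protector. It assumes a Pro, Enterprise or Education edition with the built-in BitLocker and TrustedPlatformModule modules; the list of "accepted" encryption methods is this example's own policy, not a Microsoft default.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit local BitLocker state.
# Assumes the built-in BitLocker and TrustedPlatformModule modules.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # Constructed policy: treat only XTS-AES as acceptable, as the article recommends.
        [string[]] $AcceptedMethods = @('XtsAes128', 'XtsAes256')
    )

    # A ready TPM is what lets the OS drive unlock without a PIN or startup key.
    $tpmState = 'unknown'
    try {
        $tpm = Get-Tpm
        $tpmState = if ($tpm.TpmPresent -and $tpm.TpmReady) { 'ready' }
                    elseif ($tpm.TpmPresent) { 'present, not ready' }
                    else { 'absent' }
    } catch {
        Write-Warning "Get-Tpm failed: $($_.Exception.Message)"
    }

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $method   = $vol.EncryptionMethod.ToString()
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings.Add('not encrypted')
        } else {
            if ($vol.ProtectionStatus -ne 'On') {
                # Encrypted but suspended: the volume key is stored on disk in the clear.
                $findings.Add("protection is $($vol.ProtectionStatus) (clear key on disk)")
            }
            if ($method -notin $AcceptedMethods) {
                $findings.Add("method $method is not in the accepted list")
            }
            if ('RecoveryPassword' -notin $protectorTypes) {
                $findings.Add('no recovery password protector: nothing to type at a recovery prompt')
            }
            $hasTpmProtector = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })
            if ($vol.VolumeType -eq 'OperatingSystem' -and -not $hasTpmProtector) {
                $findings.Add("OS volume has no TPM-based protector (TPM: $tpmState)")
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Type       = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Percent    = $vol.EncryptionPercentage
            Protection = $vol.ProtectionStatus
            Method     = $method
            Protectors = ($protectorTypes -join ',')
            Findings   = ($findings -join '; ')
        }
    }
}

# Usage: show every volume, then warn about the ones that need attention.
$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize
$audit | Where-Object { $_.Findings } |
    ForEach-Object { Write-Warning "$($_.MountPoint) $($_.Findings)" }
```

Run it from an elevated PowerShell session; the Findings column is empty for a volume that is fully encrypted with XTS-AES, protected, and has a recovery password on record.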

4. How do I register and use a BitLocker recovery key?

Under normal circumstances, your drive is unlocked automatically when you log into Windows using an account authorized for that device. If you try to access the system in another way, such as by booting from a Windows 10 or Windows 11 installation drive or a Linux-based USB boot drive, you will be prompted for a recovery key before you can access the drive. You may also be prompted for a recovery key if a firmware update has changed the system in a way that the TPM does not recognize.

As a system administrator of an organization, you can use a recovery key (manually or with the help of management software) to access data on any device belonging to your organization, even if the user is no longer part of the organization.

The recovery key is a 48-digit number that unlocks the encrypted drive under these circumstances. Without this key, the disk data remains encrypted. If your goal is to reinstall Windows to recycle a device, you can avoid entering the key and the old data will be completely unreadable after the installation is complete.

Your recovery key is automatically stored in the cloud if you have enabled device encryption with a Microsoft account. To find the key, go to https://onedrive.com/recoverykey and sign in with the associated Microsoft account. Good to know: this option works on a mobile phone. Expand any device’s listing to see additional details and an option to delete the saved key.

If you enabled BitLocker encryption by linking your Windows 10 or Windows 11 device to an Azure AD account, you’ll find the recovery key in your Azure AD profile. Go to Settings > Accounts > Your information and click on Manage my account. If you’re using a device that isn’t registered in Azure AD, go to https://account.activedirectory.windowsazure.com/profile and sign in with your Azure AD credentials.

Find the device name under the heading Peripheral devices, then click View BitLocker keys to view the recovery key for this device. Note that your organization must allow this feature for you to access this information.

Finally, on Windows 10 or Windows 11 Professional editions, you can print or save a copy of the recovery key and store the file or the printout (or both) in a safe place. Use the management tools available in File Explorer to access these options. Use this option if you’ve enabled device encryption with a Microsoft account and prefer that the recovery key not be available in OneDrive.
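The same "save a copy of the key" step can be scripted. The function below is an added example (not code from the article or from Microsoft): it reads the 48-digit recovery password protector of a volume with Get-BitLockerVolume, adds one if the drive only has a TPM protector, writes it to a file together with the protector identifier that the recovery prompt displays, and optionally escrows it to AD DS (Backup-BitLockerKeyProtector) or Azure AD (BackupToAAD-BitLockerKeyProtector). It assumes the built-in BitLocker module on a Pro, Enterprise or Education edition; the function name, the -BackupTo switch and the file layout are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): export a volume's recovery password to a file
# and optionally escrow it to a directory service. Assumes the built-in BitLocker module.

function Export-BitLockerRecoveryKey {
    [CmdletBinding()]
    param(
        [string] $MountPoint = 'C:',
        # Destination file; it must not live on the volume it unlocks.
        [Parameter(Mandatory)] [string] $OutFile,
        [ValidateSet('None', 'ADDS', 'AzureAD')] [string] $BackupTo = 'None'
    )

    $outRoot = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($OutFile)).TrimEnd('\')
    if ($outRoot -eq $MountPoint.TrimEnd('\')) {
        throw "Refusing to save the key on $MountPoint, the volume it unlocks."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # A TPM-only drive has no numeric password yet; add one so recovery is possible at all.
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }

    $lines = foreach ($p in $rp) {
        "Computer:     $env:COMPUTERNAME"
        "Volume:       $MountPoint"
        # The identifier is shown at the recovery prompt; match it before typing the key.
        "Identifier:   $($p.KeyProtectorId)"
        "Recovery key: $($p.RecoveryPassword)"
        ''
    }
    Set-Content -Path $OutFile -Value $lines -Encoding UTF8

    foreach ($p in $rp) {
        switch ($BackupTo) {
            'ADDS'    { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
            'AzureAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
        }
    }
    Get-Item -Path $OutFile
}

# Usage: save the key for C: to removable media D: and escrow a copy to Azure AD.
# Export-BitLockerRecoveryKey -MountPoint 'C:' -OutFile 'D:\bitlocker-C-recovery.txt' -BackupTo AzureAD
```

The refusal to write onto the protected volume itself is the one check worth keeping even if you strip everything else: a recovery key that is only stored on the drive it unlocks is no recovery key at all. The Azure AD escrow requires the device to be Azure AD joined or registered.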

5. Can I encrypt external drives with BitLocker?

External storage devices should also be encrypted, including USB keys and the microSD cards that can be used in some PCs. This is where BitLocker To Go comes in.

To enable BitLocker encryption on a removable drive, you must be using a Professional edition of Windows 10 or Windows 11. You can then unlock that drive on a device running any edition.

As part of the encryption process, you need to set a password that will be used to unlock the drive. You also need to save the drive’s recovery key. It is not automatically saved to a cloud account.

Finally, you must choose an encryption mode. Use the option New encryption mode (XTS-AES) if you plan to use the device exclusively on Windows 10 or Windows 11. Choose Compatible mode for a drive you might want to open on a device running an earlier version of Windows.

The next time you insert this device into a Windows PC, you will be prompted to enter the password. Click on More options and check the box to automatically unlock the device if you want easy access to its data on a trusted device that you control.

This option is especially useful if you’re using a microSD card to expand the storage capacity of a device like a Surface Pro. Once you’ve logged in, all your data is immediately available. If you lose the removable disk or it is stolen, its data is inaccessible to the thief.
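The steps in this section (set a password, save the recovery key yourself, pick an encryption mode, optionally auto-unlock on a trusted PC) map directly onto the BitLocker cmdlets. The function below is an added example (not code from the article or from Microsoft) that performs them in one go: it adds a recovery password protector first and writes it to a file you choose, since nothing uploads it to a cloud account for a removable drive, then starts encryption with a password protector using XTS-AES ("new encryption mode") or AES-CBC ("compatible mode"), and finally enables auto-unlock if asked. It assumes the built-in BitLocker module on a Pro, Enterprise or Education edition; the function name, parameters and file layout are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): BitLocker To Go from PowerShell.
# Assumes the built-in BitLocker module.

function Enable-BitLockerToGo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,          # e.g. 'E:'
        [Parameter(Mandatory)] [securestring] $Password,
        # Where to save the recovery key; removable drives never get it uploaded to OneDrive.
        [Parameter(Mandatory)] [string] $RecoveryKeyFile,
        # Compatible mode = AES-CBC, readable by earlier Windows versions; default is XTS-AES.
        [switch] $CompatibleMode,
        [switch] $AutoUnlock
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -eq 'OperatingSystem') {
        throw "$MountPoint is the OS volume, not a removable drive."
    }
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already encrypted or in progress ($($vol.VolumeStatus))."
    }
    $keyRoot = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($RecoveryKeyFile)).TrimEnd('\')
    if ($keyRoot -eq $MountPoint.TrimEnd('\')) {
        throw 'The recovery key must not be stored on the drive it unlocks.'
    }

    $method = if ($CompatibleMode) { 'Aes256' } else { 'XtsAes256' }

    # 1. Recovery password first, so the drive is recoverable from the moment encryption starts.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    @(
        "Removable drive $MountPoint on $env:COMPUTERNAME"
        "Identifier:   $($rp.KeyProtectorId)"
        "Recovery key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $RecoveryKeyFile -Encoding UTF8

    # 2. Password protector and start of encryption. -UsedSpaceOnly is fine for a freshly
    #    formatted stick; omit it for a drive that has already held sensitive files, so that
    #    previously deleted data is encrypted as well.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $method `
        -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null

    # 3. Optional: let this PC unlock the drive without the password (requires an encrypted OS drive).
    if ($AutoUnlock) { Enable-BitLockerAutoUnlock -MountPoint $MountPoint }

    Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage (interactive): prompt for the password, encrypt E:, keep the recovery key in the user's Documents.
# $pw = Read-Host -Prompt 'Password for the removable drive' -AsSecureString
# Enable-BitLockerToGo -MountPoint 'E:' -Password $pw `
#     -RecoveryKeyFile "$env:USERPROFILE\Documents\bitlocker-E-recovery.txt" -AutoUnlock
```

Enable-BitLockerAutoUnlock fails unless the operating system drive is itself encrypted, which is the right behaviour: auto-unlock stores a key for the removable drive on the system volume, and that only makes sense when the system volume is protected too.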

Source: ZDNet.com




