BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost or stolen devices. It is an encryption feature built into computers running Windows 10 Pro. If you’re running Windows 10 Home you will not be able to use BitLocker. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. See this guide for information on Full Disk Encryption with PBA / without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption, and Container Encryption.
The TPM is a hardware component installed in many newer computers by computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline. See the following guides on how to enable FileVault disk encryption on a Mac device, BitLocker Drive Encryption architecture, and implementation scenarios. and the concept of DriveLock with a focus on encryption. On devices without TPM version 1.2 and above, you can still use BitLocker to encrypt the Windows OS drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation or enter a Password.
Note: In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key or enter a password. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.
Part A – Enable BitLocker Drive Encryption: Let’s walk through the needed steps to enable data encryption on Windows 10. There are different ways to launch the Bitlocker in Windows 10. Note: Administrative privilege is required to have this done.
– I will proceed by typing “BitLocker” in the Windows search box as shown below
– Click on Open or press Enter to launch the BitLocker Driver Encryption window.
This will open the BitLocker Drive Encryption window as shown below.
You can also access BitLocker via the Control Panel "Control Panel\System and Security\BitLocker Drive Encryption"
Alternatively, you can turn on BitLocker by launching the File Manager by pressing the “Windows key + E” to open it.
Right-click on your removable storage device that you want to encrypt as shown above.
– Select Turn on Bitlocker.
Note: You may get an error as shown below if your device cannot use the Trusted Platform Adapter (TPM).
– To fix this, you will have to “allow BitLocker without a compatible TPM” via the group policy. See this guide “how to fix your device cannot use a Trusted Platform Module: Allow BitLocker without a compatible TPM”.
– There is no dare consequence of having BitLocker without a TPM, the difference here is that the encryption key will be saved to a USB instead of being stored on the chip itself.
Upon clicking on “Turn on BitLocker”, Bitlocker will verify if your device meets the system requirements as shown below.
When this step is finished, click on Next to continue as shown below
Also click on the Next to proceed. As you can see below, there is a warning suggesting that yo back up critical files and data before continuing. If you desire to do this, please click on the “Use File History to perform a backup”. I do not want this at the moment, so I will ignore it.
Continue through the BitLocker Drive Encryption process by clicking on “Next” as shown below.
Next, you will be prompted to choose how you would like to unlock your drive at startup. Since we do not have the TPM chip inbuilt, we will have to decide on any of the options below. To either use a USB flash drive or Enter a password.
– Note: If you provide on using a USB flash drive, you will need to have the flash drive connected to your device each time you boot up your device in order to be able to access the device.
You will be required to create a password to access in order to unlock this Drive in the future.
– When you are done, click on Next as shown below.
There are multiple different ways to back up the BitLocker recovery key. BitLocker gives you three different options for backing up your recovery key, save to USB Drive, Save to a file, or print the recovery key.
– I have decided to save this recovery key to a USB flash drive.
You will be prompted to click on save as shown below in rder to save the recovery key unto the USB Flash Drive..
Note: You can save to a file and print the recovery key as well. If you decide to save your BitLocker recovery key to a file or print it, ensure it is kept in a safe place that’s not on the encrypted device. Without your BitLocker key, all data on your device will remain completely inaccessible.
– Click on Next when you are done.
Next, you will have to decide on how much data you would like to encrypt as shown below.
– Since this is a new VM, I will be selecting the first option.
– Click on Next to proceed
Select the encryption mode to use. I will be selecting the first option as shown below.
– Click on Next to continue
You can choose to either start encryption of your drive or run a BitLocker system check first. As you can see below, I have selected the option to run the BitLocker system check and this is recommended by Microsoft.
– This ensures that BitLocker can read the Recovery Key before encrypting the drive.
BitLocker will require a restart of your computer before encrypting, but you can continue to use it while your drive is encrypting.
– As you can see below, the device is encrypted and a restart is required. Please proceed and restart your device.
Once encryption is complete you will be prompted to unlock the Drive. Enter the Bitlocker password you created previously.
Now you should be able to log into your device as usual. BitLocker will work unobtrusively in the background.
Login successful as shown below
Since I have tested an FDE solution with PBA, kindly take a look at these guides “Important DriveLock components to master and how to download DriveLock software and install DriveLock“.
Part B – Disable BitLocker: If you ever wish to disable BitLocker on your Windows 10 device, the steps are pretty straight forward.
– Launch control Panel and navigate to the following location
"Control Panel\System and Security\BitLocker Drive Encryption"
Alternatively, you can search for Bitlocker from the Windows search box or from launch the run dialog boy and type BitLocker. You will arrive at the same destination :)
Select “Turn off BitLocker”
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.