
For all its new security bells and whistles, such as facial and fingerprint login, Windows 10 is, by default, relatively weak against in-person data theft. This is because BitLocker, Windows 10’s built-in drive encryption, isn’t applied to your drives by default.

This means that a thief doesn’t need to log in to your PC to steal your information. If your laptop is stolen, they can simply boot it from a USB drive, or move the disk into another PC, and read your files straight off the unencrypted disk. Those files often include personal photos and documents that can be used for identity theft and, depending on your browser configuration, saved passwords for your online accounts.

Thankfully, setting up BitLocker in Windows 10 isn’t difficult and you don’t need to download anything: it is built into the Pro, Enterprise and Education editions. Despite this, Microsoft doesn’t prompt you to turn on BitLocker during setup or even explain what it does. We’re going to explain the benefits and show you how to enable BitLocker for your system drive, with or without a TPM. We’ll also cover using BitLocker To Go to password protect an external drive in Windows 10, encrypt a USB drive, or encrypt a non-system partition on the main drive.

What is BitLocker?

BitLocker is Microsoft’s full-volume encryption feature for Windows 10 (Pro, Enterprise and Education editions). It prevents unauthorized access to your drives while the PC is switched off or the disk has been removed. When you encrypt a drive with BitLocker, its contents are scrambled with AES and stay unreadable until the volume key is released: by the TPM after a verified boot, or when you enter your BitLocker password or insert the USB startup key. It protects data at rest; it does not protect your files from malware running inside a Windows session that has already unlocked the drive.

BitLocker in Windows 10 can be used in three ways:

  • BitLocker for system drives makes use of the TPM chip, or an optional unlock screen at startup, to verify that the boot components have not been tampered with before the drive is unlocked. This is what protects against bootkits and offline modification of the boot sector.
  • BitLocker for non-system disks works for any drive or partition other than the system partition. It doesn’t use the TPM and doesn’t require an unlock at boot; the drive is unlocked with a password or smart card, or automatically once the system drive has been unlocked.
  • BitLocker To Go is a variant of BitLocker for non-system disks that is optimized for removable drives connected via USB or other methods.

Though there have been a few successful attempts to bypass BitLocker, Microsoft has generally been quick to respond to them and has stated that it gives intelligence services no backdoor. As of Windows 10 version 1511, it supports the XTS-AES encryption mode, which is stronger than the AES-CBC mode used by Windows 8.1.

As a result, using BitLocker drive encryption is pretty much a no-brainer. It only increases security, and the downsides are small: no built-in way to read the drive from a non-Windows operating system, a very minor hit to disk performance, and loss of access to the data if you don’t back up your recovery key properly. Let’s get started with the tutorial:

How to Check for Trusted Platform Module

Trying to enable encryption on Windows 10 will give you a BitLocker TPM error if your motherboard doesn’t have a TPM chip, or the chip is disabled in the firmware. To check whether you have one, use Device Manager (the TPM management console, tpm.msc, shows the same information).

  1. Open Device Manager


    Press “Windows + X” and click “Device Manager”.

    Windows 10 - Open Device Manager

  2. Check for Security Devices


    In Device Manager, scroll down the list and look for the “Security devices” heading. If your motherboard has a TPM chip and it is enabled, it will show up under that heading as “Trusted Platform Module 1.2” or “Trusted Platform Module 2.0”.

    Windows 10 - Device Manager - Trusted Platform Module
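The same check from PowerShell, with the two extra facts that decide which BitLocker path you can use: the TPM spec version and whether the PC booted via UEFI with Secure Boot. This is an added example, not part of the original article; it uses only the Get-Tpm, Win32_Tpm and Confirm-SecureBootUEFI cmdlets that ship with Windows 10, and must be run from an elevated prompt.

```powershell
# Added example (not from the original article): report whether this PC has a usable TPM
# and whether it booted via UEFI with Secure Boot. Run from an elevated PowerShell prompt.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        TpmPresent = $false
        TpmReady   = $false
        TpmVersion = 'n/a'
        UefiBoot   = $false
        SecureBoot = $false
    }

    # Get-Tpm ships in the TrustedPlatformModule module. TpmReady means enabled,
    # activated and owned, i.e. BitLocker can actually use it.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; keep the first field.
    $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    if ($wmiTpm -and $wmiTpm.SpecVersion) {
        $result.TpmVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    }

    # Confirm-SecureBootUEFI throws on a legacy-BIOS system, which is how we detect one.
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        $result.UefiBoot   = $true
    } catch {
        $result.UefiBoot   = $false
    }

    [pscustomobject]$result
}

$r = Test-BitLockerReadiness
$r | Format-List

if (-not $r.TpmPresent) {
    Write-Warning 'No TPM detected: enable it in the firmware, or allow BitLocker without a TPM (next section).'
} elseif (-not $r.TpmReady) {
    Write-Warning 'TPM present but not ready: open tpm.msc or run Initialize-Tpm before enabling BitLocker.'
}
if (-not $r.UefiBoot) {
    Write-Warning 'Legacy BIOS boot: Secure Boot is unavailable, so the TPM cannot verify the boot chain as strongly.'
}
```

A TPM that shows TpmPresent but not TpmReady is the usual cause of the wizard’s TPM error on a PC that does have the chip; clearing or initializing it in tpm.msc fixes that without touching Group Policy.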

How to Allow BitLocker for Windows 10 Without a Compatible TPM via Group Policy Editor

A Trusted Platform Module (TPM) chip provides hardware-level tamper protection: it holds the key that unlocks the drive and releases it only when the boot components it measures are unchanged. Though you can allow BitLocker without a compatible TPM, you should know that you aren’t getting the same level of security, because nothing then verifies the boot chain and the only thing between a thief and your data is the password or USB startup key. That said, it’s still a lot better than nothing if you don’t have a TPM, so here’s how to edit the group policy:

  1. Open Group Policy Editor


    Press “Start” and type “gpedit”, then click “Edit group policy” in the Start menu.

    Windows 10 - Start - Edit Group Policy

  2. Browse to the “Require additional authentication at startup” policy


    You can use the side-bar to navigate to the BitLocker policy folder, which is found in Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    Double-click the “Require additional authentication at startup” policy.

    Windows 10 - Local Group Policy Editor - Require additional authentication at start-up

  3. Enable the Policy and the “Allow BitLocker Without a Compatible TPM” option

    Set “Require additional authentication at startup” to “Enabled”, then tick “Allow BitLocker Without a Compatible TPM”. Click “OK”. Now go to Step 1 of “How to Encrypt System Drive with BitLocker” below.
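For a PC without gpedit.msc, or when you want to script the change, the policy can be set directly in the registry. This is an added example, not from the original article. It assumes that the value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are the ones the “Require additional authentication at startup” policy writes (UseAdvancedStartup, EnableBDEWithNoTPM and the four UseTPM* values); if you are on a domain, a domain GPO will overwrite these, so use the policy editor or your GPO there instead. Run it elevated.

```powershell
# Added example (not from the original article): write, then verify, the registry values behind
# "Require additional authentication at startup" = Enabled with "Allow BitLocker without a compatible TPM".
# Assumption: these value names match what the local policy editor writes for this policy.
# Run from an elevated PowerShell prompt.

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

$wanted = @{
    UseAdvancedStartup = 1   # the policy itself is Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" ticked
    UseTPM             = 2   # 2 = Allow; these four mirror the policy's default drop-downs
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}

if (-not (Test-Path $fvePolicy)) {
    New-Item -Path $fvePolicy -Force | Out-Null
}

foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $fvePolicy -Name $name -PropertyType DWord `
                     -Value $wanted[$name] -Force | Out-Null
}

# Read everything back: a single missing or wrong value and the wizard still reports the TPM error.
$actual   = Get-ItemProperty -Path $fvePolicy
$mismatch = $wanted.Keys | Where-Object { $actual.$_ -ne $wanted[$_] }

if ($mismatch) {
    Write-Error "Policy values not applied: $($mismatch -join ', ')"
} else {
    Write-Host 'OS-drive BitLocker may now be enabled without a TPM (password or startup key).'
}
```

To undo the change later, delete the six values (or set the policy back to “Not Configured” in gpedit.msc); drives already encrypted with a password protector keep working either way.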

How to Encrypt System Drive with BitLocker

You can access your BitLocker encryption settings via the legacy Control Panel.

  1. Open the Control Panel


    Press “Start” and type “Control Panel”, clicking on the top result.

    Windows 10 - Search - Control Panel

  2. Click on “System and Security”


    Windows 10 - Control Panel

  3. Click on “BitLocker Drive Encryption”


    Windows 10 - Control Panel - System and Security

  4. Encrypt your system drive with BitLocker


    Under the BitLocker Drive Encryption settings, look for the “Operating system drive” heading and click “Turn on BitLocker” next to the C: drive.

    Windows 10 - Control Panel - BitLocker

  5. Wait for BitLocker to start the encryption process


    If you see a BitLocker TPM error at this point, go back to the previous section and perform those steps.

    Windows 10 - Control Panel - BitLocker initializing

  6. Choose your BitLocker drive encryption unlock method


    The BitLocker Drive Encryption wizard will now ask you to ‘Choose how to unlock your drive at startup’. On a PC with a working TPM and the default policy, the wizard uses the TPM on its own and skips this screen. If you enabled the policy in the previous section you will see it: on a TPM PC it offers a PIN or a USB startup key, and without a TPM it offers a USB drive or a password. A password is generally recommended because of how easy it is to lose a USB key. This password should be different from your Windows 10 login password and won’t replace it: you enter it before Windows starts, then sign in as usual.

    Windows 10 - BitLocker - System Drive - Choose Unlock-Method

  7. Enter a secure BitLocker password

    This should be completely unique, long, and consist of capitals and non-capitals, numbers, and special characters. Do not use something easily guessable, such as names of pets, friends, or family, your middle or maiden name, or your date of birth. Ideally, it should be completely unrelated to your life and not in any dictionary. Once you’re done, press “Next”.

    Windows 10 - BitLocker - System Drive - Set Password

  8. Save your recovery key for a future BitLocker unlock


    It’s important at this point to save your BitLocker recovery key and keep it in a secure location. Saving it to your Microsoft account is convenient, and you can also save it as a text file to store on an unlabeled USB drive or in your OneDrive Personal Vault. Bear in mind that the recovery key unlocks the drive on its own, so wherever you keep it must be at least as well protected as the laptop: anyone who gets into your Microsoft account, or finds that USB drive, can read the disk. Never leave the only copy on the drive you are encrypting.

    Click “Save to your Microsoft account”, then “Save to a file”. Then click “Next”.

    Windows 10 - BitLocker - System Drive - Backup Recovery Key

  9. Turn on Windows 10 encryption to password protect your hard drive


    BitLocker Drive Encryption will ask you to choose between “Encrypt used disk space only” and “Encrypt entire drive”. Unless you’ve just set up your PC, we recommend the second option: encrypting only used space leaves the contents of previously deleted files sitting unencrypted in free space, where a forensic tool can still recover them. It takes longer, but it runs in the background while you perform your usual OS tasks.

    Windows 10 - BitLocker - System Drive - Encrypt used disk space only

  10. Choose the drive encryption mode


    From Windows 10 version 1511 onwards, the wizard offers two encryption modes: “New encryption mode” (XTS-AES, the more secure option) and “Compatible mode” (AES-CBC). Which one you choose depends on your use case. The new mode can’t be read by Windows versions older than 1511, so if you think you’re going to move the drive to a different PC, choose compatible mode. For a system drive that stays in the PC, pick the new mode.

    Choose “New encryption mode” or “Compatible mode” and click “Next”.

    Windows 10 - BitLocker - System Drive - Encryption Method

  11. Run a BitLocker system check


    Before encryption starts, we strongly recommend running the “BitLocker system check”. It restarts the PC once to prove that the TPM, password or USB key can actually unlock the drive, so you don’t discover after the whole disk is encrypted that it can’t. To do this, tick the option in the BitLocker Drive Encryption wizard and click “Continue”.

    Windows 10 - BitLocker - System Drive - Run System Check

  12. Restart your PC and enter your BitLocker encryption password


    You should be 100% sure you know your BitLocker password before you restart your PC. Forget it, and you will need the recovery key to get your data back. When Windows boots, enter your password to continue the process.

    Windows 10 - BitLocker Boot Screen

  13. Wait for the BitLocker encrypted drive tool to finish


    This process may take a long time depending on the number of files on your drive and which encryption option you chose.

    Windows 10 - BitLocker - System Drive encryption running
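The whole procedure above, steps 4 to 13, can also be driven from PowerShell with the BitLocker module that ships with Windows 10 Pro, Enterprise and Education. This is an added example, not code from the original article. It assumes the operating system drive is C: and that the PC has a ready TPM; the no-TPM variant (after the Group Policy change) is shown as a commented line. Run it elevated, and read the recovery password off the PC before you reboot.

```powershell
# Added example (not from the original article): PowerShell equivalent of enabling BitLocker
# on the system drive. Assumptions: OS drive is C:, TPM is present and ready. Run elevated.

$os = 'C:'

# Step 5: refuse to continue if the volume is already encrypted or in progress, so we don't
# pile duplicate protectors onto it.
$vol = Get-BitLockerVolume -MountPoint $os
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$os is already $($vol.VolumeStatus); review it with Get-BitLockerVolume before changing anything."
}

# Step 8: add the 48-digit recovery password first and write it somewhere you can move OFF this PC.
Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $os).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'

$backup = Join-Path $env:USERPROFILE ('BitLocker-Recovery-{0}-{1}.txt' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $backup
Write-Host "Recovery password written to $backup - copy it to a USB stick or password manager, then delete this file."
# Optional escrow to the Microsoft account / Azure AD the device is joined to:
# BackupToAAD-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp.KeyProtectorId

# Steps 6, 7, 9, 10, 11 in one call:
#   -TpmProtector      unlock method (TPM only; use -TpmAndPinProtector -Pin <SecureString> for TPM + PIN)
#   XtsAes256          "New encryption mode"; Aes256 (AES-CBC) would be "Compatible mode"
#   no -UsedSpaceOnly  encrypt the entire drive, as recommended above for a PC already in use
#   no -SkipHardwareTest keeps the "BitLocker system check": encryption begins only after a reboot
#                      that proves the key can be read
Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -TpmProtector

# Without a TPM (after the Group Policy change), use a startup key on a USB stick instead:
# Enable-BitLocker -MountPoint $os -EncryptionMethod XtsAes256 -StartupKeyProtector -StartupKeyPath 'E:\'

# Step 13: after the reboot, poll this until ProtectionStatus is On and VolumeStatus is FullyEncrypted.
Get-BitLockerVolume -MountPoint $os |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```

The order matters: the recovery password is added before encryption is switched on, which is also what the wizard does, so there is never a moment where the drive is protected by a single protector that could fail.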

Check Encryption Status and Change BitLocker Settings for System Drive

After the encryption process has finished, you can check if your drive is locked or unlocked and change any settings with ease.

  1. Find your drive in File Explorer


    Press “Windows + E” to open File Explorer and navigate to “This PC”. You’ll see your drive with a padlock icon: an open padlock means the drive is unlocked, a closed one means it’s locked.

    Windows 10 - File Explorer - System Drive - Check Bitlocker Status

  2. Right-click the BitLocker encrypted drive and choose “Manage BitLocker” or “Change BitLocker password”


    Windows 10 - File Explorer - System Drive - Change Bitlocker settings

  3. Change your BitLocker settings


    After clicking an option, you’ll be taken to the BitLocker Drive Encryption section in the Control Panel, where you can revise decisions made during setup such as backing up the recovery key, changing or removing the password, or turning off BitLocker entirely.

    Windows 10 - File Explorer - System Drive - Change Bitlocker settings
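The same status check and one of the settings changes (replacing the recovery password) from PowerShell. This is an added example, not part of the original article; it assumes the BitLocker module that ships with Windows 10 and an elevated prompt. The audit function reports every volume, and the rotation function shows the safe order for swapping a recovery password: add the new one before removing the old one.

```powershell
# Added example (not from the original article): audit BitLocker status on every volume and
# rotate the 48-digit recovery password of one volume. Run elevated.

function Get-BitLockerAudit {
    # One row per volume: encryption state, protection state, which protectors exist,
    # and whether a recovery password is among them.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            LockStatus       = $_.LockStatus
            EncryptionMethod = $_.EncryptionMethod
            Protectors       = ($types -join ',')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Update-BitLockerRecoveryPassword {
    # Replaces the recovery password, e.g. after it was shown on screen or stored somewhere
    # you no longer trust. The TPM/password protector is untouched; only the recovery one changes.
    param([Parameter(Mandatory)][string]$MountPoint)

    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Add the new protector BEFORE removing the old, so the volume never lacks a recovery path.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                          $_.KeyProtectorId -notin @($old.KeyProtectorId) }

    foreach ($p in @($old)) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    $new
}

Get-BitLockerAudit | Format-Table -AutoSize

# Flag what this article warns about: drives not encrypted at all, and encrypted drives
# with no recovery password to fall back on.
Get-BitLockerAudit |
    Where-Object { $_.VolumeStatus -eq 'FullyDecrypted' -or -not $_.HasRecoveryPwd } |
    ForEach-Object { Write-Warning "$($_.MountPoint): $($_.VolumeStatus), protectors [$($_.Protectors)]" }

# Settings change: rotate C:'s recovery password and keep the new value (then move the file off the PC).
$newRp = Update-BitLockerRecoveryPassword -MountPoint 'C:'
"$($newRp.KeyProtectorId) $($newRp.RecoveryPassword)" |
    Set-Content -Path (Join-Path $env:USERPROFILE 'BitLocker-C-recovery-new.txt')
```

If you escrowed the old recovery password to your Microsoft account, back up the new one the same way (BackupToAAD-BitLockerKeyProtector, or “Back up your recovery key” in the Control Panel); the old 48-digit key stops working the moment its protector is removed.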

How to Use BitLocker for Non-System Disks / BitLocker To Go to Encrypt a USB Drive, External Hard Drive or Secondary Drive

BitLocker To Go can provide encryption for removable and secondary drives, or partitions other than the system drive.

  1. Turn on BitLocker for the Drive


    Press “Windows + E” to open File Explorer and click “This PC” to get an overview of your drives. Right-click the drive you want to encrypt and select “Turn on BitLocker”.

    Windows 10 - File Explorer - Turn On Bitlocker To Go

  2. Enter a BitLocker password


    Ideally, this should be different to the password for your system drive, but still secure.

    Windows 10 - Turn On Bitlocker To Go - Set Password

  3. Choose where to save your encryption key


    As before, we recommend saving to your Microsoft account.

    Windows 10 - Turn On Bitlocker To Go - Backup Recovery Key

  4. Choose how much of your BitLocker To Go drive to encrypt


    Windows 10 - Turn On Bitlocker To Go - Encrypt used disk space

  5. Choose your BitLocker Encryption mode


    As this is intended for a USB drive, external drive, or second hard drive, we’d recommend “Compatible mode” so you can still unlock it if you plug it into a PC running an older version of Windows.

    Windows 10 - Turn On Bitlocker To Go - Compatibility Mode

  6. Start BitLocker To Go Encryption


    Windows 10 - Turn On Bitlocker To Go - Start Encryption

  7. Wait for the drive to encrypt


    Depending on the size of the drive, this could take some time.

    Windows 10 - Turn On Bitlocker To Go - Encryption Progress
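Steps 1 to 7 for a data drive from PowerShell, together with the auto-unlock and lock/unlock actions that the next section reaches through “Manage BitLocker”. This is an added example, not from the original article. It assumes the drive to encrypt is E: and already has a file system, and it reads the password interactively so that it never ends up in the script or in your shell history. Run it elevated.

```powershell
# Added example (not from the original article): BitLocker To Go on a removable or secondary
# data drive. Assumptions: the drive is E: and formatted; C: is the OS drive. Run elevated.

$drive = 'E:'

# Step 2: the password is read as a SecureString so it never sits in plain text in the session.
$pw = Read-Host -Prompt "BitLocker password for $drive" -AsSecureString

# Step 5: Aes256 is "Compatible mode" (AES-CBC, readable by older Windows); XtsAes256 is the new mode.
# Step 4: no -UsedSpaceOnly, because a stick that has already held files should be fully encrypted
# so that previously deleted data in free space isn't left recoverable.
Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -PasswordProtector -Password $pw

# Step 3: the recovery password is what "Manage BitLocker" later lets you back up.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password for $drive (store it away from the drive): $($rp.RecoveryPassword)"

# Step 7: data volumes start encrypting immediately, no reboot; poll until done.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $drive
    Write-Progress -Activity "Encrypting $drive" -Status $vol.VolumeStatus `
                   -PercentComplete $vol.EncryptionPercentage
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

# Auto-unlock (one of the "Manage BitLocker" options) stores the drive's key on the OS volume,
# so it is only as safe as C: itself. Enable it only when C: is BitLocker-protected.
if ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -eq 'On') {
    Enable-BitLockerAutoUnlock -MountPoint $drive
} else {
    Write-Warning "C: is not protected by BitLocker; auto-unlock for $drive would store its key in the clear."
}

# Locking and unlocking by hand, e.g. before handing the stick to someone:
Lock-BitLocker -MountPoint $drive -ForceDismount
Unlock-BitLocker -MountPoint $drive -Password $pw

Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, LockStatus, AutoUnlockEnabled
```

On another PC the drive will prompt for the password on first access; if you have forgotten it, Unlock-BitLocker -RecoveryPassword with the 48-digit key printed above still opens it, which is exactly why that key must not travel with the drive.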

How to Check Encryption Status and Change BitLocker Settings for USB Drives / Secondary disks

  1. Right-click the BitLocker encrypted drive and choose “Manage BitLocker”


    Windows 10 - File Explorer - Change Bitlocker To Go Settings

  2. Back up your recovery key, change your password, or add a smart card


    BitLocker To Go presents a few more options, including the ability to add a smart card to unlock it and to turn on auto-unlock. Auto-unlock stores the drive’s key on your system drive so the external drive opens automatically on this PC; only use it when the system drive is itself protected by BitLocker, otherwise the key is sitting in the clear and anyone with the laptop can open the external drive too.

    Windows 10 - Bitlocker To Go Settings - Options