For all its new security bells and whistles, such as facial and fingerprint login, Windows 10 is, by default, relatively weak against in-person data stealing. This is because BitLocker, Windows 10's encryption, isn't applied to your drives by default.
This means that a person doesn't need to log in to your PC to steal your information. If your laptop gets stolen, they can simply use a bootable USB drive to take the data directly from your disks and view it on another PC. In some cases, drives that don't use Windows BitLocker contain personal photos and information that can be used for identity theft. Depending on your browser configuration, they can also store passwords for your online accounts.
Thankfully, BitLocker setup in Windows 10 isn't difficult and you don't even need to download BitLocker separately. Despite this, Microsoft doesn't prompt you to create a BitLocker encrypted drive during setup or even explain what BitLocker does. We're going to explain the benefit and show you how to password protect enable Bitlocker for your system drive with or without TPM. We'll also be covering the use of BitLocker To Go to password protect an external drive in Windows 10, encrypt a USB drive, or encrypt a non-system partition on the main drive.
What is BitLocker?
BitLocker is a proprietary encryption program for Windows 10 that prevents unauthorized access to your drives and can protect against malware. When you perform BitLocker encryption on a drive, it's transformed into random numbers and letters until you enter your BitLocker password or a USB key, which decrypts the drive.
BitLocker in Windows 10 has three ways of usage
- BitLocker for system drives makes use of the TPM chip or an optional unlock-screen to ensure integrity during boot and protect against malware that attacks the boot sector.
- BitLocker for non-system disks for any drive or partition other than the system partition. It doesn't use TPM and doesn't require an unlock at boot.
- BitLocker to go – a variant of BitLocker for non-system disks that is optimized for external drives connected via USB or other methods.
Though there have been a few successful attempts to bypass BitLocker, Microsoft has generally been quick to respond to them and has denied intelligence services a backdoor. As of Windows 10 1511, it comes with an XTS-AES encryption algorithm, further increasing security over Windows 8.1.
As a result, it's pretty much a no-brainer to use BitLocker drive encryption. It's only going to increase security, and the downsides are small: the inability to access that data from non-Microsoft OS', a very minor hit to disk performance, and loss of access to the data if you don't back up your recovery key properly. Let's get started with the tutorial:
How to Check for Trusted Platform Module
Trying to enable encryption on Windows 10 will net you with a TPM BitLocker error if you don't own a motherboard with a TPM chip. To check if we have one or not, we can use Device Manager.
How to Allow BitLocker for Windows 10 Without a Compatible TPM via Group Policy Editor
A Trusted Platform Module (TPM) chip will provide hardware-level tamper protection and can partially store the encryption key, making you safer. Though you can allow BitLocker without a compatible TPM, you should know that you aren't getting the same level of security. That said, it's still a lot better than nothing if you don't have a TPM, so here's how to edit the group policy:
- Open Group Policy Editor
Press “Start” and type “gpedit”, then click “Edit group policy” in the Start menu. - Browse to the “Require additional authentication at startup” policy
You can use the side-bar to navigate to the BitLocker policy folder, which is found inLocal Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
.Double-click the “Require additional authentication at startup” policy.
- Enable the Policy and the “Allow BitLocker Without a Compatible TPM” option
Set “Require additional authentication at startup” to “Enabled”, then tick “Allow BitLocker Without a Compatible TPM”. Click “OK”. Go back to Step 1 of ‘How to Turn on and Set Up BitLocker Drive Encryption'.
How to Encrypt System Drive with BitLocker
You can access your BitLocker encryption settings via the legacy control panel.
- Open the Control Panel
Press “Start” and type “Control Panel”, clicking on the top result. - Click on “System and Security”
- Click on “BitLocker Drive Encryption”
- Encrypt your system drive with BitLocker
Under the BitLocker Drive Encryption settings, look for the “Operating system drive” heading and click “Turn on BitLocker” next to the C: drive. - Wait for BitLocker to start the encryption process
If you see a BitLocker TPM error at this point, go back to the previous section and perform those steps. - Choose your BitLocker drive encryption unlock method
The BitLocker Drive Encryption wizard will now ask you to ‘Choose how to unlock your drive at startup'. There's the option of USB drives or passwords, with passwords generally being recommended because of how easy it is to lose a USB key. This password should be different to your Windows 10 log-in password and won't be used as a replacement. - Enter a secure BitLocker password
This should be completely unique, long, and consist of capitals and non-capitals, numbers, and special characters. Do not use something easily guessable, such as names of pets, friends, or family, your middle or maiden name, or your date of birth. Ideally, it should be completely unrelated to your life and not in any dictionary. Once you're done, press “Next”.
- Save your recovery key for a future BitLocker unlock
It's important at this point to save your BitLocker for Windows recovery key and keep it in a secure location. It's a good idea to save it to your Microsoft account, and you can also save it as a text file, which you can store on an unlabeled USB drive or in your OneDrive Personal Vault.
Click “Save to your Microsoft account”, then “Save to a file”. Then click “Next”. - Turn on Windows 10 encryption to password protect your hard drive
BitLocker Drive Encryption will ask you to choose between encryption methods, “Encrypt used disk space only”, and “Encrypt entire drive”. Unless you've just set up your PC, we recommend option two – it may take a little while, but it's safer and will run in the background while you perform your usual OS tasks. - Choose the drive encryption mode
From Windows 10 version 1511 and onwards, Windows 10 offers two forms of encryption – XTS-AES, a more secure version, and ‘Compatible mode'. Which one you choose depends on your use case. The new encryption mode isn't compatible with older Windows versions, so if you think that you're going to be moving the drive to a different PC, you should choose compatible mode.
Choose “New encryption mode” or “Compatible mode” and click “Next”. - Run a BitLocker system check
After the encryption process, we strongly recommend that you run a “BitLocker system check” to make sure you don't lose any of your data. To do this, tick the option in the BitLocker Drive Encryption wizard and click “Continue”. - Restart your PC and enter your BitLocker encryption password
You should be 100% you know your BitLocker encryption password before you restart your PC. Forget it, and you may be unable to recover your data. When Windows boots, enter your password to continue the process. - Wait for the BitLocker encrypted drive tool to finish
This process may take a long time depending on the number of files on your drive and which encryption option you chose.
Check Encryption Status and Change Bitlocker Settings for System Drive
After the encryption process has finished, you can check if your drive is locked or unlocked and change any settings with ease.
- Find your drive in File Explorer
Press “Windows + E” to open File Explorer and navigate to “This PC”. You'll see your drive with a padlock, open indicating that it's unlocked and closed locked. - Right-click the BitLocker encrypted drive and choose “Manage BitLocker” or “Change BitLocker password”
- Change your BitLocker settings
After clicking an option, you'll be taken to the BitLocker Drive Encryption section in the control panel, where you can revise decisions made during setup such as backing up recovery keys, changing or removing password, or turning off BitLocker entirely.
How to Use Bitlocker for non-system disks / BitLocker To Go to Encrypt a USB Drive, External Hard Drive or Secondary Drive
BitLocker To Go can provide encryption for removable and secondary drives, or partitions other than the system drive.
- Turn on BitLocker for the Drive
Press “Windows + E” to open File Explorer and click “This PC” to get an overview of your drives. Right-click the drive you want to click and select “Turn on BitLocker”. - Enter a BitLocker password
Ideally, this should be different to the password for your system drive, but still secure. - Choose where to save your encryption key
- Choose how much of your BitLocker To Go drive to encrypt
- Choose your BitLocker Encryption mode
As this is intended for a USB drive, external drive, or second hard drive, we'd recommend you choose “Compatible mode” so you unlock it if you want to move data running an older version of Windows. - Start BitLocker To Go Encryption
- Wait for the drive to encrypt
Depending on the size of the drive, this could take some time
How to Check Encryption Status and Change BitLocker Settings for USB Drives / Secondary disks
Last Updated on August 14, 2020 7:42 pm CEST