BitLocker® was introduced with Windows Vista and provides full volume encryption using AES with 128-bit or 256-bit keys, in Cipher Block Chaining (CBC) mode or, since Windows 10 version 1511, in XTS mode. CBC is not run as a single chain over the whole disk: each sector is encrypted as its own short chain with a sector-specific IV, so any sector can be read or written independently and a damaged ciphertext block only affects the sector it belongs to.
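To make the per-sector point concrete, here is an added example (not code from the original post or from Microsoft) in PowerShell using the .NET AES classes. It models BitLocker's CBC mode as one independent CBC chain per 512-byte sector, with the IV derived by AES-encrypting the sector's byte offset; that derivation, the demo key and the sector contents are assumptions for the illustration, and the Elephant diffuser used on Vista and 7 is omitted.

```powershell
# Added example, not from the original post: a toy model of BitLocker's per-sector AES-CBC.
# Each 512-byte sector is its own CBC chain with an IV derived from the sector's byte offset
# (assumed here: AES-ECB of the offset as a 16-byte little-endian integer). The real FVEK,
# the Vista/7 diffuser and 4K-sector handling are left out. $key is a random demo key.

function New-SectorIv([byte[]]$Key, [long]$SectorOffset) {
    $ecb = [System.Security.Cryptography.Aes]::Create()
    $ecb.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $ecb.Padding = [System.Security.Cryptography.PaddingMode]::None
    $block = New-Object byte[] 16
    [BitConverter]::GetBytes($SectorOffset).CopyTo($block, 0)   # little-endian on x86/x64
    , $ecb.CreateEncryptor($Key, (New-Object byte[] 16)).TransformFinalBlock($block, 0, 16)
}

function Protect-Sector([byte[]]$Key, [long]$SectorOffset, [byte[]]$Plain) {
    $cbc = [System.Security.Cryptography.Aes]::Create()
    $cbc.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $cbc.Padding = [System.Security.Cryptography.PaddingMode]::None   # a sector is a whole number of blocks
    [byte[]]$iv = New-SectorIv $Key $SectorOffset
    , $cbc.CreateEncryptor($Key, $iv).TransformFinalBlock($Plain, 0, $Plain.Length)
}

function Unprotect-Sector([byte[]]$Key, [long]$SectorOffset, [byte[]]$Cipher) {
    $cbc = [System.Security.Cryptography.Aes]::Create()
    $cbc.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $cbc.Padding = [System.Security.Cryptography.PaddingMode]::None
    [byte[]]$iv = New-SectorIv $Key $SectorOffset
    , $cbc.CreateDecryptor($Key, $iv).TransformFinalBlock($Cipher, 0, $Cipher.Length)
}

# Constructed input: a random 256-bit demo key and two sectors holding the same 512 bytes of 'A'.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$sector = [byte[]](,[byte]0x41 * 512)

[byte[]]$c0 = Protect-Sector $key 0   $sector     # sector 0, byte offset 0
[byte[]]$c1 = Protect-Sector $key 512 $sector     # sector 1, byte offset 512

# 1. Identical plaintext sectors give different ciphertext because each sector has its own IV.
"Sectors 0 and 1 encrypt identically: $([Convert]::ToBase64String($c0) -eq [Convert]::ToBase64String($c1))"

# 2. Corrupting one ciphertext byte in sector 0 garbles that 16-byte block and flips one byte in the
#    following block of the same sector; the chain restarts at the sector boundary, so sector 1 is intact.
$c0[100] = $c0[100] -bxor 0xFF
[byte[]]$p0 = Unprotect-Sector $key 0   $c0
[byte[]]$p1 = Unprotect-Sector $key 512 $c1
$bad0 = @(0..511 | Where-Object { $p0[$_] -ne $sector[$_] }).Count
$bad1 = @(0..511 | Where-Object { $p1[$_] -ne $sector[$_] }).Count
"Damaged bytes after flipping ciphertext byte 100 - sector 0: $bad0 (at most 17), sector 1: $bad1"
```

The first check is the reason an IV per sector matters: with a single fixed IV, or ECB, two sectors of identical content would produce identical ciphertext and leak disk layout. The second check shows the damage-containment property of restarting the chain per sector, which is also why the real design needed the diffuser or XTS to stop controlled single-block corruption of a sector.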
BitLocker Encryption Availability
BitLocker is not available on every Windows edition, however. Windows 7 Professional, which many users run, does not include it; you need Windows 7 Ultimate or Enterprise to use the feature.
Windows 8 and 8.1 Pro and Enterprise, Windows 10 Pro, Enterprise and Education, and Windows Server 2008 and later (where it is an installable feature) can encrypt both fixed disk drives and removable drives with it.
BitLocker Encryption Modes
Three authentication mechanisms serve as the building blocks of a BitLocker deployment:
Trusted Platform Module (TPM) mode: this gives the most transparent user experience when accessing the encrypted drive. The TPM chip seals the key that unlocks the volume to measurements of the early boot components, and releases it to the OS loader only if those components (firmware, boot manager, boot configuration) are unmodified; if they have changed, the key is withheld and BitLocker drops into recovery.
User authentication mode: the user must type a pre-boot PIN (combined with the TPM) or a password (on machines without a TPM) set during the encryption process.
USB key mode: the user must insert a USB drive containing the startup key to boot the OS. The firmware (BIOS or UEFI) on the protected machine must be able to read USB drives in the pre-OS environment for this to work.
Set Up Process for BitLocker® Drive Encryption
If you currently run Windows 7 Professional, you will need to upgrade to Ultimate or Enterprise (or a later Windows version) to activate BitLocker. TPM-based protection also requires compatible hardware: a TPM 1.2 or later chip that is enabled in the firmware.
1. Search for BitLocker and launch Manage BitLocker. It can also be opened from Control Panel.
2. Turn on BitLocker for the volume or drive you want to encrypt. Both the local C: drive and removable data drives such as USB flash drives (via BitLocker To Go®) are offered.
3. If your computer has a TPM 1.2 or later chip, enable it in the BIOS/UEFI setup. The TPM Administration link shows whether your hardware has a usable TPM, which is where BitLocker keeps the key that unlocks the drive in TPM mode.
4. Microsoft's TechNet help page has a step-by-step guide to turning on Trusted Platform Module management in your BIOS. Machines without the chip can still use BitLocker, just not in TPM mode.
5. If you try to turn on BitLocker without a TPM and without the policy change in the following steps, you get an error stating that this device can't use a Trusted Platform Module and that the administrator must allow BitLocker without a compatible TPM.
6. That setting is changed in the Local Group Policy Editor. Press Windows+R, type gpedit.msc and press Enter.
7. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Its state shows Not Configured.
8. Select Enabled and make sure the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" checkbox is ticked. Click OK and close the policy editor.
9. Relaunch Manage BitLocker; Windows performs a system configuration check, which can take a while depending on the drives present and the data stored.
10. Windows lists the steps involved in turning on BitLocker: preparing the drive, then encrypting it. Click Next.
11. BitLocker prepares the drive by shrinking the C: volume, creating a new, unencrypted system volume for the boot files, and then readying the drive for encryption.
12. Leave the "Run BitLocker system check" checkbox ticked. This makes Windows verify, before anything is encrypted, that the recovery and encryption keys can be read correctly at boot. Continue.
13. Choose how much of the drive to encrypt. For a new drive or PC, encrypting used disk space only is faster and sufficient; for a PC that has been in use for a while, encrypt the entire drive, since remnants of deleted files in free space would otherwise stay in the clear. Click Next.
14. Two options are offered for unlocking the drive at startup: insert a USB flash drive containing your startup key, or enter a password.
15. Choose a strong password mixing uppercase and lowercase letters, numbers, symbols and spaces, and make it different from your local administrator password.
16. Once the password is set, setup offers three ways to back up the recovery key: save it to your Microsoft account, save it to a file, or print it. Pick whichever suits you, but never leave the only copy on the drive being encrypted; saving to a Microsoft account requires that the PC is set up to sign in with one (Account Settings in Control Panel).
17. Restart the computer once drive preparation is complete to begin encrypting the system drive.
18. If setup succeeded, a pre-boot screen asks for the password before Windows loads. With TPM-only protection there is no prompt; the TPM releases the key automatically and you go straight to the Windows sign-in.
19. After signing in, check the encryption status. A padlock appears next to the C: drive, with options to suspend protection, back up the recovery key, remove the password, and turn off BitLocker.
Options for encrypting removable flash drives with BitLocker To Go are in the same window.
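The same procedure can be driven from an elevated PowerShell prompt with the BitLocker and TrustedPlatformModule modules that ship with Windows 8/8.1/10 Pro, Enterprise and Education. The script below is an added example, not the post's own instructions or Microsoft sample code; $MountPoint, $BackupFolder and the XtsAes256 method are assumptions (XTS needs Windows 10 version 1511 or later; use Aes256 on Windows 8/8.1), and the registry values it writes are the ones the gpedit.msc policy from steps 6 to 8 stores.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: the GUI procedure above as a script using the
# BitLocker and TrustedPlatformModule modules. $MountPoint and $BackupFolder are placeholders;
# XtsAes256 needs Windows 10 1511 or later (use Aes256 on Windows 8/8.1).

$MountPoint   = 'C:'
$BackupFolder = 'E:\BitLockerRecovery'   # assumption: a drive that is NOT the one being encrypted

# Steps 3-4: is there a TPM we can use?
$tpm    = Get-Tpm
$hasTpm = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Steps 5-8: without a TPM, BitLocker refuses to protect the OS drive unless the policy
# "Require additional authentication at startup" is Enabled with "Allow BitLocker without a
# compatible TPM" ticked. gpedit.msc stores exactly these two values, so on a standalone
# machine writing them directly is equivalent (a domain GPO would overwrite them).
if (-not $hasTpm) {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is $($vol.VolumeStatus); this script only handles a decrypted volume."
}

# Step 16, done first on purpose: create and save the 48-digit recovery password BEFORE any
# startup protector can lock you out. Never keep the only copy on the drive being encrypted.
$vol      = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$backupFile = Join-Path $BackupFolder "BitLocker-$($env:COMPUTERNAME)-$($recovery.KeyProtectorId).txt"
"Recovery key ID: $($recovery.KeyProtectorId)`nRecovery password: $($recovery.RecoveryPassword)" |
    Out-File -FilePath $backupFile
Write-Host "Recovery password saved to $backupFile"

# Steps 13-15: encrypt used space only (fine for a new PC; drop -UsedSpaceOnly for a used one)
# with whichever startup protector the hardware allows. Enable-BitLocker schedules the
# hardware test and starts encrypting after the next reboot (the GUI's steps 12 and 17).
$common = @{ MountPoint = $MountPoint; EncryptionMethod = 'XtsAes256'; UsedSpaceOnly = $true }
if ($hasTpm) {
    # TPM-only: no prompt at boot; the TPM releases the key only if the measured boot chain is intact.
    Enable-BitLocker @common -TpmProtector
} else {
    # Password mode (step 15): read it interactively rather than hard-coding it.
    $pw = Read-Host -AsSecureString 'Pre-boot BitLocker password (not your admin password)'
    Enable-BitLocker @common -PasswordProtector -Password $pw
}

# Step 19: status check; EncryptionPercentage climbs in the background after the reboot.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
```

The ordering differs from the wizard in one deliberate way: the recovery password is created and written out before the startup protector is added, so that if the hardware test fails on reboot or the password is mistyped, there is already a way back in. On a domain-joined machine, replace the file backup with Backup-BitLockerKeyProtector to escrow the recovery password in Active Directory.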
It is also worth noting that BitLocker can run inside a virtual machine, encrypting the guest's virtual hard disk while the host's physical disk stays unencrypted. Unless the hypervisor exposes a virtual TPM to the guest, the VM has to use password or USB key mode. This adds a layer of protection for VM environments, for example against a copied VHD file being mounted elsewhere.