BitLocker Drive Encryption Tutorial

Last month we talked about whole disk encryption, and I promised a walk-through on how to turn on BitLocker drive encryption on your Windows computer. Before we dive in, I want to remind you about some of the requirements for BitLocker. BitLocker is only available on certain versions of Windows: Windows 7 Enterprise, Windows 7 Ultimate, Windows 8.1 Pro, and Windows 8.1 Enterprise. BitLocker also defaults to requiring a Trusted Platform Module (TPM) chip inside the device. There are ways around this final requirement that might actually provide better security, but we won’t get into that right now.

We need to head for the Control Panel first. In Windows 7, click Start and then, in the right-hand column of the Start Menu, click Control Panel. There you will find the BitLocker applet, which you can double-click to open. In Windows 8.1, the easiest way to get here is to click the search icon at the top right of the Start Screen and type BitLocker. The same search can also be done from the Start Menu of Windows 7. Now that we have the BitLocker applet open, we can get started.

You should see your drives listed on the main page of the applet. Under each drive grouping you should see a link to turn on BitLocker. Clicking that link starts the wizard that prepares the machine to encrypt the drive. The wizard first checks whether BitLocker can run on the device. It is looking for that TPM I mentioned earlier. Assuming you have the requisite TPM, the wizard asks how you would like to unlock your drive. Unlocking the drive basically decrypts the data for you to use while the device is on. You have two options: Insert a USB Flash Drive or Enter a Password. This is an important decision, because you will need either the password you enter or the USB flash drive every time you turn on the device. If you choose a password, it is separate from the login password you use to get into Windows and should be a different password. If you choose the USB flash drive, you will have to have it with you to plug into the device whenever you turn it on.

Now that you have chosen how you want to unlock the drive, I am sure you want to know what happens if you forget your password or lose your USB flash drive. Microsoft has you covered in this next step. The BitLocker wizard creates a recovery key that you can use to decrypt the drive in case you can’t unlock it. There are several options for storing it, including saving the key to your Microsoft Account. If you have full faith in Microsoft, choose this option, but not knowing who else at Microsoft might be able to access this data, I would caution against it. I would, however, recommend choosing at least 2 of the other options before clicking Next and moving on. My personal favorites are printing the key and storing the printout in a secure location at your office, and saving it to a USB key stored in a separate secure location, like a safe at home.

The final step is to choose whether to encrypt the entire drive or just the used space. Choosing to encrypt only the used space leaves the empty portion alone and encrypts new data as it is added to the drive. This is OK if you are encrypting a new device. If you have been using a device for a while, previously deleted items may still be on the hard drive; they are just invisible, because that space is now marked as unused so that new data can be written over it. Choosing to encrypt only the used space leaves this “invisible” data vulnerable to a savvy thief. So if you have been using the device for a while, choosing to encrypt the entire drive is your best bet. Make your choice and finish up the wizard. A restart is in your very near future. The encryption process takes a good bit of time and a lot of system resources, which slows down the machine. I recommend doing this when you will not need the computer for a few hours while it does its work. Maybe before bed or at the end of the day before you leave the office?
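Once the wizard has finished and the machine has restarted, the result can be checked from PowerShell. This is an added example, not part of the original walk-through: it assumes an elevated session on Windows 8.1 with the built-in BitLocker and TrustedPlatformModule cmdlets (Windows 7 does not ship them), and the function name Test-BitLockerSetup is hypothetical.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session; assumes the BitLocker and TrustedPlatformModule modules (Windows 8.1).
function Test-BitLockerSetup {
    param([string]$MountPoint = $env:SystemDrive)

    $findings = @()

    # The wizard's first check: is there a TPM, and is it ready for use?
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM is missing or not ready'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # ProtectionStatus reads Off while BitLocker is disabled or suspended.
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Protection is $($vol.ProtectionStatus) on $MountPoint"
    }

    # The wizard finishes long before the background encryption does.
    if ($vol.EncryptionPercentage -lt 100) {
        $findings += "Encryption at $($vol.EncryptionPercentage)% ($($vol.VolumeStatus))"
    }

    # The 48-digit recovery key is listed as a RecoveryPassword protector;
    # a USB startup key is ExternalKey and an unlock password is Password.
    $types = @($vol.KeyProtector | Where-Object { $_ } |
        ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on this volume'
    }

    [pscustomobject]@{
        MountPoint    = $vol.MountPoint
        Method        = $vol.EncryptionMethod
        KeyProtectors = $types -join ', '
        Findings      = $findings
        Healthy       = ($findings.Count -eq 0)
    }
}

Test-BitLockerSetup | Format-List
```

An empty Findings list means the drive is fully encrypted, protection is on, and a recovery password exists; run it again after the overnight encryption pass to confirm the percentage has reached 100.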

You can encrypt other drives in your computer with BitLocker, as well as portable drives with what is called BitLocker To Go. This way you can copy files onto an encrypted flash drive or external hard drive and rest easy knowing that if the drive is lost, your data is still safe.
