February 2021: BitLocker data encryption and TPM maneuver
BitLocker is the Windows encryption technology that protects your data from unauthorized access by encrypting your drive and requiring one or more authentication factors before it will unlock the drive, whether for regular Windows use or an unauthorized access attempt.
BitLocker is good because it is nicely integrated into Windows and easy to operate. As it was designed to “protect the integrity of the operating system,” most who use it implement it in TPM mode; for best results your computer must be equipped with a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features.
How to turn on BitLocker
Before you begin, make sure BitLocker can be properly enabled on your computer: BitLocker Drive Encryption is available only on Windows 10 Pro and Windows 10 Enterprise. Make sure to keep your computer connected to an uninterrupted power supply throughout the entire process.
Follow these steps:
1. Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel.
2. Click System and Security.
3. Click BitLocker Drive Encryption.
4. Under BitLocker Drive Encryption, Click Turn on BitLocker.
5. Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. For the purpose of the guide, select Enter a password to continue.
6. Enter a password that you'll use every time you boot Windows 10 to unlock the drive, and click Next to continue. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)
7. You will be given the choice to save a recovery key to regain access to your files in case you forget your password. Options include:
o Save to your Microsoft account
o Save to a USB flash drive
o Save to a file
o Print the recovery key
Select the option that is most convenient for you, and save the recovery key in a safe place.
Quick Tip: If you trust the cloud, you can choose to save your recovery key in your Microsoft account using the Save to your Microsoft account option, in which case you can retrieve your encryption key at this location: https://onedrive.live.com/recoverykey.
8. Click Next to continue.
9. Select the encryption option that best suits your scenario:
o Encrypt used disk space only (faster and best for new PCs and drives)
o Encrypt the entire drive (slower but best for PCs and drives already in use)
10. Choose between the two encryption options:
o New encryption mode (best for fixed drives on this device)
o Compatible mode (best for drives that can be moved from this device)
In Windows 10 version 1511, Microsoft introduced support for the XTS-AES encryption algorithm. This newer mode provides additional integrity protection and defends against attacks that manipulate the ciphertext to cause predictable modifications in the cleartext. BitLocker supports 128-bit and 256-bit XTS-AES keys.
11. Click Next to continue.
12. Make sure to check the Run BitLocker system check option, and click Continue.
13. Finally, restart your computer to begin the encryption process.
14. On reboot, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.
After rebooting, you'll notice that your computer will quickly boot to the Windows 10 desktop. However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you'll see that BitLocker is still encrypting your drive. Depending on the option you selected and the size of the drive, this process can take a long time, but you'll still be able to work on your computer.
Once the encryption process completes, the drive label should read BitLocker on.
You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC in File Explorer.
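Beyond the lock icon, a practitioner will want to confirm the state the steps above leave the machine in: TPM present and ready, the drive encrypting, XTS-AES in use, and a recovery password on record. The PowerShell check below is an added example, not part of the original guide; it assumes an elevated session on Windows 10 Pro/Enterprise with the BitLocker and TrustedPlatformModule modules available, the OS volume mounted at C:, and a backup path of my own choosing.

```powershell
# Added verification script (not part of the original guide).
# Assumes an elevated PowerShell session with the BitLocker and
# TrustedPlatformModule modules, and the OS volume mounted at C:.
# $BackupPath is an assumed location; the guide only says "a safe place".
$OsDrive    = 'C:'
$BackupPath = "$env:USERPROFILE\Desktop\BitLocker-RecoveryKey.txt"

# 1. Is there a TPM, and is it ready for BitLocker to use?
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM detected; check the UEFI security settings described in the guide.'
} elseif (-not $tpm.TpmReady) {
    Write-Warning 'TPM is present but not ready (it may be disabled in UEFI or need initialising).'
}

# 2. Encryption state of the OS drive (status, progress, algorithm).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
[pscustomobject]@{
    Drive            = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus          # e.g. EncryptionInProgress, FullyEncrypted
    ProtectionStatus = $vol.ProtectionStatus      # stays Off while encryption is still running
    PercentDone      = $vol.EncryptionPercentage
    Method           = $vol.EncryptionMethod      # XtsAes128 / XtsAes256 = "New encryption mode"
} | Format-List

if ($vol.EncryptionMethod -notmatch '^XtsAes') {
    Write-Warning "Drive is not using XTS-AES (found $($vol.EncryptionMethod)); it was likely set up in Compatible mode."
}

# 3. Which unlock factors exist, and is a recovery password among them?
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Warning 'No recovery password protector found; add one before relying on this drive.'
} else {
    # Same content the "Save to a file" option writes: the 48-digit recovery password.
    "Identifier: $($recovery.KeyProtectorId)`nRecovery Key: $($recovery.RecoveryPassword)" |
        Out-File -FilePath $BackupPath -Encoding ascii
    Write-Host "Recovery password saved to $BackupPath - move it off this drive."
}
```

The file is written to the encrypted drive only as a staging step; copy it to a USB stick or print it, then delete the local copy, so the key is not locked inside the volume it unlocks.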
BitLocker Drive Encryption options
When BitLocker is enabled on your main hard drive, you'll get a few additional options, including:
· Suspend protection: While protection is suspended your data won't be protected. Typically, you would use this option when applying a new operating system, firmware, or hardware upgrade. If you don't resume protection yourself, BitLocker will resume it automatically during the next reboot.
· Back up your recovery key: If you lose your recovery key, and you're still signed into your account, you can use this option to create a new backup of the key with the options mentioned in step 6.
· Change password: You can use this option to create a new encryption password, but you'll still need to supply the current password to make the change.
· Remove password: You can't use BitLocker without a form of authentication. You can remove a password only when you configure a new method of authentication.
· Turn off BitLocker: In case you no longer need encryption on your computer, BitLocker provides a way to decrypt all your files. However, be aware that after turning off BitLocker your sensitive data will no longer be protected. In addition, decryption may take a long time to complete depending on the size of the drive, but you can still use your computer.
Similar to BitLocker, device encryption is a feature designed to protect your data from unauthorized access in the unexpected case that your laptop is lost or stolen. When the feature is enabled, the entire system drive and any secondary drives connected to your device are scrambled, and only you, with the correct password, can access the data.
The biggest difference between the two is that device encryption is available on all editions of Windows 10, while BitLocker is only available for Windows 10 Pro, Enterprise, or Education, and offers some additional management tools.
How to encrypt a hard drive for Windows Home edition and Windows Home pro
To see if your laptop or desktop computer meets the requirements for device encryption, use these steps:
1. Open Start.
2. Search for System Information, right-click the top result, and select the Run as administrator option.
3. Click the System Summary branch from the left pane.
4. Check the "Device Encryption Support" item; if it reads Meets prerequisites, your computer supports device encryption.
After you complete the steps, you can proceed to enable encryption on the entire system.
Enabling device encryption
To enable device encryption on your Windows 10 Home laptop or desktop computer, use these steps:
1. Open Settings.
2. Click on Update & Security.
3. Click on Device encryption.
A quick tip: If the "Device encryption" page isn't available, it's likely that your device doesn't support the encryption feature.
4. Under the "Device encryption" section, click the Turn on button.
Once you complete the steps, Windows 10 will turn on encryption for the current and future files you store on your computer.
Configure TPM on UEFI
If you know that the device has a TPM chip, but it's disabled, you can refer to these steps to enable it:
1. Open Settings.
2. Click on Update & Security.
3. Click on Recovery.
4. Under the "Advanced startup" section, click the Restart now button.
5. Click on Troubleshoot.
6. Click on Advanced options.
7. Click on UEFI Firmware Settings.
8. Click the Restart button.
9. Locate the security settings.
Quick note: You may need to consult your manufacturer's support website for more specific details on where to find the TPM settings.
10. Enable the TPM feature.
After you complete the steps, you should be able to enable device encryption on your computer running Windows 10 Home to protect your files.
Disabling device encryption
To disable device encryption on your Windows 10 Home device, use these steps:
1. Open Settings.
2. Click on Update & Security.
3. Click on Device encryption.
4. Under the "Device encryption" section, click the Turn off button.
5. Click the Turn off button again to confirm.
After you complete the steps, the device will go through the decryption process, which, depending on the amount of data, can take a very long time.
We're focusing this guide on Windows 10 Home users, but this option, as well as BitLocker, is also available for devices running Windows 10 Pro with supported hardware.
Compiled by Esther Nyapendi, Tech Support Volunteer