Keeping sensitive data on your system can be risky unless you protect it in an effective way. Encryption is one of the best ways to safeguard your data from hackers and spying agencies, or from falling into the wrong hands if your laptop is stolen. Encryption protects the data by converting it into an unrecognizable form. The data can be accessed only after decrypting it by providing the password or key. The Windows operating system offers a robust data encryption tool in the form of BitLocker. You need a Windows 10 Professional or Enterprise edition in order to set up BitLocker encryption. Apart from encrypting internal hard drives, BitLocker can also encrypt external drives for enhanced security.
Benefits of BitLocker
Computers are becoming more and more portable, and most employees take their laptops home or into the field for work. The possibility of a laptop getting stolen cannot be ruled out, and access to the physical hardware makes it easier to steal the data than doing it online. Organizations need to worry even more if the system falls into the hands of a competitor. BitLocker encryption comes in handy in this situation, since nobody will be able to boot the device or extract data from the hard drive.
Protects USB drives
It is not uncommon in organizations for employees to write data to USB drives, and the chances of losing a USB drive are much higher than those of losing a hard drive or laptop. BitLocker can encrypt not only built-in storage drives but also USB drives, rendering the data non-recoverable if the drive is misplaced. IT professionals can also use Windows group policies to allow users to write data ONLY to BitLocker-configured USB drives.
Once in a while you might face a situation where the hard disk crashes and you need to take it to data recovery experts. This can also pose a huge security lapse, since the data can fall into the wrong hands. If the drive is encrypted with BitLocker, you need not worry about data theft before handing the storage drive to data recovery agents.
If somebody tampers with the Windows 10 boot files by installing Trojan software, you will easily get to know about it if the boot partition is encrypted. Any tampering with the boot files will make Windows start in BitLocker recovery mode, and any attempt to install malicious software will be thwarted.
Most companies dispose of their IT hardware from time to time, and IT pros make sure that all data is deleted from the storage devices before discarding them. But is it sufficient to just erase or delete the data from hard drives? No, anybody with a little data-recovery knowledge can extract that data, but a drive encrypted with BitLocker cannot be unlocked without the authentication key.
BitLocker is available in Windows Vista and all later versions.
- Enterprise and Ultimate editions of Windows Vista and Windows 7
- Enterprise and Professional editions of Windows 8 and Windows 8.1
- Enterprise, Professional and Education editions of Windows 10
- The motherboard of the computer or laptop must have a Trusted Platform Module (TPM) chip. When you encrypt the operating system drive, BitLocker creates a key in the TPM chip that will be required when booting the system.
- The BIOS or UEFI firmware must be able to read from a USB storage device in the pre-operating-system stage. In simple terms, the system should be able to boot from a USB drive.
- You need at least 2 partitions on the hard disk to install BitLocker. If you do not have them, BitLocker will create them instead.
Advance Preparations for Encryption with BitLocker
- BitLocker encryption is a time-consuming process. Its duration depends on the size of your data (in the case of partial encryption) or the size of the partition (in the case of full encryption). So, if you are using a laptop, make sure it is connected to a power source, and if you intend to enable BitLocker on a desktop computer, connect it to a UPS for backup power in case of a power outage.
- Before you start encrypting your computer with BitLocker, you have to check whether the hardware of your system has a TPM chip. You can check this by 2 methods.
Method 1. Open the Run command (Windows+R) and type tpm.msc
If the system hardware does not have a TPM installed, the following message will be displayed.
And if it has a TPM, you will get the following message.
Method 2. You can also verify whether the computer has a TPM by navigating to
Right-click on My Computer > click Properties > Device Manager
If your system has TPM hardware, you will find Security devices among the various hardware devices, and on expanding it you will find the TPM version installed.
Note: You need not worry if you do not have a TPM on your system motherboard, since you can buy one separately and install it in the motherboard.
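The preparation checks above (supported edition, TPM presence, mains power) can also be run from an elevated PowerShell prompt. This is an added example, not part of the original article; the function name Test-BitLockerReadiness is hypothetical, and the edition test is a simple match on the OS caption.

```powershell
# Added example: pre-encryption checks, run from an elevated PowerShell session.
# Test-BitLockerReadiness is a hypothetical helper name, not a built-in cmdlet.
function Test-BitLockerReadiness {
    # Edition: the article lists Professional, Enterprise and Education for Windows 10.
    # Assumption: matching on the caption text is good enough for a quick check.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionOk = $os.Caption -match 'Pro|Enterprise|Education'

    # TPM: Get-Tpm reports presence and readiness (the same facts tpm.msc shows).
    $tpm = Get-Tpm

    # TPM specification version, when a TPM is exposed through WMI.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = if ($tpmWmi) { $tpmWmi.SpecVersion } else { 'n/a' }

    # Power: desktops return no Win32_Battery instance. BatteryStatus 1, 4 and 5
    # (discharging, low, critical) mean the machine is running on battery.
    $battery = @(Get-CimInstance -ClassName Win32_Battery -ErrorAction SilentlyContinue)
    $onBattery = [bool]($battery | Where-Object { $_.BatteryStatus -in 1, 4, 5 })

    [pscustomobject]@{
        Edition          = $os.Caption
        EditionSupported = $editionOk
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        TpmSpecVersion   = $specVersion
        OnBatteryPower   = $onBattery
        NeedsNoTpmPolicy = -not $tpm.TpmPresent
    }
}

$result = Test-BitLockerReadiness
$result | Format-List

if (-not $result.EditionSupported) {
    Write-Warning 'This Windows edition is not in the supported list.'
}
if ($result.OnBatteryPower) {
    Write-Warning 'Running on battery: connect mains power before encrypting.'
}
if ($result.NeedsNoTpmPolicy) {
    Write-Warning 'No TPM found: the group policy route for systems without TPM is required.'
}
```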
How to Encrypt System Drive C (with TPM)
Select the primary partition, that is drive C, and right-click on it. Now click “Turn on BitLocker”.
As soon as you turn on BitLocker, the computer will perform two steps. First, it will turn on the TPM security hardware, and second, it will encrypt the drive.
After you press the Next button, the process will ask you to shut down the PC and restart it.
In the next screen, you will be instructed to press F1 to let Windows create the authentication value in the TPM.
When the system reboots, BitLocker will be turned on, and on pressing the Next button you will be asked to back up the recovery key. This is only required if you want to connect this drive to some other system for data transfer.
In a BitLocker setup with TPM, you do NOT have to enter a password to unlock the encrypted drive. You just have to sign in to Windows with your login password.
How to enable BitLocker on a computer without TPM
If you have checked and found that your computer motherboard does not support TPM, you can still secure your system drive.
You need to edit the group policy to create an additional authentication method at startup.
So let’s start
Open the Run command (Windows+R) and open the Local Group Policy Editor by typing gpedit.msc.
From the left sidebar menu, navigate to
windows templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Now, on the right side, double-click on “Require additional authentication at startup”.
In the next screen that opens, you can see that the “Not configured” radio button is selected by default. Select the Enabled radio button. Once you do so, the option “Allow BitLocker without a compatible TPM” is automatically selected in the lower section of the window. Finally, click on Apply and OK.
Now right-click on the C drive and click on Turn on BitLocker.
The encryption will start as shown in the image below.
In the next screen, it will ask you which type of authentication you want to opt for. The two options are:
- Insert a USB flash drive. Choosing this option will require you to insert a USB drive with an authentication key every time you boot the system.
- Enter a password. If you select this option, you have to enter a password when the system boots.
We will select the 2nd option, which is less cumbersome and does not require you to always carry a USB drive with you in order to start up the system.
Next, you will be asked to save a recovery key in order to unlock the encrypted drive. The options include saving it to your Microsoft account, saving it to a removable USB drive, saving it to a file and printing it on paper.
We will select the option of saving it to a file, which will prompt you to save the recovery key to any location on the local hard drive.
Next, you need to select whether you want to encrypt only the used disk space or the complete hard drive. We will select the 1st option, since it is faster and new data is automatically encrypted by BitLocker.
In the next screen, we will select the New encryption mode, which is best for fixed drives.
Finally, BitLocker will perform a system check during which it will check the authentication and recovery keys.
Once you hit the Continue button, you need to restart the system, and you will be asked to provide the password before you proceed.
After the system restarts, you will get a notification that encryption of drive C is completed. You will always have to provide a password in order to open the C drive and when booting the computer.
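The same no-TPM setup can be scripted. The following is an added example, not part of the original article: it confirms that the group policy set above is in effect by reading the two registry values that policy writes, then enables BitLocker on C: with a startup password, used-space-only encryption and the new (XTS-AES) encryption mode. It assumes an elevated PowerShell session and the built-in BitLocker module.

```powershell
# Added example: the no-TPM procedure above, run from an elevated prompt.
$mount = 'C:'
$fve   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" ticked, is stored as these values.
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
if ($policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy does not allow BitLocker without a TPM; set it in gpedit.msc first.'
}

# Refuse to touch a volume that is already encrypted or mid-conversion.
$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "Volume $mount is in state $($vol.VolumeStatus); nothing to do."
}

# Startup password (the article's 2nd option). Reading it as a SecureString
# keeps it off the screen and out of the command history.
$password = Read-Host -Prompt 'Startup password' -AsSecureString

# Used space only + XTS-AES 128 ("New encryption mode"). Without
# -SkipHardwareTest, BitLocker runs its system check on the next restart
# and encryption starts only after that check passes.
Enable-BitLocker -MountPoint $mount `
    -PasswordProtector -Password $password `
    -UsedSpaceOnly -EncryptionMethod XtsAes128 | Out-Null

# Add a numerical recovery password as the fallback unlock method.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null

# Display the recovery password once so it can be stored somewhere other
# than the drive it unlocks (printed, or on a separate USB drive).
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword |
    Format-List

Write-Host 'Restart the computer to run the BitLocker system check.'
```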
You can manage the encryption in a number of ways. Right-click on the encrypted drive and click Manage BitLocker. You will find the following options.
- Suspend protection. You can suspend BitLocker protection temporarily when you need to perform a software or hardware upgrade.
- Back up your recovery key. If you have lost your recovery key, you can create the recovery key again at the desired location.
- Change password. If you think your password is too old and might have been leaked, you can change it, but you need to enter your old password to complete the operation.
- Remove password. Before you take this step, make sure you have created another authentication method.
- Turn off BitLocker. This option will completely remove the encryption from the partition or drive.
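Because protection can be suspended, a password removed or BitLocker turned off from this menu, it is worth checking the resulting state of every volume. The audit below is an added example, not part of the original article; the function name Get-BitLockerAudit is hypothetical, and it uses the built-in Get-BitLockerVolume cmdlet from an elevated session.

```powershell
# Added example: report volumes whose BitLocker state needs attention.
# Get-BitLockerAudit is a hypothetical helper name, not a built-in cmdlet.
function Get-BitLockerAudit {
    foreach ($v in Get-BitLockerVolume) {
        # Names of the key protectors on this volume (Tpm, Password,
        # RecoveryPassword, ExternalKey, ...), as plain strings.
        $types = @($v.KeyProtector |
            ForEach-Object { "$($_.KeyProtectorType)" } |
            Where-Object { $_ })

        $findings = @()

        # Not encrypted at all, or conversion still in progress.
        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($v.VolumeStatus)"
        }

        # Encrypted but protection off: this is the "Suspend protection" state,
        # where the volume key is stored unprotected on the disk.
        if ($v.VolumeStatus -ne 'FullyDecrypted' -and $v.ProtectionStatus -ne 'On') {
            $findings += 'protection is suspended or off'
        }

        # Protected volume with no recovery password: a forgotten password
        # or a recovery-mode boot would leave no way back in.
        if ($types.Count -gt 0 -and $types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = $v.VolumeType
            Encrypted  = "$($v.EncryptionPercentage)%"
            Method     = $v.EncryptionMethod
            Protectors = $types -join ', '
            Findings   = $findings -join '; '
        }
    }
}

# Show only the volumes with at least one finding.
Get-BitLockerAudit | Where-Object { $_.Findings } | Format-Table -AutoSize -Wrap
```

For a planned upgrade, `Suspend-BitLocker -MountPoint 'C:' -RebootCount 1` suspends protection for a single restart and re-enables it automatically, which avoids leaving a volume in the suspended state this audit flags.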
Encryption of NON-OS Partitions and External Drives with BitLocker
The procedure to encrypt USB drives or non-system partitions is the same. You do not need a TPM to encrypt these partitions.
Set Up BitLocker Encryption Now to Secure Your Data
Although BitLocker encryption is available only on Windows 10 Pro and Enterprise editions, you must enable BitLocker to save your sensitive data from hackers and Trojan attacks. Follow these methods and also share the tips with your friends.