Home / Windows 10

Data Secure via Encryption

There's a pretty good chance that your computer contains all sorts of personal or sensitive information-legal, financial, or medical documents, -and so on-that you wouldn't want a stranger to get their hands on.

You may think that your Windows account password protects your sensitive files from prying eyes, and it does, but only up to a certain point. Although keeping your Windows password secret (it is a secret, right?) will prevent anyone from logging into your account to view your files, there are ways to access a PC's storage without going through Windows.

One way is to use a so-called Live CD or DVD, which contains an operating system (typically a version of Linux) that runs entirely in the PC's memory (RAM). Starting a PC with a Live CD/DVD allows someone to bypass Windows and use another operating system to access the hard drive without making any permanent changes to it (i.e., you don't have to "install" the operating system on the hard drive). Another method is to simply remove the hard drive from a PC and connect it to different computer in order to directly access the contents while circumventing any restrictions Windows may have put on files or folders.

If your PC should ever be lost or stolen, these methods will be among the first things someone of malicious intent will do in order to mine the computer for exploitable information. But you can keep your data secure in this kind of scenario by encrypting it.

What Is Encryption?

Simply put, encrypting data means scrambling it with a special algorithm and a secret code called an encryption key. Once data is scrambled in this way it becomes gibberish, so the only way to convert it back into its original, readable form is with that encryption key. Encryption comes in many different forms. Beyond the various encryption algorithms that exist, there are numerous ways to implement encryption. For example, some kinds of encryption are built into Windows, but you can also get it via third-party hardware or software. Some encryption products are designed to encrypt specific files (or the folders containing them), whereas others encrypt an entire storage device, including the operating system and applications.

Unfortunately, there's no easy answer to that question. No form of security is 100 percent effective, and it's an axiom that virtually any form of security can be defeated given enough time, money, and effort. It's also important to remember that security and convenience reside on opposite ends of a continuum. That is, when security goes up, convenience goes down, and vice versa. Some forms of encryption can be quite onerous, requiring a lot of time and effort to use. The methods we'll discuss here are designed to be transparent-that is, once they're turned on, they more or less work automatically, and in the background, without significantly impacting how you use the computer.

Windows Device Encryption

One of the easiest ways to protect your data on a Windows 8.1 or Windows 10 PC is via the built-in Device Encryption feature. Device Encryption automatically encrypts the entire contents of your computer. But there's a catch-using Windows' Device Encryption feature requires a PC to support a technology called InstantGo, which among other things, means that the PC contains a built-in Trusted Platform Module (TPM), which is a special security chip that can store encryption keys.

In addition, to use Device Encryption you must log into Windows using a Microsoft account (which links you to Microsoft's various online services) with administrator permissions, rather than a Local account.

If your PC is a modern tablet, laptop, or convertible/hybrid type system (the kind that can function as either a laptop or a tablet) and came with Windows 8.1 preinstalled (i.e., it wasn't upgraded from a previous version of Windows), it might support Device Encryption. (Windows desktops are unlikely to support it, however.)

Assuming that your PC meets the hardware requirements and that you're currently using your Microsoft account to log into Windows, Device Encryption may even already be running. In any event, the easiest way to know for sure whether or not your Windows PC supports/is using Device Encryption is to check for it.

Search for "encrypt" and look for Change device encryption settings.

If you don't see Change device encryption settings, your PC doesn't support Device Encryption.

Depending on whether device encryption is already running or not, you'll see a button labeled either Turn off or Turn on. If you find the former, device encryption is already running and you're good to go. If you see the latter, just tap or click the button, and Windows will automatically begin encrypting the system. You can keep using it while this happens. (You may be asked to confirm information about your Microsoft account before you can activate device encryption.)

During the encryption process, a recovery key will automatically be uploaded to your Microsoft account. You don't need to make a record of the recovery key, as it will be associated with and available through your Microsoft account.

Device encryption requires a Microsoft account mainly for convenience, because it eliminates the need for you to keep track of your own recovery key. Storing the recovery key online within your Micosoft account is the best way to ensure that it will be accessible to you when you need it, because even if you forget your Microsoft account password, Microsoft has other ways to verify that you are you (such as by sending a numeric code to your mobile phone). Without the Microsoft account you'd have to record your own recovery key, and if you were to somehow lose or forget it, there would be no way to recover your encrypted data.
That said, if you'd also prefer to save your own copy of the recovery key, go to windows.microsoft.com/recoverykey and sign in with your Microsoft account info. There you'll be able to view, print, or copy and paste your 56-digit recovery key. Note that it will be referred to as a "BitLocker" recovery key; device encryption actually uses a Microsoft encryption technology called BitLocker, which is a good segue to talk about it.


Windows Device Encryption is actually based on a predecessor encryption technology from Microsoft called BitLocker. Although using BitLocker isn't quite as effortless as using Device Encryption, it accomplishes much the same thing-it encrypts the contents of your hard drive to thwart any attempt to bypass Windows and directly access your files. But, as with Device Encryption, BitLocker comes with a catch-it's only available on the Pro and Enterprise editions of Windows 8 or Windows 10, which are businessoriented versions of Windows, which include features not found in the "regular" consumer-oriented Windows editions.

Fortunately, it's easy enough to determine whether or not you have a version of Windows that includes BitLocker: just search for "bitlocker". If you see a result called Manage Bitlocker, then you've got it; if not, you don't.

If you didn't find BitLocker on your system, you can get it (along with other new features) by upgrading your system via the Windows 8.1 Pro Pack. It's not exactly cheap-the Pro Pack costs $100 if you buy it online directly from Microsoft, although you can often find it cheaper from other online retailers such as Amazon.
Price aside, however, adding the Pro Pack is an easy upgrade because there is nothing to download or install-you're actually buying a product key, which is an alphanumeric code that you enter into your computer to instantly unlock the higher version of Windows without disturbing any of your existing software or data.
To buy an upgrade code (or use one you've previously purchased), search for "add features", then tap or click Add Features to Windows 8.1.

Using BitLocker

Once you've run BitLocker, there's a good chance that you're going to see the window. As we mentioned earlier, a TPM is a special security chip that's built into certain laptops, but many models lack one. Eventually, all laptops will likely have TPMs, but as of this writing they're far more common in business-oriented computers than consumer-oriented models.

Although lacking a TPM chip is a showstopper if you want to use the Device Encryption that we discussed in the previous section, you can still use BitLocker even if you don't have a TPM-you just need to make a system tweak first.

If your PC was provided by your company and is under control of a network administrator, you may not be able to perform the following tweak.

To allow BitLocker to run on a system without a TPM, go to the Start screen and search for gpedit (or edit group policy) to launch the Local Group Policy Editor. Then navigate to Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives. Finally, doubleclick Require additional authentication at startup, click enabled, and make sure Allow BitLocker without a compatible TPM is checked. Click Apply, then OK, then rerun BitLocker.

Once you've got BitLocker running, you'll see the window. Click Turn on BitLocker next to the hard drive that you want to protect. (If your computer happens to have multiple hard drives, you'll see a link for each one, as BitLocker must be turned on separately for each drive.)

Next you'll be asked how you want to unlock your drive at startup (i.e., each time you turn on your PC). Your options are to insert a USB Flash drive or enter a password.

If your PC does have a TPM, you won't have to make this choice, as the TPM will automatically unlock your drive at startup.

For this example, we'll opt for using a password. Enter and confirm your password, and be sure it's a strong one.

Unlocking via a USB Flash:
Drive If you choose to unlock via a USB Flash drive, you will always need to have that drive inserted into your system before it will start. This unlocking method is more secure than choosing a password (which can potentially be guessed) but take care-should you misplace or lose the drive (and they are quite small), you won't be able to use the computer until you jump through the hoops required to retrieve the BitLocker Recovery Key. (more on this in a moment).

Next, Bitlocker will ask you how you want to back up your recovery key. Your options are to Save to your Microsoft account, a USB flash drive, a file, or to print it. You can-and should-choose multiple backup methods so that you have a fallback in case one is unavailable. Choose your backup methods one at a time, follow the steps, and then click Next when you're done.

Save to a file will only work if your PC has multiple internal storage devices; you can't save the recovery key to the drive you're encrypting.

Now it's time to decide how much of the drive to encrypt. If you're doing this on a brand new computer, the default option, Encrypt used disk space only, will get the job done faster, but if the computer's been in use for a while already, the Encrypt entire drive option will ensure that free space, which likely contains previously deleted data, is also encrypted.

Regardless of which option you choose, any new data that you add to the drive will be encrypted automatically.

Finally, you'll be asked if you are ready to encrypt the drive. You'll see that a box labeled Run BitLocker system check is checked. It's strongly recommended that you keep the box checked, as BitLocker will test to make sure that your unlock password or key is working correctly before your drive is encrypted. Click Continue. At this point, you'll need to restart your computer to initiate the encryption process.

When your system restarts, you'll be prompted to provide the Bitlocker unlock password or insert the USB drive you created. (Note the option to press ESC for BitLocker recovery; select this should you ever forget your unlock password or lose the USB drive.) Once you've entered the unlock password, Windows will finish loading and start encrypting your drive. You can use the computer while it's being encrypted, but be patient because the process can take many hours to complete and performance may be quite sluggish until it does.

Using BitLocker on Removable Drives

Maybe the files you want to protect aren't on your PC but, rather, on a removable storage device such as a USB hard drive or Flash drive. If so, you can use BitLocker to encrypt those drives, too-just connect the drive that you want to encrypt, locate it in File Explorer, right click it, and select Turn on BitLocker. You'll go through steps similar to those outlined earlier-choosing and confirming a password, backing up a recovery key, and so on-and when you're done the drive will begin encrypting. Don't remove the drive during encryption. If you absolutely must, click Pause to put encryption on hold before doing so.

Once a removable drive is encrypted, you'll need to enter the unlock password each time you insert the drive into a Windows 10, Windows 8.x, or Windows 7 computer.

There is no official way to access a BitLocker to Go drive from non-Windows operating systems such as Mac OS X or Linux, but a free third-party tool that purports to make this possible is available at www.hsc.fr/ressources/outils/dislocker.

Other Encryption Options

If your PC doesn't support Device Encryption and you don't have a version of Windows that includes BitLocker, there are third-party software options available. For a no-cost option, look into either VeraCrypt (veracrypt.codeplex.com) or CipherShed (ciphershed. org), both of which are based on the same code as TrueCrypt, which was arguably the most popular third-party encryption software until it was abruptly discontinued in May 2014. Both VeraCrypt and CipherShed can encrypt internal and removable drives, and both are compatible with Windows, Mac OS X, or Linux (although neither is quite as user-friendly as BitLocker).

If your main concern is carrying encrypting data with you on a removable drive, you should also consider hardware-encrypted USB hard drives and flash drives. These drives contain a built-in security chip, so they provide very strong, fast, encryption that works on any computer, regardless of operating system used. They also integrate a numeric keypad or biometric scanner so you can access them via a PIN code or swipe of your finger. Two companies that make these types of drives are Apricorn (www.apricorn.com) and IronKey (www.ironkey.com). But be forewarned-these drives can be up to ten times the price of ordinary drives with the same storage capacity.