Windows 10

Using BitLocker Drive Encryption

File History and System Protection ensure the availability of your files, in that they allow you to restore lost or damaged files by restoring from a backup copy. BitLocker drive encryption isn't about availability - it's about confidentiality. If your notebook computer is lost or stolen, that's certainly a bad thing. But if your computer contains confidential personal, client, or patient information, that's even worse. BitLocker drive encryption ensures that lost or stolen data can't be read by prying eyes.

Tip:
BitLocker differs from the Encrypting File System (EFS) in that EFS encrypts individual folders and files, whereas BitLocker encrypts the whole disk.

BitLocker drive encryption works by encrypting all the data on a hard drive. With BitLocker drive encryption active, you can use the computer normally. All the necessary encryption and decryption takes place automatically behind the scenes. But a thief can't access data, passwords, or confidential information on the drive.

Tip:
BitLocker drive encryption ensures the confidentiality of data stored in portable computers.

BitLocker Hardware Requirements

BitLocker drive encryption uses an encryption key to encrypt and decrypt data. That key must be stored in a Trusted Platform Module (TPM) Version 1.2 microchip, working together with a compatible BIOS. Only newer computers come with the appropriate hardware preinstalled. You also need a USB flash drive to store a copy of the password.

Caution:

BitLocker drive encryption is primarily designed for organizations that have sensitive data stored on notebooks and PCs. Theft of that data could have a negative impact on the organization, its customers, or its shareholders. While transparent to the user, the act of setting up BitLocker is normally entrusted to IT professionals within the organization.

If you aren't an IT professional, you need to be aware of the risks involved, especially if you plan to set up BitLocker on a hard drive that already contains files. First, always back up your data before repartitioning a drive. Although many programs on the market allow you to repartition a disk without losing data, there's always a risk. A backup is your only real insurance. More important, you should understand that BitLocker is not for the technologically faint-of-heart. You have no way to undo any bad guesses or mistakes. If not handled with the utmost care, BitLocker can render your computer useless and your data unrecoverable. If you aren't technologically inclined, but you have a serious need for drive encryption, consider getting professional support in setting up BitLocker for your system.

Note:
The first time you open the BitLocker task page, you see a message indicating whether you have a TPM Version 1.2 chip installed. If you're certain that you have such a chip, but Windows 10 fails to recognize it, check with your computer manufacturer for instructions on making it available to Windows 10.

In addition to a TPM chip, your hard drive must contain at least two volumes (also called partitions). One volume, called the system volume, must be at least 1.5 GB in size. That volume contains some startup files and cannot be encrypted. The other volume, called the operating system volume, contains Windows 10, your installed programs, and user account folders. Both volumes must be formatted with NTFS.
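The requirements in the two paragraphs above can be checked before you open the BitLocker task page. The script below is an added example, not part of the tutorial or of Microsoft's own tooling; it reads the TPM through the Win32_Tpm CIM class, inspects the partition layout of the disk that holds Windows, and reports the current BitLocker state. The 1.5 GB figure from the text is kept as a parameter and only reported, because current Windows 10 installations use a much smaller EFI or System Reserved partition for the startup files (FAT32 on UEFI systems), and BitLocker works with that layout.

```powershell
# Added example (not from the tutorial): pre-flight check for the BitLocker requirements
# described above. Run from an elevated PowerShell prompt on the computer you intend to encrypt.
#Requires -RunAsAdministrator

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param(
        # Minimum size of the unencrypted system volume named in the text (1.5 GB).
        # Reported, not enforced: a modern UEFI install has an EFI partition of ~100 MB.
        [long]$MinSystemVolumeBytes = 1.5GB
    )

    $r = [ordered]@{}

    # --- TPM: present, enabled and activated, and which specification it implements.
    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the spec.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $r.TpmPresent = ($null -ne $tpm)
    if ($tpm) {
        $r.TpmEnabled     = $tpm.IsEnabled_InitialValue
        $r.TpmActivated   = $tpm.IsActivated_InitialValue
        $r.TpmSpecVersion = [version](($tpm.SpecVersion -split ',')[0].Trim())
    }
    # -and short-circuits, so the version comparison only runs when a TPM was found.
    $tpmOk = $r.TpmPresent -and $r.TpmEnabled -and $r.TpmActivated -and
             ($r.TpmSpecVersion -ge [version]'1.2')

    # --- Disk layout: the partition holding the startup files (IsSystem) must be separate
    # from the partition holding Windows (IsBoot), and the Windows volume must be NTFS.
    $osPartition  = Get-Partition -DriveLetter $env:SystemDrive[0]
    $sysPartition = Get-Partition -DiskNumber $osPartition.DiskNumber | Where-Object IsSystem
    $osVolume     = $osPartition  | Get-Volume -ErrorAction SilentlyContinue
    $sysVolume    = $sysPartition | Get-Volume -ErrorAction SilentlyContinue

    $r.OsVolumeFileSystem     = $osVolume.FileSystem
    $r.SeparateSystemVolume   = ($null -ne $sysPartition) -and
                                ($sysPartition.PartitionNumber -ne $osPartition.PartitionNumber)
    $r.SystemVolumeSizeMB     = [math]::Round($sysPartition.Size / 1MB)
    $r.SystemVolumeFileSystem = $sysVolume.FileSystem
    $r.SystemVolumeMeetsTextMinimum = ($sysPartition.Size -ge $MinSystemVolumeBytes)

    # --- Current BitLocker state of the Windows volume (BitLocker PowerShell module).
    $blv = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $r.BitLockerVolumeStatus = if ($blv) { $blv.VolumeStatus.ToString() } else { 'Unknown' }

    # Overall verdict on the requirements the text treats as hard: TPM 1.2 or later that is
    # enabled and activated, a separate system partition, and an NTFS Windows volume.
    $r.Ready = $tpmOk -and $r.SeparateSystemVolume -and ($r.OsVolumeFileSystem -eq 'NTFS')
    [pscustomobject]$r
}

Test-BitLockerReadiness | Format-List
```

If `TpmPresent` is `False` although the computer has a TPM, the chip is usually disabled in firmware, which is the situation the Note above refers to; `Ready` is then `False` until the manufacturer's instructions have been followed.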

Encrypting the volume

When all the necessary hardware is in place, setting up BitLocker drive encryption is a relatively easy task:

  1. Select BitLocker Drive Encryption from Control Panel.
    If your hardware setup doesn't support BitLocker, you see messages to that effect. You cannot continue without appropriate hardware and disk partitions.
  2. If all systems are go, the BitLocker Drive Encryption window appears.
  3. Click Turn On BitLocker. If your TPM isn't initialized, a wizard takes you through the steps to initialize it. Follow the onscreen instructions to complete the initialization.
  4. When prompted, choose your preferred password storage method, store the password, and click Next.
  5. On the encryption page, select Run BitLocker System Check and click Continue.
  6. Insert the password recovery USB flash drive (or whatever medium you used for password recovery) and click Restart Now.
  7. Follow the onscreen instructions.

The wizard ensures that all systems are working and it's safe to encrypt the drive. Just follow the instructions to the end to complete the procedure.

Make sure you password-protect all user accounts to prevent unauthorized access to the system. Otherwise, a thief can get at the encrypted data just by logging in to a user account that requires no password!
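The wizard steps above, and the account check in the last paragraph, can also be carried out from PowerShell with the BitLocker module that ships with Windows 10. The following is an added example and not the tutorial's or Microsoft's own script; it assumes the Windows volume is the system drive (normally C:) and that the USB flash drive for the password copy is mounted as E:\ (a placeholder letter). The order matters: the recovery password is created and saved off the machine first, and only then is the volume key bound to the TPM, so that a failed system check or a later startup block (see "Computer Won't Start") always has a way back in.

```powershell
# Added example (not from the tutorial): enabling BitLocker on the Windows volume the way the
# wizard does, with a recovery password copied to removable media before encryption starts,
# followed by the check for accounts that require no password.
#Requires -RunAsAdministrator

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # Removable drive that receives the recovery password file (letter is an assumption).
        [Parameter(Mandatory)][string]$RecoveryDrive
    )

    if (-not (Test-Path -LiteralPath $RecoveryDrive)) {
        throw "Recovery drive $RecoveryDrive is not available; insert it before continuing."
    }

    # Step 4 equivalent: add a 48-digit recovery password and store a copy off the machine
    # before anything is encrypted. Add-BitLockerKeyProtector returns the updated volume object.
    $volume    = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $protector = $volume.KeyProtector |
                 Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                 Select-Object -Last 1
    $file = Join-Path $RecoveryDrive ("BitLocker Recovery Key {0}.txt" -f
                                      $protector.KeyProtectorId.Trim('{}'))
    @(
        'BitLocker Drive Encryption recovery key'
        "Identifier:   $($protector.KeyProtectorId)"
        "Recovery Key: $($protector.RecoveryPassword)"
    ) | Set-Content -LiteralPath $file -Encoding UTF8

    # Steps 3 and 5 equivalent: bind the volume key to the TPM. Without -SkipHardwareTest the
    # cmdlet schedules the same BitLocker system check the wizard runs: encryption starts after
    # the next restart only if the TPM was able to release the key.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly

    # Report what is now configured on the volume.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                      @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

function Get-LocalAccountWithoutPassword {
    # Enabled local accounts that can sign in with no password: each one is the open door
    # to the encrypted data that the paragraph above warns about.
    Get-LocalUser |
        Where-Object { $_.Enabled -and -not $_.PasswordRequired } |
        Select-Object Name, Enabled, PasswordRequired, LastLogon
}

Enable-OsDriveBitLocker -RecoveryDrive 'E:\'   # E:\ is a placeholder for your USB drive
Get-LocalAccountWithoutPassword               # should return nothing on a well-configured PC
```

After the restart prompted by the system check, `Get-BitLockerVolume` shows `VolumeStatus` as `EncryptionInProgress` and then `FullyEncrypted`; `ProtectionStatus` reads `On` once the TPM protector is active. Keep the recovery file on the USB drive away from the computer it belongs to.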

Computer Won't Start

After BitLocker is enabled, you should be able to start the computer and log in to it normally. BitLocker only prevents normal startup if it detects changes that could indicate tampering. For example, moving the drive to a different computer, or even making BIOS changes that look like tampering, causes BitLocker to block startup. To get past the block, you need to supply the appropriate password.

Turning off BitLocker

If you ever change your mind about using BitLocker, repeat the steps in the section "Encrypting the volume" and choose the option to turn off BitLocker drive encryption.
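Both of the situations in the two sections above have a scripted counterpart in the BitLocker module. The block below is an added example, not from the tutorial: the first function covers a planned BIOS or hardware change, where suspending protection for one restart avoids the startup block described under "Computer Won't Start" without decrypting anything; the second turns BitLocker off and waits for the background decryption to finish. Both assume the Windows volume is the system drive.

```powershell
# Added example (not from the tutorial): suspend protection across a planned firmware change,
# and turn BitLocker off while waiting for decryption to complete.
#Requires -RunAsAdministrator

function Suspend-BitLockerForFirmwareUpdate {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # The drive stays fully encrypted; only the TPM measurement check is skipped for the next
    # restart, after which protection resumes on its own. Without this, a BIOS update looks
    # like tampering to BitLocker and the computer stops at the recovery prompt.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus   # ProtectionStatus: Off (temporarily)
}

function Resume-BitLockerIfSuspended {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # Safety net: if protection was suspended with -RebootCount 0 (until resumed) and the
    # update is done, switch it back on explicitly rather than leaving the drive exposed.
    $blv = Get-BitLockerVolume -MountPoint $MountPoint
    if ($blv.VolumeStatus -eq 'FullyEncrypted' -and $blv.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus
}

function Disable-OsDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int]$PollSeconds = 30
    )

    # Turning BitLocker off removes all key protectors and decrypts in the background.
    # The computer stays usable meanwhile; this loop just reports progress until it is done.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds $PollSeconds
        $blv = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Verbose ("{0}: {1}, {2}% still encrypted" -f
                       $MountPoint, $blv.VolumeStatus, $blv.EncryptionPercentage)
    } while ($blv.VolumeStatus -ne 'FullyDecrypted')

    $blv | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

# Typical use: run the first function before a firmware update, the second after the
# machine is back, and the third only if you have decided to stop using BitLocker.
Suspend-BitLockerForFirmwareUpdate
# ... apply the BIOS/UEFI update and restart ...
Resume-BitLockerIfSuspended
# Disable-OsDriveBitLocker -Verbose
```

Note that `Suspend-BitLocker` is the right tool for a planned change, whereas the recovery password from the setup step is the only way past an unplanned block; keeping that password off the computer is what makes the "Computer Won't Start" scenario recoverable rather than fatal.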

More info on BitLocker

The setup wizard for BitLocker drive encryption is designed to simplify the process as much as possible for people using computers with TPM 1.2. Other scenarios are possible. For more information, search Windows Help for "BitLocker." Or better yet, browse to www.technet.com or technet.microsoft.com and search for "BitLocker."

Performing a System Image Backup

Performing a system image backup lets you capture your system's image and save it to a remote device. The system image is a copy of the drive on which Windows is installed. If some of the files get destroyed or the drive gets damaged, you may have to restore your system image as a last resort for getting back up and running. (The system image can be saved to any remote media, such as a DVD, or the same external drive used by File History.)

A system image backup combined with File History is an excellent and reliable (and free) alternative to a costly local or online backup service or software.

To capture your system image, click the Create a system image link on the bottom-left corner of the Backup and Restore screen. A dialog box opens to allow you to select a remote device or location for the system backup. The next screen prompts you to confirm your choices and start the backup. (Notice that the System Backup is still the old System Backup from Windows 7 days. Looks like a good thing lasts forever.)
