BitLocker is the name given to the full disk encryption software that’s built into Windows. First introduced with Windows 7 Ultimate Edition, BitLocker is now available with the Pro editions of Windows 8 and Windows 10.
Encryption is a complex topic which isn’t always well understood. BitLocker aims to provide a streamlined encryption experience for your Windows 10 PC, so you can benefit from the advantages even if you’re unsure how encryption actually works.
BitLocker works by encrypting entire drives. That means you can only apply it to top-level storage containers on your PC, such as your hard drives, SSDs and removable USB flash drives. If you’re looking for granular encryption of individual files and folders, you’ll need to look elsewhere or use Windows’ folder-level password protection abilities (but remember that password protection is not the same as encryption)!
Benefits of BitLocker
BitLocker as an encryption technology is now mature and fairly well-regarded, although not without its issues. Arguably, it’s distinguished by its simplicity and seamless integration into Windows. This makes it less cumbersome to work with than some third-party solutions.
Making use of full disk encryption is generally advisable, if your PC supports it. It provides an extra level of protection around your files. Anyone who obtains your device won’t be able to read the data on your encrypted drives. They’re only unlocked when you supply authentication information, such as your Windows password.
Enabling BitLocker therefore gives you extra security at no extra cost. The performance penalty for using full disk encryption is minimal on modern hardware. When encrypting your system drive, you won’t generally need to complete any extra steps to unlock your device; when you supply your Windows password, BitLocker will automatically unlock your drive.
Enabling BitLocker for your drives
Many new devices come with BitLocker automatically enabled for the system drive (where Windows is installed). This will be protected using your Microsoft account credentials. As soon as you login to Windows, BitLocker will automatically unlock the drive.
To check whether BitLocker is enabled for your drives, search for “bitlocker” in the Start menu. Select the “Manage BitLocker” option which appears. BitLocker’s page in the Control Panel will launch.
You’ll see a list of all the storage drives on your PC. The BitLocker encryption status of each one is displayed next to its name.
To enable BitLocker, click a drive in the list and then press “Turn BitLocker on.” You’ll be prompted to choose an unlock method for the drive. Each time you want to access the files on the drive, you’ll use this unlock method to authenticate yourself.
The options you’ll see here depend on the type of drive you’re encrypting and whether your device has a TPM (see below). The simplest method, which is always available, is a traditional password prompt when you use the drive. However, TPM-based encryption is recommended for the growing majority of devices which support it – this is what enables drives to automatically unlock when you login to Windows.
Follow the prompts to complete the encryption process. You’ll be asked to back up your recovery key – it is vital you make a note of this now! If you’re ever unable to login to Windows, this key is the only lifeline which can restore your data.
Windows will now start to encrypt the contents of the drive, which could take several hours depending on the amount of data involved. You can check the status of the process from the BitLocker icon which will appear in your system tray.
Managing BitLocker encryption
You can manage BitLocker encryption by returning to the Control Panel page. For each of your encrypted drives, you have the option of disabling encryption, backing up the recovery key and changing the authentication method which is used.
These settings can be changed at any time, so you’re not stuck with the options you selected when you enabled encryption. Remember that disabling encryption will require you to unlock the drive first and could take a considerable amount of time.
Unlocking BitLocker protected drives
The process to unlock your encrypted drives varies depending on their type and authentication method used. If you opted for password protection, you’ll need to enter your password before you can access any files.
For drives protected by a USB device, connecting the device should unlock the drive. It will relock when the USB is removed.
Finally, on newer PCs with a TPM, you can choose to have drives unlock automatically at login. A TPM (Trusted Platform Module) is a hardware feature on your device’s motherboard for the secure storage of credentials. Using the TPM, BitLocker can unlock your drives when you login to Windows, making encryption a truly seamless experience.
Due to a TPM, you may well already be using BitLocker without knowing it. As mentioned above, new devices with a TPM enable BitLocker by default if you login with a Microsoft account. Everything occurs in the background when you authenticate, with the TPM enabling BitLocker to authenticate your identity from your Windows password. Your files stay encrypted until you login.
There’s more to BitLocker than we can cover here. This guide is a gentle introduction to the underlying concepts of full disk encryption. For more information, we recommend referring to the BitLocker documentation, which also provides more detailed guidance on configuring BitLocker with different drives and authentication systems.