BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Here’s how to set it up.
When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to using BitLocker or Veracrypt. BitLocker has been around in Windows long enough to be considered mature, and is an encryption product generally well-regarded by security pros. In this article, we’re going to talk about how you can set it up on your PC.
Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a “Device Encryption” feature (a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who can’t use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption won’t work.
Encrypt an Entire Drive or Create an Encrypted Container?
Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or Veracrypt. It’s a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.
The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If you’d like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.
For this article, we’re going to concentrate on enabling BitLocker for an existing physical drive.
How to Encrypt a Drive with BitLocker
To use BitLocker for a drive, all you really have to do is enable it, choose an unlock method—password, PIN, and so on—and then set a few other options. Before we get into that, however, you should know that using BitLocker’s full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PC’s motherboard. This chip generates and store the encryption keys that BitLocker uses. If your PC doesn’t have a TPM, you can use Group Policy to enable using BitLocker without a TPM. It’s a bit less secure, but still more secure than not using encryption at all.
You can encrypt a non-system drive or removable drive without TPM and without having to enable the Group Policy setting.
On that note, you should also know that there are two types of BitLocker drive encryption you can enable:
- BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that encrypts an entire drive. When your PC boots, the Windows boot loader loads from the System Reserved partition, and the boot loader prompts you for your unlock method—for example, a password. BitLocker then decrypts the drive and loads Windows. The encryption is otherwise transparent—your files appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives than just the system drive.
- BitLocker To Go: You can encrypt external drives—such as USB flash drives and external hard drives—with BitLocker To Go. You’ll be prompted for your unlock method—for example, a password—when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.
In Windows 7 through 10, you really don’t have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface you’ll use to enable BitLocker doesn’t look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you’ll see the BitLocker to Go branding, so we figured you should at least know about it.
So, with that out of the way, let’s go over how this actually works.
Step One: Enable BitLocker for a Drive
The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the “Turn on BitLocker” command. If you don’t see this option on your context menu, then you likely don’t have a Pro or Enterprise edition of Windows and you’ll need to seek another encryption solution.
It’s just that simple. The wizard that pops up walks you through selecting several options, which we’ve broken down into the sections that follow.
Step Two: Choose an Unlock Method
The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.
If you’re encrypting your system drive on a computer that doesn’t have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).
If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.
If you’re encrypting a non-system drive or removable drive, you’ll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).
Step Three: Back Up Your Recovery Key
BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main key—for example, if you forget your password or if the PC with TPM dies and you have to access the drive from another system.
You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether you’re encrypting a system or non-system drive.
If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safe—if someone gains access to it, they could decrypt your drive and bypass encryption.
You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When you’re done saving your recovery keys, click “Next” to move on.
Note: If you’re encrypting a USB or other removable drive, you won’t have the option of saving your recovery key to a USB drive. You can use any of the other three options.
Step Four: Encrypt and Unlock the Drive
BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire drive—including the free space—or just encrypt the used disk files to speed up the process. These options are also the same whether you’re encrypting a system or non-system drive.
If you’re setting up BitLocker on a new PC, encrypt the used disk space only—it’s much faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.
When you’ve made your selection, click the “Next” button.
Step Five: Choose an Encryption Mode (Windows 10 Only)
If you’re using Windows 10, you’ll see an additional screen letting you choose an encryption method. If you’re using Windows 7 or 8, skip ahead to the next step.
Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive you’re encrypting is only going to be used on Windows 10 PCs, go ahead and choose the “New encryption mode” option. If you think you might need to use the drive with an older version of Windows at some point (especially important if it’s a removable drive), choose the “Compatible mode” option.
Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the “Next” button when you’re done, and on the next screen, click the “Start Encrypting” button.
Step Six: Finishing Up
The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data you’re encrypting, and whether you chose to encrypt free space.
If you’re encrypting your system drive, you’ll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the “Continue” button, and then restart your PC when asked. After the PC boots back up for the first time, Windows encrypts the drive.
If you’re encrypting a non-system or removable drive, Windows does not need to restart and encryption begins immediately.
Whatever type of drive you’re encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encrypted—it will just perform more slowly.
Unlocking Your Drive
If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you won’t notice anything different—you’ll just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).
And if you’ve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.
If you’ve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if it’s a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.
In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).
You can manage a locked drive—change the password, turn off BitLocker, back up your recovery key, or perform other actions—from the BitLocker control panel window. Right-click any encrypted drive, and then select “Manage BitLocker” to go directly to that page.
Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data—for example, a laptop full of business documents—the enhanced security is well worth the performance trade-off.