Windows can encrypt entire operating system drives and removable devices with its built-in BitLocker encryption. When TrueCrypt controversially closed up shop, its developers recommended that their users transition away from TrueCrypt to BitLocker.
BitLocker Drive Encryption and BitLocker To Go require the Professional or Enterprise edition of Windows 8, 8.1, or 10, or the Ultimate edition of Windows 7. However, the “core” edition of Windows 8.1 includes a “Device Encryption” feature that works similarly.
Enable BitLocker For a Drive
To enable BitLocker, open the Control Panel and navigate to System and Security > BitLocker Drive Encryption. You can also open Windows Explorer or File Explorer, right-click a drive, and select Turn On BitLocker. If you don’t see this option, you don’t have the right edition of Windows.
Click the Turn on BitLocker option next to an operating system drive, internal drive (“fixed data drive”), or removable drive to enable BitLocker for the drive.
There are two types of BitLocker encryption you can enable here:
- BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that will encrypt an entire drive. When the computer boots, the Windows boot loader loads from the System Reserved partition, and the boot loader will prompt you for your unlock method — for example, a password. BitLocker will then decrypt the drive and load Windows. The encryption is otherwise transparent — your files will appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives in a computer, not just the operating system drive.
- BitLocker To Go: External drives, such as USB flash drives and external hard drives, can be encrypted with BitLocker To Go. You’ll be prompted for your unlock method — for example, a password — when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.
Use BitLocker Without a TPM
If the PC you’re enabling BitLocker on doesn’t have a Trusted Platform Module (TPM), you’ll see a message saying your administrator must set the “Allow BitLocker without a compatible TPM” option.
BitLocker Drive Encryption normally requires a computer with a TPM to secure an operating system drive. The TPM is a microchip built into the computer, installed on the motherboard. BitLocker can store the encryption keys there, which is more secure than simply storing them on the computer’s data drive. The TPM will only release the encryption keys after verifying that the boot environment is in the expected state. An attacker can’t just rip out your computer’s hard disk, or create an image of the encrypted disk, and decrypt it on another computer.
If you’re doing this on your own computer, you’re the computer’s administrator. You’ll just need to open the Local Group Policy Editor application and change this setting.
Press Windows Key + R to open the Run dialog, type gpedit.msc into it, and press Enter. Navigate to Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives. Double-click the “Require additional authentication at startup” setting, select Enabled, and check the “Allow BitLocker without a compatible TPM” option. Click OK to save the new setting.
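The gpedit.msc steps above can be verified (and, on a standalone PC, applied) from PowerShell. The script below is an added example, not part of the original article: it uses Get-Tpm to report whether a usable TPM is present, and reads the machine-policy registry values that the “Require additional authentication at startup” setting writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM). The function names are the example’s own. Run it from an elevated prompt on Windows 8 or later; on a domain-joined machine a Group Policy refresh will overwrite values set by hand.

```powershell
# Added example (not from the original article): report whether this PC has a
# usable TPM and whether the "Allow BitLocker without a compatible TPM" policy
# is in effect. Run from an elevated PowerShell prompt on Windows 8 or later.

function Get-BitLockerTpmReadiness {
    $result = [ordered]@{
        TpmPresent            = $false
        TpmReady              = $false
        AllowWithoutTpmPolicy = $false
    }

    # Get-Tpm (TrustedPlatformModule module) throws on machines with no TPM driver,
    # so treat any failure as "no TPM".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch { }

    # Registry equivalent of the Group Policy setting described above.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $p = Get-ItemProperty -Path $fve
        if ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1) {
            $result.AllowWithoutTpmPolicy = $true
        }
    }

    [pscustomobject]$result
}

function Enable-BitLockerWithoutTpmPolicy {
    # Same effect as enabling "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" checked in gpedit.msc.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    New-ItemProperty -Path $fve -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-BitLockerTpmReadiness
$state | Format-List

if (-not $state.TpmReady -and -not $state.AllowWithoutTpmPolicy) {
    Write-Warning 'No ready TPM and the policy is not set: BitLocker will refuse to protect the OS drive.'
    Write-Warning 'Run Enable-BitLockerWithoutTpmPolicy (elevated) or use gpedit.msc as described above.'
}
```

A PC without a TPM can still be encrypted this way, but the password or startup key then has to be presented at every boot and nothing checks the boot environment before the key is released; that is the trade-off the policy name is warning you about.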
Choose an Unlock Method
Next, you’ll see the “Choose how to unlock your drive at startup” screen. You can select several different ways of unlocking the drive. If your computer doesn’t have a TPM, you can unlock the drive with a password or by inserting a special USB flash drive that functions as a key.
If your computer does have a TPM, you’ll have additional options. For example, you can configure automatic unlocking at startup — your computer will grab the encryption keys from the TPM and automatically decrypt the drive. You could also secure it in other ways — for example, you could provide a PIN at startup. That PIN would unlock the strong decryption key stored in the TPM and unlock the drive.
Choose your preferred unlock option and follow the instructions in the next screen to set it up.
Back Up Your Recovery Key
BitLocker will provide you with a recovery key. This key can be used to access your encrypted files if you ever lose your main key — for example, if you forget your password or if the computer with the TPM dies and you have to remove the drive.
You can save the key to a file, print it, store it on a USB flash drive, or save it to your Microsoft account on Windows 8 and 8.1. If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. Be sure to keep this key safe — if someone gains access to your key, they could decrypt your drive and bypass the encryption. You may want to back it up in multiple locations — if you lose this recovery key and your main unlock method, your encrypted files will be lost forever.
Encrypt and Unlock the Drive
BitLocker will automatically encrypt new files as you add them, but you’ll need to choose what happens with the files currently on your drive. You can encrypt the entire drive — including the free space — or just encrypt the used disk files to speed up the process.
If you’re setting up BitLocker on a new PC, encrypt the used disk space only; it’s faster. If you’re setting BitLocker up on a PC you’ve been using for a while, encrypt the entire drive so that no one can recover deleted files from the free space; this takes longer.
You’ll be prompted to run a BitLocker system check and reboot your computer. After the computer boots back up, encryption of the drive begins. Check the BitLocker Drive Encryption icon in the system tray to see its progress. You can continue using your computer while it’s being encrypted, but it will perform more slowly.
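The whole wizard sequence above (choose an unlock method, back up the recovery key, pick used-space-only or full encryption, start encrypting, watch progress) can be driven with the BitLocker PowerShell module available on Windows 8 and later. The script below is an added example written for this page, not the article’s own procedure or a Microsoft script. It assumes the OS drive is C:, that D:\BitLockerKeys is a placeholder for a separate, unencrypted location you control for the key backup, and that the PC either has a ready TPM or already has the “Allow BitLocker without a compatible TPM” policy enabled. The helper Export-BitLockerRecoveryPassword is the example’s own name.

```powershell
# Added example (not the article's own script): enable BitLocker on the OS
# drive with a TPM+PIN protector when a TPM is available, or a password
# protector otherwise; add a recovery password; save it to another volume;
# then report encryption progress. Run from an elevated prompt.

$OsDrive   = 'C:'
$BackupDir = 'D:\BitLockerKeys'   # placeholder: never keep this on the drive being encrypted

# Read the secret interactively so it never sits in the script file.
$secret = Read-Host -AsSecureString 'Enter startup PIN (TPM present) or password (no TPM)'

$tpmReady = $false
try { $tpmReady = [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch { }

# Step 1: turn on BitLocker with the primary unlock method.
# -UsedSpaceOnly matches the article's advice for a new PC; drop it on a PC
# that has been in use so that free space (deleted files) is encrypted too.
# XtsAes256 needs Windows 10 version 1511 or later; use Aes256 on Windows 8/8.1.
# Without -SkipHardwareTest, BitLocker runs the system check and waits for a
# reboot before encrypting, exactly as the wizard does.
if ($tpmReady) {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmAndPinProtector -Pin $secret
} else {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -PasswordProtector -Password $secret
}

# Step 2: add a 48-digit recovery password (the "recovery key" the article
# tells you to back up).
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# Step 3: write the recovery password to the backup location.
function Export-BitLockerRecoveryPassword {
    param([string]$MountPoint, [string]$Directory)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector on $MountPoint" }
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null
    $file = Join-Path $Directory ("BitLocker-{0}-{1}.txt" -f $env:COMPUTERNAME, $rp.KeyProtectorId.Trim('{}'))
    @(
        "Computer:          $env:COMPUTERNAME"
        "Volume:            $MountPoint"
        "Protector ID:      $($rp.KeyProtectorId)"   # shown on the recovery screen to pick the right key
        "Recovery password: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $file
    $file
}
$keyFile = Export-BitLockerRecoveryPassword -MountPoint $OsDrive -Directory $BackupDir
Write-Host "Recovery password saved to $keyFile; move it to offline storage"

# Step 4: report progress; the tray icon the article mentions shows the same figures.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
"{0} {1} {2}% encrypted, protection {3}" -f $vol.MountPoint, $vol.VolumeStatus,
    $vol.EncryptionPercentage, $vol.ProtectionStatus
```

The exported file holds the recovery password in clear text, which is exactly as sensitive as the article says the key is: treat it like the printed copy the wizard offers, and do not leave it on the machine it unlocks. Re-running Get-BitLockerVolume after the reboot shows VolumeStatus moving from EncryptionInProgress to FullyEncrypted.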
When your computer boots, you’ll see a BitLocker prompt if you need to enter a password, PIN, or plug in a USB flash drive.
If you don’t have your unlock method, press Escape here and you’ll be able to enter your recovery key instead.
If you choose to encrypt a removable drive with BitLocker To Go, you’ll see a similar wizard but your drive will be encrypted without any rebooting required. Don’t remove the drive while it’s being encrypted.
When you connect the drive to a computer, you’ll be prompted to provide the password or smart card you chose to unlock the removable device. Drives protected with BitLocker are identified with a lock icon in Windows Explorer or File Explorer.
You can manage a locked drive — change the password, turn off BitLocker, back up your recovery key, or perform other actions — from the BitLocker control panel window. Right-click an encrypted drive and select Manage BitLocker to go directly to it.
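For checking the state of every BitLocker drive at once, fixed and removable alike, the following added example (not from the article) wraps Get-BitLockerVolume into a small audit. It lists each volume’s type, encryption status, protector types and whether a recovery password exists, and warns about any volume that is not fully encrypted with protection on. The function name Get-BitLockerAudit is the example’s own.

```powershell
# Added example (not from the original article): inventory every volume that
# BitLocker knows about (OS drive, fixed data drives, BitLocker To Go removable
# drives) and flag anything that is not fully encrypted with protection on.

function Get-BitLockerAudit {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            Volume      = $_.MountPoint
            Type        = $_.VolumeType           # OperatingSystem or Data
            Status      = $_.VolumeStatus         # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
            Percent     = $_.EncryptionPercentage
            Protection  = $_.ProtectionStatus     # Off while suspended or before protectors are active
            Method      = $_.EncryptionMethod
            Protectors  = ($types -join ',')
            HasRecovery = ($types -contains 'RecoveryPassword')
            Compliant   = ($_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'On')
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

# Volumes that need attention: not (yet) encrypted, protection suspended, or
# no recovery password to back up.
$audit | Where-Object { -not $_.Compliant -or -not $_.HasRecovery } | ForEach-Object {
    Write-Warning ("{0}: status {1}, protection {2}, recovery password present: {3}" -f
        $_.Volume, $_.Status, $_.Protection, $_.HasRecovery)
}
```

A ProtectionStatus of Off on a FullyEncrypted volume usually means BitLocker was suspended (for example for a firmware update) and never resumed; Resume-BitLocker -MountPoint <drive> puts the protectors back in force, which is the same action as “Resume protection” in the Manage BitLocker window.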
Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data — for example, a laptop full of business documents — it’s worth the performance trade-off.