Windows 10 sometimes uses encryption by default, and sometimes doesn’t—it’s complicated. Here’s how to check if your Windows 10 PC’s storage is encrypted and how to encrypt it if it isn’t. Encryption isn’t just about stopping the NSA—it’s about protecting your sensitive data in case you ever lose your PC, which is something everyone needs.
Unlike all other modern consumer operating systems—macOS, Chrome OS, iOS, and Android—Windows 10 still doesn’t offer integrated encryption tools to everyone. You may have to pay for the Professional edition of Windows 10 or use a third-party encryption solution.
Many new PCs that ship with Windows 10 will automatically have “Device Encryption” enabled. This feature was first introduced in Windows 8.1, and there are specific hardware requirements for this. Not every PC will have this feature, but some will.
There’s another limitation, too—it only actually encrypts your drive if you sign into Windows with a Microsoft account. Your recovery key is then uploaded to Microsoft’s servers. This will help you recover your files if you ever can’t log into your PC. (This is also why the FBI likely isn’t too worried about this feature, but we’re just recommending encryption as a means to protect your data from laptop thieves here. If you’re worried about the NSA, you may want to use a different encryption solution.)
Device Encryption will also be enabled if you sign into an organization’s domain. For example, you might sign into a domain owned by your employer or school. Your recovery key would then be uploaded to your organization’s domain servers. However, this doesn’t apply to the average person’s PC—only PCs joined to domains.
To check if Device Encryption is enabled, open the Settings app, navigate to System > About, and look for a “Device encryption” setting at the bottom of the About pane. If you don’t see anything about Device Encryption here, your PC doesn’t support Device Encryption and it’s not enabled. If Device Encryption is enabled—or if you can enable it by signing in with a Microsoft account—you’ll see a message saying so here.
If Device Encryption isn’t enabled—or if you want a more powerful encryption solution that can also encrypt removable USB drives, for example—you’ll want to use BitLocker. Microsoft’s BitLocker encryption tool has been part of Windows for several versions now, and it’s generally well regarded. However, Microsoft still restricts BitLocker to Professional, Enterprise, and Education editions of Windows 10.
BitLocker is most secure on a computer that contains Trusted Platform Module (TPM) hardware, which most modern PCs do. You can quickly check whether your PC has TPM hardware from within Windows, or check with your computer’s manufacturer if you’re not sure. If you built your own PC, you may able to add a TPM chip to it. Search for a TPM chip that’s sold as an add-on module. You’ll need one that supports the exact motherboard inside your PC.
Windows normally says BitLocker requires a TPM, but there’s a hidden option that allows you to enable BitLocker without a TPM. You’ll have to use a USB flash drive as a “startup key” that must be present every boot if you enable this option.
If you already have a Professional edition of Windows 10 installed on your PC, you can search for “BitLocker” in the Start menu and use the BitLocker control panel to enable it. If you upgraded for free from Windows 7 Professional or Windows 8.1 Professional, you should have Windows 10 Professional.
If you don’t have a Professional edition of Windows 10, you can pay $99 to upgrade your Windows 10 Home to Windows 10 Professional. Just open the Settings app, navigate to Update & security > Activation, and click the “Go to Store” button. You’ll gain access to BitLocker and the other features that Windows 10 Professional includes.
Security expert Bruce Schneier also likes a proprietary full-disk encryption tool for Windows named BestCrypt. It’s fully functional on Windows 10 with modern hardware. However, this tool costs $99—the same price as an upgrade to Windows 10 Professional—so upgrading Windows to take advantage of BitLocker may be a better choice.
Spending another $99 just to encrypt your hard drive for some additional security can be a tough sell when modern Windows PCs often only cost a few hundred bucks in the first place. You don’t have to pay the extra money for encryption, because BitLocker isn’t the only option. BitLocker is the most integrated, well-supported option—but there are other encryption tools you can use.
The venerable TrueCrypt, an open-source full-disk encryption tool that is no longer being developed, has some issues with Windows 10 PCs. It can’t encrypt GPT system partitions and boot them using UEFI, a configuration most Windows 10 PCs use. However, VeraCrypt—an open-source full-disk encryption tool based on the TrueCrypt source code—does support EFI system partition encryption as of versions 1.18a and 1.19.
In other words, VeraCrypt should allow you to encrypt your Windows 10 PC’s system partition for free.
TrueCrypt’s developers did famously shut down development and declare TrueCrypt vulnerable and unsafe to use, but the jury is still out on whether this is true. Much of the discussion around this centers on whether the NSA and other security agencies have a way to crack this open-source encryption. If you’re just encrypting your hard drive so thieves can’t access your personal files if they steal your laptop, you don’t have to worry about this. TrueCrypt should be more than secure enough. The VeraCrypt project has also made security improvements, and should potentially be more secure than TrueCrypt. Whether you’re encrypting just a few files or your entire system partition, it’s what we recommend.
We’d like to see Microsoft give more Windows 10 users access to BitLocker—or at least extend Device Encryption so it can be enabled on more PCs. Modern Windows computers should have built-in encryption tools, just like all other modern consumer operating systems do. Windows 10 users shouldn’t have to pay extra or hunt down third-party software to protect their important data if their laptops are ever misplaced or stolen.