BitLocker Full Disk Encryption


Bitlocker is Windows’ OEM full disk encryption software. Though VeraCrypt 1.18 now advertises support for Windows 10/UEFI machines, I have recently had issues with it. And since I couldn’t make it work, I’m not going to recommend it to you as your sole option. This means that BitLocker may still be the best viable full disk encryption option for a good percentage of Windows users. This is unfortunate, but since it’s currently the best option, I’m going to cover BitLocker full disk encryption for Windows 10. There are some benefits to BitLocker. Unlike VeraCrypt’s multi-step setup (which I view as interesting and more casual users no doubt view as fussy), enabling BitLocker is a snap. It is also optimized to work with Windows, and there are no new interfaces to learn.

BitLocker Full Disk Encryption Availability

To set up BitLocker full disk encryption, you first need to make sure you have a version of Windows that supports it. Unfortunately BitLocker is not included in all versions of Windows and cannot be purchased separately. The program is included in the following versions of Windows:

  • Windows Vista and 7: Ultimate and Enterprise Editions
  • Windows 8 through 10: Pro and Enterprise Editions

Upgrading a Windows 10 computer from Home Edition to Pro Edition costs $99. This is no small matter for most home users. This is also the reason I don’t recommend BitLocker more enthusiastically.

BitLocker Full Disk Encryption Setup

To set up BitLocker, open your computer’s Control Panel. Click the “System and Security” category. Navigate to BitLocker Drive Encryption and click “Manage BitLocker”. This will open a list of the drives currently on the machine. Select the drive you wish to encrypt (the system drive in this case) and click “Turn on BitLocker”.

Next you will be prompted to store a recovery key. I recommend against storing this recovery key in your Microsoft account. Instead, either print the recovery key or save it to a file. Do not, however, store this file on the computer that it protects: if the drive is locked and the only copy of the key is on that drive, you will be unable to access it when you need it. The next screen will ask how much of the drive you wish to encrypt. I recommend encrypting the entire drive. Though this will be slower, it will ensure that everything is protected. Finally, you will be asked which encryption mode you prefer. I recommend the newer AES-XTS mode.

Once you have made these decisions you will be asked if you are ready to begin encrypting. After restarting the computer the process will begin. It may take a long time depending on the size and speed of your hard drive/SSD, the speed of your processor, and what else the computer is doing in the meantime. While the drive is being encrypted you can continue to work. If you need to shut down the computer you may; the process will resume automatically when the computer restarts.


You will notice there was no prompt to enter a password during this process. This is because your user account password is your decryption password. This is incredibly convenient. It makes the software completely transparent to users who don’t wish to have to navigate yet another password prompt.
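The same setup can be done from an elevated PowerShell prompt with the BitLocker module that ships with Pro/Enterprise editions. This is an added example, not part of the original post; it assumes the system volume is C: and that E:\ is a removable drive where the recovery password is written (never the volume being protected), and it finishes by reporting which key protectors exist, since a TPM-only protector is what makes the logon password the only gate.

```powershell
# Added example (not from the original post): enable BitLocker on the OS volume the way
# the post recommends (whole drive, XTS-AES, recovery key kept off the protected disk).
# Assumptions: OS volume is C:, E:\ is a removable drive for the recovery password.
$OsDrive     = "C:"
$RecoveryDir = "E:\BitLocker-Recovery"   # assumption: USB stick, not the protected drive

# 1. Require a ready TPM; it is what lets the disk unlock at boot with no extra prompt.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found; a startup key or password protector would be needed instead."
}

# 2. Only start on a volume that is still fully decrypted.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne "FullyDecrypted") {
    throw "$OsDrive is already $($vol.VolumeStatus); nothing to do."
}

# 3. Turn on BitLocker: XTS-AES 256, entire drive (no -UsedSpaceOnly), TPM as the
#    unlock protector. Encryption starts after the reboot that follows.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector | Out-Null

# 4. Add a 48-digit recovery password and save it to the removable drive only.
$result   = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$recovery = $result.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
if (-not (Test-Path $RecoveryDir)) { New-Item -ItemType Directory -Path $RecoveryDir | Out-Null }
$file = Join-Path $RecoveryDir ("RecoveryKey-{0}.txt" -f $recovery.KeyProtectorId.Trim('{}'))
"BitLocker recovery password for $OsDrive`n$($recovery.RecoveryPassword)" | Set-Content -Path $file
Write-Host "Recovery password saved to $file"

# 5. Report the protector set. TPM alone boots straight to the logon screen, so the
#    account password is the only thing standing between a thief and the data.
$types = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector.KeyProtectorType
Write-Host ("Key protectors on {0}: {1}" -f $OsDrive, ($types -join ", "))
if ($types -contains "Tpm" -and $types -notcontains "TpmPin") {
    Write-Warning "TPM-only protector: a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector -Pin) adds a pre-boot PIN."
}
```

Run it once, reboot when prompted, and re-run Get-BitLockerVolume to watch EncryptionPercentage climb; the warning at the end is the situation the comment thread below is about.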


7 thoughts on “BitLocker Full Disk Encryption”

  1. Justin, if your user account password is the decryption password, does this mean there are multiple decryption passwords if there are multiple accounts set up on the machine? For example, I have an admin account and a standard user account set up on my machine (both local, not Microsoft accounts), so which would be the decryption password?

    1. Dave,
      That is an excellent question and I apologize for not thinking of it. I am encrypting a machine right now to be able to answer that for you. I should have an answer by tomorrow at latest.

    2. Dave,
      Ok, so turns out I already have a BitLocker’ed PC with WinX. I am able to boot and log into either account (admin or user). The reason is that currently the machine is only at full-*volume* encryption (I should have known that, and I should have made it more clear in the post). Later this month I will cover the steps necessary to require a password to boot the machine. I hope that answers your question,

  2. The account password being the decryption password may be convenient, but isn’t it a security risk? I use Windows 7, so I might not be aware of relevant differences with Windows 10.

    I have a weak account password, first because it’s a weak line of defence anyway (it’s easy to break into the account without the password), second because I need to type it multiple times in the day to respond to UAC prompts.

    I have a strong encryption password, for obvious reasons.

    If account and decryption passwords are the same, then one needs to have a long and impractical account password. Correct?

    1. That’s pretty much correct and agreed – it isn’t ideal. One option is to make your login password a lot stronger, and add it to your password manager. The other option (that I will discuss later in this series) is a pre-boot PIN. This adds a password before the machine boots.

      Hope that helps!

    1. You can’t. You would have to type it once (on startup) then you could access it from the password manager for day-to-day operations. In your original post you mentioned having to type it multiple times per day for UAC prompts.
