BitLocker is Windows’ OEM full disk encryption software. Though VeraCrypt 1.18 now advertises support for Windows 10/UEFI machines, I recently have had issues with it. And since I couldn’t make it work, I’m not going to recommend it to you as your sole option. This means that BitLocker may still be the best viable full disk encryption option for a good percentage of Windows users. This is unfortunate but since it’s currently the best option, I’m going to cover BitLocker full disk encryption for Windows 10.
There are some benefits to BitLocker. Unlike VeraCrypt’s multi-step setup (which I view as interesting and more casual users no doubt view as fussy), enabling BitLocker is a snap. It is also optimized to work with Windows, and there are no new interfaces to learn.
BitLocker Full Disk Encryption Availability
To set up BitLocker full disk encryption, you first need to make sure you have a version that supports it. Unfortunately BitLocker is not included in all versions of Windows and cannot be purchased separately. The program is included in the following versions of Windows:
- Windows Vista and 7: Ultimate and Enterprise Editions
- Windows 8 through 10: Pro and Enterprise Editions
Upgrading a Windows 10 computer from Home Edition to Pro Edition costs $99. This is no small matter for most home users. This is also the reason I don’t recommend BitLocker more enthusiastically.
BitLocker Full Disk Encryption Setup
To set up BitLocker, open your computer’s Control Panel. Click the “System and Security” category. Navigate to BitLocker Drive Encryption and click “Manage BitLocker”. This will open a list of the drives currently on the machine. Select the drive you wish to encrypt (the system drive in this case) and click “Turn on BitLocker”.
Next you will be prompted to store a recovery key. I recommend against storing this recovery key in your Microsoft account. Instead, either print the recovery key or save it to a file. Do not, however, store this file on the computer that it protects. If you need the recovery key you will be unable to access it. The next screen will ask how much of the drive you wish to encrypt. I recommend encrypting the entire drive. Though this will be slower it will ensure that everything is protected. Finally, you will be asked which encryption mode you prefer. I recommend the newer AES-XTS mode.
Once you have made these decisions you will be asked if you are ready to begin encrypting. After restarting the computer the process will begin. It may take a long time depending on: the size and speed of your hard drive/SSD, the speed of your processor, and what else the computer is doing in the meantime. While the drive is being encrypted you can continue to work. If you need to shut down the computer you may; the process will resume automatically when the computer restarts.
You will notice there was no prompt to enter a password during this process. This is because your user account password is your decryption password. This is incredibly convenient. It makes the software completely transparent to users who don’t wish to have to navigate yet another password prompt.
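Once the wizard has finished, the choices made above can be confirmed from an elevated PowerShell prompt. The check below is an added example, not part of the original article; it uses the built-in `Get-BitLockerVolume` cmdlet and assumes the drive you encrypted is the system drive.

```powershell
# Added example: verify the BitLocker settings chosen in the setup steps.
# Run in an elevated PowerShell session. Assumption: the encrypted drive
# is the system drive ($env:SystemDrive, normally C:).
$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount -ErrorAction Stop

# Collect the protector types only; the recovery password itself is never printed.
$protectorTypes = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

# Enum values are compared as strings so the check works across Windows builds.
$checks = [ordered]@{
    'Protection is on'                    = ("$($vol.ProtectionStatus)" -eq 'On')
    'Volume is fully encrypted'           = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted')
    'XTS-AES encryption mode in use'      = ("$($vol.EncryptionMethod)" -like 'XtsAes*')
    'Recovery password protector present' = ($protectorTypes -contains 'RecoveryPassword')
}

Write-Host "BitLocker check for $mount"
Write-Host "  Method:     $($vol.EncryptionMethod)"
Write-Host "  Status:     $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
Write-Host "  Protectors: $($protectorTypes -join ', ')"

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) {
        Write-Host "  [PASS] $name"
    } else {
        Write-Host "  [FAIL] $name"
        $failed++
    }
}

# Encryption continues in the background after the restart, so an
# in-progress volume is reported separately from a misconfigured one.
if ("$($vol.VolumeStatus)" -eq 'EncryptionInProgress') {
    Write-Host "Encryption is still running; re-run this check when it reaches 100%."
} elseif ($failed -gt 0) {
    Write-Host "$failed check(s) failed; review the settings in Manage BitLocker."
} else {
    Write-Host "All checks passed."
}
```

Run it again after the background encryption completes; until then the "fully encrypted" check is expected to fail.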