
DRAFT

BitLocker

Why is encryption a good idea? We need to encrypt our computers, so strangers will never have access to our personal and business files in case our laptops are ever stolen. Just think for a moment about all the financial and personal information someone could learn about you or your business if they had your computer.

If you are not using disk encryption, someone can very easily steal all of your computer files if they get physical access to your computer by simply booting to a new operating system using a flash drive. They can even mount your hard drive in another computer to bypass your password.

Encrypting your entire hard drive will protect you and your data in case your laptop falls into the wrong hands, because the attacker will only see scrambled cipher text if they try to access your files.

Why Use Full Disk Encryption?

There are several different ways you can encrypt your files. They can be encrypted individually, saved in an encrypted container, or encrypted as part of full-disk encryption. So why not just protect your computer data using individual file or container encryption? Because your sensitive data can end up unencrypted in unexpected places like your temporary files, the swap file, or your hibernation file.

Attackers with the right tools can get access to your data. With full-disk encryption you avoid this risk, because everything is encrypted (see BitLocker and memory cold boot attacks below).

Full-disk encryption is also more transparent to the user than the other methods. You don’t have to manually encrypt your files or copy them to a separate encrypted container. All encryption takes place in the background while you work, so you can just use Windows in a normal manner.

Why Use BitLocker?

There are several encryption products for Windows, so why would we choose BitLocker instead of a third-party tool? First, system drive encryption requires tight integration with the OS, so there is always a chance that a Windows update might break your third-party encryption software. Microsoft has the Windows system code, so they can ensure BitLocker will work seamlessly with Windows through all the OS changes and updates.

Second, Microsoft makes a lot of money from Windows sales, so they are very interested in keeping BitLocker working correctly for their paying customers. It would really hurt Microsoft financially if their customers' data was lost through a BitLocker failure. Third-party products don’t necessarily have the vested interest of keeping your data safe that Microsoft does.

BitLocker only runs on the Pro, Enterprise and Education editions of Windows 10 and later, plus Windows Server 2008 and later server versions. It does not run on the Home edition of Windows.

Data Loss Protection

BitLocker has been used in Windows for many years and is a mature product.

Even so, if you enable BitLocker and lose both your password and your recovery key, you will never be able to access your computer again. That’s what encryption is all about: preventing access without the correct password.

Backups & Saving Your Recovery Key

There are two key elements to using BitLocker safely: Regular backups and saving your recovery key in multiple safe locations.

Backups will allow you to recover from many problems including malware and ransomware. They will also enable you to recover your data if you can’t unlock your BitLocker drive. Frequent backups can be relatively quick and easy if you do incremental backups every day in between your full backups.

Handle Recovery Keys in a Secure Way

You create the BitLocker recovery key during the BitLocker setup. The key will also allow you to regain access to your encrypted data from another computer if you remount the hard drive.

Save your recovery key in at least 2 different places such as a cloud based password manager that is accessible through a web browser and also print the key out and save it in a special location at home that you will remember. You might also consider saving your key in your Microsoft account and giving it to another trusted person, such as your spouse. Don’t keep your saved recovery key on your person or anywhere near the system it will unlock.

For work system recovery keys, save the keys in a departmental cloud-based password manager that several persons have access to and also print out and save them in different locations away from work like at users’ homes.

Our team stores our BitLocker keys in a Google Drive Keepass password manager, so other team members can access our laptops if necessary.

Finally, Miradore (if you have it set up) will automatically back up your BitLocker recovery key.

There are a couple of important things to be aware of when using BitLocker:

Recovery Key Necessary After System Change

If your system’s root configuration is changed, BitLocker will force you to enter your recovery key. But if you don’t have the key, then you will be in serious trouble unless you can recover using a recent backup.

Be Aware - Always Shutdown or Hibernate

You should completely shut down or hibernate your computer at the end of the day rather than just suspending it in sleep mode. Everything in memory is erased shortly after you shut down or hibernate your computer, so it won’t be susceptible to memory attacks. The hibernation file is automatically encrypted with BitLocker once your system enters hibernation mode.

Be Aware - Suspend BitLocker Before Updating Your BIOS

The main manufacturers such as Dell and HP automatically suspend BitLocker before applying BIOS updates. However, other brands might not do that. Should your manufacturer not implement this precaution, you must suspend BitLocker BEFORE you update your system’s BIOS, or all your data will be permanently lost!

To suspend BitLocker:

  1. Press Windows+E on your keyboard to open File Explorer. Then right-click on your C: drive, and click the context menu item Manage BitLocker (or search for BitLocker) 
  2. Click Suspend protection in the BitLocker Drive Encryption window. 

Now you can update your BIOS. When you are finished, open the BitLocker Drive Encryption window and click Resume protection.
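The same suspend-and-resume procedure from an elevated PowerShell prompt, with a check that protection is really off before the firmware is touched. This is an added example, not part of the original guide; it assumes the OS drive is C:. The -RebootCount 0 option keeps BitLocker suspended until you resume it yourself, which is safer for a firmware update that may reboot more than once.

```powershell
# Added example (not from the original guide). Run elevated; assumes OS drive C:.
$MountPoint = "C:"

# Suspend protection. With -RebootCount 0 it stays suspended until Resume-BitLocker
# is run, instead of re-arming after a single reboot (the default of 1).
Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null

# Confirm before flashing the BIOS: ProtectionStatus must read Off. The data stays
# encrypted on disk; only the volume key is now stored in the clear.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'Off') {
    throw "BitLocker is still protecting $MountPoint - do not update the BIOS yet."
}
Write-Host "BitLocker suspended on $MountPoint (VolumeStatus: $($vol.VolumeStatus))"

# ... apply the BIOS/UEFI update and reboot ...

# Afterwards, re-enable protection and show the status, which should be On again.
Resume-BitLocker -MountPoint $MountPoint | Out-Null
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus
```

Suspending does not decrypt anything; it only stores the key unprotected so the next boot succeeds even though the firmware measurements change. That is why the resume step matters: forgetting it leaves the drive readable to anyone who boots the machine.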

Be Aware: Your Password is the Weakest Link

You can enable BitLocker with a password, which is more secure. In this case, your password is the weakest link in your encryption, so you need to use a strong one. You can secure your system with 256-bit encryption, but if your password is only 48 bits strong, then your system encryption is effectively only 48 bits strong.

  1. Password length is more important than complexity.
  2. A group of five random words is usually longer, stronger and easier to remember than cryptic passwords. Also pad the beginning and ending with a couple more characters to make it even longer.
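A small generator that follows the two rules above and reports the strength of what it produced, added here as an example and not part of the original guide. The 16-word list is a constructed stand-in so the script runs offline; the strength calculation is the general one, log2(list size) per word, so you can substitute a real list. Five words drawn from a 7776-word list (the common diceware size) give about 64.6 bits, which is where the "48 bits vs 256 bits" comparison above comes from.

```powershell
# Added example (not from the original guide). Works in Windows PowerShell 5.1 and PowerShell 7.

function Get-SecureRandomIndex {
    # Unbiased index in [0, UpperExclusive) from the OS cryptographic RNG.
    param([int]$UpperExclusive)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 4
    # Reject draws from the top partial bucket so every index is equally likely (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$UpperExclusive)
    do {
        $rng.GetBytes($bytes)
        $value = [BitConverter]::ToUInt32($bytes, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$UpperExclusive)
}

function New-Passphrase {
    param(
        [string[]]$WordList,
        [int]$Words = 5,      # rule 2: five random words
        [string]$Pad = ''     # rule 2: optional padding at both ends for extra length
    )
    $chosen = 1..$Words | ForEach-Object { $WordList[(Get-SecureRandomIndex $WordList.Count)] }
    [pscustomobject]@{
        Passphrase = $Pad + ($chosen -join '-') + $Pad
        # Strength of the random part only: log2(listSize ^ words).
        # Fixed padding adds length against dumb guessing but almost no entropy.
        Bits       = [math]::Round($Words * [math]::Log($WordList.Count, 2), 1)
    }
}

# Constructed demo list; replace with a real word list (e.g. a 7776-word diceware list).
$demoList = 'apple','bridge','candle','desert','eagle','forest','garden','harbor',
            'island','jungle','kettle','lantern','meadow','needle','orange','pepper'

New-Passphrase -WordList $demoList -Words 5 -Pad '#'

# Strength of five words from a 7776-word list, for comparison with the figure above.
[math]::Round(5 * [math]::Log(7776, 2), 1)
```

The point the calculation makes: strength comes from how many equally likely choices the attacker must try, not from how odd the characters look. Four words from the demo list are weaker than one word from a large list, so use a real list, not a handful of favourites.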

Trusted Platform Module

BitLocker normally requires a TPM (Trusted Platform Module) chip, version 1.2 or later (but you can allow the use of BitLocker without a TPM chip using Group Policy).

This is a special chip that generates and stores the actual encryption keys. It automatically decrypts your drive when you type in your Windows Login password.

Your laptop probably supports TPM, because almost all Intel CPUs have had TPM since Windows 8.1.

But it’s easy to double-check whether you have a TPM:

  1. Press the Windows+X keys to open the user menu.
  2. Select Device Manager.
  3. Expand Security devices.
  4. If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.
  5. Double-click it to bring up the details.
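The same check from an elevated PowerShell prompt, added here as an example (not from the original guide). It uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class, whose SpecVersion string starts with the TPM specification version, and tests it against the 1.2 minimum the text gives.

```powershell
# Added example (not from the original guide). Get-Tpm needs an elevated prompt.
function Test-BitLockerTpm {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm -or -not $tpm.TpmPresent -or -not $wmi) {
        Write-Warning "No TPM found. BitLocker can still be used, but only after the Group Policy that allows it without a TPM is enabled."
        return [pscustomobject]@{ Present = $false; Ready = $false; SpecVersion = $null; MeetsMinimum = $false }
    }

    # SpecVersion looks like "2.0, 0, 1.38" or "1.2, 2, 3"; the first field is the spec version.
    $spec = [version](($wmi.SpecVersion -split ',')[0].Trim())

    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady          # provisioned and usable by BitLocker
        SpecVersion  = $spec
        Manufacturer = $tpm.ManufacturerIdTxt
        Firmware     = $tpm.ManufacturerVersion
        MeetsMinimum = ($spec -ge [version]'1.2')
    }
}

Test-BitLockerTpm
```

If Present is true but Ready is false, the chip is there but not provisioned; BitLocker setup will normally initialise it, but a TPM that is disabled in the firmware settings needs to be turned on there first.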

Power Failures During Encryption are Okay

It’s safest to be connected to a power line and allow your computer to finish encrypting your drive before you shut it off, but if your power fails or you accidentally restart or shut down your system, the BitLocker encryption process should resume where it stopped the next time Windows starts.

But make sure you have your recovery key just in case.


BitLocker and memory cold boot attacks

Recent research has shown that using BitLocker with a TPM but without a password is not secure enough. Researchers have also found a security issue if the computer is in standby mode (even if encrypted). Should you want to know more about Microsoft's mitigation steps against cold boot attacks, see the attached documentation before enabling BitLocker. This documentation will help you improve your BitLocker encryption. If you want to implement these recommendations later on, you will need to decrypt your disk and start from scratch.

If you want to enable BitLocker without these additional steps, simply continue the procedure below.

Install BitLocker

Remember to make a working backup before you encrypt your hard drive. It’s always a good idea to test the restoring of your backups to make sure they work.

To activate BitLocker:

  1. Press Windows+E on your keyboard to open File Explorer.
  2. Then right-click on your C: drive.
  3. Click the menu item Turn on BitLocker.

You might see a couple of informational screens that you can just click through.

Set a Preboot Password

It is possible to allow BitLocker without a compatible TPM, but this requires changing the Group policies. If you enable this option and are running BitLocker without a TPM chip, or if you simply want to increase the protection, you will be asked to set a preboot password. This will also help to protect you from cold boot attacks. Enter a strong password and click Next.

Save Your Recovery Key

It is very important to safely backup your recovery key before beginning to encrypt your system.

It is recommended that you save your recovery key to a cloud enabled password manager (see next section), AND print it on paper to keep somewhere safe like your home.

At the very least, print the recovery key to a PDF file and take a picture of it using your phone.

Save to Password Manager

Open up your password manager and save all the recovery key text from the PDF file you just created. Give your new BitLocker entry the name of your computer, the current date and “BitLocker” (e.g. Dell Work 2024-02-22 BitLocker) so you can easily search for it. Make sure you can access your password manager from somewhere else, or that you can restore the database to a different location.

Now you can go back and click the Next button.

Encrypt Your Hard Drive

If you are setting up BitLocker on a computer that you are already using then select Encrypt entire drive.

Choose Encryption Mode

Select New encryption mode (best for fixed drives on this device). Microsoft created the XTS-AES encryption algorithm to add protection against new attacks.

BitLocker System Check

The encryption process will probably take a long time, but you can continue working while the encryption takes place in the background.

Check Run the BitLocker system check, because it’s always best to double check that your system can safely encrypt.

Restart to Encrypt

Click the Restart now button.

If you don’t see the Restart now button, then simply restart your computer manually.
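The whole procedure from "Install BitLocker" to "Restart to Encrypt", including the recovery-key backup that the "Handle Recovery Keys in a Secure Way" section insists on, as a single elevated PowerShell script. This is an added example, not the guide's own steps; it assumes the OS drive is C:, a ready TPM, and a placeholder backup folder on a drive other than the one being encrypted. The TPM+PIN protector (the "preboot password") needs the Group Policy "Require additional authentication at startup" enabled, as the text notes; use -TpmProtector instead for TPM-only.

```powershell
# Added example (not from the original guide). Run elevated on the machine being encrypted.
$MountPoint = "C:"
$BackupDir  = "D:\BitLockerKeys"   # placeholder: must NOT be on the drive being encrypted

# 1. Pre-boot PIN, read as a SecureString so it never appears in plain text in history.
#    Numeric only unless enhanced PINs are allowed by policy.
$Pin = Read-Host -AsSecureString -Prompt "Enter the pre-boot PIN"

# 2. Create the recovery password protector BEFORE encryption starts, so it can be
#    backed up before anything is scrambled.
$null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 3. Write the 48-digit recovery password and its protector ID to a file named the way the
#    guide suggests; copy the text into the password manager and print it from here.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$file = Join-Path $BackupDir ("{0} {1} BitLocker.txt" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd'))
@"
Computer:           $env:COMPUTERNAME
Volume:             $MountPoint
Protector ID:       $($recovery.KeyProtectorId)
Recovery password:  $($recovery.RecoveryPassword)
"@ | Set-Content -Path $file
Write-Host "Recovery password written to $file - back it up in two places before continuing."

# 4. Turn on encryption: TPM + PIN, XTS-AES-256 ("New encryption mode"), whole drive
#    (no -UsedSpaceOnly, i.e. "Encrypt entire drive"). Leaving out -SkipHardwareTest keeps
#    the "BitLocker system check" that runs on the next restart.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
                 -TpmAndPinProtector -Pin $Pin

# 5. Reboot to start encrypting; afterwards, this shows progress. VolumeStatus moves from
#    EncryptionInProgress to FullyEncrypted and ProtectionStatus to On ("C: BitLocker on").
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

The order matters: the recovery protector exists and is saved before Enable-BitLocker runs, so there is never a moment where the drive is (partly) encrypted without a saved way back in. Delete the text file from $BackupDir once the key is in the password manager and on paper.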

Manage BitLocker

After your computer finishes restarting, search for BitLocker and select the feature Manage BitLocker.

Your Drive is Encrypting

You will see that BitLocker is encrypting your drive.

This process can take a long time depending on the size of your drive, but you can still safely work on your computer while it’s encrypting.

BitLocker On

Once the encryption process completes, C: BitLocker Encrypting will change to C: BitLocker on.

Congratulations! You have safely encrypted your computer 🙂


----------

What is BitLocker To Go? (BL2G)

You can now use BitLocker To Go since you started using BitLocker.

BitLocker To Go is BitLocker Encryption on removable NTFS formatted data drives.

BitLocker To Go makes it easy to encrypt your portable drives’ data both for use and safe disposal.

BL2G - Activating BitLocker To Go

First, click Turn on BitLocker for your removable drive in your Manage BitLocker screen.

BL2G - Set a Password

Set an encryption password by typing it in twice. Click Next.

BL2G - Saving Your Recovery Key

The rest of setting up BitLocker on your flash drive is just like doing it on your computer.

You need to safely backup your recovery key before beginning. So, first Print the recovery key to a PDF file.

BL2G - Save to Password Manager

Save all the PDF file BitLocker information into your preferred password manager.

Make sure either your new password has been synced to your cloud-based Password Manager or that you have a current backup of your Password Manager database.

Now you can go back and click the Next button.

BL2G - Encrypt Your USB Drive

Select Encrypt entire drive, because our flash drives aren’t new. Click the Next button.

BL2G - Choose Encryption Mode

Select Compatible mode, which gives backward compatibility with computers running Windows 7 or 8.

BL2G - Start Encrypting

Click Start Encrypting.

BL2G - Encrypting

Make sure you click Pause before removing the drive if you don’t have time to finish.

When you're ready to continue the encryption process, insert your removable drive back into one of your Windows 10 USB ports, type the drive's password, and BitLocker To Go continues to encrypt the USB drive from where you left off.

BL2G - Finished

Finished. Now everything on your flash drive or anything you copy to it will be encrypted.

BL2G - Convenient Auto-Unlock

It can get tiring having to enter the password every time you connect your encrypted flash drive to your computer, but you can change this.

Open the Manage BitLocker window, and click on the "Turn on auto-unlock" toggle option.

Windows 11 now stores the drive's password on your PC, so you no longer have to enter it each time you connect your drive.

You can disable this by clicking "Turn off auto-unlock".
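The BitLocker To Go steps above (password, recovery key, compatible mode, pausing and resuming, auto-unlock) as elevated PowerShell, added here as an example and not part of the original guide. It assumes the removable NTFS drive is E: and that the OS drive is already BitLocker-protected, which auto-unlock requires. Pausing uses manage-bde, since there is no separate cmdlet for it.

```powershell
# Added example (not from the original guide). Run elevated; assumes removable drive E:.
$Drive = "E:"

# Password protector, entered as a SecureString.
$Password = Read-Host -AsSecureString -Prompt "BitLocker To Go password for $Drive"

# Recovery password first, so it can be saved to the password manager before encrypting.
$null = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
(Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# "Compatible mode" is AES-CBC (Aes128/Aes256) rather than XTS, so Windows 7/8 can read the
# drive. No -UsedSpaceOnly means "Encrypt entire drive", the right choice for a used stick.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod Aes256 `
                 -PasswordProtector -Password $Password

# If you must remove the drive before encryption finishes, pause first.
manage-bde -pause $Drive

# ... later, after plugging the drive back in: unlock with the password, then resume.
Unlock-BitLocker -MountPoint $Drive -Password $Password | Out-Null
manage-bde -resume $Drive

# Check progress; VolumeStatus ends at FullyEncrypted.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# Convenient auto-unlock on this PC (stores the drive's unlock key on the encrypted OS volume),
# and the command that turns it off again.
Enable-BitLockerAutoUnlock  -MountPoint $Drive
# Disable-BitLockerAutoUnlock -MountPoint $Drive
```

Auto-unlock only helps on the PC where it was turned on; on any other machine the stick still asks for its password, which is exactly what you want if it is lost.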

You might like to view this video

Windows Security Settings



Contributors to this page: admin .
Page last modified on Tuesday March 4, 2025 11:08:27 GMT-0000 by admin.