Windows 10 includes BitLocker encryption in its Professional and Enterprise editions. Windows can now encrypt your entire operating system drive and removable devices without using a third-party application. BitLocker is designed to protect data by encrypting the entire volume, covering both user files and empty space. The encrypted data is unreadable and cannot easily be deciphered through unauthorised offline access.
How to Enable BitLocker for a Drive
To enable BitLocker, open Control Panel and go to System and Security > BitLocker Drive Encryption. You can also open Windows Explorer or File Explorer, right-click the drive you want, and select Turn On BitLocker. If for some reason you don’t see this option, you don’t have the right edition of Windows. Now click the Turn on BitLocker option next to an operating system drive to enable BitLocker.
Currently there are two types of BitLocker encryption you can use here:
BitLocker Drive Encryption: This is a “full-disk encryption” feature that will encrypt an entire drive. When the computer boots, the Windows boot loader loads from the System Reserved partition, and the boot loader will prompt you for your unlock method — for example, a password. BitLocker will then decrypt the drive and load Windows. The encryption is otherwise transparent — your files will appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives in a computer, not just the operating system drive.
BitLocker To Go: External drives, such as USB flash drives and external hard drives, can be encrypted with BitLocker To Go. You’ll be prompted for your unlock method — for example, a password — when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.
You will now see the “Choose how to unlock your drive at startup” screen. You can select from different ways of unlocking the drive. If your computer doesn’t have a TPM, you can unlock the drive with a password or by inserting a special USB flash drive that functions as a key.
Choose your preferred unlock option and follow the instructions in the next screen to set it up.
Backing Up Your Recovery Key
BitLocker provides you with a lot of different recovery key options. This key can be used to access your encrypted files if you ever lose your main key — for example, if you forget your password or if the computer with the TPM dies and you have to remove the drive.
You can save the key to a file, print it, or store it on a USB flash drive. Be sure to keep this key safe! If someone gains access to your key, they could decrypt your drive and bypass the encryption. You may want to back it up to multiple locations for safety. If you lose this recovery key and your main unlock method, your encrypted files will be lost forever.
Encrypt and How To Unlock The Drive
BitLocker will automatically encrypt new files as you add them, but you’ll need to choose what happens with the files currently on your drive. You can encrypt the entire drive — including the free space — or just encrypt the used disk files to speed up the process.
If you’re setting up BitLocker on a new PC, encrypt the used disk space only — it’s faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files: the free space on a used drive can still hold the unencrypted contents of files you deleted earlier. Encrypting the entire drive takes longer.
You’ll be prompted to run a BitLocker system check and reboot your computer. After the computer boots back up for the first time, the drive will be encrypted. Check the BitLocker Drive Encryption icon in the system tray to see its progress. You can continue using your computer while it’s being encrypted, but it performs more slowly.
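The wizard steps above (create a recovery key, save it somewhere other than the drive being encrypted, choose used-space-only or full encryption, then enable) can also be scripted with the BitLocker PowerShell cmdlets. This is an added example, not part of the original article; it assumes an operating system drive C: with a TPM, and E:\ is a hypothetical removable drive used for the key backup.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values: C: is the OS drive, E:\ is a separate backup drive.
$MountPoint = 'C:'
$BackupDir  = 'E:\'
$NewPc      = $true   # $true: used space only (new PC); $false: entire drive incl. free space

# Never store the recovery key on the volume it is meant to unlock.
if ($BackupDir.StartsWith($MountPoint, [StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup location $BackupDir is on $MountPoint; choose another drive."
}
if (-not (Test-Path $BackupDir)) { throw "Backup location $BackupDir not found." }

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already in state $($vol.VolumeStatus)."
}

# Step 1: create the recovery password (the "recovery key" the wizard offers to save).
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $recovery.RecoveryPassword) { throw 'No recovery password was created.' }

# Step 2: write it off-volume before any encryption starts.
$id   = $recovery.KeyProtectorId.Trim('{}')
$file = Join-Path $BackupDir "BitLocker-$env:COMPUTERNAME-$id.txt"
@("Computer: $env:COMPUTERNAME", "Drive: $MountPoint",
  "Key ID: $id", "Recovery password: $($recovery.RecoveryPassword)") |
    Set-Content -Path $file
Write-Host "Recovery password saved to $file"

# Step 3: turn BitLocker on with the TPM as the unlock method.
# Without -SkipHardwareTest the system check runs on the next reboot,
# and encryption only begins after that check passes.
$enable = @{ MountPoint = $MountPoint; TpmProtector = $true }
if ($NewPc) { $enable.UsedSpaceOnly = $true }
Enable-BitLocker @enable | Out-Null

# Step 4: after the reboot, re-run this line to follow progress.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The saved text file contains the recovery password in clear text, so treat the backup drive with the same care as a printed copy.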
When you turn on your computer and it boots, you’ll see a BitLocker prompt if you need to enter a password, PIN, or plug in a USB flash drive.
Press ESC if you lose your unlock method. It will then ask you to enter your recovery key.
If you choose to encrypt a removable drive with BitLocker To Go, you’ll see a similar wizard; however, your drive will be encrypted without any rebooting required. Don’t remove the drive until encryption has completed.
When you connect the external drive to a computer, you’ll be prompted to provide the password or smart card you chose to unlock the removable device. Drives protected with BitLocker are identified with a lock icon in Windows Explorer or File Explorer.
You can manage a locked drive. You can change the password, turn off BitLocker, back up your recovery key, or perform other actions by going to the BitLocker control panel window. Right-click an encrypted drive and select Manage BitLocker to go directly to it.
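The same management information is available from PowerShell, which makes it possible to check every drive at once for the problems this article warns about: encryption that never finished, protection that is switched off, or a drive with no recovery key. This is an added example, not part of the original article; Test-BitLockerVolume is a hypothetical helper name.

```powershell
#Requires -RunAsAdministrator
# Added example. Test-BitLockerVolume is a hypothetical helper, not a built-in cmdlet.
function Test-BitLockerVolume {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $issues = @()
        $types  = @()
        if ($Volume.LockStatus -eq 'Locked') {
            # While locked, the encryption status cannot be read; report that
            # instead of mis-flagging the drive as unencrypted.
            $issues += 'locked: unlock it to inspect status'
        } else {
            $types = @($Volume.KeyProtector | Where-Object { $_ } |
                ForEach-Object { [string]$_.KeyProtectorType })
            if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
                $issues += "not fully encrypted ($($Volume.VolumeStatus), " +
                           "$($Volume.EncryptionPercentage)%)"
            }
            if ($Volume.ProtectionStatus -ne 'On') {
                $issues += 'protection is off or suspended'
            }
            if ($types -notcontains 'RecoveryPassword') {
                $issues += 'no recovery password: losing the unlock method loses the data'
            }
        }
        [pscustomobject]@{
            Drive      = $Volume.MountPoint
            Type       = $Volume.VolumeType
            Protectors = ($types -join ', ')
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Check every volume Windows knows about and print one row per drive.
Get-BitLockerVolume | Test-BitLockerVolume | Format-Table -AutoSize -Wrap
```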
BitLocker does add some overhead, but so does all other encryption software. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data, for example a laptop full of business documents, it’s worth the performance trade-off to have your data safe and encrypted.