If you keep sensitive data on your PC, use this guide to use BitLocker to turn on drive encryption on Windows 10 to protect your files.
When you store sensitive data on your computer, it's crucial that you take the necessary steps to protect that data (especially if you use a laptop or tablet). This is to prevent your private data from falling into the wrong hands if you lose your device, or it gets stolen.
One way you can protect your data is by using encryption. Briefly, encryption is basically the process of making any type of data unreadable by anyone without proper authorisation. If you use encryption to scramble your data, it will continue to be unreadable even after sharing it with other people. In other words, only you with the right encryption key can make the data readable again.
Windows 10, similar to previous versions, includes BitLocker Drive Encryption, a feature that allows you to use encryption on your PC's hard drive.
Things to know before following this guide
- BitLocker Drive Encryption is available only on Windows 10 Pro and Windows 10 Enterprise.
- For best results your computer must be equipped with a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features.
- You can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication.
- Your computer's BIOS must support TPM or USB devices during startup. If this isn't the case, you'll need to check your PC manufacturer's support website to get the latest firmware update for your BIOS before trying to set up BitLocker.
- Your PC's hard drive must contain two partitions: a system partition, which contains the necessary files to start Windows, and the partition with the operating system. If your computer doesn't meet the requirements, BitLocker will create them for you. Additionally, the hard drive partitions must be formatted with the NTFS file system.
- The process to encrypt an entire hard drive isn't difficult, but it's time-consuming. Depending the amount of data and size of the drive, it can take a very long time.
- Make sure to keep your computer connected to power and has a fully charged battery throughout the entire process.
Important: While BitLocker is a stable feature on Windows 10, as any significant change you make to your computer has its risks. It's always recommended that you make a full backup of your system before proceeding with this guide.
How to check if your device has a TPM chip
- Use the Windows key + X keyboard shortcut to open the Power User menu and select Device Manager.
Expand Security devices. If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.
Note: Your computer must have a TPM chip version 1.2 or later to support BitLocker.
Alternatively, you can also check your PC manufacturer's support website to find out if your device includes the security chip, and for instructions to enable the chip in the BIOS (if applicable).
Devices, such as Surface Pro 3, Surface Pro 4, or Surface Book come with the TMP chip to support BitLocker encryption.
How to turn on BitLocker on the Operating system drive
Once you made sure BitLocker can be properly enabled on your computer, follow these steps:
- Use the Windows key + R keyboard shortcut to open the Run command, type gpedit.msc, and click OK.
- Under Computer Configuration, expand Administrative Templates.
- Expand Windows Components.
- Expand BitLocker Drive Encryption and Operating System Drives.
On the right side, double-click Require additional authentication at startup.
- Select Enabled.
- Make sure to check the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" option.
Click OK to complete this process.
- Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel.
- Click System and Security.
Click BitLocker Drive Encryption.
Under BitLocker Drive Encryption, click Turn on BitLocker.
Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. For the purpose of the guide, select Enter a passwordto continue.
Enter a password that you'll use every time you boot Windows 10 to unlock the drive, and click Next to continue. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)
You will be given the choices to save a recovery key to regain access to your files in case you forget your password. Options include:
- Save to your Microsoft account
- Save to a USB flash drive
- Save to a file
- Print the recovery
Select the option that is most convenient for you, and save the recovery key in a safe place. Because if you forget your password or lose your USB flash drive and do not have the recovery key then your data will be lost forever.
Quick Tip: If you trust the cloud, you can choose to save your recovery key in your Microsoft account using the Save to your Microsoft account option. In which case, you can retrieve your encryption key at this location: https://onedrive.live.com/recoverykey.
Click Next to continue.
Select the encryption option that best suits your scenario:
- Encrypt used disk space only (faster and best for new PCs and drives)
- Encrypt entire drive (slower but best for PCs and drives already in use)
Choose between the two encryption options:
- New encryption mode (best for fixed drives on this device)
Compatible mode (best for drives that can be moved from this device)
On Windows 10 version 1511, Microsoft introduced support for XTS-AES encryption algorithm. This new encryption method provides additional integrity support and protection against new attacks that use manipulating cipher text to cause predictable modifications in clear text. BitLocker supports 128-bit and 256-bit XTS AES keys.
Click Next to continue.
Make sure to check the Run BitLocker system check option, and click Continue.
- Finally, restart your computer to begin the encryption process.
On reboot, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.
After rebooting, you'll notice that your computer will quickly boot to the Windows 10 desktop. However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you'll see that BitLocker is still encrypting your drive. Depending on the option you selected and the size of the drive, this process can take a long time, but you'll still be able to work on your computer.
Once the encryption process completes, the drive level should read BitLocker on.
You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC on File Explorer.
BitLocker Drive Encryption options
When BitLocker is enabled on your main hard drive, you'll get a few additional options, including:
- Suspend protection: When you're suspending protection your data won't be protected. Typically, you would use this option when applying a new operating system, firmware, or hardware upgrade. If you don't resume the encryption protection, BitLocker will resume automatically during the next reboot.
- Back up your recovery key: If you lose your recovery key, and you're still signed into your account, you can use this option to create a new backup of the key with the options mentioned on step 6.
- Change password: You can use this option to create a new encryption password, but you'll still need to supply the current password to make the change.
- Remove password: You can't use BitLocker without a form of authentication. You can remove a password only when you configure a new method of authentication.
- Turn off BitLocker: In the case, you no longer need encryption on your computer, BitLocker provides a way to decrypt all your files. However, make sure to understand that after turning off BitLocker your sensitive data will no longer be protected. In addition, decryption may take a long time to complete its process depending on the size of the drive, but you can still use your computer.