Microsoft's BitLocker provides full-disk encryption, meaning that data stored on the drive is protected with current, strong encryption standards to prevent unauthorized access. BitLocker To Go, a subset of BitLocker, works in much the same fashion but is used to protect data on removable media such as USB flash drives, and it requires a key to decrypt the data before it can be read.
This comprehensive guide covers essential information about BitLocker, including features and system requirements. Check this resource periodically, because we'll update it when Microsoft releases new information throughout BitLocker's development lifecycle.
SEE: Encryption policy (Tech Pro Research)
- What is BitLocker? BitLocker (and BitLocker To Go) is a whole-disk encryption program that encrypts data on a Windows PC or USB flash drive to prevent unauthorized access by anyone who does not have the decryption key or the user's account credentials.
- Why does BitLocker matter? In many cases, a data breach could have been mitigated if encryption had been implemented for data at rest. This "last resort" ensures that data is protected against unauthorized access.
- Who does BitLocker affect? Anyone who has Windows Vista or later installed on their PC can turn on BitLocker to protect their data.
- Which OSes support BitLocker? BitLocker is currently available to users of Windows Vista and later, although not all editions of those releases are supported.
- How can I get BitLocker? BitLocker is a native feature for all supported versions of Windows—from Windows Vista to Windows 10 and Windows Server 2008 through Windows Server 2016.
- Microsoft BitLocker Administration and Monitoring TechNet (Microsoft)
- Windows 10 tip: Save a copy (or two) of your BitLocker recovery key (ZDNet)
What is BitLocker?
BitLocker is Microsoft's encryption program that provides full-disk encryption of hard drives or USB flash drives. By using current encryption algorithms and the performance of modern CPUs, it encrypts the entire contents of the startup disk, preventing unauthorized access to the data stored on it; only someone who can sign in with an authorized account, or who possesses the recovery key, can unlock the disk.
With BitLocker's whole-disk encryption enabled, data is secured from prying eyes: any attempt to access it, whether physically or over the network, is met with either a prompt to authenticate or an error stating that the data cannot be accessed. This extends to data backups, because BitLocker encrypts those too.
Why does BitLocker matter?
Security is everyone's responsibility. BitLocker's strong whole-disk encryption and flexible nature go the extra mile in protecting data stored on fixed or portable devices from unauthorized access. Like most encryption schemes, BitLocker by itself won't do much to protect against attacks on the device, keep out threat actors, or stop phishing campaigns that email everyone in the hope of finding a way in. It does serve as the last resort, however, which should offer some peace of mind: attackers would have to work extremely hard to break the encryption to read the data.
This is especially useful for mobile professionals who rely on mobile devices and untrusted networks, departmental staff who work with HR, financial, or other sensitive data, or anyone who wishes to keep their data protected and private from prying eyes, especially if the device is lost or stolen; encryption ensures that the data has little to no value in its unreadable state.
- Why citizens need encryption as a fundamental human right (TechRepublic)
- Encrypting communication: Why it's critical to do it well (TechRepublic)
- Windows 10 tip: Protect removable storage devices with BitLocker encryption (ZDNet)
- BitLocker: Get a Recovery Key (Cornell University)
- Backing up BitLocker and TPM Recovery Information to AD DS TechNet (Microsoft)
Who does BitLocker affect?
BitLocker affects all Windows users, whether on a personal or a company-owned device. Data encryption protects your data by scrambling its contents with the encryption key; this prevents unauthorized access, even if the data is somehow removed from the device, until the user signs in or the recovery key is used, at which point the data becomes readable again.
Systems administrators can implement BitLocker on managed devices within the enterprise to ensure that company data at rest stays protected no matter what, whether the threat is a data breach, theft, or exfiltration; even backups can be set to be encrypted. By leveraging Active Directory, recovery keys can be stored for later retrieval in the event there is an emergency need to recover data on a device.
- 43% of enterprises have adopted an encryption strategy (TechRepublic)
- Reducing the risks of BYOD in the enterprise (free PDF) (TechRepublic)
- BYOD (bring-your-own-device) policy (Tech Pro Research)
- Home usage of company-owned equipment policy (Tech Pro Research)
What are the most popular alternatives to BitLocker?
Microsoft's BitLocker offers native support for encrypting hard drives and USB devices (via BitLocker To Go), and when paired with an Active Directory network it provides centralized management of recovery keys by storing them as attributes in the AD schema for administrators to manage as needed. These are not the only options for securing or encrypting files and, more specifically, drives; below is a sampling of third-party data security products that provide enhanced features and cross-platform support.
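How an administrator reads those escrowed keys back out of Active Directory, as an added example that is not from the article: it assumes the RSAT ActiveDirectory module, an account delegated read access to the msFVE-RecoveryInformation objects, and a hypothetical computer name supplied by the caller.

```powershell
# Added example (not from the article): list the BitLocker recovery passwords
# escrowed in AD DS for one computer, which is what the BitLocker Recovery
# Password Viewer does through the GUI.
# Assumptions: RSAT ActiveDirectory module installed, rights to read
# msFVE-RecoveryInformation objects, computer name is a placeholder.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Recovery data is stored as child objects of the computer account, one per
    # recovery password, named by backup time plus the password's GUID.
    $computer = Get-ADComputer -Identity $ComputerName
    $query = @{
        Filter     = 'objectClass -eq "msFVE-RecoveryInformation"'
        SearchBase = $computer.DistinguishedName
        Properties = 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'
    }
    Get-ADObject @query | ForEach-Object {
        # The GUID attributes come back as byte arrays; convert them for display.
        $keyGuid = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid')
        [pscustomobject]@{
            Computer         = $ComputerName
            BackedUp         = $_.whenCreated
            # The recovery screen's Key ID begins with these eight characters,
            # which is how helpdesk matches a locked machine to the right password.
            KeyIdPrefix      = $keyGuid.ToString().Substring(0, 8).ToUpper()
            VolumeGuid       = [guid]::new([byte[]]$_.'msFVE-VolumeGuid')
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
        }
    } | Sort-Object BackedUp -Descending
}

# Usage (placeholder computer name): Get-BitLockerRecoveryInfo -ComputerName 'WKS-0123'
```

Access to these objects should be delegated narrowly and audited, since anyone who can read them can unlock the corresponding drives.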
FileVault 2 from Apple is a proprietary full-disk encryption application that is included with all versions of OS X/macOS dating back to version 10.7. It supports XTS-AES-128 encryption with a 256-bit key that protects the startup volume on a Mac, preventing access by unauthorized users unless they have the account credentials for the volume or the master recovery key to decrypt it.
With FileVault 2 enabled, Mac users will also have the peace of mind that backups performed from the device will have the encryption extended to the backup volume as well. Additionally, users on Open Directory networks may utilize Time Machine Server to back up individually encrypted files instead of the entire volume for a streamlined data recovery plan. Lastly, iCloud-enabled accounts have the option of securely storing the master recovery key within their iCloud account for safe recovery of the key in the event of an issue.
VeraCrypt is free, open source disk encryption software with cross-platform support for Windows, Linux, and macOS. It was derived from TrueCrypt, a full-disk encryption application whose creators discontinued support after a security audit revealed several vulnerabilities in the software.
VeraCrypt forked TrueCrypt, corrected those vulnerabilities, and made changes to strengthen the way in which files are stored. VeraCrypt creates a virtual encrypted disk within a file and mounts it as a disk that the OS can read. It can also encrypt an entire disk, a partition, or storage devices such as USB flash drives, and it provides real-time on-the-fly encryption, which can be hardware-accelerated for better performance. It also supports TrueCrypt's hidden volume and hidden operating system features.
GnuPG is based on the PGP encryption program created by Phil Zimmermann and later bought by Symantec. Unlike Symantec's offering, GnuPG is completely free software and part of the GNU Project. The software is command-line based and offers hybrid encryption, using symmetric-key cryptography for performance and public-key cryptography for the ease of exchanging keys securely.
While the lack of a GUI may not suit everyone, the program's flexibility allows for signed communications, file encryption, and (with some configuration) disk encryption to protect data. Dubbed the universal crypto engine, GnuPG can be run directly from the CLI, from shell scripts, or from other programs, often serving as a backend for other applications.
LibreCrypt is a transparent full-disk encryption program that fully supports Windows and has partial support for Linux distributions. It is open source and has an online community of users committed to resolving issues and introducing new features. Often cited as the easiest-to-use encryption program for Windows, it can also create encrypted containers, mounting them as removable disks in Windows Explorer for easy access.
In addition to the multitude of supported encryption and hashing standards and modes, it also supports smart cards and security tokens to authenticate users and decrypt data at the file, partition, or whole-disk level.
EncFS is an encrypted filesystem that runs in user space using the FUSE library, which lets users mount and use filesystems not natively supported by the host OS. Both FUSE and EncFS are open source and support Linux, BSD, Windows, Android devices, and macOS. EncFS is available in a number of languages, having been translated by community members.
With active community support on GitHub and regular updates, EncFS offers users the ability to create a filesystem that can be mounted and used to store secure data files, and then it may be unmounted to protect against offline attacks and unauthorized user access.
- How to recover data encrypted with Apple's FileVault 2 (TechRepublic)
- How to encrypt a USB flash drive with VeraCrypt (TechRepublic)
- How to work with PGP keys using GnuPG (TechRepublic)
Which OSes support BitLocker?
BitLocker is currently available on supported versions of Windows from Vista onward. Specifically, it is supported only on the following editions of the Windows client operating systems; it is available on all editions of Windows Server 2008 and later.
- Windows Vista: Enterprise and Ultimate Editions
- Windows 7: Enterprise and Ultimate Editions
- Windows 8/8.1: Pro and Enterprise Editions
- Windows 10: Pro, Education, and Enterprise Editions
- Secure your USB drives with BitLocker To Go for Windows 7 (TechRepublic)
- Microsoft BitLocker Administration and Monitoring 2.5 (Microsoft)
- Windows' disk encryption could be easily bypassed in 'seconds' (ZDNet)
How can I get and use BitLocker?
If your Windows PC has one of the supported versions of Windows installed, BitLocker is already present, though it is disabled by default. To enable it, open the Control Panel, locate the BitLocker Drive Encryption item, and click the Turn On BitLocker link.
Follow the wizard's prompts to create a recovery password that can unlock the drive. If a TPM 1.2 or later is not present on the motherboard, you'll need to set a startup password or configure a USB startup key in order to verify the trusted path from the BIOS to the boot drive and ensure drive integrity. Next, decide how you wish to back up your recovery key, and finally choose how you want the drive encrypted. The wizard then runs a system check and begins encrypting the drive.
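The same steps in scriptable form, as an added example that is not from the article: it assumes an elevated PowerShell session on Windows 10 Pro or Enterprise with the built-in BitLocker module, a TPM, and Group Policy that permits backing up recovery information to AD DS.

```powershell
# Added example (not from the article): enable BitLocker on the OS drive from an
# elevated PowerShell session, mirroring the wizard's steps in order.
# Assumptions: Windows 10 Pro/Enterprise, run as Administrator, and a GPO that
# allows AD DS backup of recovery information (otherwise step 3 fails).
$osDrive = $env:SystemDrive          # normally "C:"

# 1. Check for a TPM, as the wizard does before choosing an unlock method.
#    Without one, a startup password or USB startup key is required instead.
$tpm = Get-CimInstance -Namespace root\cimv2\security\microsofttpm -ClassName Win32_Tpm
if (-not $tpm) {
    throw "No TPM found: configure a startup password or USB startup key instead."
}
Write-Host "TPM present, spec version: $($tpm.SpecVersion)"

# 2. Add a recovery password protector first, so a recovery key exists (and is
#    escrowed) before any data is encrypted.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

# 3. Back up the recovery password to Active Directory (msFVE-RecoveryInformation).
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId

# 4. Turn on encryption with the TPM as the unlock protector. XTS-AES-256 is the
#    strongest method offered; UsedSpaceOnly finishes quickly on a fresh install.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmProtector `
                 -UsedSpaceOnly -SkipHardwareTest

# 5. Report status; ProtectionStatus reads "On" once encryption completes.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

The final command is also the check to run across a fleet: any OS volume whose ProtectionStatus is not "On" is a device whose data at rest is still readable if it is lost or stolen.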
- Prepare your organization for BitLocker: planning and policies (Microsoft)
- BitLocker Active Directory Recovery Password Viewer Overview TechNet (Microsoft)
- BitLocker recovery keys: FAQs (Microsoft)
- Windows 10 tip: Use BitLocker to encrypt your system drive (ZDNet)
- Windows 10 tip: Take control of Microsoft account security and privacy settings (ZDNet)
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.