You wouldn’t think of leaving your office door unlocked when
you leave for the night. Your really important business documents are stored in
a fireproof safe. Don’t your digital secrets deserve the same level of
If your laptop is lost or stolen, you can replace it. But if
the thief can access the files on that device, you could be in big trouble.
That’s where encryption becomes essential. A thief who encounters an encrypted
hard disk or flash drive can’t access its contents without your password—he can
reformat the disk, but he can’t decode the contents.
On modern Windows PCs, you have at least four useful
encryption options, which I’ll walk through in this article.
Full disk encryption
On new devices running any edition of Windows 8.1, full disk
encryption (Microsoft calls it Device Encryption) is a standard feature, provided
the hardware meets Microsoft's requirements: a TPM 2.0, UEFI firmware with Secure
Boot, and support for Connected Standby (InstantGo). The encryption initially uses
a clear key: the volume is encrypted during setup, but the key that unlocks it is
stored unprotected on the disk, so until that key is sealed the data is no safer
than it would be on an unencrypted drive. As soon as you sign in using a
Microsoft account, protection is turned on, and the recovery key is stored
automatically in your SkyDrive storage.
For earlier versions of Windows, you need to find an
alternative encryption option. For consumer-grade PCs, that usually means
third-party software, such as TrueCrypt.
On business-class PCs, BitLocker encryption is available as
a standard feature of Windows. The prerequisites? The hardware should include a
Trusted Platform Module (TPM) chip, which stores the encryption keys, checks that
the boot chain hasn't been altered, and is designed to resist tampering. (Strictly
speaking, a TPM is optional: an administrator can enable the Group Policy setting
"Allow BitLocker without a compatible TPM" and protect the drive with a startup
key on a USB flash drive or a password instead, but you then lose the
tamper-resistant key storage and the boot-chain verification.) You must also be
running a business edition of Windows: Windows 7 Ultimate or Enterprise (Windows
7 Professional does not include BitLocker), Windows 8 Pro or 8.1 Pro, or the
Enterprise editions of either.
If you pass those hurdles, you (or your system
administrator) can turn on BitLocker Drive Encryption. You'll find the
BitLocker management options in Control Panel. (Just search for BitLocker and
you'll find it easily enough.) Under the hood, the Device Encryption on a default
Windows 8.1 installation is BitLocker with its settings fixed; the full BitLocker
feature exposes them. You can choose the cipher strength (AES-256 instead of the
AES-128 default), require a PIN or a startup key before the operating system
loads, and encrypt fixed data drives and removable drives as well as the system
drive. More important, it can be centrally managed through Group Policy, so that
an employer or administrator can require encryption and maintain control of
recovery keys by escrowing them in Active Directory.
The first step in encrypting the system drive is the most
important one: Back up your recovery key to a safe location, and never only to
the drive you are about to encrypt (Windows won't let you save it there anyway).
Good choices are your Microsoft account, a secure cloud-based storage location, a
USB drive that lives somewhere other than your laptop bag, a printout, or, on a
domain-joined PC, Active Directory. You'll be required to enter that 48-digit
numeric key whenever the TPM can't validate the boot environment, which includes
moving the BitLocker-encrypted drive to a different device, reinstalling Windows,
a firmware update, or a changed boot order, not just a forgotten PIN.
Windows 8 and 8.1 allow you to encrypt only the used disk
space instead of the full drive's contents. That makes the process much faster
than in prior versions and is a perfectly acceptable option on a new PC. On a
drive that has already held data, choose full encryption instead: used-space-only
leaves the free space untouched, so remnants of deleted files stay readable in
clear text.
The encryption process requires a restart; the exact amount
of time required for encryption to complete depends on the size of the drive,
but in general it's pretty quick. When it's finished, your system drive is
completely encrypted. If a third party removes the drive or boots the system
using an alternative operating system, they'll be unable to access any files on
that disk, because the TPM releases the key only to the boot chain it measured.
One caveat: with the default TPM-only configuration the drive is unlocked
automatically at boot, and the Windows sign-in screen is the only barrier that
remains, so an attack on the running machine (a DMA attack, or a flaw in the
logon path) can still expose data. For a laptop that travels, add a pre-boot PIN
(TPM+PIN) so the key isn't released until you've typed it. With that in place,
you can sleep better at night.
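The procedure above, as an added PowerShell example; this is not code from the original article, and it assumes an elevated prompt on Windows 8 or 8.1 Pro/Enterprise with a TPM, a system drive at C:, and a USB drive at E: for the recovery-key copy (both letters are assumptions). The final report function also flags the clear-key state described in the Device Encryption section, where a volume is fully encrypted but still unprotected.

```powershell
# Added example (not from the original article): encrypt the OS drive with BitLocker,
# back up the recovery key first, then report the volume state.
# Assumptions: system drive C:, recovery-key copy written to an assumed USB drive E:,
# BitLocker and TrustedPlatformModule modules present (they ship with Windows 8+),
# and a domain-joined machine if you want Active Directory escrow.

$OsDrive = "C:"

# 1. Refuse to continue without a usable TPM; a startup key or password fallback
#    only works if Group Policy allows BitLocker without a compatible TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM on this machine; enable and initialize it in firmware first."
}

# 2. Create the 48-digit recovery password BEFORE anything is encrypted.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 3. Find that protector and store the key somewhere that is NOT this drive.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
"Recovery key for $env:COMPUTERNAME ($OsDrive): $($rp.RecoveryPassword)" |
    Out-File -FilePath "E:\bitlocker-recovery-$env:COMPUTERNAME.txt"   # E: is an assumed USB drive

# Optional escrow to Active Directory (needs the BitLocker schema extensions and
# the matching Group Policy); skipped on standalone machines.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
}

# 4. Encrypt with a TPM protector. AES-256 instead of the 128-bit default;
#    -UsedSpaceOnly is fine on a new PC but not on a drive that has held data.
#    -SkipHardwareTest skips the reboot test that verifies the TPM can unlock.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

# 5. Report. A Device Encryption volume still on its clear key shows
#    VolumeStatus 'FullyEncrypted' with ProtectionStatus 'Off': encrypted, but
#    the key sits unprotected on the disk, so ClearKeyOnly is the thing to watch.
function Get-OsDriveProtectionReport {
    param([string]$MountPoint = "C:")
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Drive            = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted, ...
        ProtectionStatus = $v.ProtectionStatus    # 'On' only once a real protector seals the key
        Protectors       = ($v.KeyProtector | ForEach-Object KeyProtectorType) -join ", "
        ClearKeyOnly     = ($v.VolumeStatus -eq "FullyEncrypted" -and $v.ProtectionStatus -eq "Off")
    }
}
Get-OsDriveProtectionReport -MountPoint $OsDrive
```

To require a pre-boot PIN instead of TPM-only unlock, first enable the Group Policy setting "Require additional authentication at startup", then replace the `-TpmProtector` switch with `-TpmAndPinProtector -Pin $securePin`, where `$securePin` comes from `Read-Host -AsSecureString`. The same report function works with `manage-bde -status` semantics: "Conversion Status: Fully Encrypted" alongside "Protection Status: Protection Off" is the clear-key condition.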
BitLocker To Go
USB flash drives and SD cards are a convenient way to store
data files and move them between devices. But because they’re small, they’re
also easily lost. If your removable drive contains important data files, you’re
The solution is a feature called BitLocker To Go, which uses
the same encryption technology as BitLocker Drive Encryption but applies it to
individual removable drives. A USB flash drive or SD card encrypted with
BitLocker To Go is protected with a password (if you forget the password, you
can access the drive's contents with a recovery key, saved in a secure
location). You can only set up BitLocker To Go using a business version of
Windows, but the resulting drive can be accessed (with the proper password) on
any PC running Windows 7 or later, in any edition. Windows Vista and XP get
read-only access through the BitLocker To Go Reader, and only if the drive is
formatted with FAT rather than NTFS, so choose the file system with that in mind
before you encrypt.
One feature worth noting is auto-unlock. That allows you to
skip the password if you insert the removable drive into the PC where it was
created and you're signed in. Auto-unlock works by storing an unlock key for the
removable drive on that PC's operating system volume, which is why Windows allows
it only when the operating system volume is itself BitLocker-protected. If the
device is separated from that PC, anyone who finds it will be unable to access
its contents unless they have the password.
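BitLocker To Go with a password, a recovery password, and auto-unlock on the originating PC, as an added PowerShell example that is not part of the original article. It assumes an elevated prompt on Windows 8 or 8.1 Pro/Enterprise, a removable drive mounted at E:, and an operating system volume at C: that is already BitLocker-protected (the drive letters are assumptions).

```powershell
# Added example (not from the original article): protect a removable drive with
# BitLocker To Go and enable auto-unlock on this PC only.
# Assumptions: removable drive E:, OS volume C: already protected by BitLocker.

$Removable = "E:"

# Read the password interactively so it never lands in the command history.
$pw = Read-Host -AsSecureString -Prompt "BitLocker To Go password for $Removable"

# Password protector plus a recovery password protector. The To Go Reader on
# Vista/XP only reads FAT-formatted drives, so format the drive accordingly
# BEFORE this step if those systems matter to you.
Enable-BitLocker -MountPoint $Removable -EncryptionMethod Aes256 -PasswordProtector -Password $pw -UsedSpaceOnly
Add-BitLockerKeyProtector -MountPoint $Removable -RecoveryPasswordProtector | Out-Null

# Show the recovery password once so it can be recorded somewhere off the drive.
$rp = (Get-BitLockerVolume -MountPoint $Removable).KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword"
"Recovery password for $Removable : $($rp.RecoveryPassword)"

# Auto-unlock keeps an unlock key for E: on the OS volume, so Windows only allows
# it when the OS volume is protected; check that condition explicitly.
function Enable-RemovableAutoUnlock {
    param([string]$MountPoint, [string]$OsDrive = "C:")
    $os = Get-BitLockerVolume -MountPoint $OsDrive
    if ($os.ProtectionStatus -ne "On") {
        throw "Auto-unlock needs the OS drive ($OsDrive) to be BitLocker-protected first."
    }
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}
Enable-RemovableAutoUnlock -MountPoint $Removable

# Verify: two protectors (Password, RecoveryPassword), AutoUnlockEnabled True,
# and ProtectionStatus On once encryption has finished.
Get-BitLockerVolume -MountPoint $Removable |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled,
        @{ n = "Protectors"; e = { ($_.KeyProtector.KeyProtectorType) -join ", " } }

# On any other Windows 7-or-later PC the drive is opened with the password, e.g.:
#   Unlock-BitLocker -MountPoint E: -Password (Read-Host -AsSecureString)
```

If you later want the drive to stop unlocking itself on this PC (say, before handing the PC to someone else), `Disable-BitLockerAutoUnlock -MountPoint E:` removes the stored key; the password and recovery password protectors stay in place.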
Windows To Go
This might be the most secure scenario of all: Don’t carry a
computer at all. Instead, use Windows To Go.
With Windows To Go, your operating system, apps, and data
files are stored on a fast, bootable USB drive that you can (and should) encrypt
with BitLocker. Sit down at any PC (sorry, Macs and Windows RT devices won't
work), boot from your Windows To Go drive, and get to work. Because you're
booting from the flash drive, you completely bypass whatever OS is installed on
the PC you're borrowing. And when you're done working, you shut down, put the
drive back in your pocket, and walk away, leaving no trace behind.
What’s the catch? For starters, you need Windows 8/8.1
Enterprise edition, which is available only if you purchase a volume license
with Software Assurance. (But don’t assume that means you have to be
responsible for hundreds or thousands of PCs. Using the Microsoft Open License
program, you can buy licenses in quantities as low as five, and that can
include other Microsoft software, not just Windows.)
If you have an MSDN subscription (or if you’re a TechNet
subscriber waiting for the program to end next year), you might also have
access to Windows 8.1 Enterprise. Check your subscription to see if this option
The other half of the Windows To Go equation is the
hardware: a certified Windows To Go drive. You can't just use any old USB flash
drive you have hanging around. Instead, the drive must support USB 3.0
(although it will also work in a USB 2.0 port at lower speeds), and it must be
certified for use with Windows To Go after passing a battery of speed and
reliability tests. In essence, these are SSDs in a USB flash drive form factor.
At the moment, the list of certified USB drives includes the following:
- Imation: IronKey Workspace W300 and IronKey Workspace W500 (32, 64, and 128 GB)
- Kingston: DataTraveler Workspace (32, 64, and 128 GB)
- SPYRUS: Secure Portable Workplace drives support Windows To Go; WorkSafe and WorkSafe Pro models can also be used as full USB smartcards for secure hardware authentication with any compatible PC. All drives are available in 32, 64, and 128 GB capacities. Spyrus includes a utility that allows its Windows To Go devices to boot on a Mac, although the resulting drives are not supported by
- Super Talent: RC4 and RC8 drives are available in capacities up to 256 GB.
- Western Digital: The 500 GB Western Digital My Passport Enterprise, a small external hard drive, is certified for use as a Windows To Go device.
Although Windows To Go was introduced in Windows 8, I
recommend that you use Windows 8.1 to create a workspace. Why? Because Windows
8.1 adds a crucial feature: the ability to run Windows Store apps on a Windows
To Go machine, which wasn’t available in Windows 8.
To create a Windows To Go workspace, plug the Windows To Go
drive into a USB slot (preferably USB 3.0) on a PC running Windows 8.1. Then
run the Windows To Go Workspace Creator. (Search for Windows To Go using the
built-in search tool.)
Follow the wizard’s steps to choose the USB drive and then
select the image file for Windows 8.1 Enterprise. If you have created a custom
image, you can use it. If you’ve downloaded Windows 8.1 Enterprise as an ISO,
double-click the file to mount it as a virtual drive and point the Windows To
Go Workspace Creator to that drive letter.
The final step of the wizard lets you encrypt the workspace
using a BitLocker password. (A password is the only option here: a TPM can't be
used, because the TPM belongs to whichever host PC you happen to boot on.) I
strongly recommend that you choose this option, which will keep your sensitive
data from being accessed if you lose the Windows To Go drive. Save the recovery
key the wizard produces somewhere other than the drive itself.
After the wizard completes its work, you have a fully
functional Windows PC you can safely run from any PC that is capable of running
Windows 7. In fact, you can even use this option to access your corporate files
from your home PC or notebook, keeping the two environments completely separate.
As long as you can get to the PC’s boot menu to choose the Boot from a USB Drive
option, you’re in business.
The host hardware and your portable Windows To Go
installation are separated by design. When the workspace boots, the host PC's
internal hard drives are offline by default (a disk SAN policy applied to the
Windows To Go image), so they don't appear in File Explorer and nothing is
written to them. Treat that as a default rather than a guarantee: it is a policy
setting in the image, not a hardware barrier. You can still copy files to and
from a second USB drive on the host machine, if necessary.
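The same workspace can be built without the wizard, which is useful when you want to script it or control the SAN policy that keeps the host's internal disks offline. The following is an added example, not the article's own procedure and not Microsoft's provisioning script; it assumes (hypothetically) that the certified drive is disk 2, that the Windows 8.1 Enterprise ISO is mounted at D:, that drive letters S: and W: are free, and that the image's first index and an amd64 architecture are the ones you want. Run it from an elevated PowerShell prompt on a Windows 8.1 machine, and check the disk number with Get-Disk first, because the script wipes that disk.

```powershell
# Added example (not from the original article): provision a Windows To Go
# workspace with diskpart, DISM and bcdboot, then set SAN policy 4 so the host's
# internal disks stay offline when the workspace boots.
# Assumptions: USB disk number 2, install.wim at D:\sources (mounted ISO), free
# drive letters S: and W:, image index 1, amd64 image.

$DiskNumber = 2
$ImageFile  = "D:\sources\install.wim"

# Safety check: only ever clean a USB-attached disk.
$disk = Get-Disk -Number $DiskNumber
if ($disk.BusType -ne "USB") { throw "Disk $DiskNumber is not a USB disk; refusing to wipe it." }

# Layout: 350 MB active FAT32 system partition (S:) for the boot files, the rest
# NTFS (W:) for Windows. diskpart reads the script from a file.
$dpScript = Join-Path $env:TEMP "wtg-diskpart.txt"
@"
select disk $DiskNumber
clean
create partition primary size=350
format fs=fat32 quick label=BOOT
active
assign letter=S
create partition primary
format fs=ntfs quick label=WindowsToGo
assign letter=W
"@ | Out-File -FilePath $dpScript -Encoding ascii
diskpart /s $dpScript

# Apply the Enterprise image. List indexes with: dism /get-wiminfo /wimfile:$ImageFile
dism /apply-image /imagefile:$ImageFile /index:1 /applydir:W:\

# Boot files for both BIOS and UEFI hosts go into the system partition.
bcdboot W:\Windows /s S: /f ALL

# SAN policy 4 (OfflineInternal): internal disks of the host are left offline at
# boot. Delivered through an unattend file that offline servicing applies.
@'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="offlineServicing">
    <component name="Microsoft-Windows-PartitionManager" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <SanPolicy>4</SanPolicy>
    </component>
  </settings>
</unattend>
'@ | Out-File -FilePath "W:\Windows\System32\sysprep\unattend.xml" -Encoding ascii

# Sanity check before pulling the drive: Windows applied, both boot stores
# present, SAN policy written.
function Test-WindowsToGoLayout {
    param([string]$OsRoot = "W:", [string]$SysRoot = "S:")
    [pscustomobject]@{
        WindowsApplied = Test-Path "$OsRoot\Windows\System32\ntoskrnl.exe"
        BiosBoot       = Test-Path "$SysRoot\Boot\BCD"
        UefiBoot       = Test-Path "$SysRoot\EFI\Microsoft\Boot\BCD"
        SanPolicySet   = (Select-String -Path "$OsRoot\Windows\System32\sysprep\unattend.xml" `
                              -Pattern "<SanPolicy>4</SanPolicy>" -Quiet)
    }
}
Test-WindowsToGoLayout
```

Encrypt the finished drive with a BitLocker password protector from the provisioning PC before its first boot, exactly as the wizard's final step does; there is no TPM to bind to on a drive that moves between hosts. If the image is x86 rather than amd64, change the processorArchitecture attribute to match, or the SAN policy component is ignored.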
Setting up a Windows To Go workspace isn’t particularly
difficult once you have the pieces in place. And the end result is about as
secure as you can get.