Safeguard sensitive data with Windows encryption

Featured Content

This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.

This article is courtesy of TechRepublic Premium. For more content like this, as well as a full library of ebooks and whitepapers, sign up for Premium today. Read more about it here.

Join Today

Digital information has never been so portable -- and so much at risk. Ed Bott explains how Windows encryption can protect your valuable data even if a device falls into the wrong hands.

You wouldn't think of leaving your office door unlocked when you leave for the night. Your really important business documents are stored in a fireproof safe. Don't your digital secrets deserve the same level of protection?

If your laptop is lost or stolen, you can replace it. But if the thief can access the files on that device, you could be in big trouble. That's where encryption becomes essential. A thief who encounters an encrypted hard disk or flash drive can't access its contents without your password—he can reformat the disk, but he can't decode the contents.

On modern Windows PCs, you have at least four useful encryption options, which I'll walk through in this article.

Enjoying this article?

Download this article and thousands of whitepapers and ebooks from our Premium library. Enjoy expert IT analyst briefings and access to the top IT professionals, all in an ad-free experience.

Join Premium Today

Full disk encryption

On new devices running any edition of Windows 8.1, full disk encryption is a standard feature. The encryption initially uses a clear key, which allows access to the volume during setup. As soon as you sign in using a Microsoft account, encryption is turned on, and the recovery key is stored automatically in SkyDrive storage.

For earlier versions of Windows, you need to find an alternative encryption option. For consumer-grade PCs, that usually means third-party software, such as TrueCrypt.

Download Tech Pro Research's Encryption Policy template and customize it to fit your organization's needs.


On business-class PCs, BitLocker encryption is available as a standard feature of Windows. The prerequisites? The hardware must include a Trusted Platform Module (TPM) chip, which supports high-grade encryption and storage of encryption keys and is designed to resist tampering. You must be running a business edition of Windows: Windows 7 Professional or Ultimate, Windows 8.1 Pro, or the Enterprise editions of either.

If you pass those hurdles, you (or your system administrator) can turn on BitLocker Drive Encryption. You'll find the BitLocker management options in Control Panel. (Just search for BitLocker and you'll find it easily enough.) BitLocker uses a higher-grade encryption than the standard full-disk encryption on a default installation of Windows 8.1. More important, it can be centrally managed, so that an employer or administrator can maintain control of recovery keys.

The first step in encrypting the system drive is the most important one: Back up your recovery key to a safe location, preferably a local drive and a secure cloud-based storage location. If you need to reinstall Windows or move your BitLocker-encrypted drive to a different device, you'll be required to enter that 48-digit numeric key to access the drive's contents.

Windows 8 and 8.1 allow you to encrypt only the used disk space instead of the full drive's contents. That makes the process much faster than in prior versions and is a perfectly acceptable option on a new PC.

BitLocker (2).png

The encryption process requires a restart; the exact amount of time required for encryption to complete depends on the size of the drive, but in general it's pretty quick. When it's finished, your system drive is completely encrypted and is inaccessible without either your login credentials or the recovery key. Even if a third party removes the drive or boots the system using an alternative operating system, they'll be unable to access any files on that disk. And you can sleep better at night.

BitLocker To Go

USB flash drives and SD cards are a convenient way to store data files and move them between devices. But because they're small, they're also easily lost. If your removable drive contains important data files, you're vulnerable.

The solution is a feature called BitLocker To Go, which uses the same encryption technology as BitLocker Drive Encryption but applies it to individual removable drives. A USB flash drive or SD card encrypted with BitLocker To Go is protected with a password (if you forget the password, you can access the drive's contents with a recovery key, saved in a secure location). You can only set up BitLocker To Go using a business version of Windows, but the resulting drive can be accessed (with the proper password) on any Windows PC.

One feature worth noting is auto-unlock. That allows you to skip the password if you insert the removable drive into the PC where it was created and you're signed in. If the device is separated from that PC, anyone who finds it will be unable to access its contents unless they have the password.

BitLocker To Go.png

Windows To Go

This might be the most secure scenario of all: Don't carry a computer at all. Instead, use Windows To Go.

With Windows To Go, your operating system, apps, and data files are stored on a fast, fully encrypted, bootable USB drive. Sit down at any PC (sorry, Macs and Windows RT devices won't work), boot from your Windows To Go drive, and get to work. Because you're booting from the flash drive, you completely bypass whatever OS is installed on the PC you're borrowing. And when you're done working, you shut down, put the drive back in your pocket, and walk away, leaving no trace behind.

What's the catch? For starters, you need Windows 8/8.1 Enterprise edition, which is available only if you purchase a volume license with Software Assurance. (But don't assume that means you have to be responsible for hundreds or thousands of PCs. Using the Microsoft Open License program, you can buy licenses in quantities as low as five, and that can include other Microsoft software, not just Windows.)

If you have an MSDN subscription (or if you're a TechNet subscriber waiting for the program to end next year), you might also have access to Windows 8.1 Enterprise. Check your subscription to see if this option is included.

The other half of the Windows To Go equation is the hardware: a certified Windows To Go drive. You can't just use any old USB flash drive you have hanging around. Instead, the drive must support USB 3.0 (although you can use it in a USB 2.0 slot at lower speeds) and it must be certified for use with Windows To Go after passing a battery of speed and reliability tests. In essence, these are SSDs in a USB flash drive form factor.

At the moment, the list of certified USB drives includes the following:

Although Windows To Go was introduced in Windows 8, I recommend that you use Windows 8.1 to create a workspace. Why? Because Windows 8.1 adds a crucial feature: the ability to run Windows Store apps on a Windows To Go machine, which wasn't available in Windows 8.

To create a Windows To Go workspace, plug the Windows To Go drive into a USB slot (preferably USB 3.0) on a PC running Windows 8.1. Then run the Windows To Go Workspace Creator. (Search for Windows To Go using the built-in search tool.)

Follow the wizard's steps to choose the USB drive and then select the image file for Windows 8.1 Enterprise. If you have created a custom image, you can use it. If you've downloaded Windows 8.1 Enterprise as an ISO, double-click the file to mount it as a virtual drive and point the Windows To Go Workspace Creator to that drive letter.


The final step of the wizard lets you encrypt the workspace using a BitLocker password. I strongly recommend that you choose this option, which will keep your sensitive data from being accessed if you lose the Windows To Go drive.

After the wizard completes its work, you have a fully functional Windows PC you can safely run from any PC that is capable of running Windows 7. In fact, you can even use this option to access your corporate files from your home PC or notebook, keeping the two environments completely separate. As long as you can get to the PC's boot menu to choose the Boot from a USB Drive option, you're in business.

The host hardware and your portable Windows To Go installation are separated by design. You can't access internal hard drives on the host PC at all from your Windows To Go workspace, although you can copy files to and from a second USB drive on the host machine, if necessary.

Setting up a Windows To Go workspace isn't particularly difficult once you have the pieces in place. And the end result is about as secure as you can get.

Join Premium Today