Today we are going to explore one of the most important tools for protecting (personal) data at rest: encryption, which is the most effective way to protect data from being stolen. In our case, a Windows 10 environment, we are going to use BitLocker, the native full disk encryption software provided by Microsoft.
Before activating it, we have to make sure our system has encryption capabilities. To do so, first of all, we should check our Windows version. Windows 10 Home does not include BitLocker, unlike Windows 10 Pro. Moreover, for the software to work we need to have a TPM on board, version 1.2 or higher. To check which TPM version we have, right-click the Start Menu → Device Manager → Security devices.
It should tell us which version of TPM is on board; in my case, TPM 1.2.
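The same two prerequisites can be checked from a script. The following is an added example, not code from the original post: it reads the Windows edition from `Win32_OperatingSystem`, and the TPM state and specification version from the `TrustedPlatformModule` module and the `Win32_Tpm` CIM class. The only assumption is that it is run from an elevated PowerShell prompt, since `Get-Tpm` needs administrator rights.

```powershell
# Added pre-check (not code from the original post): confirms a Windows edition
# that includes BitLocker and a TPM of version 1.2 or higher.
# Run from an elevated PowerShell prompt; Get-Tpm needs administrator rights.

function Test-BitLockerPrerequisites {
    # Edition: Windows 10 Home does not include BitLocker management.
    $edition   = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    $editionOk = $edition -notmatch 'Home'

    # TPM presence and readiness, as reported by the TrustedPlatformModule module.
    $tpm = Get-Tpm

    # The specification version is exposed by Win32_Tpm as a string such as
    # "1.2, 2, 3" or "2.0, 0, 1.16"; the first comma-separated field is the version.
    $tpmCim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                              -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $specVersion = $null
    if ($tpmCim -and $tpmCim.SpecVersion) {
        $specVersion = [version](($tpmCim.SpecVersion -split ',')[0].Trim())
    }

    # BitLocker with a TPM protector needs a present, ready TPM of at least version 1.2.
    $tpmOk = ($tpm.TpmPresent -and $tpm.TpmReady -and
              $null -ne $specVersion -and ($specVersion -ge [version]'1.2'))

    [pscustomobject]@{
        Edition           = $edition
        EditionOk         = $editionOk
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $specVersion
        TpmOk             = $tpmOk
        ReadyForBitLocker = ($editionOk -and $tpmOk)
    }
}

Test-BitLockerPrerequisites | Format-List
```

`ReadyForBitLocker` is only `True` when both the edition and the TPM checks pass; on a machine with a TPM that is present but not initialised, `TpmReady` will be `False` and the TPM has to be prepared before BitLocker can use it.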
To turn on BitLocker for a given hard drive, let's assume a secondary drive, in my case drive D:\, type "Bit" in the search box and click on "Manage BitLocker".
This opens the BitLocker Drive Encryption window, where we select the drive we want to protect. You will be asked how you want to unlock the drive: by typing a password or through a smart card. In this case I chose to use a password. The following dialogue asks "How do you want to back up your recovery key?". You have 3 options: save it to a USB disk, save it to a file, or print it.
Of these 3 I would not recommend the "save to a file" option, especially if we are going to save the key on the same system that holds the encrypted drive. If our system gets compromised, the attacker will also be able to recover the encrypted content, thus nullifying our efforts to protect it. In my case I chose to print it. We will then be presented with the choice to encrypt used disk space only – faster, suited to new PCs and drives – or the entire disk – slower, better for already used systems and drives.
It will ask us "Are you ready to encrypt this drive?". Click on Encrypt and wait for the process to finish. It might take some time depending on the size of the hard drive.
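The same data-drive flow can be scripted with the `BitLocker` PowerShell module, which is useful when several machines have to be set up the same way. This is an added example, not code from the original post. It assumes the drive to protect is D: and that the recovery key is written to a removable drive mounted at E: (placeholder path); both values are assumptions and should be changed to match your system. The unlock password is prompted for rather than stored in the script.

```powershell
# Added example (not code from the original post): the data-drive flow above,
# scripted with the BitLocker module. Run from an elevated PowerShell prompt.
# Assumptions: the drive to protect is D:, and a removable drive mounted at E:
# receives the recovery key (placeholder path; adjust both to your system).
$Drive           = 'D:'
$RecoveryKeyPath = 'E:\BitLocker-Recovery-D.txt'   # removable media, NOT the encrypted system itself

# Prompt for the unlock password instead of embedding it in the script.
$password = Read-Host -AsSecureString -Prompt "Password to unlock $Drive"

# Turn on BitLocker with a password protector. -UsedSpaceOnly matches the
# "encrypt used disk space only" choice; omit it for a previously used drive.
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $password `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# Add a 48-digit recovery password: the equivalent of the "back up your recovery key" step.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

# Read the recovery password back from the volume's key protectors and write it
# to the removable drive, together with the protector ID BitLocker prompts for.
$vol      = Get-BitLockerVolume -MountPoint $Drive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
@(
    "BitLocker recovery key for drive $Drive"
    "Key protector ID:  $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Out-File -FilePath $RecoveryKeyPath -Encoding utf8

# Report progress: EncryptionPercentage climbs to 100 while the drive is encrypted
# in the background, and ProtectionStatus becomes On once it completes.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Once the file has been copied to a safe place, remove the USB drive; the point of the post's advice is that the recovery password should never live alongside the volume it unlocks.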
Optional (for system drives only)
There are some minor differences to consider if you want to encrypt the hard drive where the OS resides. In this case a window will open stating "The computer must be restarted". Press "Restart Now". After the computer comes back online, go to Control Panel → System and Security → BitLocker Drive Encryption. Below "Operating system drive" you will see the C: drive. It should say "BitLocker Encrypting", which means BitLocker is now processing the drive.
Unfortunately, if we want to protect our system drive with a startup PIN, we have to perform a few more steps. To proceed, type gpedit.msc in the search box and click on "Edit group policy". Navigate to Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives.
Click on "Require additional authentication at startup". In the "Require additional authentication at startup" window, select Enabled. Under "Configure TPM startup PIN" select "Require startup PIN with TPM" and click OK.
Close the window. Now open an administrative command prompt: right-click "Command Prompt" and select "Run as administrator". Type "manage-bde -protectors -add c: -TPMandPIN" and press Enter. You will be asked to choose the startup PIN. Type a numeric PIN and repeat it to confirm. A message stating "Key Protectors Added" confirms the change.
Type "manage-bde -status" and hit Enter. Under Volume C: you can find "Key Protectors:"; it now shows "Numerical Password, TPM, and PIN".
Perform a system restart. You should now be presented with a BitLocker window asking for the PIN you chose earlier. Type in the PIN and press enter. The computer should now boot.
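For the system drive, the policy setting, the `manage-bde` protector change and the status check above all have PowerShell equivalents, which makes the procedure repeatable. The following is an added example, not code from the original post. It assumes the OS drive is C:, that the TPM passed the earlier pre-check, and that the registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones the "Require additional authentication at startup" policy writes (0 = do not allow, 1 = require, 2 = allow); that mapping is stated here as an assumption, and editing the policy through gpedit.msc as the post does is the supported route.

```powershell
# Added example (not code from the original post): the system-drive steps above,
# scripted. Run from an elevated PowerShell prompt. Assumes the OS drive is C: and
# the TPM is present and ready.

# 1. Policy equivalent of "Require additional authentication at startup" = Enabled
#    with "Configure TPM startup PIN" = "Require startup PIN with TPM".
#    Value mapping assumed: 0 = do not allow, 1 = require, 2 = allow.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 0 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # require PIN with TPM
Set-ItemProperty -Path $fve -Name UseTPMKey          -Value 2 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMKeyPIN       -Value 2 -Type DWord

# 2. Choose the numeric startup PIN; it is prompted for, never stored in the script.
$pin = Read-Host -AsSecureString -Prompt 'Startup PIN (digits only)'

# 3. Add the TPM+PIN protector. Equivalent to "manage-bde -protectors -add c: -TPMandPIN".
$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.VolumeStatus -eq 'FullyDecrypted') {
    # BitLocker not yet turned on: enable it with TPM+PIN and add a recovery password.
    Enable-BitLocker -MountPoint 'C:' -TpmAndPinProtector -Pin $pin `
        -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
} else {
    # Already encrypting/encrypted (the GUI flow above): just add the TPM+PIN protector.
    Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin | Out-Null
}

# 4. Verify, as "manage-bde -status" does. manage-bde's "Numerical Password" appears
#    here as RecoveryPassword, and "TPM And PIN" as TpmPin.
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId

# 5. Restart to confirm the PIN prompt appears before Windows loads.
# Restart-Computer
```

The final restart is left commented out so the script does not reboot the machine unannounced; run it (or restart manually) once the key protector list shows both `RecoveryPassword` and `TpmPin`, and keep the recovery password off the system as described for the data drive.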
Well done, your data is now protected by BitLocker encryption.