Windows Full Disk Encryption

This guide takes you through the process of configuring Microsoft BitLocker full disk encryption on a system running Windows 7 or later. BitLocker can be enabled on an existing system – that is, existing data is kept and there should be no need to reinstall things. However, it is highly recommended that all important data be backed up first.

TPM

First, we must ensure the Trusted Platform Module (TPM) chip is enabled and active. You should check this in the system BIOS/UEFI. If you find that you can’t enable BitLocker, it’s probably due to the TPM not being enabled or activated.

Enable TPM

Activate TPM
Windows Full Disk Encryption - University of Glasgow

Jul 26, 2020


BitLocker

To enable BitLocker, in Windows Explorer right-click on the system drive (or any other drive you want to encrypt) and select Turn BitLocker on.

This will start the process by first checking the system’s configuration. After that, the system will need to be restarted. BitLocker will then begin its setup.

NOTE: You may be asked how much of your drive you wish to encrypt. The options are used space only or entire drive. If this is a brand new computer, you can select the used space option. Otherwise, it’s safest to choose entire disc.

NOTE: For Windows 10 you may be asked an additional question during the process about whether you want to use the newer XTS-AES encryption. We recommend you select this option for system drive encryption.

Recovery Key

You will then be asked how you would like to store your recovery key. This is an important step, as the key may be required at a later date. For example, whenever certain changes or upgrades are made to the hardware, BitLocker may require the recovery key to be entered.

We recommend that you store the recovery key in a secure network drive, on a memory stick, or print a copy and keep it in a safe place. (Consider doing more than one of these). For obvious reasons, the system will not allow storing the key in the drive you are encrypting!

Once the recovery key is saved, the drive is ready to be encrypted. We recommend that you run the BitLocker system check, to ensure that the system can successfully use the recovery key.

The system will then need to be restarted again, after which the encryption process begins.

Once the system has restarted, you will notice in Windows Explorer that there is a padlock on the drive, which denotes that BitLocker is turned on for this drive.

In the BitLocker Drive Encryption control panel, you’ll see that the drive is Encrypting. Once completed, the BitLocker control panel will confirm that BitLocker is on.

You’ll be able to use the system whilst the drive is being encrypted. However, it may be sluggish whilst this is in progress, and will return to normal once the encryption process is complete (which could be a few hours, or longer, so consider letting it run overnight). Thereafter, BitLocker should have no noticeable effect on system performance.

Advanced management

The command line tool provides further information about the system’s disks and their BitLocker status, as well as allowing you to control other aspects of disk encryption. We can use it to also monitor the disc encryption progress, shown below via the command, manage-bde -status. For more functionality see the output from the command manage-bde -?.

NOTE: You require local admin rights to run manage-bde commands.
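
The following PowerShell sketch is an added example, not part of the original guide. It audits one drive against the choices the guide recommends (TPM ready, recovery key saved, XTS-AES, encryption finished). It assumes Windows 8 / Server 2012 or later, where the Get-Tpm and Get-BitLockerVolume cmdlets exist; the function name Test-BitLockerGuideSettings is hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt (local admin rights).
# Assumes Windows 8 / Server 2012 or later; on Windows 7 only
# manage-bde -status is available.

function Test-BitLockerGuideSettings {
    param(
        [string]$MountPoint = $env:SystemDrive   # e.g. "C:"
    )

    $tpm = Get-Tpm
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types on the volume, e.g. Tpm, RecoveryPassword
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $checks = [ordered]@{
        # TPM section: chip present, enabled and activated
        'TPM present and ready'       = ($tpm.TpmPresent -and $tpm.TpmReady)
        # Recovery Key section: a recovery password exists for the volume
        'Recovery password protector' = ($protectors -contains 'RecoveryPassword')
        # Windows 10 note: XTS-AES recommended for the system drive
        'XTS-AES encryption method'   = ("$($vol.EncryptionMethod)" -like 'XtsAes*')
        # Encryption has finished and protection is switched on
        'Fully encrypted'             = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted')
        'Protection on'               = ("$($vol.ProtectionStatus)" -eq 'On')
    }

    # Progress figure, the same percentage manage-bde -status reports
    Write-Host ("{0} is {1}% encrypted ({2})" -f $vol.MountPoint,
        $vol.EncryptionPercentage, $vol.VolumeStatus)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Drive  = $vol.MountPoint
            Check  = $name
            Passed = [bool]$checks[$name]
        }
    }
}

Test-BitLockerGuideSettings | Format-Table -AutoSize
```

While encryption is still running, the last two checks report False; rerun the function once the control panel shows that BitLocker is on.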