
Windows BitLocker

A full-volume encryption feature of Windows (Pro, Enterprise and Education editions; not Home) that encrypts entire drives.

BitLocker uses the TPM chip on the system's motherboard, which must be version 1.2 or later, to seal the volume key to measurements of the boot components, so a modified boot loader cannot release the key. BitLocker can be enabled without a TPM (the Group Policy setting "Allow BitLocker without a compatible TPM" has to be turned on), but then nothing measures the boot files, so tampering with them goes undetected. In that mode a startup key on a USB drive or a pre-boot password is required to boot into Windows.

Setup

When BitLocker protects the OS drive, the disk holds two volumes. The first is a small unencrypted system partition (100 MB on Windows 7, larger on later releases; the EFI system partition on UEFI machines) that stores the boot manager and the other files needed before the volume key is available. The second is the OS volume, which holds Windows and the user's data and is the part that gets encrypted. Windows Setup normally creates this layout at install time; if the system partition is missing, the BitLocker wizard shrinks the OS partition to create it.

To recover an OS drive whose own machine can no longer boot it, attach the disk to another Windows machine. There it is treated as a locked data drive: it can be unlocked with its recovery password and then read or decrypted in place.

Encryption Styles

BitLocker offers two encryption styles: full disk or used space only. Full encryption encrypts every sector of the volume, including free space, and takes proportionally longer. Used space only encrypts just the sectors that currently hold data; anything written after BitLocker is enabled is encrypted as it is stored. Used space only is intended for new or freshly wiped drives: on a drive that has been in use, the free space may still hold remnants of previously deleted files in the clear, which only full encryption covers.
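The setup decisions above (TPM present or not, and full disk versus used space only) as one added PowerShell script; it is not code from the original page or from Microsoft. It assumes an elevated session on Windows 10/11, that the OS volume is C:, that the startup key for the no-TPM path is written to a USB drive mounted as E:, and that the Group Policy "Allow BitLocker without a compatible TPM" has already been enabled for that path.

```powershell
# Added example (not from the original page): enable BitLocker on the OS volume
# with a TPM protector when a TPM 1.2+ is present and ready, otherwise with a
# USB startup key, and choose full-disk or used-space-only encryption.
# Assumptions: elevated session; OS volume C:; startup key drive E:\; the
# "Allow BitLocker without a compatible TPM" policy is enabled for the no-TPM path.
param(
    [string]$OsVolume        = 'C:',
    [string]$StartupKeyDrive = 'E:\',
    [switch]$FullDisk        # default is used-space-only, which is only safe on a fresh drive
)

# TPM presence/readiness from the TPM module; spec version from WMI (e.g. "2.0, 0, 1.16").
$tpm  = Get-Tpm
$wmi  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$spec = if ($wmi) { [version](($wmi.SpecVersion -split ',')[0].Trim()) } else { $null }
$tpmUsable = $tpm.TpmPresent -and $tpm.TpmReady -and $spec -and ($spec -ge [version]'1.2')

$opts = @{ MountPoint = $OsVolume; EncryptionMethod = 'XtsAes256' }
if (-not $FullDisk) { $opts['UsedSpaceOnly'] = $true }

if ($tpmUsable) {
    # The TPM seals the volume key to the boot measurements. -SkipHardwareTest
    # starts encrypting now instead of after a reboot-and-test cycle.
    Enable-BitLocker @opts -TpmProtector -SkipHardwareTest
} else {
    Write-Warning "No usable TPM (present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) spec=$spec): boot files will not be integrity-measured."
    if (-not (Test-Path $StartupKeyDrive)) { throw "Startup key drive $StartupKeyDrive is not mounted." }
    # The .bek startup key is written to the USB drive, which must be present at every boot.
    Enable-BitLocker @opts -StartupKeyProtector -StartupKeyPath $StartupKeyDrive
}

# Confirm which protector was applied and watch the encryption progress.
Get-BitLockerVolume -MountPoint $OsVolume |
    Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Run it as `.\Enable-OsBitLocker.ps1` for used-space-only, or add `-FullDisk` on a drive that has held data before. Add a recovery password protector (see Data Recovery) before relying on either protector: a firmware update or a lost USB key otherwise leaves no way in.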

Data Recovery

Windows generates a recovery password while setting up BitLocker. It is a randomly generated 48-digit number, held as a protector independent of the TPM, PIN or startup key, and it unlocks the volume when the normal protector cannot, for example if:

  • the hard drive is moved to a different machine
  • the boot files or firmware change (a boot-manager or firmware update, a Secure Boot setting change, a cleared TPM)
  • BitLocker detects a change it treats as tampering (the TPM measurements no longer match what the key was sealed to) and enters recovery mode at boot

Once that happens the recovery password is the only way back in, so it should be backed up in several places that do not travel with the machine: Active Directory or Entra ID, a Microsoft account, a printout, or a file on separate media.
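The recovery workflow above, plus the earlier note about attaching an OS drive to another machine as a data drive, as added PowerShell functions (not code from the original page or from Microsoft). They assume an elevated session, a hypothetical escrow share path standing in for whatever key-escrow process the organisation uses, and that the AD DS backup only succeeds on a domain-joined machine whose policy permits it; on the second machine the moved disk is assumed to appear as F:.

```powershell
# Added example (not from the original page): create and escrow a recovery
# password for the OS volume, and unlock that volume after its disk is attached
# to another Windows machine, where it shows up as a locked data drive.
# Assumptions: elevated session; escrow share path is hypothetical; AD DS backup
# requires a domain-joined machine with the matching policy.

function New-EscrowedRecoveryPassword {
    param(
        [string]$MountPoint = 'C:',
        [string]$EscrowFile = '\\fileserver\bitlocker-escrow$\recovery.txt'   # hypothetical path
    )
    # The recovery password is an independent protector: it unlocks the volume
    # master key on its own, whatever the state of the TPM or startup key.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

    # Escrow copy 1: Active Directory (domain-joined machines).
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
    } catch {
        Write-Warning "AD DS escrow failed ($($_.Exception.Message)); keep the file copy."
    }
    # Entra ID joined devices would use:
    #   BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

    # Escrow copy 2: a file on protected media, never on the encrypted disk itself.
    "$env:COMPUTERNAME`t$($rp.KeyProtectorId)`t$($rp.RecoveryPassword)" | Out-File -Append -FilePath $EscrowFile
    return $rp
}

function Unlock-MovedVolume {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'F:' on the second machine
        [Parameter(Mandatory)][string]$RecoveryPassword   # 48 digits, 8 groups of 6
    )
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'Recovery password must be 8 groups of 6 digits separated by dashes.'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') { return $vol }
    # Unlocks for this session only. To strip protection and decrypt in place,
    # follow with: Disable-BitLocker -MountPoint $MountPoint
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}

# On the original machine:
#   $rp = New-EscrowedRecoveryPassword -MountPoint 'C:'
# On the machine the disk was moved to (disk appears as F:):
#   Unlock-MovedVolume -MountPoint 'F:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
```

Check the result with `manage-bde -protectors -get C:`, which lists every protector with its ID; the ID is what you will search for in AD or the escrow file when a user reads a recovery prompt to you over the phone.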

A Data Recovery Agent (DRA) is not a user account but a certificate whose private key is held by an administrator. Deployed through Group Policy, it is added as an extra protector to every BitLocker volume in the domain, so the DRA holder can unlock any encrypted drive on the network without knowing that drive's recovery password. The DRA private key is therefore as sensitive as every recovery password combined and must be guarded accordingly.
