How to Set Up BitLocker® Drive Encryption in Windows 10

With data breaches and device theft commonplace, enabling disk encryption is a sensible step to keep your data out of the wrong hands if a laptop or drive goes missing. Note that full-disk encryption protects data at rest: it does not defend a running system against ransomware, which executes with the disk already unlocked.

BitLocker® first shipped with Windows Vista. It encrypts entire volumes with AES using 128-bit or 256-bit keys, in Cipher Block Chaining (CBC) mode (the original format, paired with the Elephant diffuser on Vista and Windows 7) or, since Windows 10 version 1511, in XTS mode. The cipher is applied to each sector independently rather than chaining across the whole disk, so any sector can be read or rewritten on its own.

                       BitLocker Encryption Availability
The feature is not available on every Windows edition, however. Windows 7 Professional, still used by a large number of people, does not include it; you need Windows 7 Ultimate or Enterprise.

Windows 8 and 8.1 Pro and Enterprise, Windows 10 Pro, Enterprise and Education, and Windows Server 2008 and later (where it is an installable feature) can encrypt both fixed and removable drives with this tool.

                            BitLocker Encryption Modes
Three authentication mechanisms serve as the building blocks of a BitLocker deployment:

  §  Trusted Platform Module (TPM) mode: the most transparent option for the user. The TPM chip seals the key that unlocks the volume and releases it to the OS loader only if the measured early-boot components (firmware, boot manager, boot configuration) match the values recorded when BitLocker was turned on; if the boot chain has been tampered with, BitLocker drops into recovery instead.

  §  User authentication mode: the user must type a pre-boot PIN (with a TPM) or password (without one) that was set during the encryption process.

  §  USB key mode: the user must insert a USB device holding the startup key before the OS will boot. The firmware (BIOS/UEFI) of the protected machine must be able to read USB storage in the pre-OS environment for this to work.

              Set Up Process for BitLocker® Drive Encryption 
If you currently run Windows 7 Professional, you need to upgrade to Ultimate or Enterprise to activate BitLocker. The TPM-based modes additionally require a TPM chip (or firmware TPM) on the machine.

Third-party disk encryption programs such as VeraCrypt (the maintained fork of TrueCrypt, which its developers abandoned in 2014), DiskCryptor, COMODO Disk Encryption and ESET Endpoint Encryption are also available.

1. Start by searching for BitLocker and launching Manage BitLocker. It is also available from Control Panel under System and Security > BitLocker Drive Encryption.

2. You can now turn on BitLocker for the volume you want to encrypt. Both the local C: drive and removable data drives such as USB flash drives (the latter via BitLocker To Go®) are listed.

3. If your computer has a TPM chip (version 1.2 or 2.0), enable it in the firmware (BIOS/UEFI) setup. Click the TPM Administration link in the BitLocker window to open the TPM management console and confirm that the chip is present and ready; it is where the key that unlocks the drive will be sealed.

4. Microsoft's TechNet documentation has a step-by-step guide to enabling the Trusted Platform Module in your firmware. Machines without a TPM can still use BitLocker, but only with a password or a USB startup key in place of the TPM.

5. If you try to turn on BitLocker without a TPM at this point, you get an error stating that this device can't use a Trusted Platform Module and that an administrator must set the "Allow BitLocker without a compatible TPM" option in the "Require additional authentication at startup" policy.

6. That setting lives in local Group Policy. Press Windows+R, type gpedit.msc and press Enter to launch the Local Group Policy Editor.

7. Once it is open, navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Notice that the state shows Not Configured.

8. Select Enabled and make sure the "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" checkbox is ticked. Click OK and close the policy editor.

9. Relaunch BitLocker; Windows now performs a system configuration check. This may take a while depending on the drives present and the data stored on them.

10. Windows now lists the steps involved in turning on BitLocker: preparing the drive and then encrypting it. Click Next to proceed.

11. BitLocker prepares the drive by shrinking the C: volume, creating a new unencrypted system partition for the boot files, and finally readying the drive for BitLocker.

12. Leave the Run BitLocker system check checkbox ticked. This makes BitLocker confirm, across a reboot, that it can read the recovery and encryption keys correctly before any data is encrypted. Continue.

13. Choose how much of the drive to encrypt. For a new drive or PC it is good practice to encrypt used disk space only, which is much faster. For a PC that has been in use for a while, encrypt the entire drive: free space may still hold remnants of deleted files, and used-space-only mode leaves them in the clear. Click Next to proceed.

14. Two options are offered for unlocking the drive at startup on a machine without a TPM: insert a USB flash drive holding your startup key, or enter a password.

15. Choose a strong password containing uppercase and lowercase letters, numbers, symbols and spaces, and make sure it differs from your local administrator password; on a TPM-less machine this pre-boot password is all that stands between someone holding the disk and your data.

16. Once the password is set, setup offers three ways to back up your recovery key. Pick whichever works best for you; note that saving to a Microsoft account requires the PC to be signed in with a Microsoft account, which you can set up under Accounts in Settings. Wherever you store it, keep the recovery key off the encrypted drive itself.

17. Once drive preparation is complete, restart the computer to begin encrypting the system drive.

18. If setup succeeded, you will be prompted for the password to unlock the drive before Windows boots. With a TPM protector the drive is unlocked transparently and Windows starts straight away.

19. After logging in to Windows, check the encryption status. A padlock icon appears next to the C: drive, along with options to suspend protection, back up the recovery key, remove the password and turn off BitLocker.

Options for encrypting removable flash drives with BitLocker To Go are also found in this window.

It is also worth noting that BitLocker can be enabled inside a virtual machine to encrypt its virtual hard disk even when the host's own disk is unencrypted (for a guest without a virtual TPM, the policy change in steps 6 to 8 is needed). This adds a layer of protection to VM images at rest.
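The same procedure scripted: this is an added example, not code from the original tutorial or from Microsoft, and it covers the three authentication modes listed earlier together with steps 3 to 19 above. Run it from an elevated PowerShell on Windows 10 Pro/Enterprise. It uses only built-in cmdlets (Get-Tpm, Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume); the registry values it writes are the ones the "Require additional authentication at startup" policy sets, and the recovery-file location C:\BitLockerRecovery is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): GUI steps 3-19 as a script.
$ErrorActionPreference = 'Stop'
$OsDrive     = 'C:'
$RecoveryDir = 'C:\BitLockerRecovery'   # assumption: where the recovery password is written; move it off this disk afterwards

# Steps 3-4: is there a usable TPM? Get-Tpm ships with Windows 10.
$tpm       = Get-Tpm
$tpmUsable = $tpm.TpmPresent -and $tpm.TpmReady

if (-not $tpmUsable) {
    # Steps 6-8: the local-policy equivalent of ticking
    # "Allow BitLocker without a compatible TPM". gpedit.msc writes the same values.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
    # 2 = "Allow" for each TPM-based option (0 = Do not allow, 1 = Require)
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
    }
}

# Step 16 first: create the 48-digit recovery password before anything can go wrong,
# and write it somewhere that is not the drive being encrypted.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
"Recovery ID:       $($rp.KeyProtectorId)`nRecovery password: $($rp.RecoveryPassword)" |
    Set-Content -Path (Join-Path $RecoveryDir 'OS-drive-recovery.txt')

# Steps 12-14: turn BitLocker on. XTS-AES-256 is the strongest mode offered on
# Windows 10 1511+; -UsedSpaceOnly mirrors "encrypt used disk space only" for a fresh PC.
# Without -SkipHardwareTest the system check from step 12 runs across the next reboot.
if ($tpmUsable) {
    # TPM mode: no prompt at boot; the TPM releases the key only if the boot chain measures clean.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
} else {
    # User-authentication mode: pre-boot password (the policy above makes this legal on an OS drive).
    $pw = Read-Host -Prompt 'Pre-boot password for the OS drive' -AsSecureString
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                     -PasswordProtector -Password $pw
}
# USB key mode instead of a password would be:
#   Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
#                    -StartupKeyProtector -StartupKeyPath 'D:\'     # D: = the USB stick (assumption)

# Step 19: report state. Encryption of the OS drive starts after the reboot.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

After the restart, `Get-BitLockerVolume C:` should show ProtectionStatus On and EncryptionPercentage climbing to 100; `manage-bde -protectors -get C:` lists the protector types you ended up with, which is the quickest way to confirm the recovery password was actually added.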

      USB Drive Encryption with BitLocker® Windows 10 Pro

On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) begins to apply. It replaces the £500,000 maximum fine that the UK's Data Protection Act 1998 allowed for failing to protect personal data with penalties of up to 20 million euros or 4% of annual global turnover, whichever is higher.

GDPR does not mandate a particular standard, but an information security management system along the lines of ISO 27001 is the usual way to demonstrate the "appropriate technical and organisational measures" the regulation requires; Article 32 names encryption of personal data explicitly. Fines at the new level could threaten a business's solvency, so the best time to prepare is now.

Encrypting personal data carried on USB sticks and external hard drives is one of the first measures an organisation's IT team can put in place on the way to compliance with data protection law.

In a home lab you may prefer not to encrypt the host OS itself and instead work from a Windows 10 Pro virtual machine in VMware. Let's take a closer look:

20. Launch VMware Workstation 12 and boot the Windows 10 Pro virtual machine.

21. Insert the USB stick or external HDD into the host machine; VMware prompts you to choose whether the device should attach to the host or to the virtual machine. You can also attach it from the VM menu: VM > Removable Devices > (the mass storage device) > Connect (Disconnect from Host).

22. Open File Explorer and locate the new removable drive. Right-click the volume and select Turn on BitLocker from the context menu.

23. BitLocker now initializes the drive. You can still cancel at this point, but never pull the drive out until the operation has completed and the drive has been safely removed, or you risk corrupting its data.

24. Next, enter the password that will be required to unlock the drive; a smart card option is also offered. Remember to save the recovery key somewhere other than the drive itself.

25. Encryption begins once you have chosen whether to encrypt the entire drive or only the used space. The process can be paused and resumed later; if you safely remove the drive part-way through, the data stays intact and encryption resumes automatically when the drive is reinserted.
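The removable-drive procedure (steps 22 to 25) from PowerShell, as an added example that is not part of the original tutorial: it refuses to touch anything that is not a removable drive, encrypts it with a password protector, stores the recovery password off the stick, waits for encryption to finish, and then shows the lock/unlock cycle a reader would go through on another PC. The drive letter E: and the recovery directory under the user's Documents folder are assumptions; the cmdlets (Get-Volume, Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume, Suspend-BitLocker, Lock-BitLocker, Unlock-BitLocker) are all built into Windows 10 Pro.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): BitLocker To Go on a removable drive.
$ErrorActionPreference = 'Stop'
$Usb         = 'E:'                                              # assumption: the USB stick / external HDD
$RecoveryDir = Join-Path $env:USERPROFILE 'Documents\BitLockerRecovery'   # assumption: never on the drive itself

# Guard: only proceed for a removable drive, so a typo cannot start encrypting a fixed disk.
$volInfo = Get-Volume -DriveLetter $Usb.TrimEnd(':')
if ($volInfo.DriveType -ne 'Removable') {
    throw "$Usb is a $($volInfo.DriveType) drive, not a removable one; refusing to continue"
}

# Step 24: password protector. AES-256 in CBC mode (Aes256) rather than XtsAes256 keeps the
# drive readable on Windows 7/8.1 machines, which cannot open XTS-encrypted volumes.
$pw = Read-Host -Prompt "Password to unlock $Usb" -AsSecureString
Enable-BitLocker -MountPoint $Usb -EncryptionMethod Aes256 -UsedSpaceOnly -PasswordProtector -Password $pw

# Recovery password, appended to a file that lives on this PC, not on the stick.
$vol = Add-BitLockerKeyProtector -MountPoint $Usb -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
"$(Get-Date -Format s) $Usb $($rp.KeyProtectorId) $($rp.RecoveryPassword)" |
    Add-Content -Path (Join-Path $RecoveryDir 'removable-recovery.txt')

# Step 25: encryption runs in the background; poll until the volume is fully encrypted.
# (Pausing is Suspend-BitLocker -MountPoint $Usb -RebootCount 0; Resume-BitLocker restarts it.)
do {
    Start-Sleep -Seconds 5
    $v = Get-BitLockerVolume -MountPoint $Usb
    Write-Host ('{0}: {1} {2}%' -f $Usb, $v.VolumeStatus, $v.EncryptionPercentage)
} while ($v.VolumeStatus -ne 'FullyEncrypted')

# Lock the volume before unplugging: from here on the data is only reachable with the password
# or the recovery password, which is exactly what a lost stick should look like.
Lock-BitLocker -MountPoint $Usb -ForceDismount

# What the next machine (or this one, after re-insertion) does to read the drive:
Unlock-BitLocker -MountPoint $Usb -Password (Read-Host -Prompt "Password for $Usb" -AsSecureString)
# If the password is forgotten, the 48-digit recovery password from the file above works instead:
#   Unlock-BitLocker -MountPoint $Usb -RecoveryPassword '<48-digit recovery password>'
```

The final `Get-BitLockerVolume $Usb` after unlocking should report LockStatus Unlocked and ProtectionStatus On; if ProtectionStatus is Off the drive is encrypted but its key is stored in the clear, which is the state Suspend-BitLocker leaves behind and not what you want on a drive that leaves the building.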

We hope you enjoyed learning how to encrypt USB sticks and external HDDs in Windows 10 with BitLocker®. Try it on a spare USB stick and see the results for yourself.

Thank you for investing your time with us. 



         Credits to all organisations and development teams at Microsoft Corporation        

           Twitter: @ixploitsecurity

