A beginner's guide to BitLocker, Windows' built-in encryption tool
The creators of TrueCrypt shocked the computer security world this week when they seemingly ended development of the popular open source encryption tool. Even more surprising, the creators said TrueCrypt could be insecure and that Windows users should migrate to Microsoft's BitLocker. Conspiracy theories immediately began to swirl around the surprise announcement.
Regardless of the true motivations behind the message, the TrueCrypt fiasco gives us a chance to talk about BitLocker—and how to use it.
What is BitLocker?
BitLocker is Microsoft's easy-to-use, proprietary full-disk encryption feature for Windows. It encrypts your entire drive and, when paired with a TPM, checks the early boot chain (firmware, boot manager and boot files) before releasing the key, so tampering such as a modified boot loader or firmware-level malware leaves the drive locked instead of silently unlocked.
Who can use BitLocker
BitLocker is available to anyone who has a machine running Windows Vista or 7 Ultimate, Windows Vista or 7 Enterprise, Windows 8 or 8.1 Pro, or Windows 8 or 8.1 Enterprise. If you're running an Enterprise edition, chances are your PC belongs to a large company, so you should discuss enabling BitLocker encryption with your company's IT department.
Most of us buy PCs with the standard version of Windows, which doesn't include BitLocker encryption. But if you upgraded to Windows 8 during the initial rollout of Microsoft's dual-interface OS then you probably have Windows 8 or 8.1 Pro. During the early days of Windows 8 Microsoft was selling cheap Windows 8 Pro upgrade licenses to anyone eligible for an upgrade.
To run BitLocker you'll need a Windows PC running one of the OS flavors mentioned above, plus a drive with at least two partitions (a small, unencrypted system partition holds the boot files; the setup wizard can create it for you) and a Trusted Platform Module (TPM). Strictly speaking the TPM is optional: an administrator can enable the Group Policy setting "Require additional authentication at startup" and allow BitLocker without a compatible TPM, in which case you unlock the drive with a startup key on a USB flash drive at every boot. For a home PC the TPM route is the one to want.
A TPM is a dedicated security chip that stores the key BitLocker needs to unlock the drive. At every boot the firmware and boot loader record measurements of themselves into the TPM, and the chip only releases the key if those measurements match the ones recorded when BitLocker was turned on. If something in the boot chain has changed, the TPM withholds the key and BitLocker drops into recovery mode, which refuses to boot normally and asks for your 48-digit recovery key instead.
If you don't know whether your computer has a TPM or multiple partitions, don't sweat it. BitLocker will run a system check when you start it up to see if your PC can use BitLocker.
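If you would rather check for yourself than let the wizard tell you, the following PowerShell snippet, added here as an example and not part of the original article, reports the TPM state, the partition layout and the current BitLocker status of every volume. It assumes an elevated PowerShell prompt on Windows 8 or later, where the TPM, Storage and BitLocker modules ship with the OS.

```powershell
# Added example: BitLocker readiness check (not from the original article).
# Run as Administrator on Windows 8 / 8.1 Pro or Enterprise.

# 1. Is there a TPM, and is it enabled, activated and ready for use?
#    TpmReady = $false usually means the wizard will have to turn it on,
#    which is the shutdown-and-confirm step the article describes.
$tpm = Get-Tpm
"TPM present: {0}  enabled: {1}  activated: {2}  ready: {3}" -f `
    $tpm.TpmPresent, $tpm.TpmEnabled, $tpm.TpmActivated, $tpm.TpmReady

# 2. Is there a separate system partition for the unencrypted boot files?
#    On GPT disks it shows up with Type 'System'; on MBR disks look for the
#    small active partition flagged IsSystem. If only the Windows partition
#    exists, BitLocker's wizard will offer to shrink it and create one.
Get-Partition |
    Select-Object DiskNumber, PartitionNumber, DriveLetter, Type, IsSystem, IsBoot,
        @{ Name = 'SizeGB'; Expression = { [math]::Round($_.Size / 1GB, 2) } } |
    Format-Table -AutoSize

# 3. Current BitLocker state. A fresh PC shows ProtectionStatus 'Off' and
#    EncryptionPercentage 0 for every volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus,
        EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# 4. The same facts from the classic command-line tool, which also lists
#    the key protectors (TPM, recovery password, etc.) once BitLocker is on.
manage-bde -status
```

If Get-Tpm reports TpmPresent as false and the machine is a laptop from the last few years, check the firmware setup screen first: many vendors ship the TPM disabled rather than absent.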
Who should use BitLocker?
Here's the thing about BitLocker: It's a closed source program. That's problematic for extremely privacy-minded folks, since users have no way of knowing whether Microsoft was coerced into putting some kind of backdoor into the program under pressure from the U.S. government.
The company says there are no back doors, but how can we be certain? We can't. Sure, if BitLocker were open source most of us wouldn't be able to read the code to determine whether there was a backdoor anyway. But somebody out there would be able to, meaning there would be a much higher chance of any faults in the program being discovered.
So with BitLocker's closed source nature in mind, I wouldn't count on this encryption program defending your data against a government actor such as border agents or intelligence services. But if you're looking to protect your data in case your PC is stolen, or in other situations where petty criminals and non-government types might mess with your hardware, then BitLocker should be just fine. One caveat worth knowing before you start: in the default TPM-only configuration the drive unlocks itself automatically every time the PC boots cleanly, so a thief who powers on your laptop lands at the Windows sign-in screen, and your defense from that point on is your Windows password. If you want the drive to stay locked until you type something, BitLocker can also require a pre-boot PIN in addition to the TPM; the same Group Policy setting that governs TPM-less operation controls this.
Getting ready to go crypto, Microsoft style
Here's how I got BitLocker running on a Windows 8.1 Pro machine. The first thing you'll need to do is fire up the Control Panel.
When the Control Panel opens, type BitLocker into the search box in the upper right corner and press Enter. Next, click Manage BitLocker, and on the next screen click Turn on BitLocker.
Now BitLocker will check your PC's configuration to make sure your device supports Microsoft's encryption method.
If you're approved for BitLocker, Windows will show you a message like this one. If your TPM module is off then Windows will turn it on automatically for you, and then it will encrypt your drive.
To activate your TPM security hardware Windows has to shut down completely. Then you will have to manually turn your PC back on. Before you go ahead with this process make sure any flash drives, CDs, or DVDs are ejected from your PC. Then hit Shutdown.
Once you restart your PC, you may see a warning that your system was changed. In my case I had to hit F10 to confirm the change or press Esc to cancel. After that, your computer should boot back up, and once you log in again you'll see the BitLocker window.
Recovery key and encryption
After a few minutes, you should see a window with a green check mark next to "Turn on the TPM security hardware." We're almost at the point where we'll encrypt the drive! When you're ready, click Next.
Before you encrypt your drive, however, you have to save a recovery key in case you ever have problems unlocking your PC, which is exactly what happens if the TPM sees a changed boot chain or you move the drive to another machine. Windows 8.1 gives you several choices for saving this key: save it to your Microsoft account, save it to a USB flash drive, save it to a file, or print it. You can choose as many of these options as you like, and you should choose at least two. Whatever you pick, the copy must not live only on the drive you are about to encrypt.
In my case, I chose to save the file to a USB key and print the key on paper. I decided against saving the file to my Microsoft account, because I don't know who has access to the company's servers. That said, saving your key to Microsoft's servers will make it possible to decrypt your files if you ever lose the flash drive or paper containing your recovery key code.
Once you've created two different instances of the recovery key and removed any USB drives, click Next.
On the following screen, you have to decide whether to encrypt only the disk space used so far or your PC's entire drive. If you are encrypting a brand new PC without any files, the option to encrypt only the used disk space is best for you, since new files will be encrypted as they're added and the job finishes much faster. If you have an old PC with a few more miles on the hard drive, choose to encrypt the entire drive: the "free" space on a used disk still holds the contents of files you deleted long ago, and used-space-only encryption would leave those remnants readable.
Once you've chosen your encryption scheme click Next. We're almost there.
Make sure the box next to "Run BitLocker system check" is checked so that Windows will confirm, with a reboot, that the TPM and your recovery key can actually unlock the drive before it encrypts anything. Once the box is checked click Continue...and nothing happens.
You'll see an alert balloon in the system tray telling you that encryption will begin after you restart the PC. Restart your PC.
When you log in this final time you should see another system tray alert telling you that the encryption is in progress.
You can continue to work on your PC during the encryption phase, but things may be working a little more slowly than usual. Consider holding back on anything that might tax your system during initial encryption, such as graphics-intensive programs.
After all those clicks, that's it! Just leave Windows to do its thing and in a few hours you'll have a BitLocker-encrypted drive. How long BitLocker takes depends on the size of your drive, or, if you chose to encrypt used space only, on how much data is already on it.
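The whole wizard can also be driven from PowerShell, which is handy if you need to repeat it on several machines or want to see exactly which key protectors end up on the volume. The script below is an added example, not code from the original article or from Microsoft; it assumes an elevated prompt on Windows 8.1 Pro, that C: is the operating-system volume, that the TPM is already enabled (the Get-Tpm check above), and that E: is a USB flash drive you will put somewhere safe. The drive letter, file path and PIN handling are assumptions for illustration.

```powershell
# Added example: enable BitLocker on the OS drive the way the wizard does
# (not from the original article). Run as Administrator on Windows 8.1 Pro.
# Assumptions: C: is the OS volume, E: is a removable USB drive for the
# recovery key backup, the TPM is already enabled and ready.

$OsDrive    = 'C:'
$BackupFile = 'E:\BitLocker-Recovery-Key-C.txt'   # assumption: NOT on the drive being encrypted

# 1. Create the 48-digit recovery password. This is the key the wizard asks
#    you to save or print; it is the only way back in if the TPM ever
#    refuses to release the key (changed firmware, drive moved to another PC).
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

# 2. Save it off the machine. BitLocker identifies each recovery key by the
#    protector ID, so keep that alongside the password.
@"
BitLocker Drive Encryption recovery key for $env:COMPUTERNAME $OsDrive
Identifier:   $($rp.KeyProtectorId)
Recovery Key: $($rp.RecoveryPassword)
"@ | Set-Content -Path $BackupFile
Write-Host "Recovery key written to $BackupFile. Keep a second copy (print it)."

# 3. Tie the volume to the TPM. Without -SkipHardwareTest this behaves like the
#    wizard with "Run BitLocker system check" ticked: it schedules a reboot that
#    proves the TPM can unlock the drive, and encryption starts after that reboot.
#    -UsedSpaceOnly matches the "used disk space only" option; drop it on a
#    second-hand disk so previously deleted data is encrypted too.
Enable-BitLocker -MountPoint $OsDrive -TpmProtector -UsedSpaceOnly -EncryptionMethod Aes256

# Stronger variant: TPM plus a pre-boot PIN, so the drive stays locked until
# someone types the PIN. Needs the Group Policy "Require additional
# authentication at startup" to allow a startup PIN. Use instead of step 3:
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Enable-BitLocker -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin -UsedSpaceOnly

# 4. After the reboot, watch progress and confirm both protectors are present.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        EncryptionPercentage,
        @{ Name = 'Protectors'
           Expression = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } } |
    Format-List
```

The output you want to see after encryption completes is VolumeStatus FullyEncrypted, ProtectionStatus On and a Protectors line reading RecoveryPassword, Tpm (or RecoveryPassword, TpmPin if you took the PIN route). If ProtectionStatus stays Off after the reboot, the hardware test failed and the recovery key you saved in step 2 is what gets you back in.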