The creators of TrueCrypt shocked the computer security world in 2014 when they ended development of the popular open-source encryption tool. Even more surprising, the creators said TrueCrypt could be insecure and that Windows users should migrate to Microsoft’s BitLocker. Conspiracy theories immediately began to swirl around the surprise announcement.
What is BitLocker?
BitLocker is Microsoft’s easy-to-use, proprietary encryption program for Windows that can encrypt your entire drive as well as help protect against unauthorized changes to your system such as firmware-level malware.
BitLocker is available to anyone who has a machine running Windows Vista or 7 Ultimate, Windows Vista or 7 Enterprise, Windows 8.1 Pro, Windows 8.1 Enterprise, or Windows 10 Pro. If you’re running an Enterprise edition, chances are your PC belongs to a large company, so you must discuss enabling BitLocker encryption with your company’s IT department.
Most of us buy PCs with the standard version of Windows, which doesn’t include BitLocker encryption. But if you upgraded to Windows 8 during the initial rollout of Microsoft’s dual-interface OS then you probably have Windows 8 or 8.1 Pro. During the early days of Windows 8, Microsoft was selling cheap Windows 8 Pro upgrade licenses to anyone eligible for an upgrade. That Pro upgrade also carried over if you moved from 8.1 to Windows 10.
BitLocker system requirements
To run BitLocker you’ll need a Windows PC running one of the OS flavors mentioned above, plus a storage drive with at least two partitions and a Trusted Platform Module (TPM).
A TPM is a special chip that runs an authentication check on your hardware, software, and firmware. If the TPM detects an unauthorized change, your PC will boot in a restricted mode to deter potential attackers.
If you don’t know whether your computer has a TPM or multiple partitions, don’t sweat it. BitLocker will run a system check when you start it up to see if your PC can use BitLocker.
If it turns out your don’t have a TPM it’s still possible to run BitLocker if you tinker with the Group Policy Editor. Check out How-To Geek’s tutorial for how to use Microsoft’s encryption program without TPM.
Who should use BitLocker?
Here’s the thing about BitLocker: It’s a closed-source program. That’s problematic for extremely privacy-minded folks, since users have no way of knowing whether Microsoft was coerced into putting some kind of backdoor into the program under pressure from the United States government.
The company says there are no backdoors, but how can we be certain? We can’t. Sure, if BitLocker were open-source, most of us wouldn’t be able to read the code to find vulnerabilities, but somebody out there would be able to do so.
So with BitLocker’s closed-source nature in mind, I wouldn’t expect this encryption program to defend your data against a government actor such as border agents or intelligence services. But if you’re looking to protect your data in the event your PC is stolen or otherwise messed-with, then BitLocker should be just fine.
How to set up BitLocker
Here’s how I got BitLocker running on a Windows 8.1 Pro machine. I’ve also added some Windows 10-specific instructions.
1. Open Windows' Control Panel, type BitLocker into the search box in the upper-right corner, and press Enter.
2. Next, click Manage BitLocker, and on the next screen click Turn on BitLocker.
3. Now BitLocker will check your PC’s configuration to make sure your device supports Microsoft’s encryption method.
If you’re approved for BitLocker, Windows will show you a message like this one (see screenshot at left). If your TPM module is off, Windows will turn it on automatically for you, and then it will encrypt your drive.
To activate your TPM security hardware Windows has to shut down completely. Then you’ll have to manually restart your PC. Before you do, make sure any flash drives, CDs, or DVDs are ejected from your PC. Then hit Shutdown.
Once you restart your PC, you may see a warning that your system was changed. In my case I had to hit F10 to confirm the change or press Esc to cancel. After that, your computer should reboot and once you log in again you’ll see the BitLocker window.
Recovery key and encryption
After a few minutes, you should see a window with a green check mark next to Turn on the TPM security hardware. We’re almost at the point where we’ll encrypt the drive! When you’re ready, click Next.
Before you encrypt your drive, however, you will be asked to enter a password that must be entered every time you turn on your PC, before you even get to the Windows login screen. Windows gives you a choice of either entering the password manually or inserting a USB key. Choose whichever method you prefer, but I recommend sticking with the manual password so you aren’t depending on a single USB key for authentication.
Next, you have to save a recovery key just in case you have problems unlocking your PC. Windows gives you three choices for saving this key in Windows 8.1 and Windows 10: Save the file to your Microsoft account, save to a file, save to a flash drive (Windows 10), or print the recovery key. You are able to choose as many of these options as you'd like, and you should choose at least two.
In my case, I chose to save the file to a USB key and print the key on paper. I decided against saving the file to my Microsoft account, because I don’t know who has access to the company’s servers. That said, saving your key to Microsoft’s servers will make it possible to decrypt your files if you ever lose the flash drive or paper containing your recovery key code.
Once you’ve created two different instances of the recovery key and removed any USB drives, click Next.
On the following screen, you have to decide whether to encrypt only the disk space used so far, or encrypt your PC’s entire drive. If you’re encrypting a brand-new PC without any files, then the option to encrypt only the used disk space is best for you, because new files will be encrypted as they’re added. If you have an older PC with a few more miles on the hard drive, you should choose to encrypt the entire drive.
Once you’ve chosen your encryption scheme, click Next. We’re almost there.
Windows 10 only
If you’re running WIndows 10 build 1511 or later, you’ll be asked to choose your encryption mode: new or compatible. If you’re encrypting your onboard storage drive, then choose new. The compatible mode is mostly for removable drives that will be used with older versions of Windows that do not have the “new” encryption mode.
Make sure the box next to Run BitLocker system check is clicked so that Windows will run a system check before encrypting your drive. Once the box is checked, click Continue... and nothing happens.
You’ll see an alert balloon in the system tray telling you that encryption will begin after you restart the PC. Restart your PC, and you’ll be asked to enter your BitLocker password or insert the USB key you created earlier.
After you log in this final time, you should see another system tray alert telling you that the encryption is in progress.
You can continue to work on your PC during the encryption phase, but things may be running a little more slowly than usual. Consider holding back on anything that might tax your system during initial encryption, such as graphics-intensive programs.
After all those clicks, that’s it! Just leave Windows to do its thing, and in a few hours you’ll have a BitLocker-encrypted drive. The length of time it takes BitLocker to fully encrypt your files depends on the size of your drive, or how much data you’re encrypting if you’re only encrypting existing data on a new PC.