Encrypt Your PC

Get secure by encrypting your PC with Microsoft BitLocker for Windows 8 Pro

The release of Windows Vista was troubled and its legacy is remembered that way, but one excellent feature rose out of the wreckage and has carried through Windows 7 to the current Windows 8 operating systems. The feature we are referring to is, of course, Microsoft’s BitLocker Drive Encryption: full disk encryption at the click of a button.

WARNING: Disk encryption is a delicate process; please be sure to back up your data before beginning. WPCentral, Mobile Nations and Smartphone Experts are not responsible for any data loss caused by a failure to read the instructions carefully or by ignoring our recommendation to back up ALL of your data before beginning. Please read the entire article before starting your encryption journey. If you have doubts about anything, ask in the comments below before proceeding.

BitLocker Drive Encryption

The encryption software, originally included only in the Ultimate and Enterprise editions of previous Windows releases, can now be found in the more affordable Windows 8 Pro. It fully encrypts a disk with the AES algorithm (128-bit keys by default on Windows 8; 256-bit keys can be selected through the policy described in the questions at the end of this article).

The Advanced Encryption Standard (AES for short) was published by the United States National Institute of Standards and Technology in 2001. Published cryptanalysis has found attacks that are marginally faster than brute force, but none of them is feasible with present-day computer systems. In practice an attacker does not go after the cipher at all; the realistic targets are the way the key is stored and released (the TPM, the boot path, a weak boot password or a carelessly stored recovery key), which is why the choices you make in the steps below matter more than the cipher.

The Pros and Cons

If you are looking to encrypt your Windows 8 Pro PC, you should consider a few points before proceeding. To start, be aware that in the event of disk or operating system corruption you are more likely to lose data if the drive is encrypted. A corrupted but unencrypted PC can be booted into a Linux variant and the data recovered with software; encryption makes this task much harder and sometimes impossible, even when you have the recovery key (which we discuss below), because damage to the sectors holding BitLocker’s own metadata can leave the whole volume unreadable. The repair-bde command-line tool shipped with Windows can sometimes salvage such a drive if the recovery key is available, but do not count on it.


BackTrack is one of many Linux distros that can be used to break into a Windows file system

Another factor that makes encrypting your disk a bit less valuable is cloud storage: the files you are trying so hard to protect on your PC may also be sitting on someone else’s server in the clear. Online data services vary and the one you use might encrypt stored data, but many do not, and even where the provider does encrypt, it usually holds the keys, so the provider (and anyone who compromises or compels it) can read your files. If you are using Microsoft’s OneDrive service to keep your files updated and backed up, then you are storing your files in an unencrypted cloud; Microsoft’s own support site has a wiki article on OneDrive and data encryption (or the lack of it).

Let us be realistic, though: unless you are trying to protect your data from a government (which might be a reality these days), you probably do not need to worry about someone hacking into Microsoft’s servers to steal your tax information. So let us leave that notion aside and note that you most likely simply want to protect your data from being accessed if your laptop or tablet is stolen.

Disk encryption is an excellent solution for stopping a thief who boots your system from a side-loaded operating system, or pulls the drive and mounts it in another machine, to read your files. It provides a strong, reliable shield against anyone looking to sift through your personal data while the machine is switched off.


Here, an offline registry editor is used to remove a user's password from their Windows account

If you have decided to give BitLocker encryption a go, then we are ready to proceed. We, of course, recommend that you first back up all of your data in case disk corruption occurs during the procedure (in fact, you should be backing up your data anyway).

If your data is backed up and you are ready to begin, then simply follow the steps below to a happier and more encrypted system.

How to Encrypt Systems with TPM Chips

Microsoft’s BitLocker was designed for use on machines that have a Trusted Platform Module (TPM) chip installed. To simplify what the TPM does: it keeps the key that unlocks the operating system drive and will only hand it over if the firmware and boot files measured at power-on match what was recorded when BitLocker was turned on.

If your PC now has a giant lock on it, then it only makes sense that a key is needed to open it. The TPM holds that key, so the system boots without you having to type anything. If the drive is removed from the system (and thus separated from the TPM), it cannot be unlocked without the recovery key. If the system is booted from a side-loaded operating system, or the boot files have been tampered with, the measurements no longer match and the TPM will not give the key up. One caveat: in this TPM-only mode the drive is unlocked before you ever see the Windows logon screen, so on a machine that is merely locked or asleep your Windows account password is what stands between a thief and your files. Adding a startup PIN to the TPM (a BitLocker option that the comments below also discuss) means the key is not released until you have typed it.

Many business machines have TPM chips, including Lenovo’s ThinkPad series, Dell’s Latitude series, Microsoft’s Surface Pro and HP’s EliteBook series. If you have a business machine with a TPM chip, follow the instructions below; otherwise, skip to the next section to see how to encrypt a system without one. If you are unsure whether your system has a TPM, open Device Manager and look for a “Security devices” entry, run tpm.msc from the Start Screen, or simply follow the steps below and see whether you get the error message described in the next section.



  1. To begin, make sure that you are logged in as an administrator on your local machine.
  2. Next, open “This PC” (called “Computer” or “My Computer” in previous versions of Windows).
  3. With the “This PC” Explorer window open, you should see a complete list of your devices and drives. Right click the drive you wish to encrypt (usually the ‘C’ drive).
  4. Now select the “Turn on BitLocker” option. If you have a system with a TPM chip, it may prompt you to activate the chip via a simple “TPM Security Hardware” wizard. If you do not have a TPM chip, you will instead be presented with an error message saying so; if so, skip to the next section of this article.
  5. After you have initialized your TPM chip (which may require a reboot), you can go ahead and activate BitLocker. During the process you will be given a recovery password to use in emergencies; you can choose to “save to your Microsoft account”, “save the password on a USB drive”, “save the password in a folder”, or “print the password”. We suggest the Microsoft account option, so you are never at risk of losing your recovery key; bear in mind that anyone who gets into that account can then unlock your drive, so protect it well, and consider printing a copy too. Do not save the key into a folder on the drive you are about to encrypt. Once your key has been saved, click “Next” to continue.
  6. The next screen will ask whether you wish to “Encrypt used disk space only” or “Encrypt entire drive”. We suggest the latter: “used disk space only” is fine for a brand-new PC, but on a drive that has already held data it leaves previously deleted files sitting unencrypted in the free space, where recovery software can still find them.
  7. Once you have selected your recovery method and how much of the disk to encrypt, you will be given one last chance to turn back. Ensure that the right drive is selected, check the “Run BitLocker System Check” box (this reboots once to prove the TPM can actually release the key before any data is encrypted) and click continue to proceed. Note: your PC may reboot during this process.
  8. That is it! You should now see an “Encryption in Progress” status bar showing the completion status of the disk you are encrypting. While the disk is encrypting itself, you will see a Drive Encryption icon in your taskbar; if any problems arise, you will be notified.
  9. Once the encryption has completely finished, you can use your computer as normal: the drive is now protected.
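The same TPM procedure, driven from an elevated PowerShell prompt on Windows 8 Pro instead of the Explorer wizard. This is an added example and not part of the original article; it uses the TrustedPlatformModule cmdlets (Get-Tpm, Initialize-Tpm) and the BitLocker module (Add-BitLockerKeyProtector, Enable-BitLocker, Get-BitLockerVolume) that ship with Windows 8. The backup folder $keyBackup is an assumption: point it at a removable drive, never at the drive being encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): TPM-based BitLocker enablement on Windows 8 Pro.
# $keyBackup is an assumed removable-drive path; change it to suit.

$osDrive   = "C:"
$keyBackup = "E:\BitLockerRecovery"

# 1. Is there a TPM, and is it ready? Get-Tpm errors out when the device is absent,
#    which is the PowerShell equivalent of the wizard's "can't use a Trusted Platform Module".
try { $tpm = Get-Tpm } catch { throw "No TPM found: use the no-TPM procedure instead." }
if (-not $tpm.TpmReady) {
    # Same job as the "TPM Security Hardware" wizard. The firmware may ask you to
    # confirm physical presence on the next boot, so expect a reboot here.
    Initialize-Tpm -AllowClear -AllowPhysicalPresence | Out-Null
    throw "TPM initialized but not ready yet; reboot and run this script again."
}

# 2. Create the emergency recovery password first and save it off the machine
#    (the equivalent of "save the password in a folder", but on another drive).
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Force -Path $keyBackup | Out-Null
@"
Computer:          $env:COMPUTERNAME
Key ID:            $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Set-Content -Path (Join-Path $keyBackup "BitLocker-$env:COMPUTERNAME.txt")

# 3. Turn BitLocker on with the TPM as the boot-time protector. No -UsedSpaceOnly here:
#    this is the "Encrypt entire drive" choice, so old deleted data in free space is
#    covered too. Leaving out -SkipHardwareTest keeps the "Run BitLocker System Check"
#    reboot that proves the TPM can release the key before the disk is encrypted.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -TpmProtector

# 4. Progress after the check reboot: VolumeStatus goes EncryptionInProgress -> FullyEncrypted
#    and ProtectionStatus becomes On once the TPM protector is active.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

The recovery password is created before BitLocker is switched on so that there is never a moment when the drive depends on the TPM alone; if the system check fails, the text file on the removable drive still unlocks it.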

How to Encrypt Systems without TPM Chips

Unfortunately, not all PCs include a built-in TPM chip. If you are running a consumer notebook or Microsoft’s Surface 2, you will find an error message notifying you of the situation; the error message may appear as follows:

“This device can’t use a Trusted Platform Module. Your system administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at startup” policy for OS volumes”

For many people who are their own system administrators, this message can seem a bit daunting, but do not worry – if you really wish to encrypt your system with Microsoft’s BitLocker solution, we will help you out!


We will begin by changing a setting within the Group Policy Object Editor that will allow you to encrypt the system despite not having the (quite wonderful) TPM chip.

  1. To begin, go to your Start Screen, type “gpedit.msc” and hit Enter. Alternatively, press “WINDOWS KEY + R” to bring up a Run dialog and type the command there.
  2. The Local Group Policy Editor will pop up in front of you. The editor is split into two panes: on the left-hand side is a tree of folders (much like you would see in Windows Explorer) and on the right-hand side a window that displays the settings available within the selected folder. NOTE: Please follow all instructions exactly, as making the wrong change can seriously affect your system. If you are unsure of something, ask in the comments below.
  3. In the left-hand tree, expand “Computer Configuration” and select “Administrative Templates”.
  4. On the right-hand side of the editor you should now see a selection of folders: double click “Windows Components”, then double click “BitLocker Drive Encryption”, and finally double click “Operating System Drives”.
  5. You will now see a list of items that look like files; these are in fact settings that a system administrator can alter. Double click the item entitled “Require additional authentication at startup”. Note: there are two settings with this name; do NOT open the one that includes “(Windows Server 2008 and Windows Vista)”.
  6. A dialog box entitled “Require additional authentication at startup” will pop up. Select the “Enabled” radio button (by default “Not Configured” is selected).
  7. The options that were greyed out below should become available. Tick the box that says “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”. Leave all other options as they are and hit “Apply” followed by “OK”. You can now close the policy editor window. Note that this is a local policy; on a domain-joined PC a domain policy that configures the same setting overrides it.

Okay, now that the policy permits BitLocker without a TPM on Windows 8 Pro, it is time to start encrypting that system! Follow the steps below to continue.

  1. Open “This PC” (called “Computer” or “My Computer” in previous versions of Windows).
  2. With the “This PC” Explorer window open, you should see a complete list of your devices and drives. Right click the drive you wish to encrypt (usually the ‘C’ drive).
  3. Now select the “Turn on BitLocker” option. If you were met with an error before, it should be gone now.
  4. You will be asked how you wish to unlock your drive when booting. As the machine cannot keep its key in a TPM chip, you must choose another way: either use a USB flash drive by selecting “Insert a USB flash drive”, or enter a password at boot by selecting “Enter a password”. In this example we select “Enter a password”. Note: if you choose the USB flash drive option, you must have the drive with you every time you boot the PC, and losing it means falling back to the recovery key.
  5. The system will now prompt you to enter a password to unlock the drive. Use a long password containing uppercase and lowercase letters, numbers, symbols and spaces for the highest level of security. This password is all that protects the drive when the machine is off, and nothing limits how many guesses an attacker with the drive can make, so create the strongest one you can. Note: be sure to remember it; if you do not, you will be unable to boot the system without the recovery key.
  6. After you have entered your password you will be given a recovery password to use in emergencies; you can choose to “save to your Microsoft account”, “save the password on a USB drive”, “save the password in a folder”, or “print the password”. We suggest the Microsoft account option, so you are never at risk of losing your recovery key (and, as before, protect that account and do not save the key on the drive you are encrypting). Once your key has been saved, click “Next” to continue.
  7. The next screen will ask whether you wish to “Encrypt used disk space only” or “Encrypt entire drive”; as explained in the TPM section, we suggest the latter for any drive that has already held data.
  8. Once you have selected your recovery method and how much of the disk to encrypt, you will be given one last chance to turn back. Ensure that the right drive is selected, check the “Run BitLocker System Check” box and click continue to proceed. Note: your PC may reboot during this process.
  9. That is it! You should now see an “Encryption in Progress” status bar showing the completion status of the disk you are encrypting. While the disk is encrypting itself, you will see a Drive Encryption icon in your taskbar; if any problems arise, you will be notified.
  10. Once the encryption has completely finished, you can use your computer as normal: the drive is now protected. Simply enter your password at startup (or plug in your flash drive) to boot the system.
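Both no-TPM procedures above (the Group Policy change and the password-protected encryption) in one PowerShell script. This is an added example, not code from the original article. Part 1 writes the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE that the “Require additional authentication at startup” policy sets when you tick “Allow BitLocker without a compatible TPM”; part 2 turns BitLocker on with a boot password, which assumes that policy is in effect (as it is for the wizard’s “Enter a password” choice). The startup-key alternative is shown commented out; “E:” is an assumed USB drive letter.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): policy via registry, then BitLocker with a boot password.

# ---- Part 1: the policy, as the Local Group Policy Editor writes it ----
$fve = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
New-Item -Path $fve -Force | Out-Null
$policy = [ordered]@{
    UseAdvancedStartup = 1   # policy "Enabled"
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM" ticked
    UseTPM             = 2   # the remaining drop-downs left at "Allow ..." (2 = allow)
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -Value $policy[$name] -PropertyType DWord -Force | Out-Null
}
if ((Get-ItemProperty -Path $fve).EnableBDEWithNoTPM -ne 1) { throw "Policy write failed." }

# ---- Part 2: encrypt the OS drive with a password typed at boot ----
$osDrive = "C:"

function Read-ConfirmedPassword {
    # Ask twice and compare, like the wizard does: a typo here means a drive you cannot boot.
    # The plaintext copies exist only for the comparison and are dropped immediately.
    while ($true) {
        $a = Read-Host -AsSecureString "Boot password for $osDrive"
        $b = Read-Host -AsSecureString "Type it again"
        $pa = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($a))
        $pb = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($b))
        $ok = ($pa -ceq $pb) -and ($pa.Length -ge 12)
        $pa = $null; $pb = $null
        if ($ok) { return $a }
        Write-Warning "Passwords differ or are shorter than 12 characters; try again."
    }
}
$bootPw = Read-ConfirmedPassword

# Recovery password first, so it exists before the drive depends on $bootPw.
$rp = (Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector).KeyProtector |
      Where-Object KeyProtectorType -eq "RecoveryPassword"
Write-Host "Recovery key ID $($rp.KeyProtectorId): $($rp.RecoveryPassword)  <- print this or save it off this PC"

Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -PasswordProtector -Password $bootPw
# Startup key on a USB stick instead of a password (the stick must be present at every boot):
# Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -StartupKeyProtector -StartupKeyPath "E:\"

Get-BitLockerVolume -MountPoint $osDrive | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
```

Writing the registry values directly does the same thing as the gpedit.msc steps, but only for the local policy; a domain policy that sets the same values still wins. The twelve-character minimum in Read-ConfirmedPassword is this example’s choice, not a BitLocker requirement.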

Some Questions You May Have

  • How do I disable BitLocker? Right click the encrypted drive in the “This PC” Explorer window, select “Turn off BitLocker Drive Encryption”, then select “Disable BitLocker Drive Encryption” from the dialog box that appears. The drive is decrypted in place, which takes roughly as long as the encryption did.
  • I forgot my password, how can I access my machine? Boot the encrypted machine and the “BitLocker Drive Encryption Recovery Console” will appear, showing a key identifier; retrieve the matching recovery key by whichever method you chose above and type it in to access the system. Once you are in, set a new boot password and, since the recovery key has now been typed in the open, generate a fresh one.
  • If I am using an external backup drive, should I continue using it? If you back up your data to an unencrypted drive, you might as well never have encrypted your PC. We suggest either keeping the backup drive in a safe unless it is needed, or using BitLocker to encrypt the external drive too (the same right-click option appears on removable drives; Microsoft calls this BitLocker To Go).
  • How do I change the encryption type of BitLocker? Use the Group Policy Editor as before, but this time open “Choose drive encryption method and cipher strength” and select the method you want. The setting only applies to drives encrypted after the change; an already-encrypted drive keeps its method until it is decrypted and re-encrypted.
  • What about TrueCrypt? TrueCrypt is a great alternative to Microsoft’s BitLocker, and you can check it out on the TrueCrypt site. We chose BitLocker as our encryption method for two reasons: it is the official solution provided by Microsoft, and it is integrated into the Windows operating system.
  • I have additional questions, what can I do? You can start by performing a Bing search to see if your question has already been answered. Alternatively, you can comment below, ask in our Windows 8 forum, or send me a personal question via Twitter (@Marcham93).
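The questions above handled from PowerShell, as an added example that is not part of the original article: turning BitLocker off, encrypting the external backup drive with BitLocker To Go, and two things Explorer’s right-click menu does not offer: re-locking an external drive without a reboot, and suspending protection before a firmware or boot-loader change so the TPM does not throw you into the recovery console at the next boot. The function names and drive letters are this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): day-to-day BitLocker management on Windows 8 Pro.

function Show-BitLockerState {
    # One line per volume: state, progress and which protectors can unlock it.
    Get-BitLockerVolume | ForEach-Object {
        $types = ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ","
        "{0,-3} {1,-20} {2,3}% protection={3,-3} protectors=[{4}]" -f
            $_.MountPoint, $_.VolumeStatus, $_.EncryptionPercentage, $_.ProtectionStatus, $types
    }
}

function Protect-BackupDrive {
    # BitLocker To Go on the external backup disk: a password protector for daily use plus a
    # recovery password in case it is forgotten. Either one opens the drive on any other
    # Windows 8 Pro PC, which is exactly why an unencrypted backup undoes the OS-drive work.
    param([Parameter(Mandatory)][string]$MountPoint)   # e.g. "F:"
    $pw = Read-Host -AsSecureString "Password for $MountPoint"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -PasswordProtector -Password $pw | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq "RecoveryPassword"
    Write-Warning "Recovery password for $MountPoint (store it away from the drive): $($rp.RecoveryPassword)"
}

function Lock-BackupDrive {
    # Re-lock once the backup job has finished; Explorer only offers unlock. -ForceDismount
    # closes open handles, so make sure nothing is still writing to the drive.
    param([Parameter(Mandatory)][string]$MountPoint)
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount
}

function Suspend-ForFirmwareUpdate {
    # A BIOS/UEFI update or a boot-loader change (dual-boot installs included) alters the
    # measurements the TPM sealed the key to, and the next boot lands in the recovery console.
    # Suspending leaves the disk encrypted but stores the key in the clear for the next
    # $Reboots restarts; protection resumes automatically afterwards.
    param([string]$MountPoint = "C:", [int]$Reboots = 1)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $Reboots
}

function Remove-BitLockerFromDrive {
    # "Turn off BitLocker": decrypts in place, after which the protectors are removed. Slow,
    # and it leaves the data in the clear, so it asks for an explicit YES first.
    param([Parameter(Mandatory)][string]$MountPoint)
    if ((Read-Host "Decrypt $MountPoint completely? Type YES to continue") -cne "YES") { return }
    Disable-BitLocker -MountPoint $MountPoint
}

Show-BitLockerState
```

Run Suspend-ForFirmwareUpdate before a BIOS update or before installing a second operating system, then check with Show-BitLockerState that protection is back on after the reboot; a drive that stays suspended is an encrypted drive whose key anyone can read.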

We hope you enjoyed this article on encrypting your personal data. Securing your drive and information is the first step towards a more secure future. Remember though, if you take your files outside of the system by placing them on an unencrypted backup, unsecured cloud service, or unencrypted USB flash drive – you are not safe.

DISCLAIMER: Like all security systems, if there is a will there is a way in. While BitLocker is an extremely secure method of protecting your data at rest, there are published attacks (as with all systems) that an experienced attacker might use to get at the data; they generally need the machine to be running or asleep, or rely on a weak boot password, rather than breaking the cipher itself.

Do you encrypt your personal drive – do you use Microsoft’s BitLocker solution?

Reader comments

78 Comments

Maybe we should give this smartphone crap up for a few days... That would be good for us....... Until Build of course...

I'm always on the road and my phone keeps me connected to my wife, family, & friends oh and WPC ;)
As for F1 the technology that's implemented is amazing. Some people get mad at changes in the sporting reg. but that's what pushes the teams to innovate even more.

"Unfortunately, not all PCs manufactured include built in TPM chips. If you are running a consumer notebook or Microsoft’s Surface 2 – then you will find an error message notifying you of the scenario"

The Surface 2 most certainly does have a TPM built in.  Also, all Windows RT devices (all connected standby devices for that matter) automatically encrypt the device as soon as you log into a Microsoft account (aka, once the recovery key is backed up to the cloud).  Still though, good article for anyone who doesn't know about Bitlocker.

Hi!

The Surface 2 does not contain a TPM chip as it is an enterprise feature only available in the Surface Pro series; you can explore the specs using the following links to see for yourself.

http://www.microsoft.com/surface/en-us/support/surface-2-specs

http://www.microsoft.com/surface/en-us/support/surface-pro-2-specs

I also confirmed this fact with Microsoft.

-Mike

I admit that I no longer own a Surface RT and never had a Surface 2 to check myself (though it should be fairly easy for anyone to check in Device Manager under Security Devices), but I'm pretty sure Microsoft is giving you incorrect information here (most likely due to the fact that on Windows RT, the end-user can't change any settings for it like on Pro).  A TPM (and v2.0 for that matter) is written into the platform requirements to enable Connected Standby (the extremely nitty-gritty documents for which are located at http://msdn.microsoft.com/en-us/library/windows/hardware/dn423132.aspx ).
 

Either way, my point still stands about always-on Device Encryption on Windows RT devices.  They don't call it Bitlocker because it technically doesn't support all of the Bitlocker features (like the PIN method), but it's based on the same technology.

I have a msg from MS saying the S2 does in fact have a TPM chip. This should be easy to verify right on an S2?

One of the best (if not the best) desktop case ever created though.

I'd gladly pay 300€ or more for a ATX/ITX compatible one.

I've not looked into it myself but I've heard truecrypt full disk encryption doesn't work with the 8 boot loader.

That said, my experiences with bitlocker are *miserable*. If windows doesn't shut down properly (basically once a week) then buttlicker FORCES you to enter your recovery key, and then FORCES you to run windows restore, which can and will create problems where there were none. It knows if you tried to cancel at any point, and windows will not boot until you've run through the various unnecessary hoops.

So if your computer ever hangs to the point where you just pull the plug, if the battery ever dies while in use or while it's sleeping, if windows update didn't quite reboot right (that one is a real bitch with the combination of bitlocker restore cocking things up more), you're going to have to dedicate 20min to fixing it. As a student, this is just unacceptable- more than two times now I've shown up to class and opened my laptop to this and I can't afford to not pay attention.

dm-crypt for Linux has none of these problems. If you shut down improperly, it runs a quick disk check for all of three seconds and proceeds as normal.

1.  What is wrong with your PC that it's not shutting down properly THAT often?

2.  The only time I've ever had to put in a recovery key was when I was trying to dual-boot without suspending Bitlocker, and that includes the occasional hard power off.

3.  No, it does not force you to restore.  You put in your recovery key and you're fine.

There must be something unusual going on with your PC because none of what you describe is normal.  I recently had one of my Windows PCs that had a failing hard drive and it was freezing daily which resulted in the blue screen of death each time.  This went on for weeks and each time I was able to simply restart my PC with no problems from BitLocker or Windows.  The hard drive was eventually replaced.

Link68759, unencrypt your drive and then re-encrypt the drive. The problems you are having are not normal and I have had to re-encrypt the drives for several users I support because they have had some of the same problems.

Thanks, I'm happy to hear that the "recovery after every unclean shutdown" is not by design. I decrypted and re-encrypted... Now I wait and see.

I want to know... I have Bitlocker turned on with my surface pro 2 but I usually use truecrypt with most of my other PCs... Is it safe to have both turned on or should I turn off bitlocker and install truecrypt? I like that truecrypt asks for a password prior to boot so I'd like that on my surface as I use it for business...

Not sure about both at the same time, but for what it's worth there is a way to enable both a simultaneous PIN and TPM requirement for Bitlocker, but that's getting into slightly more complicated stuff that also involves the command line.

Now that I look at it, Jhoff80 was right, there are some command line tasks involved.  It's in those instructions though so you already have what you need.  For what it's worth, I didn't do the command line part when I configured my PC at work and it still prompts for the startup PIN.

As jhoff80 mentioned, you can have BitLocker ask for a password prior to boot (although it really is not necessary if you have a Windows password at login). You can perform a Bing search to check it out - if you have any questions you can shoot them my way.

I do not recommend having two drive encryption services running - use only one.

Thanks for this. I'm going to look into the startup pin as that's what I miss most. I'd rather have two passwords for extra security. In regard to both pieces of encryption software, it was because I thought truecrypt did not work with W8 bootloaders on Surface thus I opted for bitlocker. TrueCrypt is my choice. Thanks, if I have further q's I'll send them your way.

Can you encrypt only external drives? Not needed for system drive? Also, can you encrypt in one computer and read in another computer with the key?

Yes to external drives, portable HDDs, USB sticks, SD Cards... All can be bitlocked. Yes, when you put an encrypted drive in another computer it will ask for the key before it can be accessed.

Yes, you can encrypt removable drives including USB flash drives and eSATA hard drives using "BitLocker To Go" which is supported in Windows 7 or higher if I'm not mistaken.  The system drive does not have to be encrypted.  When you insert the drive, Windows will prompt you for the password.  The only downside is that older Windows and non-Windows computers will not be able to read the drive since they don't support BitLocker, but for me that isn't an issue as all my computers (both home and work) are running Windows 8.1 Pro.  All of my internal and external drives are encrypted with BitLocker except my master backup drive which lives in a fireproof safe.

Yes, insert the external drive you wish to encrypt and then right click and select the BitLocker option; it will have you setup a password. When you attempt to use the drive on another Windows PC - it will prompt you for the key before decrypting.

Thank you all for the response. I will look into this further with my setup. Hopefully, I have the pro edition, else I will seek out truecrypt

The bastages changed the pic. It was a pulled out shot with Thinkpad written across the bottom right corner.

But it says T4xxs right to the screen in the picture, and it doesn't look like the yoga pro. I was about to say X240 but it looks like T440.

Oh! There are two Lenovo products in this article, ha. The first image at the top is a picture of the YOGA 2 Pro. The lower picture is a ThinkPad - the T431s. :)

didn't notice the two PCs. sorry for the confusion. I was interested in the 1st one. thank you for clarifying for me :))

Eurocom also offers TPM in their gaming line of laptops (optionally) besides their other laptops. & also has fingerprint readers as a standard feature

Excellent article!  I am particularly glad to see the warning early on about following the directions properly.  Messing around with BitLocker when you don't know what you're doing is exceedingly dangerous.  I learned the hard way. ;)

As others have mentioned above, when it works correctly, it's amazing.  But when something goes wrong, at best it's very annoying.  At worst, it's a nightmare!

Read the instructions!!!!   Be especially careful when you have multiple partitions!!!

"While a normally corrupted PC can be booted up into a Linux variant and the data recovered with software "

 

Really?  There has been NO NEED to use a Linux variant for data recovery.  This is an insane hold over from the 1990s when the NT 4.0 boot environment was limited. This has FURTHER become even more insane with revisions to the PE introduced with Vista.  If you or anyone you know is using Linux for data recovery, you are 1) wasting your time and 2) potentially damaging your data.

 

Stop telling people to use freaking Linux, this is not 1996, nor even 2005.

 

what do you recommend to recover data from a corrupt OS installation. (where is the question mark on surface keyboard :()

 

I personally find Linux quite effective, in particular Parted Magic and Kali Linux.

I never had a problem with Vista. Up until last November before my Vista computer broke down after a solid 7 years I then upgraded to Windows 8 pro. I guess its all about what you know and what you choose to learn about what you don't know.

Won't password only encryption kill performance? I thought the TPM chip helped process encryption at full speed (~65MBps)

One thing to point out is that your system doesnt need to have a TPM chip to enable Bitlocker.

If a hard drive is encrypted using Bitlocker, removed from the originating system and installed into another computer the drive itself cannot be accessed but it can be formatted.

Without even clicking those links, I can tell by the headlines any valid information that may have accidentally made its way in there is woefully taken out of context.
This is what we call sensationalism and scare tactics. Aka, shitty reporting.

Go do some actual research, and use unbiased sources.

How about these links:

http://www.theverge.com/2014/3/20/5530630/hacked-invoices-show-how-much-microsoft-charges-the-fbi-for-customer-information

http://techcrunch.com/2014/03/20/microsoft-read-a-bloggers-personal-email-and-ims-court-docs-reveal/

Even it is very clear that you are not interested in the truth or facts. Otherwise you could have just googled "microsoft fbi" and "microsoft blogger email" and used any sources you consider unbiased. There are plenty of options and guess what, you will find the same facts everywhere.  

Both of those articles are regarding actions taken in conjunction with criminal investigations, and both are completely legal.  I'm really not sure what the big issue is here. If you don't want you data accessed or any information accessed, don't be the subject of a criminal investigation.  It truly is that simple.  It's not like someone at Microsoft is willy nilly looking through people's emails.  And it's not like a random FBI agent is just passing someone at Microsoft a cool benji or two and asking for Bobby McTurdypants' account information.

Also, why so taken aback by full disk encryption?

First thing I did when I got my Surface Pro 2: activated BitLocker.

I turned it on, selected for it to encrypt my entire drive, and BAM. In thirty seconds, I was secured. Immediately backed up my security key to my Microsoft Account and that was it. Haven't needed to worry since.

Made things really easy to do it out of the gate. Meant no risk of data loss, made the encryption really fast and ensures that I'm protected going forward. Now should anything happen to my precious Surface, I can at least rest assured my data is safe.

However, hearing that OneDrive isn't encrypted bothers me... Microsoft: could we at least have it as an optional feature? Granted, I don't really have anything top secret, and I'm only 16: so hackers would only really find vacation photos and homework assignments if they hacked my Surface/OneDrive. Nonetheless, I appreciate the notion of privacy (something that seems lost amongst my peers, the Sharing Generation), and also highly value security.

As such: if I want to keep my homework assignments out of the hands of the NSA, then let me damnit!

I've been using Bitlocker on internal and external drives for a couple of years now. A while ago, I bought an SSD for use as a system drive, while all data is on an encrypted secondary HD. The data drive is backed up to an encrypted external drive weekly. I had a drive crash a few years ago and lost my entire music collection, which I'd ripped from my CDs (about 500 of them). I'm all about backups now and having all the data secure is a nice plus. Really nice article, Michael.

I use Bitlocker to encrypt sensitive files on external hard drives. My biggest pet peeve with Bitlocker is that it's not easy to re-lock a drive without shutting down the computer. There is a workaround where you can use the Command Prompt to re-lock the drive, but why in the heck don't they have the same right-click context menu option to re-lock the drive that they have to un-lock the drive?

FWIW, I've been using BL since the Vista days and currently have it enabled on my G1 Surface Pro with TPM + Startup PIN option working perfectly. I also use BL2GO for all of my external drives with no issues. If you do go through with this, be sure to select the option to save recovery key information to OneDrive - this was a lifesaver for me with an external USB drive. As for using this at work, we're getting ready to roll it out to all company-issued W7 laptops in the next couple weeks at the completion of a pilot. Exciting times ahead!

Thanks for the informative article.

But was the disclaimer really necessary? I guess by now everyone in the tech world knows the NSA probably has backdoors through every encryption program ever made or will be made...which will eventually be leaked, exploited by hackers and then closely followed by an embarrassed PR statement and security patches.

So much for security...

I've encountered issues with BitLocker randomly asking me to input the key on my Surface 2 (RT) - it seems to happen when updates are installed and the device is rebooted. It's only happened twice, but it's a PITA to have to go and login to the MS site for a key from a phone. Just an FYI - keep the key handy in case this happens to you too.

The fact that you need to make a huge guide on how to encrypt a hard drive on W8 shows how poorly designed the system is for non-business uses.

The average user just won't go through all that, therefore the average Win laptop is not secure.