Skip to main content

Beginner's guide to Windows 10 encryption

In order to add a layer of protection to the sensitive data on your PC, you might want to encrypt it. Encryption essentially means that you're turning data into something unreadable without proper authentication.

Encrypting a drive or a folder or a file generally means you have a single password that must be used in order to decrypt and access. Not only does this stop outside parties from hacking their way into your files, it also protects in the event that you forget your PC somewhere or, worst case, it's stolen.

There are two encryption methods built into Pro, Enterprise, and Education versions of Windows 10. For everyone else, there's a third way to encrypt your data. Let's take a look at how all three work to help you choose which encryption method is best for you.

Encrypting File System

Encrypting File System (EFS) is a file encryption service in Windows 10 Pro, Enterprise, and Education editions. It's very easy to use, often requiring just a couple of clicks to encrypt a file or folder. When the user who encrypted the files is logged in, the files are accessible. If another user is logged in, the files are inaccessible. For that reason, you want to choose a strong password for the account on your PC.

Compared to BitLocker whole-drive encryption, EFS isn't quite as secure. Windows itself creates the encryption key, and it is saved locally. The key is also protected with encryption, but it's not the same level of security you'd find with a Trusted Module Platform (TPM) chip.

Despite the steps taken to protect EFS keys, someone with the time and means could eventually decipher the key. A user might also forget to manually encrypt a sensitive file, further leaving it open to snooping. Finally, since the entire drive is not encrypted, there's a chance of data leaking into temporary files where it could potentially be accessed.

EFS is best viewed as a quick way to protect files and folders on a PC with multiple users. Not even administrators have access to the encrypted files, and, if your password was changed without your knowledge, your encrypted files would remain encrypted.

BitLocker

BitLocker is another drive encryption feature special to Windows Pro, Enterprise, and Education. While it's generally recommended that the PC has a Trusted Platform Module (TPM) chip, there is a way you can turn on BitLocker without.

A TPM chip is a special bit of hardware added to your motherboard that is used to hold bits of encryption keys. TPM chips are designed to sniff out unauthorized or tampering users quickly, in which case the chip will not give up the part of the decryption key it's holding.

Rather than choosing single files and folders for encryption, BitLocker encrypts your entire drive. No matter the user logged in, the drive remains encrypted. Any new files you create will fall under the same layer of protection, so there's no chance you'll forget to encrypt a sensitive file. To unlock a drive that's protected with BitLocker, you can either enter a password or you can set up a USB drive that, when inserted, unlocks the PC.

How to use BitLocker Drive Encryption on Windows 10

Third-party encryption software

Until EFS and BitLocker become available in Windows 10 Home (any time now, Microsoft), there are numerous third-party encryption programs that can fill the void.

These programs differ in what they can protect. Some will encrypt whole drives, just like BitLocker, while others will encrypt files and folders, just like EFS. The best encryption software also usually comes with a bunch of extra features, like file shredders, cloud storage, and password managers.

The best encryption software also lets you set a master password that is only saved where you choose. That means that you can write it down, save it to a USB drive, or keep it in your head. Without the password, your files will remain encrypted forever. Software-based encryption is open to certain attacks, but in most cases, encryption is still better than no encryption.

See the best third-party encryption software

More resources

Cale Hunt
Cale Hunt

Cale Hunt is a Senior Editor at Windows Central. He focuses mainly on laptop reviews, news, and accessory coverage. He is an avid PC gamer and multi-platform user, and spends most of his time either tinkering with or writing about tech.

17 Comments
  • While I do enjoy the convenience of using BitLocker with a TPM, I opted not to put the TPM on my motherboard and carry a USB key with me. This way, even someone with physical access to my PC can't even boot it to the Windows login screen without the key, whereas the TPM would usually still allow booting. I think you can secure the TPM with a PIN, maybe.
  • I generally don't recommend software-based encryption because it bloody slow, even on SSD. Using EFS is the exception because it gives you fine grain file/folder level control. I usually recommend a SED SSD. These are more expensive due to higher over-provisioning than normal SSD, but is needed due to data being harder to compress after encryption. All SED I know of works with Secure Boot/TPM/BitLocker out of the box in Windows 10 now, including Win 10 Home Edition. The key feature is speed, because the encryption happens on the SED SSD's controller with almost no performance loss. Even with AVX, software-based AES-256 is much slower than a hardware solution.
  • "I generally don't recommend software-based encryption because it bloody slow, even on SSD." Benchmarks may show a 5% to 20% performance hit, but, these are typically benchmarks on older hardware. With SSDs the percentage time spent waiting for disk I/O is minimal so a benchmark performance hit doesn't translate into a real-world hit. If all you're doing is playing games or running Photoshop, sure, don't bother encrypting your drive (Photoshop thrashes drives). But, if you store any sensitive files or save any passwords in your browser encryption is a modern must--even if those sensistive files are psd :). Encryption prevents data thieves from accessing your files if they walk off with your device.
  • Dude, I work in the insurance industry. EVERYTHING must be encrypted. I've been using FDE or SED since 2007 more or less. I've tested software and hardware solutions since 2010 because software-based FDE is WAY too slow.   And yes, I've seen colleagues who has a Core i7 Surface Pro 3 being forced to run McAfee software-based FDE, which is ridiculous since Hardware-based BitLocker is ON by default in Surface devices since way back.   No, I don't use benchmarks. I use a stopwatch to time Windows boot-up, IE11 startup time, our Enterprise program startup time etc. Here are some real-world figure, on Intel CPU without AVX support, bootup time is 4 times longer. Resume from Hibernation time is also 4x longer but if you have 8GB RAM, resume from HIbernation can take 4-5 minutes on a WD Black 7200RPM laptop HDD (no hardware encryption support). On the SAME laptop (Fujitsu T2415), a Kingston V series SSD from 2012 or so, bootup is just 10 sec with encryption on (WinXP).   On the Surface Pro 3, McAfee encryption causes a Core i7 (with AVX) machine to boot up in 1.2 minute. Resume from Hibernation (8GB RAM) is around 2 minutes. This is to the password login page, NOT desktop. In contrast, a normal BitLocker enabled Surface Pro 3 loads up in 10+sec, ignoring UEFI BIOS bootup. Resume from Hibernation takes a bit longer at 20sec or so. The Surface Pro 3 has a Samsung EVO 830-generation SSD IIRC, which can saturate SATA-2.   Oh, I just refreshed the Samsung SSD on a SP3 last week and installed Creator Update, that SP3 with Bitlocker on boots up in less than 5 sec. ;)   So yah, I do stand by my statement that software-based FDE is NOT the way. Hardware-based solutions is the way forward and has been for the past 3 years with most eMMC 4.x and SSD controllers supporting encryption in silicon. I have a Dell Venue 8 Pro and an Asus Vivotab 8. Both have hardware-based eMMC solutions which works really well. 
  • @Eric Tay You've got a lot of acronyms in there so perhaps you can dumb it down for those of us who don't have the time to research them. My tl;dr for your post is that you're comparing Bitlocker to McAfee. AFAIK Bitlocker is software-based encryption. All I got from skimming your post is that you're complaining about McAfee. McAfee makes horrible anti-virus so I can't imagine that their encryption software is any good either. So, my reading of things is that you compared two software implementations. I've compared my computers before and after Bitlocker was turned on (no doubt software-based because they run older Toshiba SSDs) and there's no perceptable difference. Certainly not a 4 times longer bootup time.
  • OK OK. I don't do tl;dr. Don't skim my post bro.   I'm comparing software-based full disk encryption (FDE) to hardware-based solutions. BitLocker, McAfee, TrueCrypt, VeraCrypt are ALL software-based solution. It does not matter which vendor you choose for your software-based encryption, they are all slow.   If you switch on Bitlocker for a SSD that supports hardware-based full disk encryption, well obviously there is no difference! :) Bitlocker is integrated in Windows and supports hardware-based solution and doesn't use the slow software-based approach, unlike Mcafee, TrueCrypt and VeraCrypt.   On the software-side, BitLocker, Truecrypt and Veracrypt also supports new Intel CPU instructions like AVX, which is a set of AES128/256 instructions that is much faster than using INT64 (64-bit integer registers) to do AES encryption & decryption. Got it? Any headache yet? :D
  • You forgot Wannacry.
  • Device Encryption for WIndows 10 Home You missed (Bitlocker) Device Encryption. It's baked into Windows 10 (all versions), as long as your device supports both InstantGo and TPM (which most modern devices do). In case you need Microsoft's own instructions on how to turn it on: https://support.microsoft.com/en-ca/help/4028713/windows-turn-on-device-.... In fact, Microsoft's instructions are slightly out-of-date (despite an August 11, 2017 update date) and can be simplified. Go to "Change device encryption settings" (which is in the About section of the Settings application) and scroll down. If your device supports Device Encryption it is right there. Click "Turn on". Your own website includes (outdated) Device Encryption activation instructions: https://www.windowscentral.com/how-enable-device-encryption-windows-10-m... PS I compared two of my Home vs. Pro computers and there's a distinct difference in the Control Panel. On Windows 10 Home the control panel is called "Device Encryption" and on Home all I can do is "Back up your recovery key"; while, on Pro it's called "Bitlocker Device Encryption" and I can also Suspend Protection and Turn off Bitlocker. Additionally, the Pro version also has "See Also" links to the TPM Admininstration interface and to Disk Management.
  • Did they really? Maybe you should read to the end...
  • @Tre916: can you clarify? Without context your comment makes no sense.
  • Bitlocker. I'm pretty sure there's a whole section on bitlocker in the article.
  • Bitlocker is a Windows Pro technology. This article by WindowsCentral lists no Microsoft-provided encryption option for Windows 10 Home while there is one for eligible devices. Granted, it's not universal to Home since it requires your device to support TPM and InstantGo but for those devices that are supported, it's there and it's seamless.
  • Bitlocker is a Windows Pro feature. This article by WindowsCentral lists no Microsoft-provided encyrption option for Windows Home, but, Microsoft does provide such a feature for devices that sport InstantGo and TPM. Of course, that is not a universal option for Home users but it is there for that subset that have those features on their device.
  • Using Windows 10 Home here, I don't see any "Change device encryption settings" from typing it at the Start menu, nor do I see an About section on the Settings app.  Since I cannot even get to the section that it's supposed to be, am I to assume that my two year old Dell XPS simply doesn't have the right hardware features to access this (InstantGo and/or TPM) or am I just looking in the wrong place?  This is the first I've ever heard there was any disk encryption baked into Windows 10 Home. At the present time, I don't think I'm going to the right place to even look for this feature.  
  • What model of XPS is it? I'd be surprised if a two year old "performance" machine did not support TPM, but, I suppose InstantGo is a different story since the XPS is focussed on brute force rather than convenience.
  • Re: About.  Windows Settings application > System > About This gets you to the About screen. What's interesting is I'm now on a third device (Windows 10 Pro, home built rig) running 1703 (Creators Update) as well and I don't se the "Change device encryption settings". All I see is "Related settings" on the side where it says Bitlocker. In my case I've got BitLocker turned off on this computer. The difference could be that the other two devices I looked at were Dell and HP laptop or tablet while this is a desktop. My motherboard does not sport TPM (and, I'm also 99% sure it doesn't support InstantGo).
  • This is an XPS 8700 desktop. So I suppose Dell (and maybe HP) decided it didn't need those features on desktops.