How to Enable BitLocker Device Encryption with TPM [Data Theft Protection]

by

For TL;DR folks Here is a Gide to How to Enable BitLocker for Data Theft Protection:

What is BitLocker in Microsoft Windows OS?

In simple words, BitLocker is Microsofts own Data encryption tool it is available from Windows Vista. BitLocker has a full drive encryption option to protect data from unauthorized users. It can only protect data when you lost or your pc/laptop/hard drive stolen.

Note: Once you power on your device and enter the BitLocker encryption password it cannot protect data.
BitLocker uses the AES encryption algorithm in cipher block chaining (CBC) or XTS mode by default with a 128-bit/256-bit key. Cipher block chaining is not used when you encrypt the whole disk, it is applied to the only each individual sector.
Side note: BitLocker was designed to protect information on devices such as PCs, Laptops, Desktops, and hard drives when that device lost or stolen.
BitLocker is compatible with TPM (Trusted Platform Module). This only Available on limited editions of Windows OS such as:

Availability of BitLocker on Windows:

  • Ultimate and Enterprise editions of Windows Vista and Windows 7
  • Pro and Enterprise editions of Windows 8 and 8.1
  • Pro, Enterprise, and Education editions of Windows 10.
  • Windows Server 2008 and later.

In Windows 7 and Windows Server 2008, R2 has added the ability to encrypt removable drives too. In addition to this BitLocker can manage through Windows Powershell too.

How to Enable BitLocker Encryption:

Enabling BitLocker is very simple if, you just need to follow the below-mentioned step by step guide:

Right click on drive and select turn on BitLocker

To enable BitLocker Right-click on the disk drive and select Turn on BitLocker, now you will get another window to Choose how to unlock your drive at startup. See the below image for more information.

Choose how to unlock your drive at startup

Here will get two ways to unlock your drive at startup.

  1. Insert a USB flash drive (USB Device Unlocking method).
  2. Enter a password (Password Method).

We have chosen the password method by selecting to enter a password. Now you need to enter the password.

Note: The password must be strong that uses uppercase, lowercase letters, numbers, symbols, and spaces.
After entering the password you will get options to back up the recovery key. See the below image for more information.How do you want to back up your recovery key

You can save your recovery key directly to Microsoft Account, USB flash drive, safe to fine and even you can print it. This backup` recovery key very important, if you forget the BitLocker password this will help you to reset the old password. Now you have to choose how much of your drive encrypt?choose how much of your drive encrypt

Here you will get two options to choose:
  1. Encrypt used disk space only (faster and best for new PCs and drives)
  2. Encrypt entire drive (slower but best for PCs and drives already in use)

I have selected the 2nd option to encrypt the entire drive. Now you need to Choose which encryption mode to use?

Choose which encryption mode to use

Here you will get again 2 options:

  1. New encryption mode (best for fixed drives on this device)
  2. Compatible mode (best for drivers that can be moved from this device)

Here I have selected 1st option because im encrypting my internal drive. Now BitLocker will ask you to are you ready to encrypt this drive?Are you ready to encrypt this drive

Now Click on continue, it will ask for a restart. Select restart now you need to enter the password while startup. see the below image for more information.

Enter Your BitLocker password on startup

Here you need to enter the BitLocker password to unlock the drive which you have encrypted.

Enable BitLocker for Operating System Drives:

By default, you cannot encrypt Operating System Drives. You need to do small changes in your group policy editor.

  • Open Run command prompt
  • Type gpedit.msc
  • and press enter.

BitLocker for C Drive Required additional authenticaton at startup

Go to: Group Policy Editor > Computer Configuration > Administrative Tools > Windows Components > BitLocker Drive Encryption > Operating System Drive > BitLocker for C Drive Required additional authentication at startup. 

Open properties of BitLocker for C Drive Required additional authentication at startup by double-clicking. Now you will get another window, see the below image for more details.

enable additional authentication at startup for bit locker

By default, the not configured option is selected. You just need to not configured to enable. Now you can encrypt Operating System Drive also.

What is BitLocker Recovery Key:

We have saved Recovery Key in PDF file, you may see in the below image. BitLocker Drive Encryption recovery key contains the Identifier and Recovery key, these two will help you in recovering the BitLocker password when you forget the password.

What is Bitlocker Recovery Key

What is Trusted Platform Module:

TPM is an international standard for a secure cryptoprocessor that is installed on the mainboard of your computer. It is a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

Note: If you want to enable BitLocker for Home editions of Windows Operating systems? You need a TMP (Trusted Platform Module).

Thanks for reading keep sharing, follow us on Facebook and Twitter for more latest updates from techlurn. Let us know your opinions in the comments section.

Also Read:

Leave a Comment