When you store sensitive data on your laptop, it’s crucial that you take the necessary steps to protect that data. This is especially true for corporate business people who travel frequently with important documents. The goal is to prevent your private corporate data from falling into the wrong hands.
You can protect your data by using encryption, a method of making readable information unrecognizable to unauthorized users. When you encrypt your information, it remains usable even when you share it with other users. In other words, only you, with the right encryption key, can make the data readable again. BitLocker is a tool built into Windows 10 that lets you encrypt an entire hard drive or a removable device such as a USB flash drive to prevent prying eyes from snooping into your sensitive data.
In this step-by-step guide, we will walk you through setting up BitLocker on a Windows 10 PC to make sure your sensitive data stays secure.
Outline of this post:
- What is BitLocker?
- BitLocker system requirements
- Check if your Windows 10 PC has a TPM chip
- Check if your computer has TPM hardware that is disabled
- How to turn on BitLocker without TPM
- Set up BitLocker on Windows 10
What is BitLocker?
BitLocker is Microsoft’s easy-to-use, proprietary encryption program for Windows that can encrypt your entire drive as well as help protect against unauthorized changes to your system.
What are the minimum system requirements for BitLocker
- BitLocker drive encryption is available only on Windows 10 Pro and Windows 10 Enterprise.
- For best results your computer must be equipped with a Trusted Platform Module (TPM) chip.
- A storage drive with at least two partitions.
- Additionally, the hard drive partitions must be formatted with the NTFS file system.
“TPM is a special microchip that enables your device to support advanced security features. You can use BitLocker without a TPM chip by using software-based encryption.”
A TPM (Trusted Platform Module) is normally soldered to the motherboard on most new PCs. It provides a tamper-resistant way to store encryption keys on a Windows 10 PC. Here is how to check whether your Windows 10 PC has a TPM chip or whether it is absent from your computer’s motherboard.
How to check if your Windows 10 PC has a TPM chip
Method #1: By using Device Manager
Step 1: Press Windows key + R to open the Run dialog window. Type devmgmt.msc into it and click OK.
Step 2: This opens Device Manager. Expand Security devices. If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.
Method #2: By using the TPM management tool
Step 1: Press Windows key + R to open the Run dialog window. Type tpm.msc into it and click OK.
Step 2: This opens the built-in utility, Trusted Platform Module (TPM) Management. If you see a message at the bottom right corner of the window informing you which TPM specification version your chip supports, then your PC does have a TPM.
If you see a “Compatible TPM cannot be found” message instead, your Windows 10 PC does not have a TPM or it’s turned off in the BIOS/UEFI.
How to check if your computer has TPM hardware that is disabled
If you are unable to find any TPM on your Windows 10 PC using the above methods, it’s possible that the TPM is disabled in the BIOS/UEFI firmware. Here are the instructions to check:
Step 1: Restart your Windows 10 PC. Press the hotkey (usually F2 or Delete) to enter the BIOS.
Step 2: Once in the BIOS, locate the section that configures Security. In the Security section, locate the TPM option.
If there is no such setting, your computer probably doesn’t have a TPM chip.
Step 3: Select the TPM On checkbox to switch on the TPM. After switching the TPM on, select the option to Enable the TPM.
Step 4: Now that the TPM has been activated, save the changes and exit from the BIOS.
Alternatively, you can check your PC manufacturer’s support website to find out whether your device includes a TPM chip, and for instructions to enable the TPM chip in the BIOS.
How to ensure you can turn on BitLocker without TPM
If your Windows 10 PC doesn’t include a Trusted Platform Module (TPM) chip, you won’t be able to turn on BitLocker with the default settings. In that case, you can still use BitLocker encryption, but you will need to use the Local Group Policy Editor to enable additional authentication at startup. Follow these steps to enable it:
Step 1: Press Windows key + R to open the Run dialog window. Type gpedit.msc into it and click OK.
Step 2: Under Computer Configuration, expand Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives. On the right side, double click Require additional authentication at startup.
Step 3: Select Enabled. Make sure to check the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) option. Click the OK button to complete this process.
How to set up BitLocker on Windows 10
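The requirements and checks covered so far (edition, TPM, NTFS, partition count, and the no-TPM policy) can be gathered in one read-only script. This is an added example, not part of the original article; the function name is hypothetical, and it assumes the policy from Step 3 is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under the FVE policy key.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Read-only: it changes nothing.

function Test-BitLockerReadiness {   # hypothetical helper name
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $tpm = Get-Tpm   # TpmPresent is False if no chip is found or it is off in BIOS/UEFI

    # Specification version, the same value tpm.msc shows. Empty when no TPM is visible.
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # "Require additional authentication at startup" is stored under this policy key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
        -ErrorAction SilentlyContinue
    $noTpmAllowed = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)

    # System drive: file system and number of partitions on the same disk.
    $letter     = $env:SystemDrive.Substring(0, 1)
    $volume     = Get-Volume -DriveLetter $letter
    $diskNumber = (Get-Partition -DriveLetter $letter).DiskNumber
    $partitions = @(Get-Partition -DiskNumber $diskNumber).Count

    $editionOk = $os.Caption -match 'Pro|Enterprise'
    $diskOk    = ($volume.FileSystem -eq 'NTFS') -and ($partitions -ge 2)
    $unlockOk  = $tpm.TpmReady -or $noTpmAllowed

    [pscustomobject]@{
        Edition           = $os.Caption
        EditionSupported  = $editionOk
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        TpmSpecVersion    = $tpmWmi.SpecVersion
        NoTpmPolicyActive = $noTpmAllowed
        SystemFileSystem  = $volume.FileSystem
        PartitionsOnDisk  = $partitions
        ReadyForBitLocker = $editionOk -and $diskOk -and $unlockOk
    }
}

Test-BitLockerReadiness | Format-List
```

If TpmPresent is False but the BIOS/UEFI has a TPM option, enable it there and run the check again before falling back to the no-TPM policy.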
To use BitLocker, all you really have to do is enable it, choose an unlock method such as password or PIN and then set a few other options. However, you should know that there are two types of BitLocker which you can enable and they are:
- BitLocker Drive Encryption
- BitLocker To Go
You can use BitLocker Drive Encryption to encrypt your sensitive data on the main hard drive of your Windows 10 PC. BitLocker To Go lets you use encryption on USB flash drives and external hard drives connected to your computer.
How to turn on BitLocker on the system drive
To turn on BitLocker on the system drive, do the following:
Step 1: Open Control Panel >> System and Security >> BitLocker Drive Encryption.
Step 2: Select the fixed drive or system drive that you want to encrypt, then click Turn on BitLocker.
Step 3: Choose how you want to unlock your drive during startup: Use a password to unlock the drive or use my smart card to unlock the drive. For the purpose of this guide, select Use a password to unlock the drive checkbox and enter a password that you will use to unlock the drive. Click Next to continue.
Step 4: You will be given four choices to save a recovery key to regain access to your files in case you forget your password. We recommend selecting the Save to your Microsoft account option. Click Next.
Tip: If you have chosen to store your recovery key in your Microsoft account, you can retrieve the encryption key at this location: https://onedrive.live.com/recoverykey.
Step 5: Choose the encryption option as Encrypt used disk space only (faster and best for new PCs and drives). Click Next.
Step 6: On Windows 10 (v. 1511), Microsoft introduced support for the XTS-AES encryption algorithm. It promises better encryption with 128-bit and 256-bit XTS-AES keys. Select New encryption mode (best for fixed drives on this device). Click Next.
Step 7: Click Start encrypting to begin the process. Just leave Windows to do its thing, and in a few hours you will have a BitLocker encrypted drive. The length of time it takes BitLocker to fully encrypt your files depends on the size of your drive, or how much data you are encrypting.
Once the encryption process completes, the drive status should read BitLocker on.
In File Explorer, encrypted drives show a gold lock; the lock changes to gray and appears open when you unlock the drive.
How to turn on BitLocker To Go
To turn on BitLocker To Go on a USB flash drive or external hard drive, do the following:
Step 1: Connect your USB flash drive or external hard drive to your Windows 10 PC.
Step 2: Open Control Panel >> System and Security >> BitLocker Drive Encryption.
Step 3: Under BitLocker To Go, expand the drive you want to encrypt (H drive) and click the Turn on BitLocker link.
Step 5: You will be given three choices to save a recovery key to regain access to your files in case you forget your password. We recommend selecting the Save to your Microsoft account option. Click Next.
Step 7: In this step it is recommended that you select the Compatible mode, as it will ensure you can unlock the drive if you move it to another computer running a previous version of Windows such as Windows 7 or Windows 8.
Step 8: Click Start encrypting to begin the process.
Step 9: It can take a few minutes to encrypt your drive.
Step 10: Click the Close button to finish the encryption.
When encrypting a USB flash drive or external hard drive, try to start with empty removable media, as it will speed up the process; new data will then be encrypted automatically.
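One way to confirm the result of both procedures above (system drive and BitLocker To Go) is to audit every volume with the built-in BitLocker cmdlets. This is an added example, not part of the original article; the function name is hypothetical, and it treats a missing recovery password protector or disabled protection as an issue to fix.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Read-only audit of every volume.

function Get-BitLockerAudit {   # hypothetical helper name
    foreach ($vol in Get-BitLockerVolume) {
        $issues = @()

        # Key protector types as strings, e.g. Tpm, Password, RecoveryPassword.
        $protectors = @($vol.KeyProtector | Where-Object { $_ } |
            ForEach-Object { "$($_.KeyProtectorType)" })

        if ("$($vol.LockStatus)" -eq 'Locked') {
            $issues += 'volume is locked; unlock it to verify its state'
        }
        elseif ("$($vol.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off (not encrypted, still encrypting, or suspended)'
        }
        # The recovery key saved during setup appears as a RecoveryPassword protector.
        if ($protectors -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }

        # New encryption mode reports XtsAes128/XtsAes256; Compatible mode reports Aes128/Aes256.
        $method = "$($vol.EncryptionMethod)"
        $mode = if ($method -like 'Xts*') { 'New (XTS-AES)' }
                elseif ($method -like 'Aes*') { 'Compatible' }
                else { 'Other or none' }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Percent    = $vol.EncryptionPercentage
            Method     = $method
            Mode       = $mode
            Protectors = $protectors -join ', '
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap
```

A removable drive encrypted in Compatible mode should show Mode as Compatible, while a fixed drive encrypted with the new mode should show New (XTS-AES).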
How to unlock BitLocker drive encryption
If you have encrypted a non-system hard drive or a removable drive such as a USB flash drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your Windows PC if it’s a removable drive). Type your password and the drive should unlock so you can use it.
How to quickly access and manage your BitLocker drive
Whether you turn on BitLocker for your PC’s hard drive or removable drive, you can always get quick access to the BitLocker settings for a particular drive using the following steps:
Step 1: Press Windows key + E to open File Explorer.
Step 2: Click This PC in the left pane, right-click the encrypted drive, and select Manage BitLocker.
It will take you to the BitLocker control panel window where you can change the password, turn off BitLocker, back up your recovery key, or perform other actions.
BitLocker might not be for everyone, but for people who work in environments with sensitive data that you travel with, it is recommended. It’s worth pointing out that enabling data encryption may slightly slow down the performance of your device due to the encryption process that will continue to run in the background. However, it’s a feature worth using to keep your sensitive data secure.