Hello Sunil
How to set up BitLocker encryption on Windows 10

A definitive guide to BitLocker, Windows 10's built-in encryption tool

When you store sensitive data on your laptop, it's crucial that you take the necessary steps to protect that data. This is especially true for business people who travel frequently and carry important documents with them. The goal is to prevent private corporate data from falling into the wrong hands.

You can protect your data by using encryption, a method of making readable information unrecognizable to unauthorized users. When you encrypt your information, it remains usable even when you share it with other users. In other words, only someone with the right encryption key can make the data readable again. BitLocker is a tool built into Windows 10 that lets you encrypt an entire hard drive or a removable device such as a USB flash drive to prevent prying eyes from snooping into your sensitive data.


In this step-by-step guide, we will walk you through setting up BitLocker on a Windows 10 PC to make sure your sensitive data stays secure.

Outline of this post:

  • What is BitLocker?
  • BitLocker system requirements
  • Check if your Windows 10 PC has a TPM chip
  • Check if your computer has TPM hardware that is disabled
  • How to turn on BitLocker without TPM
  • Set up BitLocker on Windows 10

Important: While BitLocker is a stable feature on Windows 10, any significant change you make to your computer carries its own risks. It's always recommended that you make a backup of your system before proceeding with this guide.

What is BitLocker?

BitLocker is Microsoft’s easy-to-use, proprietary encryption program for Windows that can encrypt your entire drive as well as help protect against unauthorized changes to your system.

What are the minimum system requirements for BitLocker

  • BitLocker drive encryption is available only on Windows 10 Pro and Windows 10 Enterprise.
  • For best results your computer must be equipped with a Trusted Platform Module (TPM) chip.
  • A storage drive with at least two partitions.
  • Additionally, the hard drive partitions must be formatted with the NTFS file system.

“TPM is a special microchip that enables your device to support advanced security features. You can use BitLocker without a TPM chip by using software-based encryption.”

A TPM (Trusted Platform Module) is normally soldered to the motherboard on most new PCs. It provides a tamper-resistant way to store encryption keys on a Windows 10 PC. Here is how to check whether your Windows 10 PC has a TPM chip or whether it is absent from your computer's motherboard.

How to check if your Windows 10 PC has a TPM chip

Method #1: By using device manager

Step 1: Press Windows key + R to open the Run dialog window. Type devmgmt.msc into it and click OK.

Check if Your Windows 10 PC has TPM using device manager

 

Step 2: This opens Device Manager. Expand Security devices. If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.

TPM with the version number under Security devices section of Device Manager

Method #2: By using TPM management tool

Step 1: Press Windows key + R to open the Run dialog window. Type tpm.msc into it and click OK.

Check if Your Windows 10 PC has TPM using TPM management tool

Step 2: This opens the built-in utility, Trusted Platform Module (TPM) Management. If you see a message at the bottom right corner of the window informing you which TPM specification version your chip supports, then your PC does have a TPM.

Built in utility – Trusted Platform Module (TPM) management

If you see a “Compatible TPM cannot be found” message instead, your Windows 10 PC does not have a TPM or it’s turned off in the BIOS/UEFI.

Compatible TPM cannot be found message

How to check if your computer has TPM hardware that is disabled

If you are unable to find any TPM on your Windows 10 PC using the above methods, it’s possible that the TPM is disabled in the BIOS/UEFI firmware. Here are the instructions to check:

Step 1: Restart your Windows 10 PC. Press the hotkey (usually F2 or Delete) to enter the BIOS.

Step 2: Once in the BIOS, locate the section that configures Security. In the Security section, locate the TPM option.

In the Security section, locate the TPM option

If there is no such setting, your computer probably doesn't have a TPM chip.

Step 3: Select the TPM On checkbox to switch on the TPM. After switching the TPM on, select the option to Enable the TPM.

Enable TPM 2.0

Step 4: Now that the TPM has been activated, save the changes and exit the BIOS.

Alternatively, you can check your PC manufacturer's support website to find out whether your device includes a TPM chip, and for instructions to enable it in the BIOS.

How to ensure you can turn on BitLocker without TPM

If your Windows 10 PC doesn't include a Trusted Platform Module (TPM) chip, you won't be able to turn on BitLocker by default. In that case you can still use BitLocker encryption, but you will need to use the Local Group Policy Editor to enable additional authentication at startup. Follow these steps to enable it:

Step 1: Press Windows key + R to open the Run dialog window. Type gpedit.msc into it and click OK.

Ensure you can turn on BitLocker without TPM using Local group policy editor

Step 2: Under Computer Configuration, expand Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives. On the right side, double click Require additional authentication at startup.

Double click on Require additional authentication at startup option

Step 3: Select Enabled. Make sure to check the Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) option. Click the OK button to complete this process.

Require additional authentication at startup 
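
The requirement list, the TPM checks and the policy setting above can be read in one pass from PowerShell. This is an added example, not part of the original article: the function name is made up here, and it assumes the policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM\SOFTWARE\Policies\Microsoft\FVE. It only reads settings and must be run from an elevated PowerShell window.

```powershell
# Added example: read-only BitLocker pre-flight check (run in an elevated session).
# Get-BitLockerReadiness is a name chosen for this example.
function Get-BitLockerReadiness {
    param([string]$Drive = $env:SystemDrive)   # drive letter with colon, e.g. "C:"

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"

    # What tpm.msc reports: is a TPM visible to Windows, and is it ready for use?
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Registry values written by the "Require additional authentication at
    # startup" policy; the key is absent when the policy is not configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
        -ErrorAction SilentlyContinue
    $noTpmAllowed = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)

    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpmPresent -and $tpm.TpmReady)

    $nextStep = if ($tpmReady) {
        'TPM is ready: turn on BitLocker from Control Panel'
    } elseif ($tpmPresent) {
        'TPM found but not ready: enable/activate it in BIOS/UEFI'
    } elseif ($noTpmAllowed) {
        'No TPM visible: policy already allows a password or USB startup key'
    } else {
        'No TPM visible: check BIOS/UEFI, or enable the no-TPM policy in gpedit.msc'
    }

    [pscustomobject]@{
        Edition        = $os.Caption
        EditionOk      = $os.Caption -match 'Pro|Enterprise'
        FileSystem     = $disk.FileSystem
        NtfsOk         = $disk.FileSystem -eq 'NTFS'
        TpmPresent     = $tpmPresent
        TpmReady       = $tpmReady
        TpmSpecVersion = $tpmWmi.SpecVersion
        NoTpmPolicy    = $noTpmAllowed
        NextStep       = $nextStep
    }
}

Get-BitLockerReadiness | Format-List
```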

How to set up BitLocker on Windows 10

To use BitLocker, all you really have to do is enable it, choose an unlock method such as password or PIN and then set a few other options. However, you should know that there are two types of BitLocker which you can enable and they are:

  • BitLocker Drive Encryption
  • BitLocker To Go

You can use BitLocker Drive Encryption to encrypt your sensitive data on the main hard drive of your Windows 10 PC. BitLocker To Go, in turn, lets you use encryption on USB flash drives and external hard drives connected to your computer.

How to turn on BitLocker on system drive

To turn on BitLocker on the system drive, do the following:

Step 1: Open Control Panel >> System and Security >> BitLocker Drive Encryption.

Open BitLocker Drive Encryption from Control Panel

Step 2: Select the fixed drive or system drive that you want to encrypt, then click Turn on BitLocker.

Select fixed drive for encryption through BitLocker

Step 3: Choose how you want to unlock your drive during startup: Use a password to unlock the drive or Use my smart card to unlock the drive. For the purpose of this guide, select the Use a password to unlock the drive checkbox and enter a password that you will use to unlock the drive. Click Next to continue.

Select use a password to unlock the drive and enter a password

Step 4: You will be given four choices for saving a recovery key, which lets you regain access to your files in case you forget your password. We recommend selecting the Save to your Microsoft account option. Click Next.

Save your recovery key at Microsoft account

Tip: If you chose to store your recovery key in your Microsoft account, you can retrieve the key at this location: https://onedrive.live.com/recoverykey.

Recovery key at Onedrive from Microsoft account

Step 5: Choose the encryption option as Encrypt used disk space only (faster and best for new PCs and drives). Click Next.

Choose the encryption option that best suits your scenario

Step 6: In Windows 10 (v. 1511), Microsoft introduced support for the XTS-AES encryption algorithm. It promises better encryption with 128-bit and 256-bit XTS-AES keys. Select New encryption mode (best for fixed drives on this device). Click Next.

Select New encryption mode (best for fixed drives on this device) option

Step 7: Click Start encrypting to begin the process. Just leave Windows to do its thing, and in a few hours you will have a BitLocker encrypted drive. The length of time it takes BitLocker to fully encrypt your files depends on the size of your drive, or how much data you are encrypting.

Click Start encrypting to begin the process

Once the encryption process completes, the drive level should read as BitLocker on.

BitLocker drive encryption is successful 

In File Explorer, encrypted drives show a gold lock; the icon changes to gray and appears unlocked when you unlock the drive.

Locked and unlocked drive on File Explorer

How to turn on BitLocker To Go

To turn on BitLocker To Go on a USB flash drive or external hard drive, do the following:

Step 1: Connect your USB flash drive or external hard drive to your Windows 10 PC.

Step 2: Open Control Panel >> System and Security >> BitLocker Drive Encryption.

Open BitLocker Drive Encryption from Control Panel

Step 3: Under BitLocker To Go, expand the drive you want to encrypt (H drive) and click the Turn on BitLocker link.

Click the Turn on BitLocker link

Step 4: It takes a few seconds to initialize your drive. Once this process is over, click the Use a password to unlock the drive option, and create a password to unlock the drive. Click Next to continue.

Enter your password after selecting use a password to unlock the drive option

Step 5: You will be given three choices for saving a recovery key, which lets you regain access to your files in case you forget your password. We recommend selecting the Save to your Microsoft account option. Click Next.

Select Save to your Microsoft account option and click Next

Step 6: Choose the encryption option as Encrypt used disk space only (faster and best for new PCs and drives). Click Next.

Choose the encryption option that best suits your scenario

Step 7: In this step it is recommended that you select Compatible mode, as it ensures you can unlock the drive if you move it to another computer running a previous version of Windows such as Windows 7 or Windows 8.

Select Compatible mode option 

Step 8: Click Start encrypting to begin the process.

Click Start encrypting to begin the process

Step 9: It can take a few minutes to encrypt your drive.

Encryption is in process 

Step 10: Click the Close button to finish the encryption.

Click on Close button to finish the encryption

When encrypting a USB flash drive or external hard drive, try to start with empty removable media, as this speeds up the process; new data will then be encrypted automatically as it is written.
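
After running either procedure above (system drive or BitLocker To Go), the result can be verified from an elevated PowerShell window with the built-in Get-BitLockerVolume cmdlet. This is an added example, not part of the original article; the function name and the wording of the findings are made up here. It checks that protection is on, that a recovery password exists, and which encryption mode from Step 6 / Step 7 each drive ended up with.

```powershell
# Added example: read-only audit of BitLocker volumes (run in an elevated session).
# Get-BitLockerAudit is a name chosen for this example.
function Get-BitLockerAudit {
    Get-BitLockerVolume | ForEach-Object {
        $vol        = $_
        $locked     = $vol.LockStatus -eq 'Locked'
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Map the method name to the wizard's wording: "New encryption mode"
        # is XTS-AES, "Compatible mode" is the older AES (CBC) method.
        $mode = switch -Wildcard ("$($vol.EncryptionMethod)") {
            'XtsAes*' { 'New (XTS-AES)' }
            'Aes*'    { 'Compatible (AES-CBC)' }
            default   { $_ }
        }

        $findings = @()
        if ($locked) {
            $findings += 'Drive is locked: unlock it to see full details'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            $findings += "Protection is $($vol.ProtectionStatus) (status: $($vol.VolumeStatus))"
        }
        # Without a recovery password, a forgotten unlock password means lost data.
        if (-not $locked -and $mode -ne 'None' -and $protectors -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector on this drive'
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and $mode -eq 'Compatible (AES-CBC)') {
            $findings += 'System drive uses compatible mode, not the new XTS-AES mode'
        }
        $summary = if ($findings.Count) { $findings -join '; ' } else { 'OK' }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Type       = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Percent    = $vol.EncryptionPercentage
            Mode       = $mode
            Protectors = $protectors -join ', '
            Findings   = $summary
        }
    }
}

Get-BitLockerAudit | Format-List
```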

How to unlock BitLocker drive encryption 

If you have encrypted a non-system hard drive from your system or removable drive such as USB flash drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your Windows PC if it’s a removable drive). Type your password and the drive should unlock so you can use it.

Unlock BitLocker drive encryption using password

How to quickly access and manage your BitLocker drive

Whether you turn on BitLocker for your PC’s hard drive or removable drive, you can always get quick access to the BitLocker settings for a particular drive using the following steps:

Step 1: Use Windows key + E to open File Explorer.

Step 2: Click This PC from the left pane and right click the encrypted drive and select Manage BitLocker.

Right click the encrypted drive and select Manage BitLocker

It will take you to the BitLocker control panel window where you can change the password, turn off BitLocker, back up your recovery key, or perform other actions.

Manage a locked drive from BitLocker control panel window

Conclusion 

BitLocker might not be for everyone, but it is recommended for people who travel with sensitive data. It's worth pointing out that enabling data encryption may slightly slow down the performance of your device because the encryption process continues to run in the background. However, it's a feature worth using to keep your sensitive data secure.

Do you use data encryption on your Windows 10 PC? Tell us in the comments below.


Sunil Pradhan

Sunil is a front-end developer, illustrator and an online entrepreneur. He is the founder of "Hello Sunil" where he shares his love of technology with the world. He loves to write technical how-tos and tutorials. He is open minded and willing to explore beyond his knowledge.
