Encrypting your hard drive is one of the easiest and fastest ways to increase your security. Windows 10 has a drive encryption program built in. BitLocker is a full drive encryption tool available to Windows 10 Pro, Enterprise, and Education users.
Drive encryption sounds intimidating. If you lose your password, your drive remains locked—forever. Nonetheless, the security it grants you is almost unrivaled.
Here’s how you can encrypt your hard drive using BitLocker in Windows 10.
What Is BitLocker?
BitLocker is a full volume encryption tool included in Windows 10 Pro, Enterprise, and Education. You can use BitLocker to encrypt a drive volume. (A drive volume can mean part of a drive, rather than the entire drive.)
BitLocker offers strong encryption to regular Windows 10 users. By default, BitLocker uses 128-bit AES encryption (also written as AES-128). As far as encryption goes, that’s strong. At the current time, there is no known method of brute forcing a 128-bit AES encryption key. A research team did come up with one potential attack on the AES encryption algorithm, but it would take millions of years to crack the key. That’s why people refer to AES as “military grade encryption.”
So, BitLocker using AES-128 is secure. Still, you can also use BitLocker with a larger 256-bit key, making the drive key essentially impossible to unlock. I’ll show you how to switch BitLocker to AES-256 in a moment.
BitLocker offers three different modes for unlocking an encrypted drive:
- User authentication mode. The “standard” user authentication mode encrypts your drive, requiring authentication before unlocking. Authentication takes the form of a PIN or password.
- Transparent operation mode. This is a slightly more advanced mode that uses a Trusted Platform Module (TPM) chip. The TPM chip checks that your system files have not been modified since you encrypted the drive using BitLocker. If your system files have been tampered with, the TPM chip will not release the key. In turn, you will not be able to input your password to decrypt the drive. The transparent operation mode creates a secondary security layer over your drive encryption.
- USB Key mode. USB Key mode uses a physical USB device that boots into the encrypted drive.
How to Check If Your System Has a TPM Module
Unsure if your system has a TPM module? Press Windows Key + R, then input tpm.msc. If you see information about the TPM on your system, you have a TPM module installed. If you meet the “Compatible TPM cannot be found” message (like me!), your system does not have a TPM module.
It isn’t a problem if you do not have one. You can still use BitLocker without a TPM module. See the following section to understand how.
How to Check If BitLocker Is Enabled
Before progressing to the BitLocker drive encryption tutorial, check whether BitLocker is enabled on your system.
Type gpedit in your Start Menu search bar and select the Best Match. The Group Policy Editor will open.
Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
Select Require additional authentication at startup, followed by Enabled.
If your system doesn’t have a compatible TPM module, check the box to Allow BitLocker without a compatible TPM.
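The TPM check and the policy setting above can also be read from PowerShell, which helps when checking more than one machine. This is an added example, not part of the original article: `Test-BitLockerStartupPolicy` is a hypothetical helper name, the sample objects are constructed, and it assumes the Group Policy setting is stored as the `UseAdvancedStartup` and `EnableBDEWithNoTPM` values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example. Sample objects are constructed; on a real system gather them
# from an elevated prompt with:
#   $tpm    = Get-Tpm
#   $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
function Test-BitLockerStartupPolicy {
    param(
        [Parameter(Mandatory)] $Tpm,   # object shaped like Get-Tpm output
        $Policy                        # FVE policy values, or $null if never configured
    )
    $tpmUsable  = [bool]$Tpm.TpmPresent -and [bool]$Tpm.TpmReady
    # "Require additional authentication at startup" -> UseAdvancedStartup = 1
    $advanced   = ($null -ne $Policy) -and ($Policy.UseAdvancedStartup -eq 1)
    # "Allow BitLocker without a compatible TPM"     -> EnableBDEWithNoTPM = 1
    $allowNoTpm = $advanced -and ($Policy.EnableBDEWithNoTPM -eq 1)

    $verdict = if ($tpmUsable) {
        'Ready: TPM can protect the OS drive key'
    } elseif ($allowNoTpm) {
        'Ready: no TPM, startup password or USB key will be required'
    } else {
        'Blocked: no usable TPM and the no-TPM policy is not enabled'
    }
    [pscustomobject]@{
        TpmUsable       = $tpmUsable
        AllowWithoutTpm = $allowNoTpm
        Verdict         = $verdict
    }
}

# Constructed inputs covering the three outcomes
$noTpm    = [pscustomobject]@{ TpmPresent = $false; TpmReady = $false }
$readyTpm = [pscustomobject]@{ TpmPresent = $true;  TpmReady = $true }
$policyOn = [pscustomobject]@{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 1 }

Test-BitLockerStartupPolicy -Tpm $readyTpm -Policy $null
Test-BitLockerStartupPolicy -Tpm $noTpm    -Policy $policyOn
Test-BitLockerStartupPolicy -Tpm $noTpm    -Policy $null
```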
How to Use BitLocker Drive Encryption on Windows 10
First up, type bitlocker in your Start Menu search bar, then select the Best Match.
Select the drive you want BitLocker to encrypt, then select Turn BitLocker On.
Now you must Choose how you want to unlock this drive. Here you have two options.
- Use a password.
- Use a smart card.
Select the first option to Use a password to unlock the drive.
Choose a BitLocker Password
Here’s the fun part: choosing a suitably strong password that you can also remember. As the BitLocker wizard helpfully suggests, your password should contain upper and lower case letters, numbers, spaces, and symbols.
Once you create a suitable password, enter it, then retype it to confirm.
The next page contains options for creating a BitLocker recovery key. A BitLocker recovery key is unique to your drive and is the only way you can safely and securely create a backup of sorts. There are four options to choose from. For now, select Save to File, then select a memorable save location. Once saved, hit Next.
How Much Drive to Encrypt With BitLocker and Which Encryption Mode to Use
At this point, you choose how much of your drive to encrypt.
The BitLocker wizard strongly suggests encrypting the entire drive if you are already using it, to make sure you encrypt all available data, including data that has been deleted but not yet removed from the drive. If you are encrypting a new drive or new PC, however, “you only need to encrypt the part of the drive that’s currently being used” because BitLocker will encrypt new data automatically as you add it.
Finally, choose your encryption mode. Windows 10 version 1511 introduced a new disk encryption mode, known as XTS-AES. XTS-AES provides additional integrity support. However, it is not compatible with older Windows versions. If the drive you are encrypting with BitLocker will remain in your system, you can safely choose the new XTS-AES encryption mode.
If not (if you are going to plug your drive into a separate machine), select Compatible mode.
Encrypt Your Drive with BitLocker
You have reached the final page: it is time to encrypt your drive using BitLocker. Select Start encrypting and wait for the process to complete. The encryption process can take some time, depending on the amount of data.
When you reboot your system or attempt to access the encrypted drive, BitLocker will prompt you for the drive password.
Using AES-256 with BitLocker
You can make BitLocker use much stronger 256-bit AES encryption, instead of 128-bit AES. Even though 128-bit AES encryption will take forever to brute force, you can always make it take forever and a day using the additional strength.
The main reason to use AES-256 instead of AES-128 is to protect against the rise of quantum computing in the future. Quantum computing will be able to break our current encryption standards with more ease than our current hardware.
Open the Group Policy Editor, then head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
Select Choose drive encryption method and cipher strength. Select Enabled, then use the dropdown boxes to select XTS-AES 256-bit. Hit Apply, and you’re good to go.
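The cipher policy only applies to drives encrypted after it is set, so a drive already encrypted with the default keeps 128-bit AES until it is decrypted and encrypted again. The check below is an added example, not part of the original article: `Test-BitLockerCipher` is a hypothetical helper, the sample volumes are constructed, and it also reports whether each volume has a recovery password protector.

```powershell
# Added example. The sample volumes are constructed and shaped like
# Get-BitLockerVolume output; on a real system run (elevated):
#   Test-BitLockerCipher -Volume (Get-BitLockerVolume)
# Policy DWORDs under HKLM:\SOFTWARE\Policies\Microsoft\FVE
# (EncryptionMethodWithXtsOs / ...Fdv / ...Rdv) map to these method names:
$PolicyCipher = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Test-BitLockerCipher {
    param(
        [Parameter(Mandatory)] [object[]] $Volume,
        [int] $PolicyValue = 7          # 7 = XTS-AES 256-bit, the setting chosen above
    )
    $wanted = $PolicyCipher[$PolicyValue]
    foreach ($v in $Volume) {
        $protectors = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $finding = if ("$($v.VolumeStatus)" -eq 'FullyDecrypted') {
            'NotEncrypted'
        } elseif ("$($v.EncryptionMethod)" -ne $wanted) {
            'CipherMismatch'    # encrypted before the policy was set; needs decrypt + re-encrypt
        } else {
            'OK'
        }
        [pscustomobject]@{
            MountPoint          = $v.MountPoint
            EncryptionMethod    = "$($v.EncryptionMethod)"
            Wanted              = $wanted
            HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
            Finding             = $finding
        }
    }
}

# Constructed sample: C: predates the policy, D: lacks a recovery password, E: is unencrypted
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes128'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'XtsAes256'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' }) }
    [pscustomobject]@{ MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; EncryptionMethod = 'None'
        KeyProtector = @() }
)
Test-BitLockerCipher -Volume $sample | Format-Table -AutoSize
```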
Back Up Your Windows BitLocker Password
You now know how to encrypt your Windows 10 drive using BitLocker. BitLocker is a fantastic encryption tool integrated into Windows 10. You don’t have to bother with a third-party encryption tool.
However, that is no good for Windows 10 Home users.