How to encrypt your drive with BitLocker in Windows 10

Encrypting your hard drive is one of the easiest and fastest ways to increase its security. So Windows 10 has an encryption program of built-in disk, called BitLocker. Which is a full disk encryption tool available for Windows 10 Pro, Enterprise and Education users.

The unit's encryption may sound intimidating, since if you lose your password, your unit will remain locked forever. However, the security it gives you is almost unmatched. Here’s how you can encrypt your hard drive with BitLocker in Windows 10.

What is the BitLocker tool?

BitLocker is a full-volume encryption tool included in Windows 10 Pro, Enterprise and Education. So you can use this utility to encrypt a volume of a unit. Thus, a unit volume is part of a unit, rather than its entirety.

This tool offers secure encryption for regular Windows 10 users. By default, BitLocker uses 128-bit AES encryption, (also written as AES-128). As for this type of security, it is very robust.

So at present, there is no known method to brutely force a 128-bit AES encryption key.

A research team devised a possible attack on the AES encryption algorithm, but it would take millions of years to decipher the key. That is why people refer to AES as "military grade encryption."

So, BitLocker using AES-128 is very safe. Even so, you can also use BitLocker with a larger 256-bit key, which makes the drive key impossible to unlock.

BitLocker has three different encryption methods:

  • User authentication mode: this is the "standard" mode, it encrypts your disk, requiring authentication before unlocking it. Authentication takes the form of a PIN or password.
  • Transparent operation mode: this is a slightly more advanced mode that uses a Trusted Platform Module (TPM) chip. The TPM chip verifies that your system files have not been modified since you encrypted the unit with BitLocker. If the files on your system have been manipulated, the TPM chip will not release the key. In turn, you will not be able to enter your password to decrypt the unit. The transparent mode of operation creates a secondary security layer over the encryption of your disk drive.
  • USB key mode: USB key mode uses a physical USB device that starts in the encrypted drive.

How to verify if your system has a TPM module

Not sure if your system has a TPM module? Press the Windows + R keys, then enter: tpm.msc. If you see information about the TPM on your system, you have it installed. If it complies with the message "The compatible TPM cannot be found", then your system does not have a TPM module.

It is not a problem if you do not have one. You can still use BitLocker without a TPM module. See the next section to understand how.

How to check if BitLocker is enabled

First, type "gpedit" in the search bar of the Start menu and select the best match. This will open the Group Policy Editor.

You must go to Computer Configuration and then Administrative Templates. Then, click on Windows Components and then BitLocker Drive Encryption. Finally, you should go to Operating System Units.

Now, select "Require additional authentication at startup", followed by "Enabled."

If your system does not have a compatible TPM module, check the "Allow BitLocker without a compatible TPM" box.

How to use BitLocker drive encryption in Windows 10

First, type "bitlocker" in the search bar of the Start menu, then select the best match.

Select the unit you want BitLocker to encrypt, then select the option «Activate BitLocker».

Now, you must choose how you want to unlock this unit. Here you have two options:

  • Use a password
  • Use a smart card.

Select the first option to: «Use a password to unlock the unit».

Choose an appropriate password

Here is the fun part: choose a suitable and secure password that you can also remember. As the BitLocker wizard suggests, your password must contain upper and lower case letters, numbers, spaces and symbols.

Once you create an appropriate password, enter it and retype it to confirm.

The next page contains options to create a BitLocker recovery key. A recovery key is unique to your drive and is the only way you can create a backup safely.

There are four options to choose from. For now, select Save to file. Then, select a memorable save location. Once saved, press Next.

What encryption model to use?

First, the BitLocker wizard suggests encrypting the entire drive if you are already using it to make sure it encrypts all available data, including those you deleted. But that not removed from the unit completely.

While if you are encrypting a new drive or a new PC, you only need to encrypt the part of the drive that is currently being used. Because BitLocker will automatically encrypt new data as you add it.

Finally, choose your encryption mode. Windows 10 version 1511 introduced a new disk encryption mode, known as XTS-AES. XTS-AES provides additional integrity support. However, it is not compatible with earlier versions of Windows.

If the drive you are encrypting with BitLocker will remain on your system, you can safely choose the new XTS-AES encryption mode.

Otherwise, if you are going to connect your unit to a separate machine, select the Compatible mode for it.

Encrypt your drive with BitLocker

You have reached the final part: it is time to encrypt your disk using BitLocker. Select Start encryption and wait for the process to complete. Such encryption process may take some time, depending on the amount of data.

When you restart your system or try to access the encrypted drive, BitLocker will ask you for the password with which you have configured the utility.

Using AES-256

You can make BitLocker use 256-bit AES encryption much stronger, instead of the 128-bit AES. Although 128-bit AES encryption will prevent brute force forever, you can always make it take an eternity one more day, using additional force.

The main reason to use AES-256 instead of AES-128, is to protect you against the increase in quantum computing in the future. Quantum computing can break our current encryption standards more easily than our current hardware.

Now, open the Group Policy Editor, then go to Computer Configuration and then Administrative Templates. Then to Windows Components and finally, to BitLocker Drive Encryption.

Select "Choose unit encryption method and encryption strength". Select "On." Then, use the drop-down boxes to select 256-bit XTS-AES. Press Apply and you're done.