Overview
This article provides the steps needed to enable BitLocker encryption, the compatible GFI products, and a summary of best practices tips.
BitLocker is a data protection feature that encrypts the hard drives on your machine to provide enhanced protection against data theft or exposure on computers and removable drives that are lost or stolen. It also provides more secure data deletion when BitLocker-protected computers are decommissioned as it is much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive.
Environment
- Windows Vista (Ultimate & Enterprise)
- Windows 7 (Ultimate & Enterprise)
- Windows 8 and 8.1 (Pro & Enterprise)
- Windows 10 (Education, Pro & Enterprise)
- Windows Server 2008 and later
Process
BitLocker is a built-in feature of the most recent Microsoft operating systems and has no additional cost. For further information, see the Windows IT Pro article 'BitLocker.'
Important: When using virtual machines, BitLocker can be enabled on the physical server hosting the virtual machines. Consult your cloud solution's support if you want to enable BitLocker inside the virtual machine itself.
GFI Products That Can Be Used with BitLocker
All GFI, Kerio, and Exinda products installed in a Microsoft Operating System are compatible with BitLocker.
BitLocker and GDPR
GDPR requires data controllers and processors to implement “data protection by design and by default,” using appropriate technical and organizational measures (Article 25). This can be demonstrated by an approved certification mechanism (Article 42). More specific security requirements include encryption and pseudonymization.
For further information, see the article 'Compliance is everybody’s business.'
How Does BitLocker Work?
You can use BitLocker to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
BitLocker works with a recovery password and a recovery key. For an operating system drive or a fixed data drive, these can be saved to a folder, saved to one or more USB devices, saved to your Microsoft account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to your Microsoft account, or printed. By default, you cannot store the recovery key for a removable drive on that same removable drive.
Implementing BitLocker on a Workstation
BitLocker encryption works best on a computer equipped with a Trusted Platform Module (TPM) chip. TPM is a unique microchip that enables your device to support advanced security features.
How to Check If Your Device Has a TPM Chip
- Go to Start > Run and type: Device Manager
- Expand Security devices. If you have a TPM chip, one of the items should read Trusted Platform Module followed by the version number.
Your computer must have a TPM chip version 1.2 or later to support BitLocker.
How to Ensure You Can Turn on BitLocker Without TPM
If your computer does not include a TPM chip, you can still use encryption, but you need to use the Local Group Policy Editor to enable additional authentication at startup:
- Go to Start > Run and type: gpedit.msc
- Click OK.
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
- On the right side, double-click Require additional authentication at startup.
- Select Enabled.
- Check Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
- Click OK.
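The two checks above (is a TPM 1.2 or later present, and if not, is the "Allow BitLocker without a compatible TPM" policy in effect) can be scripted. The following is an added example, not code from the GFI article: it reads the TPM through the Win32_Tpm WMI class and inspects the registry values that the "Require additional authentication at startup" policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE (UseAdvancedStartup and EnableBDEWithNoTPM). Run it in an elevated PowerShell prompt; on a domain-joined machine a domain GPO can overwrite the local policy, so the registry reading reflects the effective setting rather than what was clicked in gpedit.msc.

```powershell
# Added example (not from the GFI article): report TPM presence/version and whether
# the local "Allow BitLocker without a compatible TPM" policy is set.
# Run from an elevated PowerShell prompt.

function Get-BitLockerReadiness {
    $result = [ordered]@{
        TpmPresent      = $false
        TpmSpecVersion  = $null
        TpmMeetsMinimum = $false   # BitLocker needs TPM 1.2 or later
        NoTpmPolicySet  = $false   # "Allow BitLocker without a compatible TPM"
    }

    # Win32_Tpm is the WMI view of the TPM. SpecVersion reads like "2.0, 0, 1.38" or "1.2, 2, 3".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $result.TpmPresent     = $true
        $result.TpmSpecVersion = $tpm.SpecVersion
        $major = [version](($tpm.SpecVersion -split ',')[0].Trim())
        $result.TpmMeetsMinimum = ($major -ge [version]'1.2')
    }

    # Enabling the GPO "Require additional authentication at startup" with the
    # "Allow BitLocker without a compatible TPM" box checked writes these values.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (Test-Path $fve) {
        $p = Get-ItemProperty -Path $fve
        $result.NoTpmPolicySet = ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
    }

    [pscustomobject]$result
}

$readiness = Get-BitLockerReadiness
$readiness | Format-List

if (-not $readiness.TpmMeetsMinimum -and -not $readiness.NoTpmPolicySet) {
    Write-Warning ('No TPM 1.2+ found and the "Allow BitLocker without a compatible TPM" ' +
                   'policy is not set; enabling BitLocker on the OS drive will fail.')
}
```

The warning at the end is the condition under which the "Turn on BitLocker" wizard refuses to proceed on a TPM-less machine, so the script can be run before the procedure below to avoid a failed attempt.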
How to Turn on BitLocker on the Operating System Drive
When enabling BitLocker, you need to create a password. Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.
Important: Keep the password and recovery key in a safe location. If you lose both, you cannot access the content of your drive.
To Enable BitLocker:
- Go to Start > Run and type: Manage BitLocker
- Click Turn on BitLocker next to the drive you want to encrypt.
- Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password.
- Enter a password to be used every time you boot your machine to unlock the drive. Click Next.
- Select an option to save a recovery key to regain access to your files in case you forget your password. Options include:
  - Save to your Microsoft account
  - Save to a USB flash drive
  - Save to a file
  - Print the recovery key
- Select the option that is most convenient for you, and save the recovery key in a safe place. Click Next.
- Select the encryption option that best suits your scenario:
  - Encrypt used disk space only (faster and best for new PCs and drives).
  - Encrypt entire drive (slower but best for PCs and drives already in use).
- Choose between these two encryption modes:
  - New encryption mode (best for fixed drives on this device).
  - Compatible mode (best for drives that can be moved from this device).
- Click Next.
- Select Run BitLocker system check and click Continue.
- Reboot your computer. On reboot, BitLocker prompts you to enter your encryption password to unlock the drive. Type the password and press Enter.
From then on, you have to enter your BitLocker password at every startup. Encryption is performed in the background. The process can take a long time depending on the size of the drive, but you can continue working on your computer while the operation completes.
Implementing BitLocker on a Windows Server Operating System
Windows Server 2008 and later support BitLocker.
To Enable BitLocker on a Windows Server Operating System:
- Click Start > Administrative Tools > Server Manager.
- Click Manage > Add Roles and Features.
- On the Select Features page, choose BitLocker Drive Encryption. Click Next.
- Click Install.
- When the installation is complete, click Close.
- Reboot the server.
After the server restarts, follow the same procedure described above for a workstation to enable BitLocker on the operating system drive.
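Both procedures above (the workstation wizard and the server feature installation) map onto the BitLocker PowerShell module. The following is an added example and not code from the GFI article: it installs the BitLocker feature first when it detects a server edition, then enables BitLocker on the operating system drive with a startup password (the "Enter a password" option, which on a TPM-less machine requires the policy from the previous section), adds a numerical recovery password as a separate key protector, saves that password to a file, and reports the encryption progress. It assumes an elevated prompt, uses XTS-AES 256 for the "new encryption mode" and "used space only" encryption, and the $RecoveryBackupDir path is a placeholder that must point to a drive other than the one being encrypted.

```powershell
# Added example (not from the GFI article): enable BitLocker on the OS drive with a
# startup password, add a recovery password protector, save it to a file, and report status.
# Assumptions: elevated prompt; on a TPM-less machine the "Allow BitLocker without a
# compatible TPM" policy is already set; $RecoveryBackupDir is a placeholder on a drive
# that is NOT the one being encrypted (for example a removable drive).
param(
    [string]$MountPoint        = 'C:',
    [string]$RecoveryBackupDir = 'E:\BitLockerRecovery'   # placeholder path, adjust
)

# On Windows Server the BitLocker feature must be installed first.
# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.ProductType -ne 1 -and -not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Host 'BitLocker feature installed. Reboot the server, then run this script again.'
    return
}

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$MountPoint is already protected by BitLocker."
    return
}

# Read the startup password as a SecureString so it never sits in plain text in the script.
$pw = Read-Host -Prompt 'Startup password for the OS drive' -AsSecureString

# "Encrypt used disk space only" + "New encryption mode" (XTS-AES 256).
# Without -SkipHardwareTest the system check runs at the next reboot (the wizard's
# "Run BitLocker system check") and encryption starts once it passes.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# Add a 48-digit recovery password so the drive can still be unlocked if the startup
# password is forgotten; this is the equivalent of the wizard's "save a recovery key" step.
$updated   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$protector = $updated.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -Last 1

New-Item -ItemType Directory -Path $RecoveryBackupDir -Force | Out-Null
$file = Join-Path $RecoveryBackupDir ('BitLocker-Recovery-{0}.txt' -f $protector.KeyProtectorId.Trim('{}'))
@(
    "Drive:             $MountPoint"
    "Computer:          $env:COMPUTERNAME"
    "Key protector ID:  $($protector.KeyProtectorId)"
    "Recovery password: $($protector.RecoveryPassword)"
) | Set-Content -Path $file
Write-Host "Recovery password saved to $file. Keep it somewhere safe, never on the encrypted drive."

# Encryption continues in the background; this shows how far it has progressed.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, EncryptionMethod
```

The recovery password is written to a plain text file only because the article's "Save to a file" option does the same; in a managed environment, back it up to Active Directory or Azure AD instead (Backup-BitLockerKeyProtector or BackupToAAD-BitLockerKeyProtector) so it is not lost together with the machine.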