A Detailed Guide to BitLocker for Windows 11 Users
The data on a computer is usually worth more than the hardware it sits on, so it needs to be protected from anyone who gets physical access to the device. Several third-party tools can do this, but Windows ships with its own full-volume encryption feature, BitLocker.
BitLocker encrypts the volume on which Windows is installed (it can also protect fixed data drives and, as BitLocker To Go, removable drives), so that the contents cannot be read by booting another operating system or moving the disk to another machine. In this guide we look at how the feature works and how to turn it on in the current version of Windows.
The BitLocker System and Hardware Prerequisites
For BitLocker to work on Windows, there are certain hardware and system requirements that must be met.
1. Trusted Platform Module (TPM)
BitLocker works best together with a Trusted Platform Module (TPM version 1.2 or 2.0), a hardware component that performs cryptographic operations and holds secrets that software cannot read directly. With a TPM, BitLocker provides pre-startup system integrity verification: the firmware and boot loader measure the early boot components and boot configuration data into the TPM on every boot, and the TPM releases the key that unlocks the volume only if those measurements match the ones recorded when BitLocker was enabled. If a boot component has been tampered with, the key is not released and BitLocker asks for the recovery key instead.
A computer that supports TPM must also have firmware that is compatible with the Trusted Computing Group (TCG).
You can use BitLocker without a TPM, but then it runs in software-only mode. Instead of the TPM releasing the key automatically, you must type a startup password or insert a USB startup key before Windows loads (not at the Windows sign-in screen). This mode provides no boot-integrity check, so a tampered boot loader could capture your password, and the security of the drive rests entirely on the strength of that password.
With a startup key, BitLocker writes a small key file (.BEK) to a USB flash drive that must be present at every boot. This only adds security if the drive is kept physically separate from the computer; a USB key left in the laptop bag unlocks the laptop for whoever takes the bag.
2. Hard Drive
The disk must contain at least two partitions: the operating system drive, which holds Windows and is the one BitLocker encrypts, and a separate system partition that holds the files needed to start the computer before the operating system is unlocked. The operating system drive must use the NTFS file system. The system partition is never encrypted (BitLocker cannot unlock a volume before it has booted), uses FAT32 on UEFI systems, and is created automatically by Windows Setup, so on a normally installed machine this requirement is already met.
BitLocker can also encrypt removable drives (USB flash drives and external disks) through BitLocker To Go, which you manage from the same Control Panel page; this guide covers only the operating system drive.
3. BIOS and UEFI Firmware Settings
The UEFI or BIOS firmware must be able to read files from a USB flash drive during the boot process, regardless of whether the computer has a TPM; this is how BitLocker reads a startup key, and also how it reads a recovery key from USB. Secure Boot is not strictly required, but on UEFI systems it is strongly recommended: with it enabled, BitLocker can tie the key to the Secure Boot state (PCR 7) rather than to individual boot component measurements, which both blocks unauthorized boot loaders and makes routine firmware and boot loader updates less likely to trigger recovery mode.
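The following script is an added example, not part of the original guide: a pre-flight check of the prerequisites listed above, run from an elevated PowerShell session on Windows 11. It reads the TPM state and spec version, the Secure Boot state (treating a legacy-BIOS machine as "not available" rather than as a failure, since BitLocker does not require Secure Boot), the OS volume file system, whether a separate system partition exists, and the Windows edition. The OS drive letter `C` is an assumption; everything else is read from the system.

```powershell
# Added example, not code from the original guide: a pre-flight check for the
# prerequisites listed above. Run in an elevated PowerShell session on Windows 11.
# The OS drive letter "C" is an assumption; everything else is read from the system.

function Test-BitLockerPrerequisites {
    [CmdletBinding()]
    param([string]$OsDriveLetter = 'C')

    # TPM: presence, readiness and spec version (1.2 or 2.0). Get-Tpm throws where the
    # TrustedPlatformModule module or the device itself is missing, so treat that as "no TPM".
    $tpmPresent = $false; $tpmReady = $false; $tpmVersion = 'none'
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm -ErrorAction SilentlyContinue
        # SpecVersion reads like "2.0, 0, 1.59"; only the first field matters here.
        if ($wmiTpm) { $tpmVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim() }
    } catch { }

    # Secure Boot: reported only on UEFI systems. Confirm-SecureBootUEFI throws on
    # legacy BIOS, which is not a BitLocker failure, just a weaker configuration.
    $secureBoot = 'not available (legacy BIOS)'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'enabled' } else { 'disabled' }
    } catch { }

    # Disk layout: the OS volume must be NTFS and a separate system partition
    # (EFI System Partition on UEFI, "System Reserved" on BIOS) must exist; it stays unencrypted.
    $osVolume = Get-Volume -DriveLetter $OsDriveLetter -ErrorAction SilentlyContinue
    $osFileSystem = if ($osVolume) { $osVolume.FileSystem } else { 'volume not found' }
    $systemPartitionFound = [bool](Get-Partition | Where-Object { $_.IsSystem })

    # Edition: Home lacks the BitLocker Drive Encryption control panel and gpedit.msc.
    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption

    [pscustomobject]@{
        TpmPresent            = $tpmPresent
        TpmReady              = $tpmReady
        TpmSpecVersion        = $tpmVersion
        SecureBoot            = $secureBoot
        OsVolumeFileSystem    = $osFileSystem
        SystemPartitionFound  = $systemPartitionFound
        WindowsEdition        = $edition
        # Hard requirements from the guide; a TPM is optional (software-only mode otherwise)
        # and Secure Boot is advisory, so neither is part of this verdict.
        MeetsHardRequirements = ($osFileSystem -eq 'NTFS' -and $systemPartitionFound)
        TpmProtectorPossible  = ($tpmPresent -and $tpmReady)
    }
}

Test-BitLockerPrerequisites | Format-List
```

If `TpmProtectorPossible` is `False` but `TpmPresent` is `True`, the TPM is usually disabled or not initialised in firmware; enabling it there and rebooting is simpler than falling back to software-only mode.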
How Does BitLocker Work in Windows?
Once BitLocker is enabled, it encrypts the volume with AES using a 128-bit or 256-bit key; the default on Windows 11 is XTS-AES 128 ("new encryption mode"), and XTS-AES 256 can be chosen via policy or PowerShell. The volume key itself never leaves the drive's metadata in the clear; it is wrapped by one or more key protectors. With a TPM protector, the TPM seals the wrapping key to the measured boot state and releases it during startup only when the measurements match, so the drive unlocks transparently on an untampered machine and drops to recovery on a tampered one.
Without a TPM, BitLocker needs a different protector for the operating system drive: a startup password that you type before Windows loads, or a startup key on a USB flash drive. (Smart cards and certificates can protect data drives but not the operating system drive.) In every configuration you should also keep a recovery password, the 48-digit key, as a fallback protector.
1. If Your Device Supports TPM
If your device supports TPM, follow these steps to encrypt your drive using BitLocker in Windows 11:
- Log into your Windows account as an administrator.
- Press the Win + R keys together to open a Run dialog.
- Type control in Run and press Enter.
- In the Control Panel, navigate to System and Security > BitLocker Drive Encryption.
- Now, click on Turn on BitLocker. If your computer supports TPM and it is disabled, you will need to restart it to enable the feature.
- Once the computer restarts, the BitLocker Drive Encryption wizard opens. Click Next.
- Choose how to back up your recovery key and click Next. The recovery key is the 48-digit password you will need if you forget your startup password or, more commonly, if the TPM refuses to release the key because the boot configuration changed (firmware update, new boot loader, hardware change). Save it somewhere other than the drive being encrypted: your Microsoft account, a USB drive, a printout, or a file on another disk.
- Next, choose how much of your drive to encrypt. Encrypting used disk space only is faster and fine for a freshly installed system; encrypting the entire drive also wipes previously deleted data that could still be recovered from free space, so choose it for a disk that has been in use.
- Pick an encryption mode. New encryption mode (XTS-AES) is the right choice for a drive that stays in this computer; Compatible mode (AES-CBC) exists only for drives that must be readable by older Windows versions.
- Finally, click Start encrypting. If you leave Run BitLocker system check ticked, BitLocker reboots once before encrypting to confirm it can read the recovery and encryption keys; keep it ticked unless you have a reason not to.
- Wait for the encryption process to complete. It might take a while, so hang in there. If you are prompted to restart your computer after the process is completed, reboot to complete the process.
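The same procedure from an elevated PowerShell session, as an added example that is not part of the original guide. It checks that the TPM is ready, starts encryption with a TPM protector, adds a recovery password protector, writes that recovery password to a file on a different drive, and then shows the volume status and its key protectors. The mount point `C:` and the backup folder `D:\BitLockerRecovery` are assumptions; the backup folder must not be on the drive being encrypted.

```powershell
# Added example, not code from the original guide: the TPM-backed procedure above
# done with the BitLocker PowerShell module instead of the Control Panel wizard.
# Assumptions: OS volume is C:, and D:\BitLockerRecovery is a folder on another
# drive. Run in an elevated PowerShell session.

$MountPoint   = 'C:'
$BackupFolder = 'D:\BitLockerRecovery'

# 1. A TPM protector cannot be created unless the TPM is present and ready.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; enable it in firmware or use the no-TPM procedure.'
}

# 2. Start encryption: XTS-AES-256 ("new encryption mode"), used space only, key sealed
#    to the TPM. -SkipHardwareTest skips the "Run BitLocker system check" reboot;
#    remove it to keep the check, in which case encryption starts after the next restart.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                 -TpmProtector -SkipHardwareTest

# 3. Add a 48-digit recovery password. The TPM protector alone gives no way back in
#    when boot measurements change (firmware update, hardware swap) or the TPM fails.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]

# 4. Record the recovery password off the encrypted drive, keyed by the protector ID that
#    the recovery screen displays, so the right key can be found later.
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$file = Join-Path $BackupFolder ('BitLocker-{0}-{1}.txt' -f $env:COMPUTERNAME, $recovery.KeyProtectorId.Trim('{}'))
@"
Computer:      $env:COMPUTERNAME
Volume:        $MountPoint
Protector ID:  $($recovery.KeyProtectorId)
Recovery Key:  $($recovery.RecoveryPassword)
"@ | Set-Content -Path $file

# On a Microsoft Entra ID (Azure AD) joined device the same protector can be escrowed
# to the directory instead:
# BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 5. Verify: expect EncryptionMethod XtsAes256 and two protectors, Tpm and RecoveryPassword.
#    ProtectionStatus reports On once EncryptionPercentage reaches 100.
$status = Get-BitLockerVolume -MountPoint $MountPoint
$status | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
$status.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

`Get-BitLockerVolume` (or `manage-bde -status C:` from a command prompt) can be re-run to watch `EncryptionPercentage` climb; the machine stays usable in the meantime.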
2. If Your Device Does Not Support TPM
If your device does not have a TPM, BitLocker refuses to encrypt the operating system drive until a Group Policy setting explicitly allows it. Note that this requires a Windows 11 edition with the Group Policy Editor and the BitLocker Drive Encryption control panel (Pro, Enterprise or Education); Windows 11 Home offers only the simpler Device encryption feature on supported hardware.
Here is how you can do that:
- Press the Win + R keys together to open a Run dialog.
- Type gpedit.msc in Run and press Enter.
- Click Yes in the User Account Control prompt.
- In the Group Policy Editor, navigate to the location mentioned below:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
- Double-click on Require additional authentication at startup and choose Enabled.
- Checkmark the box for Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
- Click Apply > OK to save the changes.
Once this is done, you need to complete the BitLocker setup process using the Control Panel. Follow these steps to proceed:
- Access the BitLocker Drive Encryption page of the Control Panel using the steps we described above.
- Click on Turn on BitLocker.
- Click Next in the following two dialogs.
- Hit the Restart now button and then click Next.
- Now, choose how the drive will be unlocked at startup. You will be presented with two options: Insert a USB flash drive (a startup key) and Enter a password.
- If you choose the password option, you will be asked to create a password and confirm it. This password is entered before Windows loads and is the only thing standing between an attacker with the disk and your data, so use a long one.
- Click Next.
- Choose how you want to back up your recovery key and click Next.
- Choose whether to encrypt the entire drive or only the used disk space and then pick an encryption mode.
- Finally, click on the Start encryption button. You can also check the Run BitLocker system check box to ensure BitLocker can read encryption and recovery keys correctly.
- Hang in there until the encryption process is complete. Reboot your computer if you are prompted to do so after the process is complete.
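The no-TPM procedure from an elevated PowerShell session, as an added example that is not part of the original guide. The registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the ones that the "Require additional authentication at startup" policy writes when you set it in the Group Policy Editor; writing them directly has the same effect on a stand-alone machine (on a domain-joined machine Group Policy will overwrite them). The script then encrypts with either a startup password or a USB startup key and adds a recovery password. The mount point `C:`, the `$Mode` selector and the USB drive letter `E:\` are assumptions.

```powershell
# Added example, not code from the original guide: the no-TPM procedure above done
# from an elevated PowerShell session. The FVE registry values are what the
# "Require additional authentication at startup" policy sets; a domain GPO overrides them.
# Assumptions: OS volume C:, $Mode chosen here, USB startup-key drive E:\.

$MountPoint      = 'C:'
$Mode            = 'Password'   # or 'StartupKey'
$StartupKeyDrive = 'E:\'        # USB stick that leaves the machine after setup

# 1. Policy: Enabled, with "Allow BitLocker without a compatible TPM" ticked. The four
#    Use* values keep the TPM options at "Allow" (2), their defaults in the policy UI.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
$policy = [ordered]@{
    UseAdvancedStartup = 1   # the policy itself: Enabled
    EnableBDEWithNoTPM = 1   # "Allow BitLocker without a compatible TPM"
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($entry in $policy.GetEnumerator()) {
    New-ItemProperty -Path $fve -Name $entry.Key -Value $entry.Value -PropertyType DWord -Force | Out-Null
}

# 2. Encrypt with the chosen pre-boot authentication. Neither protector gives the
#    boot-integrity check a TPM would, so the startup secret carries all the weight.
switch ($Mode) {
    'Password' {
        # -AsSecureString keeps the password out of the console history and transcript.
        $pw = Read-Host -Prompt 'Startup password (at least 8 characters)' -AsSecureString
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                         -PasswordProtector -Password $pw -SkipHardwareTest
    }
    'StartupKey' {
        # Writes a .BEK key file to the USB drive; the drive must be present at every boot.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                         -StartupKeyProtector -StartupKeyPath $StartupKeyDrive -SkipHardwareTest
    }
    default { throw "Unknown mode '$Mode'; use 'Password' or 'StartupKey'." }
}

# 3. A forgotten password or lost USB key is otherwise permanent data loss: add the
#    48-digit recovery password too and store it away from this machine.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]
"Recovery password for $MountPoint (protector $($recovery.KeyProtectorId)): $($recovery.RecoveryPassword)"

# 4. Verify the protector set: Password (or ExternalKey for a startup key) plus RecoveryPassword.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```

The startup-key variant lists the USB protector as `ExternalKey`; the key file on the stick is named after that protector's ID, which is useful when several machines share one recovery drive.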
Are There Any Downsides of Enabling BitLocker in Windows?
BitLocker adds real protection against data loss from a stolen or discarded device, but it comes with a few costs. The performance impact is small on any processor with AES hardware acceleration (AES-NI), which covers virtually every machine that runs Windows 11; the noticeable slowdown is the initial encryption pass, during which the computer remains usable.
The more important downside is operational: if BitLocker ever drops into recovery mode and you no longer have the recovery key, the data is gone. Recovery mode is triggered by exactly the events the TPM is designed to notice, which include legitimate ones such as firmware updates, boot loader changes, replacing the motherboard or, on some systems, simply plugging in a dock with a boot-capable device. Keep the recovery key backed up, and before a firmware update suspend protection for one reboot (Suspend-BitLocker -MountPoint "C:" -RebootCount 1 in an elevated PowerShell, or Suspend protection on the BitLocker Control Panel page) so that the new measurements are accepted. Some older hardware, particularly machines without a TPM or with firmware that cannot read USB drives at boot, will not support every configuration described here. If you decide you no longer need BitLocker, you can turn it off from the same Control Panel page, and Windows will decrypt the drive in the background.
Enhance Your Data Protection With BitLocker Encryption
You now know how to set up BitLocker on the most recent version of Windows. If your computer has a TPM, we strongly recommend enabling it in firmware before turning on BitLocker, so that you get boot-integrity verification and transparent unlocking instead of a startup password alone. Whichever mode you use, back up the recovery key somewhere other than the encrypted drive.
There are also several third-party full-disk encryption tools available if you prefer not to use BitLocker.