
BitLocker & The Joys of Full Disk Encryption For Microsoft Windows

Understanding Full Disk Encryption

Full disk encryption protects against two main styles of attack:
1. An attacker lifts the hard disk from your computer and reads your data straight off the disk, side-stepping the protections built into the OS.
2. An attacker recovers file data after you have deleted the files from your computer.
A full disk encryption solution uses strong encryption algorithms to make it very difficult for an attacker to recover any file data, either straight off the disk or from deleted files.

BitLocker vs. Other Full Disk Encryption Solutions

Full disk encryption is enabled on all modern Apple macOS computers by default. If you are running Microsoft Windows 10 then … it depends. BitLocker disk encryption is included for free … but only if you have the Professional, Enterprise, or Education editions of Microsoft Windows 10.

There are other full disk encryption products available, but consider the following:

  1. They might decrease the overall security of your computer. At best some products might not encrypt your computer well, at worst they might introduce security vulnerabilities onto your computer. Microsoft is by no means perfect, but BitLocker provides a reasonable full disk encryption solution.
  2. They might be unexpectedly discontinued. TrueCrypt is one example of open source full disk encryption software that was suddenly discontinued. Security vulnerabilities are found in all software, and unless the software is maintained your computer will remain susceptible to those vulnerabilities. Being a Microsoft product, BitLocker will be maintained for the foreseeable future.
  3. They might not be available to home consumers. You may need to go to a reseller or partner company because they are designed for corporate buyers, not home consumers. The Microsoft product is targeted at home consumers and is immediately available in the Professional, Enterprise, or Education editions of Microsoft Windows 10.
  4. They are not cheap. Equivalent full disk encryption solutions cost a similar amount to the Microsoft Windows 10 edition upgrade from Home to Professional edition.

For readers currently running Microsoft Windows 10 Home edition, the fee for the upgrade from Home to Professional edition is worth considering.

Windows 10 Upgrade From Home To Professional Edition

You can buy Windows 10 Pro from the Microsoft Store.
Select the Start button > Settings > Update & Security > Activation
From the Activation screen select Go to Microsoft Store.

(Screenshot: WinProActivation.png)

From the Microsoft Store select Upgrade to Windows 10 Pro.
Follow the on-screen instructions to complete the upgrade purchase.
Follow the on-screen instructions to download and install the upgrade on your computer. This process will require two restarts and some patience.
When the installation process is complete a Success message will be displayed.

(Screenshot: WinProSuccessSmol.png)

Turning On BitLocker

Select the Start button > type BitLocker > select Manage BitLocker.
From the BitLocker Drive Encryption screen you will notice that your hard drives have BitLocker off.
For your hard drive select Turn BitLocker on.
Follow the on-screen instructions to do the following:
– Enter a memorable password for password unlock.
– Save the recovery key to a USB memory.
– Select XTS-AES as the encryption mode.
– Encrypt entire hard drive.
– Run BitLocker system check.
A restart is required for encryption to begin. Depending on the size of the disk and the speed of the disk drive, encryption should be left running overnight.

(Screenshot: WinProBitLocker.png)

(Screenshot: WinProBitLockerTPMDrive.png)

Computers Without A TPM

If your computer does not have a TPM then the error message below is displayed when you select Turn BitLocker on:

(Screenshot: WinProBitLockerNoTPM.png)
This device cannot use a Trusted Platform Module. Your administrator must set the “Allow BitLocker without a compatible TPM” option in the “Require additional authentication at start-up” policy for OS volumes.

To allow BitLocker to unlock the drive with a password instead of a TPM:
Select the Start button > type gpedit.msc > select gpedit.msc.
From the Local Group Policy Editor screen select Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup.
Funnily enough there are two options; you need to change the first:
– Require additional authentication at startup
– Require additional authentication at startup (Windows Server 2008 and Windows Vista)
From the Require additional authentication at startup screen select:
– Enabled
– Allow BitLocker without a compatible TPM checkbox is checked.
Do not change any other configuration points and select OK.
Return to the steps described above under Turning On BitLocker. Without a TPM the password is the only thing standing between an attacker holding the disk and your data, so choose it accordingly.
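As an added example (not from the original post), the PowerShell check below verifies the outcome of the Turning On BitLocker steps and the no-TPM policy change above. It assumes an elevated prompt on Windows 10 Professional, Enterprise, or Education with the BitLocker and TrustedPlatformModule modules present; note that it cannot tell whether "Encrypt entire hard drive" or used-space-only was chosen.

```powershell
#Requires -RunAsAdministrator
# Verification script added for this article (hypothetical, not Microsoft's or the post's code).
# Assumes Windows 10 Pro/Enterprise/Education with the BitLocker and TrustedPlatformModule modules.
$findings = @()

# 1. TPM presence decides whether the group policy change from the article is needed at all.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    $findings += 'No TPM present: the OS drive can only be unlocked with a password.'
    # The gpedit.msc setting "Allow BitLocker without a compatible TPM" is stored under this key.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
        $findings += 'Policy "Allow BitLocker without a compatible TPM" is not set; Turn BitLocker on will fail.'
    }
}

# 2. Compare the OS drive against the configuration the article walks through.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$mp  = $vol.MountPoint

if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "$mp is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted); leave it running."
}
if ($vol.ProtectionStatus -ne 'On') {
    # FullyEncrypted with protection Off means the key is stored in the clear (suspended state).
    $findings += "$mp protection is $($vol.ProtectionStatus): the disk is readable until protection is on."
}
if ($vol.EncryptionMethod -notmatch '^XtsAes') {
    $findings += "$mp uses $($vol.EncryptionMethod) rather than XTS-AES."
}
$types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
if ('RecoveryPassword' -notin $types) {
    $findings += "$mp has no recovery key protector; a forgotten password would mean lost data."
}
if (-not $tpm.TpmPresent -and 'Password' -notin $types) {
    $findings += "$mp has no password protector, so it cannot be unlocked without a TPM."
}

if ($findings.Count -eq 0) {
    "BitLocker on $mp matches the recommended configuration."
} else {
    $findings | ForEach-Object { "WARNING: $_" }
}
```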

(Screenshot: WinProBitLockerGroupPolicy2.png)

We hope this helps, @SanitySecurity
