What is BitLocker Encryption?


Jamie Poindexter

BitLocker was introduced by Microsoft with Windows Vista as a full-disk encryption feature. It's currently available only on the Pro and Enterprise editions of Windows 10. BitLocker encrypts the entire disk so its contents cannot be read or altered without the key. Once a disk is encrypted, the user has a few options for unlocking and accessing it.

PIN – On startup, before Windows loads, the user is prompted for a PIN to unlock the disk; only then are Windows and the locked disk accessible.

USB key – During encryption, the recovery key is stored on a USB thumb drive. On startup the attached drives are checked for this key, and once it is found the drive is unlocked automatically.

TPM mode – If the device has a built-in TPM chip, the key is stored there and is used to unlock the disk automatically, without user intervention. This is the common setup for laptops.

If a user or an unauthorized person modifies the boot loader or boots into Windows PE (Preinstallation Environment), for example by booting an OS from USB, the disk stays locked and the recovery key has to be entered.

For instance, if you need to boot into recovery mode to troubleshoot, you will need one of the above methods or the recovery key available to unlock the disk before you can repair the drive.

BitLocker is commonly used on laptops, which travel and can be stolen. Likewise, if you have an external drive containing sensitive data you can encrypt that as well, so that when you plug it in you must unlock it with a key before it can be accessed. To enable this feature for the OS drive or another drive, go to the System and Security section of Control Panel, where you can see whether it is already enabled or choose the option to enable it.

To enable it for a drive, click “Turn on BitLocker”.

You can then enter a password to unlock the drive. Keep in mind that the same rules apply as for any password, so the stronger the better. Also be aware that you will be given a recovery key. If you lose both the recovery key and the password, your data CANNOT be recovered.

It's recommended that you store the recovery key in a safe place, but NOT on the drive you are encrypting. You also have the option to save it to your Microsoft account or print it out.

Next you have the option to encrypt the whole drive or just the used space. If it's a new PC it's fine to encrypt only the used space, but if the PC has been in use for some time it's best to encrypt the whole drive, since remnants of previously deleted files can otherwise remain readable in the free space. This can take several hours, however, and uses a lot of disk I/O.

And that's it! Now you can kick off the encryption, and it's just a matter of waiting.
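The same steps, carried out with the BitLocker PowerShell cmdlets that ship with Windows instead of the Control Panel. This is an added example, not part of the original post; the drive letter E:, the key folder C:\BitLockerKeys and the use of a data drive (a password protector on the OS drive needs additional group-policy settings) are assumptions.

```powershell
# Added example (not from the original post): the Control Panel steps above,
# done with the BitLocker PowerShell module that ships with Windows 10 Pro/Enterprise.
# Assumptions: the drive to protect is a data drive E: and the recovery key is
# written to a folder on C:, i.e. NOT on the drive being encrypted. Run elevated.
param(
    [string]$MountPoint = 'E:',
    [string]$RecoveryKeyFolder = 'C:\BitLockerKeys'
)
# 1. Check the current state first (the "is it already enabled" view in Control Panel).
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$MountPoint is already $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    return
}

# 2. "Turn on BitLocker" with a password protector. Prompting keeps the password
#    out of the script file and the shell history.
$password = Read-Host -AsSecureString -Prompt "Password to unlock $MountPoint"

# -UsedSpaceOnly matches the "used space only" choice for a new drive; remove it
# for a drive that has held data before so the free space is encrypted too.
Enable-BitLocker -MountPoint $MountPoint `
    -PasswordProtector -Password $password `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly

# 3. Add the 48-digit recovery password. This is the key that gets you in if the
#    password is lost; without both, the data cannot be recovered.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector |
       Where-Object KeyProtectorType -eq 'RecoveryPassword' |
       Select-Object -Last 1

# 4. Save the recovery key off the encrypted drive, named by its protector ID so
#    the right key can be matched to the ID shown on the recovery screen.
New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
$keyFile = Join-Path $RecoveryKeyFolder ("BitLocker-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
@"
BitLocker recovery key for drive $MountPoint
Key protector ID:  $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile

# 5. Encryption continues in the background; watch progress instead of powering off.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host "$MountPoint $($vol.VolumeStatus): $($vol.EncryptionPercentage)%"
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')
```

Disabling later is the mirror image: `Disable-BitLocker -MountPoint E:` starts decryption, and the same `Get-BitLockerVolume` loop shows it progressing.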

If you decide you need to disable BitLocker, you can do so from the same Control Panel page, and again it takes some time to decrypt all of the files. It's best to leave the PC powered on during the encryption/decryption process to reduce the chance of issues.