How to encrypt disks and protect data with BitLocker


05/01/2024

This technical and educational article is intended to guide security analysts, IT administrators, and systems engineers in enabling, configuring, and managing BitLocker, Microsoft's full-disk encryption solution. Protecting data at rest is fundamental to information security, especially on mobile devices such as laptops and tablets, which are susceptible to theft or loss. BitLocker helps mitigate the risk of unauthorized data access in the event of a physical device compromise [1].

Introduction

With the increasing mobility of the workforce and the proliferation of devices that store sensitive information, disk encryption has become an indispensable security measure. BitLocker, built into the Windows operating system, offers a robust way to encrypt entire volumes, ensuring that data remains unreadable to anyone without the correct decryption key. This is crucial to meeting compliance requirements and protecting intellectual property [2].

This practical guide covers enabling BitLocker in different scenarios (OS drives and fixed/removable data drives), managing recovery keys, validating encryption status, and best practices for deploying it in corporate environments. Step-by-step instructions, actual commands, and descriptions are provided so that the reader can effectively implement and manage disk encryption, protecting data at rest and strengthening their organization's security posture.

Why use BitLocker?

  • Data at Rest Protection: Ensures that data stored on the hard drive is protected from unauthorized access, even if the device is stolen or lost.
  • Compliance: Helps meet regulatory and compliance requirements that require data encryption (e.g. HIPAA, GDPR, LGPD).
  • Integration with Windows: As an integral part of Windows, it offers a simplified management experience and integration with other Microsoft tools.
  • Breach Prevention: Prevents attackers from accessing sensitive data by booting alternative operating systems or removing the hard drive.

Prerequisites

To enable and configure BitLocker, you will need the following items:

  1. Windows version: BitLocker is available in the Pro, Enterprise, and Education editions of Windows 10 and 11. The Home edition has a more basic version called "Device Encryption" [3].
  2. TPM (Trusted Platform Module): For operating system drive encryption, a TPM version 1.2 or higher is highly recommended (and generally required for automatic activation). The TPM is a microchip that stores encryption keys and helps verify system integrity [4].
  3. Administrative Permissions: An account with local administrator privileges on the device.
  4. Recovery Key: A secure location to store the BitLocker recovery key (Microsoft account, file, USB, or Azure AD/Active Directory).

Step by Step: Enabling and Configuring BitLocker

Let's cover enabling BitLocker for the operating system drive and for data drives.

1. Checking TPM Status

It is important to verify that the TPM is enabled and ready to use, especially for the operating system drive.

  1. Press Win + R, type tpm.msc and press Enter.
  2. In the TPM Management window, check the TPM Status and Version.
    • If the status reads "The TPM is ready for use", you can proceed.
    • If not, you may need to enable it in your computer's BIOS/UEFI.

2. Enabling BitLocker for the Operating System Drive

This is the most common way to protect a laptop or desktop.

  1. Open Control Panel.
  2. Navigate to System and Security > BitLocker Drive Encryption.
  3. In the Operating system drives section, click Enable BitLocker for the C: drive.

  4. The BitLocker wizard will start. Choose how you want to back up your recovery key:

    • Save to your Microsoft account: Recommended for home users. The key is stored in your online Microsoft account.
    • Save to a file: Saves the key to a text file. Make sure you store it in a safe location (e.g. separate USB drive, secure network share).
    • Print recovery key: Prints the key. Store it in a safe physical location.
    • Corporate Tip: In corporate environments, the recovery key should be automatically stored in Azure AD or Active Directory Domain Services (AD DS) via GPO or Intune for centralized management [5].
  5. Choose how to encrypt your drive:

    • Encrypt only used disk space: Fastest, ideal for new or empty drives.
    • Encrypt entire drive: Slower, but ensures that all data (including deleted data) is encrypted. Recommended for drives with existing data.
  6. Choose encryption mode:

    • New encryption mode (XTS-AES): Recommended for fixed drives.
    • Compatible mode (AES-CBC): For removable drives that can be used on older systems.
  7. Confirm the settings and click Start Encryption.

  8. BitLocker will require a restart to begin the encryption process. After rebooting, encryption will continue in the background.
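The same Section 2 choices (XTS-AES, used space only, TPM unlock, recovery key backed up to AD DS or Azure AD) can be made non-interactively with the BitLocker PowerShell module. The following is an added example, not code from the original article: it assumes an elevated session on a domain-joined or Azure AD-joined device, and the function name and its $KeyEscrow parameter are this example's own.

```powershell
# Added example (not from the original article): Section 2 done with the
# BitLocker module. Assumes an elevated PowerShell session on a device joined
# to AD DS or Azure AD; $KeyEscrow selects which directory receives the key.
function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = "C:",
        [ValidateSet("ADDS", "AzureAD", "None")] [string]$KeyEscrow = "ADDS"
    )

    # Section 1 check: do not continue unless the TPM is present and ready.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM is not present or not ready; enable it in BIOS/UEFI first."
    }

    # Do not start a second conversion on a drive that is already encrypting.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne "FullyDecrypted") {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # Create the recovery password FIRST, so a recovery key exists before the
    # TPM binding and before the reboot that starts encryption.
    # -SkipHardwareTest skips the interactive pre-reboot TPM/boot test.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null

    # Escrow every recovery password protector (normally exactly one).
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
    foreach ($kp in $recovery) {
        switch ($KeyEscrow) {
            "ADDS"    { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
            "AzureAD" { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null }
            "None"    { Write-Warning "Recovery password $($kp.KeyProtectorId) is NOT escrowed; save it now." }
        }
    }
    return $vol
}

Enable-OsDriveBitLocker -MountPoint "C:" -KeyEscrow "ADDS"
```

Protection Status stays Off until the reboot in step 8; the recovery password is already in the directory by then, which is the point of escrowing before rebooting.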

3. Enabling BitLocker for Data Drives (Fixed and Removable)

The process is similar, but with some differences in unlocking options.

  1. Open Control Panel > System and Security > BitLocker Drive Encryption.
  2. In the Fixed Data Drives or Removable Drives section, click Enable BitLocker for the desired drive.
  3. Choose how to unlock the drive:

    • Use a password to unlock the drive: Set a password to access the drive.
    • Use a smart card to unlock the drive: Requires a smart card.
    • Automatically unlock on this machine: For fixed drives, allows the drive to be automatically unlocked when the operating system starts (if the OS drive is also encrypted with BitLocker).
  4. Back up the recovery key (per options described in Section 2).

  5. Choose the encryption type and mode and start the process.

4. Managing BitLocker Recovery Keys

The recovery key is essential to access data in case of problems (forgotten password, TPM failure, etc.).

  1. In Control Panel > System and Security > BitLocker Drive Encryption.
  2. Click Back up your recovery key to the desired drive.
  3. You can save to a file, print, or save to a Microsoft account again.

  4. Command to check status and get key ID: Open Command Prompt (Admin) and run:

    manage-bde -status

    To obtain the recovery key ID:

    manage-bde -protectors -get C:

    The Key ID can be used to locate the recovery key in Azure AD or Active Directory.

Validation and Testing

It is crucial to validate that BitLocker is active and working correctly.

1. Checking Encryption Status

  1. Open File Explorer.
  2. You should see a lock icon on the encrypted drive, indicating that BitLocker is active.

  3. Open Command Prompt (Admin) and run the manage-bde -status command.

  4. Verify that the Conversion Status is Fully Encrypted and the Protection Status is Protection Enabled.
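The two conditions above (Fully Encrypted, Protection Enabled) and the key ID lookup from Section 4 can be collected for every volume at once with Get-BitLockerVolume. This is an added example, not part of the original article; it assumes only the built-in BitLocker module, and the function name and the $RequiredMethod baseline are this example's own.

```powershell
# Added example (not from the original article): the Validation checks and the
# Section 4 key-ID lookup as one report, one row per volume. Assumes the
# built-in BitLocker module; $RequiredMethod is the baseline you enforce.
function Get-BitLockerComplianceReport {
    param([string]$RequiredMethod = "XtsAes256")

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")

        # The same two conditions the manual check asks for.
        $encrypted = $vol.VolumeStatus    -eq "FullyEncrypted"
        $protected = $vol.ProtectionStatus -eq "On"

        # Spell out each finding rather than leaving it to be inferred.
        $findings = @()
        if (-not $encrypted) { $findings += "VolumeStatus=$($vol.VolumeStatus) ($($vol.EncryptionPercentage)%)" }
        if (-not $protected) { $findings += "protection suspended or not yet enabled (reboot pending?)" }
        if ($encrypted -and "$($vol.EncryptionMethod)" -ne $RequiredMethod) {
            $findings += "method $($vol.EncryptionMethod), expected $RequiredMethod"
        }
        if ("$($vol.VolumeType)" -eq "OperatingSystem" -and
            -not ($types -contains "Tpm" -or $types -contains "TpmPin")) {
            $findings += "OS drive not bound to TPM"
        }
        if ($recovery.Count -eq 0) { $findings += "no recovery password protector (nothing to escrow)" }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            Compliant        = ($findings.Count -eq 0)
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ",")
            # Key IDs are safe to log; helpdesk uses them to find the key in AD DS / Azure AD.
            RecoveryKeyIds   = (($recovery | ForEach-Object { $_.KeyProtectorId }) -join ",")
            Findings         = ($findings -join "; ")
        }
    }
}

Get-BitLockerComplianceReport | Format-Table -AutoSize
```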

2. Testing the Recovery Key

  1. Simulate a recovery situation: In a test environment, and with caution, you can temporarily disable the TPM in BIOS/UEFI or move the disk to another computer.
  2. When you start Windows, BitLocker should enter recovery mode and ask for the recovery key.
  3. Enter the recovery key you saved to check if it works.

Security Tips and Best Practices

  • Centralized Management: In enterprise environments, use Microsoft Intune or Group Policy Objects (GPOs) to centrally manage BitLocker, including enforcing encryption policies and automatically backing up recovery keys to Azure AD or AD DS [5].
  • Secure Key Storage: Never store the recovery key on the same disk that is being encrypted. Use a separate, secure location, such as a password vault, an encrypted USB drive, or a directory service.
  • TPM is Essential: Prioritize devices with TPM 2.0 for greater security and easier BitLocker management.
  • Preboot PIN/Password: For greater security of your operating system drive, consider setting up a preboot PIN or password in addition to the TPM. This requires the user to enter a PIN before Windows even loads, protecting against cold boot attacks.
  • Removable Drive Encryption: Encourage or require encryption of all removable drives (USB, external HDs) that may contain sensitive data.
  • Periodic Review: Regularly check the encryption status of devices and the accessibility of recovery keys.
  • User Education: Educate users about the importance of BitLocker, how to manage their recovery keys, and what to do if they experience problems.
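Moving an already-encrypted OS drive from TPM-only to TPM+PIN, as the "Preboot PIN/Password" tip recommends, is a protector swap rather than a re-encryption. The following is an added example, not code from the original article: it assumes the group policy "Require additional authentication at startup" (BitLocker Drive Encryption > Operating System Drives) allows a startup PIN, and the function name is this example's own.

```powershell
# Added example (not from the original article): replace the TPM-only
# protector on the OS drive with TPM+PIN. Assumes the policy "Require
# additional authentication at startup" permits a PIN; otherwise
# Add-BitLockerKeyProtector rejects the -TpmAndPinProtector request.
function Set-OsDriveTpmAndPin {
    param([string]$MountPoint = "C:")

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ("$($vol.VolumeType)" -ne "OperatingSystem") { throw "$MountPoint is not the OS drive." }

    # A recovery password must already exist: it is the fallback if the PIN is
    # forgotten, and it keeps the drive protected while TPM protectors change.
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector; add and escrow one before changing TPM protectors."
    }

    # Read the PIN as a SecureString so it does not appear in console history.
    $pin = Read-Host -AsSecureString "Enter the new preboot PIN (digits, 6-20)"

    # Only one TPM-family protector may exist on a volume, so remove the
    # existing TPM / TPM+startup-key protector before adding TPM+PIN.
    $vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -in @("Tpm", "TpmStartupKey") } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Expect RecoveryPassword and TpmPin in the resulting protector set.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Select-Object KeyProtectorType, KeyProtectorId
}

Set-OsDriveTpmAndPin -MountPoint "C:"
```

The PIN is requested at the next boot; keep the escrowed recovery key at hand for the first restart in case the policy or the TPM rejects the new protector.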

Common Troubleshooting

  • BitLocker does not activate: Check if the TPM is activated and configured correctly in BIOS/UEFI. Make sure the disk has an EFI/UEFI system partition (if it is an operating system drive). Check group policies that may be preventing activation.
  • Asking for Recovery Key at Startup: This may occur if there have been hardware changes (e.g. BIOS/UEFI update, motherboard change) or if the TPM has been disabled. Enter the recovery key. If it is frequent, investigate the root cause (e.g. unstable TPM, hardware problem).
  • Lost Recovery Key: If the recovery key is lost and there is no backup in an accessible location, the data on the encrypted drive may be unrecoverable. This is why secure backup is so critical.
  • Reduced Performance: Real-time encryption and decryption may cause a small drop in performance, especially on older hardware. Make sure the hardware meets performance requirements.
  • GPO/Intune issues: If BitLocker is being managed via GPO or Intune and there are issues, check policy enforcement, event logs on devices, and connectivity to Azure AD/AD DS for key backup.

Conclusion

Disk encryption with BitLocker is a powerful and essential tool for protecting data at rest on Windows devices. By implementing BitLocker, organizations can ensure that sensitive information is secure from unauthorized access in the event of hardware theft, loss, or improper disposal. Correct configuration, secure management of recovery keys, and adherence to best practices are critical to maximizing the effectiveness of BitLocker. With this guide, security analysts, IT administrators and systems engineers will be equipped to strengthen data security in their environments, contributing to a more robust security posture that complies with current requirements.


References:

[1] Microsoft Learn. BitLocker overview. Available at: https://learn.microsoft.com/pt-br/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview

[2] Microsoft Learn. BitLocker Planning Guide. Available at: https://learn.microsoft.com/pt-br/windows/security/operating-system-security/data-protection/bitlocker/planning-guide

[3] Microsoft Learn. Device encryption on Windows. Available at: https://support.microsoft.com/pt-br/windows/cryptia-de-dispósito-no-windows-cf7e2b6f-3e70-4882-9532-18633605b7df

[4] Microsoft Learn. Trusted Platform Module Technology Overview. Available at: https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-overview

[5] Microsoft Learn. Back up BitLocker recovery keys. Available at: https://learn.microsoft.com/pt-br/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan#bitlocker-recovery-key-storage