This is a short guide with pictures that will hopefully explain how to set up Bitlocker drive encryption for your Windows system, and get you on your way towards a more secure computer.
Bitlocker can encrypt the whole system drive or just a single partition. It uses 128-bit AES by default, but it can be switched to 256-bit AES. Let me just say that 128-bit is entirely sufficient, and there is very little reason to use 256-bit: it costs extra CPU time on every read and write and is not what makes or breaks your security.
Setting AES 256bit
If you're dealing with highly classified information, or your system's performance is not a concern, you can change the Bitlocker policy to use 256-bit AES. 256-bit mode also raises the number of AES rounds from 10 to 14, which is where the extra cost comes from. To set it, open the Local Group Policy Editor (type gpedit.msc into the search box) and navigate to the path below:
The path is:
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption
“Choose drive encryption method and cipher strength”
Set this policy to Enabled and then choose the cipher strength you want. The setting only affects drives encrypted after it is applied; a drive that is already encrypted keeps the method it was encrypted with.
Setting Up Bitlocker Without TPM
Many systems don't have a TPM, so we need to tell Bitlocker to accept a password instead of one. In the same Group Policy folder as above, open the "Operating System Drives" subfolder.
Open "Require additional authentication at startup", set it to Enabled, and make sure the box "Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)" is ticked. Don't disable the policy: Disabled means the TPM requirement stays, which is the opposite of what we want.
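The two policy changes above can also be made from an elevated PowerShell prompt, which is handy on a machine without gpedit.msc (Home editions) or when you want to script it. This is an added example, not part of the original guide; it writes the registry values that the Local Group Policy Editor itself writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. The EncryptionMethodWithXts* values go beyond the text: they are the ones Windows 10 build 1511 and later read for this policy, where 7 selects XTS-AES 256, while older builds read EncryptionMethod, where 4 selects AES 256.

```powershell
# Added example (not from the original guide): apply "Choose drive encryption
# method and cipher strength" = AES 256 and "Require additional authentication
# at startup" = Enabled + "Allow BitLocker without a compatible TPM" by writing
# the same registry policy values gpedit.msc writes. Run as Administrator.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Cipher strength.
#   Windows 7/8 read EncryptionMethod:
#     1 = AES 128 + diffuser, 2 = AES 256 + diffuser, 3 = AES 128, 4 = AES 256
#   Windows 10 1511+ read EncryptionMethodWithXts{Os,Fdv,Rdv}:
#     3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
Set-ItemProperty -Path $fve -Name EncryptionMethod -Value 4 -Type DWord
foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
    Set-ItemProperty -Path $fve -Name $name -Value 7 -Type DWord
}

# Startup authentication: policy Enabled, no-TPM allowed, and every TPM
# option set to 2 ("Allow"), which is what the Enabled policy's defaults are.
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -Type DWord
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

# Re-read policy now instead of waiting for a reboot, then show what is set.
gpupdate /force | Out-Null
Get-ItemProperty -Path $fve |
    Format-List EncryptionMethod*, UseAdvancedStartup, EnableBDEWithNoTPM
```

After running this, gpedit.msc shows both policies as Enabled with the chosen options, and the Bitlocker wizard will offer a password instead of refusing to start because no TPM is present.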
Set Up Of Bitlocker
Restart the system (or run gpupdate /force from an elevated prompt) if you've done either of the above, so the policy is picked up. Now we get to the set-up of Bitlocker itself. It's very simple:
First we choose the drive to encrypt.
You can encrypt your OS partition or any other partition. For the most security you'll want the OS encrypted: this prevents an attacker with physical access to the powered-off machine from reading or manipulating the system files.
Once you choose the drive it’s time to set a password.
Remember, a good password is long and mixes character types: lower case, upper case, symbol, number (aB#4). Stick to characters that exist on a standard US keyboard layout. The password dialog in Windows accepts anything, but the pre-boot prompt uses the US layout regardless of what you use in Windows, so a character typed with another layout or an Alt code will not match and you'll be locked out.
You will be asked to save a recovery key. This is the dangerous part: the recovery key unlocks the drive without your password, so whoever gets hold of it gets your data. You have three options if you want to be secure:
1) Print the key and hide it well. My least favorite option.
2) Save the key to a file and keep it on a separate USB stick, which you can hide or encrypt.
3) Save the key to a file and delete that file after a reboot. Be aware that this leaves you with no way back in if you forget the password or the boot environment changes in a way Bitlocker rejects; the data on that drive is then gone for good.
Now you choose whether to encrypt the entire partition or just the used space ("Used Disk Space Only"). If you choose to skip the free space, anything that was ever written to the drive and later deleted stays there in the clear, and an attacker can recover it with ordinary file-carving tools. Used-space-only is fine for a brand-new drive; on anything that has held data, I highly suggest you encrypt the full partition.
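The same set-up steps, from choosing the drive through saving the recovery key and picking full-volume encryption, can be done from an elevated PowerShell prompt with the built-in BitLocker module. This is an added example, not part of the original guide. It assumes the policy changes from the previous sections are in place, that the OS volume is C:, and that a USB stick is mounted at the drive letter in $RecoveryDrive (an assumption; change it to yours).

```powershell
# Added example (not from the original guide): set up Bitlocker on the OS
# drive with a password, a recovery key saved to removable media, and
# full-volume encryption. Run as Administrator.
Import-Module BitLocker

$OsDrive       = 'C:'
$RecoveryDrive = 'E:'   # assumption: your USB stick's drive letter

# Step 1: choose the password. Read-Host -AsSecureString keeps it out of the
# command history. Use only characters found on a US keyboard layout, since
# that is the layout the pre-boot prompt uses.
$password = Read-Host -AsSecureString -Prompt "Bitlocker password for $OsDrive"

# Step 2: turn on Bitlocker with a password protector. No -EncryptionMethod is
# given, so the cipher comes from the Group Policy set earlier. No -UsedSpaceOnly
# switch is given, so the whole volume, free space included, is encrypted.
# Without -SkipHardwareTest, Windows runs the pre-boot password check on the
# next restart and begins encrypting only if it passes.
Enable-BitLocker -MountPoint $OsDrive -PasswordProtector -Password $password

# Step 3: add a recovery password and write it to the USB stick, not to the
# OS volume that is about to be encrypted.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
@(
    "BitLocker recovery key for $OsDrive"
    "Identifier:        $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Set-Content -Path "$RecoveryDrive\BitLocker-recovery-$($OsDrive.TrimEnd(':')).txt"

# Step 4: check the state. VolumeStatus moves from EncryptionInProgress to
# FullyEncrypted, and ProtectionStatus shows On once encryption is complete.
Get-BitLockerVolume -MountPoint $OsDrive |
    Format-List MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Run the last Get-BitLockerVolume line again after the restart to watch EncryptionPercentage climb; until it reads FullyEncrypted, the parts of the disk not yet processed are still plaintext.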
Bitlocker Should Be Set Up
If you've followed these steps Bitlocker should be set up properly. For the average user the performance hit (with default settings) should be very small.
It's important to state that Bitlocker only protects your information while the system is powered off. If the system is on, or merely asleep (the encryption key stays in RAM during sleep, so treat that as "on"), you are vulnerable. It will not prevent keyloggers, viruses, or any other type of malware; all it prevents is someone reading or tampering with the data at rest on the device.