Windows Full Disk Encryption - University of Glasgow · Windows Full Disk Encryption This guide...
5
Windows Full Disk Encryption This guide takes you through the process of configuring Microsoft BitLocker full disk encryption on a system running Windows 7 or later. BitLocker can be enabled on an existing system – that is, existing data is kept and there should be no need to reinstall things. However, it is highly recommended that all important data be backed up first. TPM First, we must ensure the Trusted Platform Module (TPM) chip is enabled and active. You should check this in the system BIOS/UEFI. If you find that you can’t enable BitLocker, it’s probably due to the TPM not being enabled or activated. Enable TPM Activate TPM
Transcript of Windows Full Disk Encryption - University of Glasgow · Windows Full Disk Encryption This guide...
WindowsFullDiskEncryptionThisguidetakesyouthroughtheprocessofconfiguringMicrosoftBitLockerfulldiskencryptiononasystemrunningWindows7orlater.BitLockercanbeenabledonanexistingsystem–thatis,existingdataiskeptandthereshouldbenoneedtoreinstallthings.However,itishighlyrecommendedthatallimportantdatabebackedupfirst.
TPMFirst,wemustensuretheTrustedPlatformModule(TPM)chipisenabledandactive.YoushouldcheckthisinthesystemBIOS/UEFI.Ifyoufindthatyoucan’tenableBitLocker,it’sprobablyduetotheTPMnotbeingenabledoractivated.
EnableTPM
ActivateTPM
BitLockerToenableBitLocker,inWindowsExplorerright-clickonthesystemdrive(oranyotherdriveyouwanttoencrypt)andselectTurnBitLockeron.
Thiswillstarttheprocessbyfirstcheckingthesystem’sconfiguration.Afterthat,thesystemwillneedtoberestarted.BitLockerwillthenbeginitssetup.
NOTE:Youmaybeaskedhowmuchofyourdriveyouwishtoencrypt.Theoptionsareusedspaceonlyorentiredrive.Ifthisisabrandnewcomputer,youcanselecttheusedspaceoption.Otherwise,it’ssafesttochooseentiredisc.
NOTE:ForWindows10youmaybeaskedanadditionalquestionduringtheprocessaboutwhetheryouwanttousethenewerXTS-AESencryption.Werecommendyouselectthisoptionforsystemdriveencryption.
RecoveryKeyYouwillthenbeaskedhowyouwouldliketostoreyourrecoverykey.Thisisanimportantstep,asthekeymayberequiredatalaterdate.Forexample,whenevercertainchangesorupgradesaremadetothehardware,BitLockermayrequiretherecoverykeytobeentered.
Werecommendthatyoustoretherecoverykeyinasecurenetworkdrive,onamemorystick,orprintacopyandkeepitinasafeplace.(Considerdoingmorethanoneofthese).Forobviousreasons,thesystemwillnotallowstoringthekeyinthedriveyouareencrypting!
Oncetherecoverykeyissaved,thedriveisreadytobeencrypted.WerecommendthatyouruntheBitLockersystemcheck,toensurethatthesystemcansuccessfullyusetherecoverykey.
Thesystemwillthenneedtoberestartedagain,afterwhichtheencryptionprocessbegins.
Oncethesystemhasrestarted,youwillnownoticeinWindowsExplorerthatthereisapadlockonthedrive,whichdenotesthatBitLockeristunedonforthisdrive.
IntheBitLockerDriveEncryptioncontrolpanel,you’llseethatthedriveisEncrypting.Oncecompleted,theBitLockercontrolpanelwillconfirmthatBitLockerison.
You’llbeabletousethesystemwhilstthedriveisbeingencrypted,howeverwhilstthisisinprogress,itmaybesluggish,andthenreturntonormaloncetheencryptionprocessiscomplete(whichcouldbeafewhours,orlonger,soconsiderlettingitrunovernight).Thereafter,BitLockershouldhavenonoticeableeffectonsystemperformance.
AdvancedmanagementThecommandlinetoolprovidesfurtherinformationaboutthesystem’sdisksandtheirBitLockerstatus,aswellasallowingyoutocontrolotheraspectsofdiskencryption.Wecanuseittoalsomonitorthediscencryptionprogress,shownbelowviathecommand,manage-bde-status.Formorefunctionalityseetheoutputfromthecommandmanage-bde-?.
NOTE:Yourequirelocaladminrightstorunmanage-bdecommands.
