BitLocker is a drive encryption tool owned and developed by Microsoft for Windows operating systems. BitLocker helps to ensure the safety of your system’s files by locking them with strong encryption algorithms: it encrypts the hard drives you specify with AES.
BitLocker is secure without a PIN because there are multiple ways to set up BitLocker. You can use a trusted platform module (TPM) or a traditional password, and back up the recovery key to your Microsoft account or a flash drive for decryption.
How does BitLocker work?
BitLocker encrypts your hard drive to prevent unauthorized access and theft. A main use case of an encrypted hard drive is for a traveling employee for an organization that works with proprietary or sensitive data.
Encrypting the employee’s devices protects that data should the devices be stolen. Upon powering the machine on, an attacker would be presented with a decryption prompt and stopped in their tracks.
Decrypting a BitLocker-encrypted hard drive is near impossible without the recovery key, PIN, or password. A good practice is to always back up the recovery key for your encrypted devices in case you forget the PIN or password needed to unlock them.
BitLocker requires you to have a trusted platform module (TPM) on your motherboard in order to be enabled. A trusted platform module (TPM) has several functions such as:
- Scanning the motherboard firmware (BIOS) for unauthorized modifications
- Holding the data from notebook and laptop fingerprint readers or smart card readers. It is an awesome piece of hardware!
- Protection against rootkits and some bootkits, which are malware that infects the device at the root level or in the BIOS.
- Storage of encryption keys, certificates, and passwords.
You can also configure BitLocker to use the TPM with or without a PIN. If you don’t have a PIN you can opt to use a password or USB flash drive for decrypting your hard drive on startup.
The setup for BitLocker is relatively simple. You must select the hard drive you want to encrypt and then go through the setup process. You will need to choose your unlock settings; you have two options:
- Insert a USB Flash Drive
- Enter a Password
In my opinion you can never have too many security measures in place, so it is wise to choose both options for additional protection. Make sure your USB flash drive is free of data and that you have nothing important on it before using it for BitLocker.
Ensure that you create a strong password as well. Remember, just because you are using encryption and other security measures doesn’t mean your password practice should be lacking; choose a strong password with at least 12 characters and a mixture of numbers, letters (upper case/lower case), and special symbols.
Backing up your recovery key is absolutely essential in order to keep your data safe and be able to access it later. Again, there are many options here to choose from. If you have an activated Microsoft account, backing up your recovery key to it is a good idea.
Your account is in the cloud and it will be safe as long as your account has strong sign-in security such as two-factor authentication (2FA) and a strong password.
Saving your recovery key to a flash drive is great but make sure you don’t lose it! It is a good idea to save the recovery key to two or three flash drives. You can also store one on your keychain, give it to your most trusted friend for worst case scenarios, and store one in a secret place in your house.
Saving your recovery key to a file is a good idea too. You set this up by saving it as a .TXT file on your local machine. NOTE: you cannot save the recovery key file on the hard drive you are encrypting with BitLocker.
In my opinion, it is wise to have a fail-safe in place and choose all three of these methods to back up your recovery key. If you are concerned about your key being in the cloud then opt for the offline techniques (USB flash drive & save to file) to back up your recovery key.
In addition to implementing some or all of the mentioned options for recovery key backup, you should have a printed form or physical copy of the key. Digital storage is great and convenient but you can’t go wrong with a physical copy as well.
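The setup and backup steps above, as an added PowerShell example that is not part of the original article: it turns on BitLocker for the OS drive with a TPM + PIN protector, adds a recovery password, saves that key to a file that is not on the drive being encrypted (the NOTE above), and confirms the result. It assumes an elevated session, a TPM, and that E: is a separate USB flash drive; the drive letters and folder name are placeholders.

```powershell
# Added example (not the article's own code): enable BitLocker with TPM + PIN, add a
# recovery password protector, and back the recovery key up to an offline drive.
# Assumes an elevated PowerShell session, a TPM, and that E: is a USB flash drive that is
# NOT the volume being encrypted. Drive letters and folder names are placeholders.
$OsDrive   = "C:"
$BackupDir = "E:\BitLockerRecovery"

# BitLocker refuses to save the recovery key on the drive it is encrypting; check up front.
if ($BackupDir.StartsWith($OsDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Recovery key backup location must not be on the drive being encrypted."
}

# Prompt for the PIN so it never lands in shell history or in a script file.
$Pin = Read-Host -AsSecureString -Prompt "Enter a BitLocker PIN (6+ digits)"

# Turn on BitLocker with XTS-AES-256 and a TPM+PIN protector. -SkipHardwareTest skips the
# reboot-and-test cycle; drop it if you want BitLocker to verify the TPM/PIN path first.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
    -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest

# Add a 48-digit recovery password as a second protector (this is the "recovery key").
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# Save every recovery password protector to a text file on the offline backup drive.
$Volume   = Get-BitLockerVolume -MountPoint $OsDrive
$Recovery = $Volume.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($p in $Recovery) {
    $file = Join-Path $BackupDir ("BitLocker-Recovery-Key-{0}.txt" -f $p.KeyProtectorId.Trim('{}'))
    @(
        "BitLocker Drive Encryption recovery key",
        "Volume:       $OsDrive",
        "Identifier:   $($p.KeyProtectorId)",
        "Recovery Key: $($p.RecoveryPassword)"
    ) | Set-Content -Path $file -Encoding UTF8
    Write-Host "Recovery key saved to $file"
    # Optional cloud copy for devices joined to Microsoft Entra ID (Azure AD); a personal
    # Microsoft account is escrowed through the Windows Settings UI instead.
    # BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId
}

# Confirm encryption status and that both protectors (TpmPin, RecoveryPassword) are present.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Print the saved file for the physical copy the article recommends, then delete nothing from the USB drive until you have confirmed the printout is legible.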
Drives you should encrypt
Encrypting the hard drives that hold your most sensitive data is probably a good idea. You can also encrypt your operating system (OS) hard drive, but you must have a USB recovery drive set up.
Before using BitLocker you must determine why you are using it. Ask yourself these questions:
- Do I need to protect my data from unauthorized disclosure?
- Am I going to be traveling with my device in areas it could be stolen?
- Do I need protection for my operating system or other connected drives?
- What data is sensitive on my device and does it need to be there or can it be moved somewhere else?
The way you answer these questions will help you to decide if BitLocker is the best choice for your device or hard drives. BitLocker is great but it isn’t always necessary; remember it is not a free tool for the basic home version of Windows. You must have a professional license or pay $100 for a professional license which includes BitLocker in the features.
What are the features of BitLocker?
- Can encrypt removable storage media (USB flash drives, external HDDs/SSDs etc.)
- Utilizes a TPM for a robust security defense against a variety of attacks and for storage of PINs, fingerprints, and digital certificates
- Easy to setup and deploy
- Uses AES-128 or AES-256 encryption algorithms which are extremely difficult to break
- Multiple setup and recovery key options
To summarize, BitLocker is a great tool to encrypt your hard drives or removable storage devices. It supports a very powerful encryption algorithm, many setup options, and is very easy to use.
If you have a Windows Professional License or are willing to pay to upgrade, you can have access to many features like device encryption with BitLocker, Hyper-V (for virtualization), and more!