windows full disk encryption - university of glasgow · windows full disk encryption this guide...

WindowsFullDiskEncryptionThisguidetakesyouthroughtheprocessofconfiguringMicrosoftBitLockerfulldiskencryptiononasystemrunningWindows7orlater.BitLockercanbeenabledonanexistingsystem–thatis,existingdataiskeptandthereshouldbenoneedtoreinstallthings.However,itishighlyrecommendedthatallimportantdatabebackedupfirst.

TPMFirst,wemustensuretheTrustedPlatformModule(TPM)chipisenabledandactive.YoushouldcheckthisinthesystemBIOS/UEFI.Ifyoufindthatyoucan’tenableBitLocker,it’sprobablyduetotheTPMnotbeingenabledoractivated.

EnableTPM

ActivateTPM

BitLockerToenableBitLocker,inWindowsExplorerright-clickonthesystemdrive(oranyotherdriveyouwanttoencrypt)andselectTurnBitLockeron.

Thiswillstarttheprocessbyfirstcheckingthesystem’sconfiguration.Afterthat,thesystemwillneedtoberestarted.BitLockerwillthenbeginitssetup.

NOTE:Youmaybeaskedhowmuchofyourdriveyouwishtoencrypt.Theoptionsareusedspaceonlyorentiredrive.Ifthisisabrandnewcomputer,youcanselecttheusedspaceoption.Otherwise,it’ssafesttochooseentiredisc.

NOTE:ForWindows10youmaybeaskedanadditionalquestionduringtheprocessaboutwhetheryouwanttousethenewerXTS-AESencryption.Werecommendyouselectthisoptionforsystemdriveencryption.

RecoveryKeyYouwillthenbeaskedhowyouwouldliketostoreyourrecoverykey.Thisisanimportantstep,asthekeymayberequiredatalaterdate.Forexample,whenevercertainchangesorupgradesaremadetothehardware,BitLockermayrequiretherecoverykeytobeentered.

Werecommendthatyoustoretherecoverykeyinasecurenetworkdrive,onamemorystick,orprintacopyandkeepitinasafeplace.(Considerdoingmorethanoneofthese).Forobviousreasons,thesystemwillnotallowstoringthekeyinthedriveyouareencrypting!

Oncetherecoverykeyissaved,thedriveisreadytobeencrypted.WerecommendthatyouruntheBitLockersystemcheck,toensurethatthesystemcansuccessfullyusetherecoverykey.

Thesystemwillthenneedtoberestartedagain,afterwhichtheencryptionprocessbegins.

Oncethesystemhasrestarted,youwillnownoticeinWindowsExplorerthatthereisapadlockonthedrive,whichdenotesthatBitLockeristunedonforthisdrive.

IntheBitLockerDriveEncryptioncontrolpanel,you’llseethatthedriveisEncrypting.Oncecompleted,theBitLockercontrolpanelwillconfirmthatBitLockerison.

You’llbeabletousethesystemwhilstthedriveisbeingencrypted,howeverwhilstthisisinprogress,itmaybesluggish,andthenreturntonormaloncetheencryptionprocessiscomplete(whichcouldbeafewhours,orlonger,soconsiderlettingitrunovernight).Thereafter,BitLockershouldhavenonoticeableeffectonsystemperformance.

AdvancedmanagementThecommandlinetoolprovidesfurtherinformationaboutthesystem’sdisksandtheirBitLockerstatus,aswellasallowingyoutocontrolotheraspectsofdiskencryption.Wecanuseittoalsomonitorthediscencryptionprogress,shownbelowviathecommand,manage-bde-status.Formorefunctionalityseetheoutputfromthecommandmanage-bde-?.

NOTE:Yourequirelocaladminrightstorunmanage-bdecommands.