BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Here’s how to set it up.


When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to using BitLocker or VeraCrypt. BitLocker has been around in Windows long enough to be considered mature, and is an encryption product generally well-regarded by security pros. In this article, we’re going to talk about how you can set it up on your PC.


Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a “Device Encryption” feature (a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who can’t use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption won’t work.

Encrypt an Entire Drive or Create an Encrypted Container?

Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or VeraCrypt. It’s a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.


The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If you’d like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.

For this article, we’re going to concentrate on enabling BitLocker for an existing physical drive.

How to Encrypt a Drive with BitLocker


To use BitLocker for a drive, all you really have to do is enable it, choose an unlock method—password, PIN, and so on—and then set a few other options. Before we get into that, however, you should know that using BitLocker’s full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PC’s motherboard. This chip generates and stores the encryption keys that BitLocker uses. If your PC doesn’t have a TPM, you can use Group Policy to enable using BitLocker without a TPM. It’s a bit less secure, but still more secure than not using encryption at all.

You can encrypt a non-system drive or removable drive without TPM and without having to enable the Group Policy setting.

On that note, you should also know that there are two types of BitLocker drive encryption you can enable:

  • BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that encrypts an entire drive. When your PC boots, the Windows boot loader loads from the System Reserved partition, and the boot loader prompts you for your unlock method—for example, a password. BitLocker then decrypts the drive and loads Windows. The encryption is otherwise transparent—your files appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives than just the system drive.
  • BitLocker To Go: You can encrypt external drives—such as USB flash drives and external hard drives—with BitLocker To Go. You’ll be prompted for your unlock method—for example, a password—when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.

In Windows 7 through 10, you really don’t have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface you’ll use to enable BitLocker doesn’t look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you’ll see the BitLocker to Go branding, so we figured you should at least know about it.

So, with that out of the way, let’s go over how this actually works.

Step One: Enable BitLocker for a Drive

The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the “Turn on BitLocker” command. If you don’t see this option on your context menu, then you likely don’t have a Pro or Enterprise edition of Windows and you’ll need to seek another encryption solution.

It’s just that simple. The wizard that pops up walks you through selecting several options, which we’ve broken down into the sections that follow.

Step Two: Choose an Unlock Method

The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.

If you’re encrypting your system drive on a computer that doesn’t have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).


If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.

If you’re encrypting a non-system drive or removable drive, you’ll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).

Step Three: Back Up Your Recovery Key

BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main key—for example, if you forget your password or if the PC with TPM dies and you have to access the drive from another system.

You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether you’re encrypting a system or non-system drive.

If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safe—if someone gains access to it, they could decrypt your drive and bypass encryption.

You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When you’re done saving your recovery keys, click “Next” to move on.

Note: If you’re encrypting a USB or other removable drive, you won’t have the option of saving your recovery key to a USB drive. You can use any of the other three options.

Step Four: Encrypt and Unlock the Drive

BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire drive—including the free space—or just encrypt the used disk files to speed up the process. These options are also the same whether you’re encrypting a system or non-system drive.


If you’re setting up BitLocker on a new PC, encrypt the used disk space only—it’s much faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.

When you’ve made your selection, click the “Next” button.

Step Five: Choose an Encryption Mode (Windows 10 Only)

If you’re using Windows 10, you’ll see an additional screen letting you choose an encryption method. If you’re using Windows 7 or 8, skip ahead to the next step.

Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive you’re encrypting is only going to be used on Windows 10 PCs, go ahead and choose the “New encryption mode” option. If you think you might need to use the drive with an older version of Windows at some point (especially important if it’s a removable drive), choose the “Compatible mode” option.

Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the “Next” button when you’re done, and on the next screen, click the “Start Encrypting” button.

Step Six: Finishing Up

The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data you’re encrypting, and whether you chose to encrypt free space.

If you’re encrypting your system drive, you’ll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the “Continue” button, and then restart your PC when asked. After the PC boots back up for the first time, Windows encrypts the drive.

If you’re encrypting a non-system or removable drive, Windows does not need to restart and encryption begins immediately.

Whatever type of drive you’re encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encrypted—it will just perform more slowly.

Unlocking Your Drive

If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you won’t notice anything different—you’ll just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).


And if you’ve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.

If you’ve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if it’s a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.

In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).

You can manage a locked drive—change the password, turn off BitLocker, back up your recovery key, or perform other actions—from the BitLocker control panel window. Right-click any encrypted drive, and then select “Manage BitLocker” to go directly to that page.

Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data—for example, a laptop full of business documents—the enhanced security is well worth the performance trade-off.


When you store sensitive data on your computer, it's crucial that you take the necessary steps to protect that data (especially if you use a laptop or tablet). This is not just to stop the NSA from accessing your files, but it's more about preventing your private data from falling into the wrong hands in the slight chance you lose your device or it gets stolen.

One way you can protect your data is by using encryption. Briefly, encryption is the process of making any type of data unreadable by anyone without proper authorization. If you use encryption to scramble your data, it will continue to be unreadable even after sharing it with other people. In other words, only you with the right encryption key can make the data readable again.

Windows 10, similar to previous versions, includes BitLocker Drive Encryption, a feature that allows you to use encryption on your PC's hard drive and on removable drives to prevent prying eyes from snooping into your sensitive data.

In this Windows 10 guide, we'll walk you through the steps to set up BitLocker on your PC to make sure your sensitive data stays secure.

Things to know before diving into this guide

  • BitLocker Drive Encryption is available only on Windows 10 Pro and Windows 10 Enterprise.
  • For best results your computer must be equipped with a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features.
  • You can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication.
  • Your computer's BIOS must support TPM or USB devices during startup. If this isn't the case, you'll need to check your PC manufacturer's support website to get the latest firmware update for your BIOS before trying to set up BitLocker.
  • Your PC's hard drive must contain two partitions: a system partition, which contains the necessary files to start Windows, and the partition with the operating system. If your computer doesn't meet the requirements, BitLocker will create them for you. Additionally, the hard drive partitions must be formatted with the NTFS file system.
  • The process to encrypt an entire hard drive isn't difficult, but it's time-consuming. Depending on the amount of data and the size of the drive, it can take a very long time.
  • Make sure to keep your computer connected to an uninterrupted power supply throughout the entire process.

Important: While BitLocker is a stable feature on Windows 10, any significant change you make to your computer has its risks. It's always recommended that you make a full backup of your system before proceeding with this guide.

How to check if your device has a TPM chip

  1. Use the Windows key + X keyboard shortcut to open the Power User menu and select Device Manager.
  2. Expand Security devices. If you have a TPM chip, one of the items should read Trusted Platform Module with the version number.

Note: Your computer must have a TPM chip version 1.2 or later to support BitLocker.

Alternatively, you can also check your PC manufacturer's support website to find out if your device includes the security chip, and for instructions to enable the chip in the BIOS (if applicable).

Devices such as Surface Pro 3, Surface Pro 4, or Surface Book come with the TPM chip to support BitLocker encryption.

How to ensure you can turn on BitLocker without TPM

If your computer doesn't include a Trusted Platform Module chip, you won't be able to turn on BitLocker on Windows 10. If this is your case, you can still use encryption, but you'll need to use the Local Group Policy Editor to enable additional authentication at startup.

  1. Use the Windows key + R keyboard shortcut to open the Run command, type gpedit.msc, and click OK.
  2. Under Computer Configuration, expand Administrative Templates.
  3. Expand Windows Components.
  4. Expand BitLocker Drive Encryption and Operating System Drives.
  5. On the right side, double-click Require additional authentication at startup.

  6. Select Enabled.
  7. Make sure to check the 'Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)' option.
  8. Click OK to complete this process.

How to turn on BitLocker on the Operating system drive

Once you made sure BitLocker can be properly enabled on your computer, follow these steps:

  1. Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel.
  2. Click System and Security.
  3. Click BitLocker Drive Encryption.

  4. Under BitLocker Drive Encryption, click Turn on BitLocker.

  5. Choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. For the purpose of the guide, select Enter a password to continue.

  6. Enter a password that you'll use every time you boot Windows 10 to unlock the drive, and click Next to continue. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)

  7. You will be given the choices to save a recovery key to regain access to your files in case you forget your password. Options include:

    • Save to your Microsoft account
    • Save to a USB flash drive
    • Save to a file
    • Print the recovery

    Select the option that is most convenient for you, and save the recovery key in a safe place.

    Quick Tip: If you trust the cloud, you can choose to save your recovery key in your Microsoft account using the Save to your Microsoft account option. In which case, you can retrieve your encryption key at this location: https://onedrive.live.com/recoverykey.

  8. Click Next to continue.

  9. Select the encryption option that best suits your scenario:

    • Encrypt used disk space only (faster and best for new PCs and drives)
    • Encrypt entire drive (slower but best for PCs and drives already in use)

  10. Choose between the two encryption options:

    • New encryption mode (best for fixed drives on this device)
    • Compatible mode (best for drives that can be moved from this device)

      On Windows 10 version 1511, Microsoft introduced support for the XTS-AES encryption algorithm. This new encryption method provides additional integrity support and protection against new attacks that manipulate ciphertext to cause predictable modifications in the plaintext. BitLocker supports 128-bit and 256-bit XTS-AES keys.

  11. Click Next to continue.

  12. Make sure to check the Run BitLocker system check option, and click Continue.

  13. Finally, restart your computer to begin the encryption process.
  14. On reboot, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.

After rebooting, you'll notice that your computer will quickly boot to the Windows 10 desktop. However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you'll see that BitLocker is still encrypting your drive. Depending on the option you selected and the size of the drive, this process can take a long time, but you'll still be able to work on your computer.

Once the encryption process completes, the drive level should read BitLocker on.

You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC on File Explorer.

BitLocker Drive Encryption options

When BitLocker is enabled on your main hard drive, you'll get a few additional options, including:

  • Suspend protection: When you're suspending protection your data won't be protected. Typically, you would use this option when applying a new operating system, firmware, or hardware upgrade. If you don't resume the encryption protection, BitLocker will resume automatically during the next reboot.
  • Back up your recovery key: If you lose your recovery key, and you're still signed into your account, you can use this option to create a new backup of the key with the options mentioned on step 6.
  • Change password: You can use this option to create a new encryption password, but you'll still need to supply the current password to make the change.
  • Remove password: You can't use BitLocker without a form of authentication. You can remove a password only when you configure a new method of authentication.
  • Turn off BitLocker: In case you no longer need encryption on your computer, BitLocker provides a way to decrypt all your files. However, make sure to understand that after turning off BitLocker your sensitive data will no longer be protected. In addition, decryption may take a long time to complete depending on the size of the drive, but you can still use your computer.
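
The checks this guide performs by hand (TPM present, the "Allow BitLocker without a compatible TPM" policy, encryption progress, encryption mode, suspended protection, and whether a recovery key exists) can also be read from an elevated PowerShell prompt. The script below is an added example, not part of the original guide or any Microsoft tooling; the function names are illustrative, and it assumes the built-in `Get-Tpm` and `Get-BitLockerVolume` cmdlets and the `FVE` policy registry key that the Group Policy setting writes to.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit. It changes nothing and never prints recovery key values.

function Get-TpmState {
    # Get-Tpm can throw when no TPM is exposed to Windows; treat that as absent.
    try {
        $t = Get-Tpm -ErrorAction Stop
        [pscustomobject]@{ Present = $t.TpmPresent; Ready = $t.TpmReady }
    } catch {
        [pscustomobject]@{ Present = $false; Ready = $false }
    }
}

function Test-NoTpmPolicy {
    # Values set by "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" checked.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [bool]($p -and $p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1)
}

function Get-VolumeFinding {
    param([Parameter(Mandatory)] $Volume)

    $status     = [string]$Volume.VolumeStatus
    $protection = [string]$Volume.ProtectionStatus
    $method     = [string]$Volume.EncryptionMethod
    # Protector types only (Tpm, Password, RecoveryPassword, ...), never the secrets.
    $protectors = @(@($Volume.KeyProtector) | Where-Object { $_ } |
                    ForEach-Object { [string]$_.KeyProtectorType })

    $findings = @()
    if ($status -eq 'FullyDecrypted') {
        $findings += 'not encrypted'
    } else {
        if ($status -ne 'FullyEncrypted') {
            $findings += "encryption not finished ($status, $($Volume.EncryptionPercentage)%)"
        } elseif ($protection -ne 'On') {
            $findings += 'encrypted but protection is off, as after "Suspend protection"'
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector, so no recovery key to back up'
        }
    }

    # Map the cipher name to the wizard's wording.
    $mode = switch -Wildcard ($method) {
        'XtsAes*' { "new encryption mode ($method)" }
        'Aes*'    { "compatible mode ($method)" }
        default   { $method }
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = [string]$Volume.VolumeType
        Mode       = $mode
        Protectors = $protectors -join ', '
        Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$tpm = Get-TpmState
"TPM present: $($tpm.Present), ready: $($tpm.Ready)"
if (-not $tpm.Present) {
    "Policy 'Allow BitLocker without a compatible TPM' enabled: $(Test-NoTpmPolicy)"
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        ForEach-Object { Get-VolumeFinding -Volume $_ } |
        Format-Table -AutoSize -Wrap
} else {
    'BitLocker cmdlets not found; this edition of Windows likely does not include BitLocker.'
}
```

Any volume whose Findings column is not `ok` needs attention before you rely on it: resume protection, let encryption finish, or add and back up a recovery key.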

How to turn on BitLocker To Go

BitLocker is not an encryption feature that you can enable globally on every drive connected to your computer at once. It has two parts: you can use BitLocker Drive Encryption to encrypt your sensitive data on the main hard drive of your PC, and then you can use BitLocker To Go. This last feature will help you to use encryption on removable drives and secondary hard drives connected to your computer.

To turn on BitLocker To Go on a removable drive do the following:

  1. Connect the drive you want to use with BitLocker.
  2. Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel.
  3. Click System and Security.
  4. Click BitLocker Drive Encryption.

  5. Under BitLocker To Go, expand the drive you want to encrypt.
  6. Click the Turn on BitLocker link.

  7. Check the Use a password to unlock the drive option, and create a password to unlock the drive. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)
  8. Click Next to continue.

  9. You will be given the choices to save a recovery key to regain access to your files in case you forget your password. Options include:

    • Save to your Microsoft account
    • Save to a file
    • Print the recovery

    Select the option that is most convenient for you, and click Next.

  10. Choose the encryption option that best suits your scenario:

    • Encrypt used disk space only (faster and best for new PCs and drives)
    • Encrypt entire drive (slower but best for PCs and drives already in use)

  11. Select between the two encryption options:

    • New encryption mode (best for fixed drives on this device)
    • Compatible mode (best for drives that can be moved from this device)

      In this step, it is recommended that you select the 'Compatible mode,' as it will ensure you can unlock the drive if you move it to another computer running a previous version of the operating system.

  12. Click Start encrypting to finish the process.

When encrypting a storage device, try to start with empty removable media, as it'll speed up the process; new data will then be encrypted automatically.

In addition, similar to BitLocker Drive Encryption, you will get the same additional options using BitLocker To Go, plus a few more, including:

  • Add smart card: This option will allow you to configure a smart card to unlock the removable drive.
  • Turn on auto-unlock: Instead of having to type a password every time you re-connect the removable drive, you can enable auto-unlock to access your encrypted data without entering a password.

Quick access to manage your BitLocker drive

Whether you turn on BitLocker for your system hard drive or removable drive, you can always get quick access to the BitLocker settings for a particular drive using the following steps:

  1. Use the Windows key + E keyboard shortcut to open File Explorer.
  2. Click This PC from the left pane.
  3. Right-click the encrypted drive and select Manage BitLocker.

Wrapping things up

While Microsoft only includes BitLocker on Windows 10 Pro and Enterprise, this is one of those features that should be standard in every edition, including Windows 10 Home. Even more so considering that we continue to move into a digital world where, every day, we're creating more sensitive data on our computers than ever before, and data encryption is crucial to protect that data from prying eyes.

It's worth pointing out that enabling data encryption may slightly slow down the performance of your device due to the encryption process that will continue to run in the background. However, it's a feature worth using to keep your sensitive data secure.
