Windows 10: The Microsoft Bitlocker Data Encryption Guide

The surge in remote work means that off-site devices have access to highly sensitive information.  If one of these devices is lost or stolen, an attacker may gain access to the data it contains.

BitLocker is a full-disk encryption tool built into the Windows operating system.  Enabling disk encryption is essential to protecting an organization against data breaches.

What is BitLocker?

BitLocker is a full-disk encryption tool that Microsoft has built into the Windows operating system.  BitLocker is available in the business-focused versions of Windows with a more limited version of data encryption included in the Home edition.

The full disk encryption (FDE) functionality is designed to protect data at rest on a Windows computer.  Without an FDE solution like BitLocker, all data is stored unencrypted on the computer's storage, meaning that an attacker can read sensitive data directly from the disk.

With BitLocker, data is stored encrypted using the Advanced Encryption Standard (AES).  The keys used to encrypt and decrypt data are themselves stored encrypted when not in use and are kept in the trusted platform module (TPM).  A TPM is a chip within the computer with hardware-based protections that secure the data stored on it.

When the user authenticates to the system, the disk encryption keys are unlocked.  This makes it possible for Windows to decrypt the files stored on the drive.

Why Are BitLocker And Data Encryption Important?

Encryption is the most effective method for ensuring data security.  Modern encryption algorithms are secure against all known attacks.  This means that only someone with knowledge of the encryption key can access the protected data.

The full disk encryption solution is designed to protect against cases where an attacker has access to a device.  This could occur in a number of different scenarios, such as:

  • Lost/Stolen Devices: Laptops are increasingly used in business, and they are easily lost or stolen from homes, offices, or public places such as coffee shops and public transport.  In 2019, the home was the most common place for devices to be lost or stolen, a trend that is expected to continue in 2020.
  • Discarded Devices: Computers are commonly discarded without properly wiping or destroying their storage.  Some groups purchase these discarded devices to look for sensitive information that they may contain.
  • Rogue Employees: Rogue employees are behind many data leaks.  If an IT administrator is notified of these threats via a threat detection tool, BitLocker can be used to mitigate the issue by revoking access to the data stored on the device.

Under any of these circumstances, an attacker’s physical access to the device (even without knowledge of the password) could result in a data breach or provide the opportunity to install malware on the computer.  Full disk encryption provides protection against these threats because a computer is not usable and its data is unreadable without knowledge of the associated password.

BitLocker is an easy-to-use solution to this problem.  By enabling it on a computer, all data is encrypted and protected by the user’s password.  As long as the password is strong and random, BitLocker is secure against attack barring unknown vulnerabilities or unusual circumstances like cold boot attacks.

Who Should Be Using BitLocker?

Full disk encryption is a necessary part of a data security strategy.  It provides protection against threats where theft or negligence provides an attacker with direct access to a corporate device.

All organizations should be using BitLocker to protect their Windows computers, and this is especially true for organizations and computers with access to high-value, sensitive information.  Many data protection regulations, such as HIPAA, require a data encryption solution to be in place on any device storing protected health information (PHI).

The use of data encryption protects an organization against legal liability and regulatory penalties.  If a data breach occurs but all breached data is encrypted (and the encryption key is not exposed), the breach is not reportable under most data protection laws.  The encryption algorithms used in tools like BitLocker are strong enough that regulatory authorities have no concerns about attackers being able to break them and access the protected data.

How To Set Up BitLocker for Data Encryption

BitLocker is designed to be easy to use on Windows.  To enable it, follow the three steps for your edition:

Home Edition

  1. Open Device Encryption: Using an Administrator account, type Device encryption in the Windows Search bar and select the Device Encryption Option.
  2. Enable Device Encryption: Click the Turn On button to enable encryption and follow any additional prompts.
  3. Get Recovery Key: Click on BitLocker settings, then select Back up your recovery key.  Store a copy of this key in a safe place in case the computer is locked and the unlocking password is lost.

Business Editions

  1. Open BitLocker: Type Manage BitLocker in the Windows Search bar and select it from the list of results.
  2. Enable BitLocker: Click the Turn on BitLocker button to turn on BitLocker's device encryption and follow any additional prompts.
  3. Confirm Encryption: At this point, full disk encryption should be enabled on the device.
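For the business editions, the same steps (check the TPM, enable BitLocker, create and back up a recovery key, confirm the result) can be scripted for fleet rollout.  The following is an added example, not code from the original post or from Prey; it assumes a Windows Pro/Enterprise/Education host with the built-in BitLocker PowerShell module, an elevated session, and (for the optional escrow step) a domain-joined machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): enable BitLocker on the OS drive
# with a TPM protector plus a recovery password, then verify the result.
$OsDrive = $env:SystemDrive   # normally "C:"

# 1. Confirm a TPM is present and ready; the TPM protector depends on it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; initialize it before enabling BitLocker."
}

# 2. Make sure a recovery password protector exists. This is the "recovery key"
#    the post tells you to back up; it is the only way in if the TPM refuses
#    to release the key (firmware change, board swap, lost password).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Enable encryption only if the drive is still in the clear, so the script
#    is safe to re-run. XTS-AES 256 is the strongest method Windows 10 offers.
#    Omit -UsedSpaceOnly on drives that previously held sensitive data, so
#    old free-space remnants are encrypted as well.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
}

# 4. Escrow the recovery password in Active Directory so an administrator can
#    unlock the device later. Optional: on a stand-alone machine this fails
#    and the warning below tells you to store the key manually instead.
try {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $recovery.KeyProtectorId
} catch {
    Write-Warning "AD escrow failed ($($_.Exception.Message)); store the recovery password in a safe place."
}

# 5. Report the state an auditor would check. ProtectionStatus becomes 'On'
#    once VolumeStatus reaches 'FullyEncrypted'.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
[pscustomobject]@{
    Drive            = $OsDrive
    ProtectionStatus = $vol.ProtectionStatus
    VolumeStatus     = $vol.VolumeStatus
    EncryptionMethod = $vol.EncryptionMethod
    Protectors       = ($vol.KeyProtector.KeyProtectorType -join ', ')
}
```

Step 5 alone (Get-BitLockerVolume) is also what to run across the fleet to find devices whose ProtectionStatus is still Off.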

Using BitLocker with Prey

Prey makes it possible to easily enable BitLocker for any managed device running Windows Professional, Enterprise, or Education.  To learn how to do so, check out this post.

About the author

Norman Gutiérrez

Norman Gutiérrez is our Security Researcher at Prey, one of the leading companies in the security and mobility industry, with more than 8 million users worldwide. In addition to this, Norm is Prey's Content and Communication Specialist, and our Infosec ambassador. Norm has worked for several tech media outlets such as FayerWayer and Publimetro, among others. In his free time, Norman enjoys videogames, cool gadgets, music, and fun board games.