The surge in remote work means that off-site devices have access to highly-sensitive information. If these devices are lost or stolen, then an attacker may gain access to the data that they contain.
BitLocker is a full-disk encryption tool built into the Windows operating system. Enabling disk encryption is essential to protecting an organization against data breaches.
What is BitLocker?
BitLocker is a full-disk encryption tool that Microsoft has built into the Windows operating system. BitLocker is available in the business-focused versions of Windows with a more limited version of data encryption included in the Home edition.
The full disk encryption (FDE) functionality is designed to protect data at rest on a Windows computer. Without an FDE solution like BitLocker, all data is stored unencrypted in the computer’s storage system, meaning that an attacker who obtains the disk can read sensitive data directly from it.
With BitLocker, data is stored encrypted using the Advanced Encryption Standard (AES). The keys used to encrypt and decrypt the data are themselves stored encrypted when not in use and are kept in the trusted platform module (TPM). A TPM is a chip within the computer with hardware-based protections that secure the data stored on it.
When the user authenticates to the system, the disk encryption keys are unlocked. This makes it possible for Windows to decrypt the files stored on the drive.
Why Are BitLocker And Data Encryption Important?
Encryption is the most effective method for ensuring data security. Modern encryption algorithms are secure against all known attacks. This means that only someone with knowledge of the encryption key can access the protected data.
The full disk encryption solution is designed to protect against cases where an attacker has access to a device. This could occur in a number of different scenarios, such as:
- Lost/Stolen Devices: Laptops are increasingly used in business, and they are easy to lose, or to have stolen, from homes and businesses or in public places like coffee shops and public transport. In 2019, the home was the most common place for devices to be lost or stolen, a trend that is expected to continue in 2020.
- Discarded Devices: Computers are commonly discarded without properly wiping or destroying their storage. Some groups purchase these discarded devices to look for sensitive information that they may contain.
- Rogue Employees: Rogue employees are behind many data leaks. If an IT administrator is notified of these threats via a threat detection tool, BitLocker can be used to mitigate the issue by revoking access to the data stored on the device.
Under any of these circumstances, an attacker’s physical access to the device (even without knowledge of the password) could result in a data breach or provide the opportunity to install malware on the computer. Full disk encryption provides protection against these threats because a computer is not usable and its data is unreadable without knowledge of the associated password.
BitLocker is an easy-to-use solution to this problem. By enabling it on a computer, all data is encrypted and protected by the user’s password. As long as the password is strong and random, BitLocker is secure against attack barring unknown vulnerabilities or unusual circumstances like cold boot attacks.
Who Should Be Using BitLocker?
Full disk encryption is a necessary part of a data security strategy. It provides protection against threats where theft or negligence provides an attacker with direct access to a corporate device.
All organizations should be using BitLocker to protect their Windows computers, and this is especially true for organizations and computers with access to high-value, sensitive information. Many data protection regulations, such as HIPAA, require a data encryption solution to be in place on any device storing protected health information (PHI).
The use of data encryption protects an organization against legal liability and regulatory penalties. If a data breach occurs but all breached data is encrypted (and the encryption key is not exposed), the breach is not reportable under most data protection laws. The encryption algorithms used in tools like BitLocker are strong enough that regulatory authorities have no concerns about attackers being able to break them and access the protected data.
How To Set Up BitLocker for Data Encryption
BitLocker is designed to be easy to use on Windows. To enable it, take these steps:
- Open Device Encryption: Using an Administrator account, type Device encryption in the Windows Search bar and select the Device encryption option.
- Enable Device Encryption: Click the Turn On button to enable encryption and follow any additional prompts.
- Get Recovery Key: Click on BitLocker settings, then select Back up your recovery key. Store a copy of this key in a safe place in case the computer is locked and the unlocking password is lost.
- Open BitLocker: Type Manage BitLocker in the Windows Search bar and select it from the list of results.
- Enable BitLocker: Click the Turn on BitLocker button to turn on BitLocker’s device encryption and follow any additional prompts.
At this point, full disk encryption should be enabled on the device.
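The same setup, done from an elevated PowerShell session instead of the Settings app, as an added example that is not part of the original article: it checks the TPM, adds a recovery password before turning on the TPM protector, and escrows the recovery password so that step 3 above (keeping a copy of the key) is not forgotten. The export share path is a placeholder.

```powershell
# Added example: enable BitLocker on the OS drive with a TPM protector plus a
# recovery password, then back the recovery password up. Assumes an elevated
# session on Windows Pro/Enterprise/Education with a TPM; $exportDir is a placeholder.
#Requires -RunAsAdministrator

$osDrive   = $env:SystemDrive                 # usually "C:"
$exportDir = "\\FILESERVER\BitLockerKeys"     # placeholder: a share only admins can read

# 1. Confirm a TPM is present and ready before relying on the TPM protector.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready: run Initialize-Tpm, or use a password/startup key protector."
}

$vol = Get-BitLockerVolume -MountPoint $osDrive

# 2. Add a recovery password first, so the drive is never protected by the TPM alone.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
}

# 3. Turn on encryption with the TPM as the unlock method. XTS-AES 256 is the
#    strongest method offered; -UsedSpaceOnly is fast on a freshly installed machine.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 4. Escrow the recovery password: Active Directory on a domain-joined machine,
#    otherwise a protected share. A recovery password nobody saved is lost data.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
try {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId
} catch {
    Write-Warning "AD backup failed ($_); exporting to $exportDir instead."
    New-Item -ItemType Directory -Path $exportDir -Force | Out-Null
    "$env:COMPUTERNAME,$($rp.KeyProtectorId),$($rp.RecoveryPassword)" |
        Out-File -FilePath (Join-Path $exportDir "$env:COMPUTERNAME.csv") -Encoding utf8
}

# 5. Report the resulting state: status, progress and which protector types exist.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ',' } }
```

Without `-SkipHardwareTest` the TPM protector is only activated after a reboot and a successful hardware test, which is the safer choice on unfamiliar hardware.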
Additional measures to make the most out of BitLocker for Windows 10
While BitLocker is a very powerful tool, you can make it even safer by taking additional safety measures. These won't change the way the software is used, but they will add extra security layers and protect you against more mundane mistakes like losing your recovery keys.
Adding additional authentication methods:
Adding additional authentication methods gives you an extra layer of protection for your data. For example, you can add a USB key to act as your recovery key; that way you can still protect your information even if a third party gets access to your passwords. If they don’t have the USB key, they won’t be able to decrypt your device.
Keep track of your recovery keys:
Losing your recovery key is a quick way to lock yourself out of your information or your device. Make sure to use a strong but easy-to-remember recovery key, don’t share it with unauthorized individuals, and don’t write it down in a place that would make it easy for others to find, like a post-it note on your desktop. If you’re using a USB recovery key, make sure to store it in a safe place where it can’t get lost or damaged.
Keeping BitLocker up to date:
BitLocker, just like any other cybersecurity software, is constantly being updated to become even safer against attacks. Make sure to update it regularly, as these updates usually add security patches and features that protect your data.
Backing up data regularly:
Even though BitLocker makes the removal and theft of data very difficult, you should still back up your data. There’s always a risk of data loss due to hardware failure or theft, so backing up your data is always a good idea. This way, you can still recover your information even if you can no longer access the hardware it was stored on.
Protecting against physical theft of the device:
It doesn’t matter how safe your information is if the device storing it isn’t properly safeguarded. Make sure to have measures against hardware theft, like controlling who has access to your business’ devices or installing tracking and location tools. This way you can choose who has access to your hardware and locate it even if it gets lost.
Changing BitLocker settings after encryption:
After encrypting your data with BitLocker, you can still change your original settings, add or remove authentication methods, change the encryption method, and even turn it off. Keep in mind that each of these changes will require your recovery key, so make sure to have it at hand whenever you need it.
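The two tips above (adding authentication methods, and changing settings after encryption) in PowerShell, as an added example that is not part of the original article: it replaces the TPM-only protector on an already-encrypted OS drive with TPM+PIN, optionally adds a USB startup key, and then audits every volume for a TPM-only configuration. It assumes an elevated session, that BitLocker is already on, and that the policy "Require additional authentication at startup" allows a TPM startup PIN; the drive letter E: is a placeholder.

```powershell
# Added example: strengthen an encrypted OS drive by adding TPM+PIN (and optionally
# a USB startup key), removing the TPM-only protector, then auditing all volumes.
# Assumes an elevated session and that group policy permits a startup PIN.
#Requires -RunAsAdministrator

$osDrive  = $env:SystemDrive
$usbDrive = 'E:'    # placeholder: removable drive that will hold the startup key

function Get-Protectors {
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
}

# Guard: refuse to change protectors unless a recovery password already exists,
# otherwise a typo in the new PIN could lock the owner out of the drive.
if (-not (Get-Protectors $osDrive | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    throw "No recovery password on $osDrive; add and back one up before changing protectors."
}

# 1. Require a PIN at boot in addition to the TPM (pre-boot authentication).
#    Read-Host -AsSecureString keeps the PIN out of the command line and transcripts.
$pin = Read-Host -Prompt 'Enter a BitLocker PIN (6+ digits)' -AsSecureString
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null

# 2. Optionally add a USB startup key (shows up as an ExternalKey protector).
if (Test-Path $usbDrive) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -StartupKeyProtector -StartupKeyPath $usbDrive | Out-Null
}

# 3. Remove the TPM-only protector so the drive cannot be unlocked without the PIN.
foreach ($p in (Get-Protectors $osDrive | Where-Object KeyProtectorType -eq 'Tpm')) {
    Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 4. Audit: one row per volume, flagging any that still unlock with the TPM alone.
Get-BitLockerVolume | ForEach-Object {
    $types = @($_.KeyProtector.KeyProtectorType)
    [pscustomobject]@{
        Volume     = $_.MountPoint
        Protection = $_.ProtectionStatus
        Protectors = $types -join ','
        TpmOnly    = ($types -contains 'Tpm') -and -not ($types -contains 'TpmPin')
    }
} | Format-Table -AutoSize
```

If `Add-BitLockerKeyProtector -TpmAndPinProtector` reports that policy does not permit a startup PIN, the TPM-only protector is left in place and nothing is removed, so the drive stays bootable.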
Using BitLocker with Prey
Prey makes it possible to easily enable BitLocker for any managed device running Windows Professional, Enterprise, or Education. To learn how to do so, check out this section.