Managing Device Encryption
Only the Pro, Enterprise, and Education editions of Windows 10 include the Bitlocker drive and volume encryption technology, which I'll detail in full shortly. Beginning with Windows 8.1, however, Microsoft's hardware certification requirements called for new devices (the book's original text puts the threshold at screens larger than 8 inches) to ship with a TPM security chip.
This means that some, but not all, Windows 10 devices will support a feature called Device Encryption. It is available on every edition, including Home, but only on hardware that has a TPM, boots with UEFI Secure Boot, and supports InstantGo (Modern Standby). Device Encryption is effectively Bitlocker with a friendly face: it encrypts the Windows drive with no configuration choices, and it is a way to help ensure that consumers and nontechnical PC owners can carry tablets and laptops around with them while keeping their personal and sensitive files and data protected.
To activate Device Encryption, open the Settings app and navigate to System, and then to About. If your device supports it, this will display a Device Encryption option, see below image. (On later Windows 10 builds the same switch lives under Settings ➤ Update & Security ➤ Device encryption; if it is absent from both places, the hardware does not meet the requirements above.)
So what happens to your recovery key? It is all well and good encrypting your device, but if something goes wrong, such as the PC not starting properly, you can suddenly find yourself locked out and asked to enter the recovery key. Where do you find it?
If you signed into the device using a Microsoft account, the Device Encryption recovery key is uploaded to that account and can be viewed online at https://onedrive.live.com/recoverykey . I find it useful to keep a link to this in the browser on my smartphone, just in case. If you use Bitlocker on a PC joined to a company domain, the recovery key is stored in Active Directory, provided the domain's Group Policy has been configured to back it up there; otherwise it is stored only where you saved it.
You can manually back up your encryption key, however, should you want a copy on a USB Flash Drive, or if you have signed into the PC using a local account. In the Start Menu or Cortana, search for device encryption and choose the option to Back up your recovery key when it appears. This will display a wizard that allows you to create a backup of the key.
Caution Do not store the backup copy of your recovery key on a drive encrypted by Device Encryption or Bitlocker (or EFS for that matter), as you will be unable to recover the key later should you become locked out of the drive.
Encrypting Your PC with Bitlocker
On PCs running Windows 10 Pro or Enterprise, you will have an option to use the Bitlocker drive and volume encryption system to encrypt the contents of your PC. Bitlocker can be found in the Control Panel, and while it doesn’t require that a TPM chip be installed on the PC, there are very compelling reasons to have one.
Bitlocker encrypts full disks and partitions on your PC. You can individually select which drives are encrypted, though the partition on which Windows 10 is installed must be encrypted if you want any other drives to auto-unlock when the PC starts. Before you start encrypting drives, however, you need to activate the TPM, as this is the chip Windows 10 uses to protect its encryption keys. Bitlocker does not store the key in the TPM; it seals the key to the TPM, so the TPM will only release it when the firmware and boot configuration it measured at startup match those recorded when the drive was encrypted. Move an encrypted drive to another PC (or change its boot path) and the TPM there will not release the key, so the drive can only be opened with the recovery key. On most PCs the TPM is soldered to, or built into, the motherboard and cannot be removed.
Managing a TPM on Your PC and in Windows 10
The TPM chip on a PC must be enabled in the BIOS or UEFI firmware. Should you want to use Bitlocker on your TPM-equipped PC but you receive the message that a TPM chip isn't installed, it is almost always because the chip is disabled in the firmware and you need to go into the firmware settings on your PC and activate it.
You manage your TPM by opening the Bitlocker options in the Control Panel, or by searching for Bitlocker in the Start Menu or Cortana (it is also available by searching for tpm.msc ). When the Bitlocker panel is open on your screen, click the TPM Administration link in the bottom left of the window.
The TPM Management screen is standard Microsoft Management Console fare with three vertical panels, see below image. Here there are options in the right panel to prepare the TPM (basically to turn it on and take ownership of it), turn it off, and more. If you prepare the TPM and begin using it to encrypt drives, an owner authorization value is created automatically; on current Windows 10 builds Windows manages this value itself and does not keep a copy for you to type in. Should the TPM refuse to unlock a drive because its anti-hammering protection has kicked in (for example, after too many wrong Bitlocker PIN entries), the Reset TPM lockout option clears that lockout; it does not change which drives the TPM will unlock. On older builds you can also set the owner password manually (though there's no need to do so) by selecting the Change Owner Password option.
Some desktop PCs come with the TPM as a removable module, usually purchased separately from the motherboard itself. In these circumstances, the TPM can be moved to a different PC containing a compatible module slot (usually with a motherboard from the same manufacturer) and, once it has been enabled in the BIOS or UEFI firmware, should unlock any encrypted drives that are moved with it, but only if the new PC's measured boot state matches what the drives were sealed to. If it does not, you will be asked for the recovery key, so have it to hand before you try.
The Clear TPM option can be useful if you are performing a full, clean reinstallation of Windows 10 and are not keeping any drives or partitions that have been encrypted with Bitlocker. This resets the chip to its factory state, discarding its owner authorization and storage root key, so any Bitlocker drive sealed to that TPM can afterwards only be unlocked with its recovery key. Suspend or decrypt Bitlocker before clearing the TPM if you want to keep using the drives.
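As an added example (not from the book), the following PowerShell script does from an elevated prompt what the TPM Management console does by hand: it reports the TPM's state and lockout counters with Get-Tpm, then, before letting you reach Clear-Tpm, checks whether any Bitlocker volume still has a TPM-based key protector sealed to the chip. The $reallyClear switch is an assumption of this example, there to stop the script clearing a TPM by accident.

```powershell
# Added example: inspect the TPM and refuse to clear it while a Bitlocker volume
# still depends on it. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

$reallyClear = $false    # assumed safety switch for this example; set $true to actually clear

$tpm = Get-Tpm
"TPM present: {0}   ready: {1}   owned: {2}" -f $tpm.TpmPresent, $tpm.TpmReady, $tpm.TpmOwned
"Lockout active: {0}   failed attempts: {1} of {2}" -f $tpm.LockedOut, $tpm.LockoutCount, $tpm.LockoutMax

if (-not $tpm.TpmPresent) {
    throw "No TPM reported by Windows: enable it in the BIOS/UEFI firmware first."
}
if (-not $tpm.TpmReady) {
    # Equivalent of the console's "Prepare the TPM" link.
    "TPM is not ready; Initialize-Tpm will prepare it (a reboot may be requested)."
}

# Any protector whose type starts with 'Tpm' (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
# is sealed to this chip and will fall back to the recovery key if the TPM is cleared.
$sealed = Get-BitLockerVolume | Where-Object {
    $_.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }
}

if ($sealed) {
    "These volumes are sealed to this TPM; clearing it forces recovery on the next boot:"
    foreach ($v in $sealed) {
        $hasRecovery = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        "  {0}  protection={1}  recovery password present={2}" -f $v.MountPoint, $v.ProtectionStatus, $hasRecovery
    }
    "Suspend or decrypt these volumes (or confirm their recovery passwords are backed up) before clearing."
}
elseif ($reallyClear) {
    # Resets the chip to factory state; the firmware may ask for physical-presence
    # confirmation at the next boot before the clear actually happens.
    Clear-Tpm
}
else {
    "No Bitlocker volume depends on this TPM; set `$reallyClear = `$true to clear it."
}
```

Reset TPM lockout in the console corresponds to the LockedOut and LockoutCount values printed above; a lockout clears itself after the heal time the TPM reports, or immediately when the owner authorization is available to Windows.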
Using Bitlocker Without a TPM
It's possible to use Bitlocker on your PC without having a TPM chip installed, though I don't recommend it. Instead, you will need a USB Flash Drive containing the Bitlocker startup key plugged into the PC every time the computer starts (a password at startup is the other TPM-less option). While this might seem like a great way to ensure nobody can use the PC or access your data when you're away from it, a USB Flash Drive is not the same thing as a security smartcard: the key sits as an ordinary file on the drive and can be copied by anyone who borrows it.
The other problem is reliability. A USB Flash Drive has a normal file system, like any drive on your PC, and this file system can become corrupt. With USB Flash Drives, an operation as simple as unplugging the drive from the PC while it's being read can cause a corruption, and as such you really can't rely on a Flash Drive to remain stable in such a critical role as holding the only key that starts the PC. If you do go this route, always add a recovery password as a second protector.
That said, should you really want to use Bitlocker on your PC without a TPM you can activate the option in the Group Policy editor (search for gpedit in the Start Menu or Cortana) and navigate to Computer Configuration ➤ Administrative Templates ➤ Windows Components ➤ Bitlocker Drive Encryption ➤ Operating System Drives , see below image.
Double-click the Require additional authentication at Startup option and enable the policy. You will be given a verbose description of what enabling the policy will do, and presented with a check box , which will already be checked, to require a startup key on a USB Flash Drive, see the above image . Once the policy is enabled, restart the PC to allow Bitlocker to be used without a TPM.
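The same procedure from an elevated PowerShell prompt, as an added example rather than the book's own steps. It assumes the Group Policy above has already been enabled with the "Allow Bitlocker without a compatible TPM" box checked (the script checks the policy's registry value, EnableBDEWithNoTPM, before it starts), and that the flash drive that will carry the startup key is mounted as E:, which is an assumed drive letter.

```powershell
# Added example: encrypt the Windows drive with a USB startup key instead of a TPM,
# then add a recovery password as the second protector. Run elevated.
#Requires -RunAsAdministrator

$os  = $env:SystemDrive     # normally C:
$usb = 'E:\'                # assumed: the flash drive that will hold the .BEK startup key

# The policy must be in place first; Enable-BitLocker fails without it.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.EnableBDEWithNoTPM -ne 1) {
    throw "Enable 'Require additional authentication at startup' with 'Allow BitLocker without a compatible TPM' first."
}
if (-not (Test-Path $usb)) {
    throw "Startup key drive $usb is not attached."
}

# Writes the startup key to the flash drive and begins encryption. XTS-AES 256 is the
# strongest method Windows 10 offers; -UsedSpaceOnly is fine for a freshly installed PC.
Enable-BitLocker -MountPoint $os -StartupKeyProtector -StartupKeyPath $usb `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest

# A lost or corrupted flash drive must not mean a lost PC: add a recovery password too.
$vol = Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

"Startup key written to {0}" -f $usb
"Recovery password for {0} (ID {1}):" -f $os, $rp.KeyProtectorId
$rp.RecoveryPassword
"Print this or save it somewhere that is NOT on an encrypted drive, then restart to test the startup key."

Get-BitLockerVolume -MountPoint $os | Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The script deliberately does not delete the policy check or skip the recovery password: with no TPM, the .BEK file on the flash drive is the only thing standing between you and the recovery screen, and the text above explains why a flash drive alone is not a dependable key store.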
Managing Bitlocker Encryption on Your PC
You manage Bitlocker encryption from the main Bitlocker panel, accessible in the Control Panel, but also by searching for Bitlocker in the Start Menu or Cortana. You will see collapsible panels for each of your installed hard disks (and partitioned volumes), see below image .
Expanding a drive's panel will present various options for managing Bitlocker on that particular drive. These include options for encrypting and decrypting the drive (fairly obviously), as well as creating a backup copy of your recovery key, adding a password or smartcard to unlock the drive, or activating or deactivating auto-unlock of the drive. You can also temporarily suspend protection. Suspending does not pause encryption or make the drive any faster; it leaves the data encrypted but stores the key in the clear so the drive unlocks without consulting the TPM. It is intended for changes to the firmware, boot configuration, or TPM, and the drive should be resumed as soon as the change is done.
Caution If you are updating the BIOS or UEFI firmware on your PC from the desktop, you should suspend Bitlocker protection first. The new firmware changes the boot measurements the TPM records, so on many PCs Bitlocker will see what it thinks is "new" hardware and require input of your recovery key on the next restart.
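Here is how I would script the firmware-update caution above from an elevated PowerShell prompt; it is an added example and not part of the book. The first function suspends protection on the operating system volume for exactly one reboot, so Bitlocker re-arms itself even if you forget; the second is for after the update, to confirm protection is back on and to resume it if it is not. The function names are this example's own.

```powershell
# Added example: suspend Bitlocker on the OS volume for one reboot around a firmware
# update, then verify afterwards. Run elevated.
#Requires -RunAsAdministrator

function Suspend-BitLockerForFirmwareUpdate {
    # Returns the OS volume's protection status after the suspend ('Off' when suspended).
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if (-not $os -or $os.VolumeStatus -eq 'FullyDecrypted') {
        "OS volume is not encrypted; nothing to suspend."
        return 'Off'
    }
    if ($os.ProtectionStatus -eq 'Off') {
        "Protection on {0} is already suspended." -f $os.MountPoint
        return 'Off'
    }
    # -RebootCount 1: protection resumes automatically after the next restart.
    # -RebootCount 0 would suspend indefinitely, until Resume-BitLocker is run.
    Suspend-BitLocker -MountPoint $os.MountPoint -RebootCount 1 | Out-Null
    "Suspended {0} for one reboot. Flash the firmware now, then restart." -f $os.MountPoint
    return (Get-BitLockerVolume -MountPoint $os.MountPoint).ProtectionStatus
}

function Confirm-BitLockerResumed {
    # Run after the update and reboot. Resumes any encrypted volume still left suspended
    # and returns $true only when every encrypted volume reports protection 'On'.
    $allOn = $true
    foreach ($v in Get-BitLockerVolume) {
        if ($v.VolumeStatus -eq 'FullyDecrypted') { continue }
        if ($v.ProtectionStatus -ne 'On') {
            Resume-BitLocker -MountPoint $v.MountPoint | Out-Null
            $v = Get-BitLockerVolume -MountPoint $v.MountPoint
        }
        "{0}: {1}, protection {2}" -f $v.MountPoint, $v.VolumeStatus, $v.ProtectionStatus
        if ($v.ProtectionStatus -ne 'On') { $allOn = $false }
    }
    return $allOn
}

# Before the firmware update:
Suspend-BitLockerForFirmwareUpdate
# After the update and the restart:
# Confirm-BitLockerResumed
```

If Confirm-BitLockerResumed reports a volume still Off after a resume, the TPM measurements no longer match and the next boot will ask for the recovery key, so check that the key is to hand before restarting again.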
Managing Your Bitlocker Recovery Key
When you encrypt a drive using Bitlocker, you will be prompted to create a backup copy of your recovery key and, unlike EFS, the process simply won't progress until you've done so, see below image. If you have signed into your PC using a Microsoft account, you will be prompted to save a copy of the recovery key directly to the cloud. This can be very useful should you find yourself locked out of the machine; simply point a browser on any device at https://onedrive.live.com/recoverykey and sign in to view the 48-digit recovery password. The recovery screen also shows the key's identifier, which is how you tell the right key apart when several are listed.
Additionally, there are options to save the recovery key to a USB Flash Drive (you’ll need to plug one in at this point obviously), save it to a file, or print it. It should be noted that for your Windows 10 drive, the option to save the key to a USB Flash Drive doesn’t appear. This is a little odd, but you can choose the Save to a file option instead, and merely point to an attached USB Flash Drive on the PC instead.
Caution Do not store the backup copy of your Bitlocker recovery key on a drive encrypted by Device Encryption or Bitlocker (or in a folder encrypted with EFS), as you will be unable to recover the key later should you become locked out of the drive. Also, if you choose to carry a USB Flash Drive with the recovery key with you when you travel, do not keep it in the same bag as your laptop or tablet, so that the two cannot be stolen together should a thief strike.
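The manual backup described under Device Encryption earlier and the Bitlocker recovery-key wizard above both come down to the same thing: get the 48-digit recovery password off the encrypted PC and onto something that is not itself encrypted. As an added example (not the book's own procedure), the following PowerShell script exports every recovery password on the PC to a file on a flash drive and refuses to write it if the destination volume is Bitlocker-protected or the destination folder is EFS-encrypted, which is exactly the mistake the cautions warn against. It assumes an elevated prompt on an edition that ships the BitLocker PowerShell module, and E: as the flash drive letter; on a Home PC with Device Encryption, manage-bde -protectors -get C: shows the same identifiers and passwords.

```powershell
# Added example: export Bitlocker recovery passwords to an unencrypted removable drive,
# refusing encrypted destinations. Run elevated.
#Requires -RunAsAdministrator

function Test-DestinationIsPlain {
    # $true only if the target volume is not Bitlocker-protected and the folder is not EFS-encrypted.
    param([Parameter(Mandatory)][string]$Path)

    $root = [System.IO.Path]::GetPathRoot($Path).TrimEnd('\')     # e.g. "E:"
    $vol  = Get-BitLockerVolume -MountPoint $root -ErrorAction SilentlyContinue
    if ($vol -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$root is itself Bitlocker-encrypted (status $($vol.VolumeStatus))."
        return $false
    }

    $dir = Split-Path -Parent $Path
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    if ((Get-Item $dir).Attributes -band [System.IO.FileAttributes]::Encrypted) {
        Write-Warning "$dir is EFS-encrypted; a backup there would be locked with the drive."
        return $false
    }
    return $true
}

function Export-BitLockerRecoveryPasswords {
    # Writes one tab-separated line per recovery password and returns how many were written.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-DestinationIsPlain -Path $Path)) {
        throw "Refusing to write recovery passwords to an encrypted location: $Path"
    }

    $lines = @(
        foreach ($v in Get-BitLockerVolume) {
            foreach ($kp in ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
                # The protector ID is what the recovery screen displays, so record it with the password.
                "{0}`t{1}`t{2}`t{3}" -f $env:COMPUTERNAME, $v.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
            }
        }
    )
    if ($lines.Count -eq 0) {
        throw "No recovery password protectors found. Add one with: Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector"
    }

    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines.Count
}

# Usage (E: is the assumed flash drive):
$written = Export-BitLockerRecoveryPasswords -Path 'E:\BitLockerRecovery\recovery-keys.txt'
"Wrote $written recovery password(s). Keep this drive apart from the PC."
```

On a domain-joined PC the equivalent of the wizard's Active Directory option is Backup-BitLockerKeyProtector -MountPoint C: -KeyProtectorId <id>, which pushes the same protector to AD DS; the export above is still worth keeping for machines that are not always on the corporate network.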
The encryption facilities in Windows 10 are both extensive and easy to use. They should, however, always be used with care, and some basic rules should be followed. The primary rule is always to make sure you have a backup copy of your recovery or encryption key, and never to store this key in a folder or on a drive that is itself encrypted, as you may not be able to get at it when you need it. Encryption is a great way to prevent thieves and unwanted eyes from getting access to your files and data, just as antivirus software prevents malware from taking hold on our PCs, a subject we'll be looking at in depth in the very next chapter, including how to troubleshoot and remove malware after a PC has become infected.