Using Windows BitLocker
BitLocker is the whole-volume encryption technology in Windows. Under BitLocker, the contents of the hard disk can only be accessed once the appropriate password (“key”) has been provided.
BitLocker is available in the following editions of Windows:
- Windows Vista Ultimate & Enterprise;
- Windows 7 Ultimate & Enterprise; and
- Windows 8/8.1/10/11 Pro & Enterprise
Depending on the capabilities of your computer, the key may take the form of a PIN or password entered when the machine is turned on, or a USB key. If the machine has a TPM (Trusted Platform Module) chip, the key is stored in that hardware, so no intervention is required at startup.
- If using a PIN or startup password, do not write it on the machine. You should memorise it only.
- If using a USB key, do not leave the USB key in the machine permanently. Keep it attached to your key ring so that it follows where you are, rather than where the machine is. For example, if you leave your machine at home you will take your keys with you when you leave, and hence the USB key.
- If the machine is in an environment where theft is a possibility, it should be shut down or in hibernation. This could be if it is left in a car, at the office, or in your home when you are not there. The machine being in transit also poses a risk, such as in taxis or aircraft. This is particularly important for notebook machines, which can easily be moved without powering off. Desktop machines can only be moved by disconnecting them from the power, so the need to shut them down when left unattended is not as great.
BitLocker is most useful for mitigating the loss of data if a machine is stolen. However, this protection only applies if the machine is off when the attacker attempts to gain access. If the machine is on, or the drive has been unlocked automatically via the TPM, some methods of data retrieval remain available to an attacker with physical access.
- If the drive is unlocked via TPM alone and your appetite for risk is extremely low, configure BitLocker to require a startup PIN as well.
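As an added example (not from the original page), the PowerShell below lists each BitLocker volume's key protectors and flags drives that unlock silently via the TPM alone, the case this section warns about; a second function adds a TPM + startup PIN protector. The function names are this example's own; the cmdlets they call belong to the built-in BitLocker module, and the script assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not from the original page. Run elevated on Windows.
# Get-BitLockerStartupAuth and Add-BitLockerStartupPin are this example's
# own names; Get-BitLockerVolume, Add-BitLockerKeyProtector and
# Remove-BitLockerKeyProtector are the built-in BitLocker cmdlets.

function Get-BitLockerStartupAuth {
    # Report each volume's protection state and whether it would unlock with
    # no user intervention (TPM-only), i.e. a Tpm protector but no TpmPin*.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType          # OperatingSystem / Data
            ProtectionStatus = $vol.ProtectionStatus    # On / Off
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = ($types -contains 'Tpm') -and
                               -not ($types | Where-Object { $_ -like 'TpmPin*' })
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')
        }
    }
}

function Add-BitLockerStartupPin {
    # Move an OS drive from TPM-only to TPM + startup PIN.
    # Prerequisite: the "Require additional authentication at startup" Group
    # Policy must permit a TPM PIN, otherwise Add-BitLockerKeyProtector refuses.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin   # prompt for it; never hard-code
    )
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin
    # If a plain Tpm protector is still present, remove it so the drive no
    # longer unlocks silently (the type filter deliberately excludes TpmPin*).
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId
        }
}

# Usage: audit first, then opt in to a startup PIN on the system drive.
Get-BitLockerStartupAuth | Format-Table -AutoSize
# Add-BitLockerStartupPin -Pin (Read-Host -AsSecureString 'Startup PIN')
```

Back up the recovery password (HasRecoveryKey should be True) before changing protectors, since a PIN you forget makes the recovery key your only way back in.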