BitLocker Drive Encryption is a full disk encryption feature included with Microsoft’s Windows 10, Windows 8, Windows 7 and Windows Vista, as well as Windows Server 2008, designed to protect data by encrypting entire volumes. By default, it uses the AES encryption algorithm in CBC mode with a 128-bit key, combined with the Elephant diffuser for additional disk-encryption-specific security that AES alone does not provide.
BitLocker prevents a thief who boots another operating system or runs a software hacking tool from breaking Windows file and system protections or viewing the files stored on the protected drive offline. Ideally, the feature uses a Trusted Platform Module (TPM 1.2) to protect user data and to ensure that a PC running Windows has not been tampered with while the system was offline.
BitLocker provides both mobile and office enterprise information workers with enhanced data protection should their systems be lost or stolen, and with secure data deletion when it comes time to decommission those assets.
Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire system drive, including the Windows system files necessary for startup and logon. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your hard disk by removing it from your computer and installing it in a different computer.
BitLocker can only help protect files that are stored on the drive that Windows is installed on.
To access BitLocker, open Control Panel > Security > BitLocker Drive Encryption.
Before you can turn on BitLocker Drive Encryption, you need to make sure that your computer’s hard disk has the following:
At least two volumes. If you create a new volume after you have already installed Windows, you will have to reinstall Windows before turning on BitLocker. One volume is for the operating system drive (typically drive C) that BitLocker will encrypt, and one is for the active volume, which must remain unencrypted to start the computer. The size of the active volume must be at least 1.5 gigabytes (GB). Both partitions must be formatted with the NTFS file system.
A TPM, which is available only in specific hardware configurations, is a must. If your configuration does not permit this feature, you will see a message saying so.
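One way to check these prerequisites before turning BitLocker on, as an added example that is not part of the original article: a PowerShell function (hypothetical name Test-BitLockerPrereqs) built on the Get-Tpm, Get-Partition and Get-Volume cmdlets. It assumes Windows 8 or later with those modules available and an elevated prompt; the article's 1.5 GB floor and NTFS requirement are kept as written, but the size floor is a parameter because newer Windows releases create a much smaller system partition.

```powershell
# Added example (not from the article): pre-flight check for the BitLocker
# prerequisites listed above. Assumes Windows 8 or later with the Storage and
# TrustedPlatformModule PowerShell modules, run from an elevated prompt.
# The 1.5 GB floor is the article's figure for the Vista-era layout; newer
# Windows releases create a much smaller system partition, so adjust it as needed.
function Test-BitLockerPrereqs {
    param([long]$MinActiveBytes = 1.5GB)

    $problems = @()

    # 1. A TPM must be present and initialized (the article calls for TPM 1.2).
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $problems += 'No TPM detected'
    } elseif (-not $tpm.TpmReady) {
        $problems += 'TPM present but not initialized (run Initialize-Tpm first)'
    }

    # 2. The OS volume and the active/system partition must be distinct partitions.
    $osLetter = $env:SystemDrive.TrimEnd(':')
    $osPart   = Get-Partition -DriveLetter $osLetter
    $sysPart  = Get-Partition |
                Where-Object { $_.IsActive -or $_.IsSystem } |
                Where-Object { -not ($_.DiskNumber -eq $osPart.DiskNumber -and
                                     $_.PartitionNumber -eq $osPart.PartitionNumber) } |
                Select-Object -First 1
    if (-not $sysPart) {
        $problems += 'No separate active/system partition; run the BitLocker Drive Preparation Tool'
    } else {
        # 3. Size floor for the active volume.
        if ($sysPart.Size -lt $MinActiveBytes) {
            $problems += ('Active partition is {0:N0} MB, below the {1:N0} MB floor' -f
                          ($sysPart.Size / 1MB), ($MinActiveBytes / 1MB))
        }
        # 4. Both partitions must be formatted NTFS.
        $sysFs = ($sysPart | Get-Volume -ErrorAction SilentlyContinue).FileSystem
        if (-not $sysFs) { $sysFs = 'unknown' }
        if ($sysFs -ne 'NTFS') { $problems += "Active partition is $sysFs, not NTFS" }
    }
    $osFs = (Get-Volume -DriveLetter $osLetter).FileSystem
    if ($osFs -ne 'NTFS') { $problems += "OS volume is $osFs, not NTFS" }

    # Report: Ready is $true only when every check above passed.
    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

Test-BitLockerPrereqs
```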
Prepare your computer for BitLocker Drive Encryption
To encrypt drives and to verify boot integrity, BitLocker requires at least two partitions. These two partitions make up a split-load configuration. A split-load configuration separates the main operating system partition from the active system partition from which the computer starts.
The BitLocker Drive Preparation Tool automates the following processes to make the computer ready for BitLocker:
- Creating the second volume that BitLocker requires
- Migrating the boot files to the new volume
- Making the volume an active volume
When the tool finishes, you must restart the computer to change the system volume to the newly created volume. After you restart the computer, the drive will be configured correctly for BitLocker. You may also have to initialize the Trusted Platform Module (TPM) before you turn BitLocker on.
Recover BitLocker encrypted data from a corrupted disk volume
The BitLocker Repair Tool can assist administrators in recovering data from a corrupted or damaged disk volume that was encrypted with BitLocker. You can download it here.
This tool helps access data encrypted with BitLocker if the hard disk has been physically damaged. This tool attempts to reconstruct critical data from the drive and salvage any recoverable data.
To decrypt the data, a recovery password or recovery key is required. In some cases, a backup of the key package is also required.
Use this command-line tool if the following conditions are true:
- A volume has been encrypted by using BitLocker Drive Encryption.
- Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained in the encrypted volume.