Microsoft’s BitLocker feature provides full-volume encryption to help mitigate data loss from lost, stolen, or otherwise misappropriated laptops and computers. It is available in the Pro and Enterprise editions of Windows 8 and the Enterprise and Ultimate editions of Windows 7. By default, BitLocker requires a Trusted Platform Module (TPM) chip to be both present and enabled in the BIOS before it will encrypt the operating system drive. Hard drive encryption can still be accomplished without a TPM present; here are the steps to perform it properly (images are from a Windows 8 Pro machine). I am not going to cover encrypting computers that have TPM chips in them, because, other than the first few steps regarding Group Policy, the BitLocker setup process is identical.
What can be encrypted? Internal hard drives, SSDs, external hard drives, and USB memory sticks (USB memory sticks are ideal candidates for encryption because they are so easily lost).
What are the things you will need to get started?
- Unique Password (ideally each system will have a unique password)
- Admin Access to the Computer
- Printer or USB device, used to print out or store the recovery key.
Please be aware! After drives are encrypted, do not lose the password or recovery key. Without one of them the drive cannot be unlocked, and all data on it is lost. This is exactly what you want if the laptop is ever stolen or lost, so set up regular backups of user data when enabling encryption.
Configuring Local Policy Settings for a non-TPM system
From the Metro UI (Start screen) or the search box, type GPEDIT.MSC and press Enter.
Open Computer Configuration => Administrative Templates => Windows Components => BitLocker Drive Encryption => Operating System Drives.
From the right pane double-click "Require additional authentication at startup"
Click the Enabled radio button.
Leave the default configuration in the Options window. The box "Allow BitLocker without a compatible TPM" is checked by default once the policy is Enabled, and that is the setting that lets the rest of this procedure work on a machine with no TPM.
Click Apply, then OK, and close the Group Policy Editor.
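The same policy can be set from an elevated PowerShell prompt, which is handy when you have several non-TPM machines to prepare. This is an added example, not part of the original article: it writes the registry values that the "Require additional authentication at startup" policy sets, then reads them back. It assumes you are running as Administrator on a Windows 8 machine that is not receiving a conflicting BitLocker policy from a domain (domain Group Policy would overwrite these values on the next refresh).

```powershell
# Added example (not from the original article): apply the policy that the
# gpedit.msc steps above set, from an elevated PowerShell prompt on Windows 8.
# Assumption: running as Administrator; no domain GPO overrides this key.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Policy "Enabled" with the Options window left at its defaults:
#   UseAdvancedStartup  1 = policy enabled
#   EnableBDEWithNoTPM  1 = "Allow BitLocker without a compatible TPM" (checked by default)
#   UseTPM* values      2 = "Allow"  (0 = do not allow, 1 = require)
$settings = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $settings.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord `
        -Value $settings[$name] -Force | Out-Null
}

# Check: read the policy back and confirm the no-TPM setting is in effect.
$applied = Get-ItemProperty -Path $fve
if ($applied.UseAdvancedStartup -eq 1 -and $applied.EnableBDEWithNoTPM -eq 1) {
    Write-Output 'Policy set: BitLocker may be enabled on the OS drive without a TPM.'
} else {
    Write-Warning 'Policy not applied; BitLocker will still insist on a TPM.'
}

# Optional check: is there a TPM at all? A null result means none was found,
# so the policy above is required before BitLocker will encrypt the OS drive.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
    -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($null -eq $tpm) {
    Write-Output 'No TPM detected; the policy above is required.'
} else {
    Write-Output ("TPM present (enabled: {0})" -f $tpm.IsEnabled_InitialValue)
}
```

Setting the values by hand is equivalent to the gpedit.msc steps only on a standalone or workgroup machine; on a domain-joined machine, put the same policy in a GPO instead so it is not silently reverted.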
Setting Up BitLocker
Open the Control Panel, select BitLocker Drive Encryption
Click Turn on BitLocker
On the BitLocker Drive Encryption screen that asks how to unlock the drive at startup, click "Enter a password".
Put in a "good" password. You will be prompted for this password each time the device boots, so it needs enough complexity to prevent someone from guessing it. If you are enabling BitLocker on multiple computers, make sure each computer has a different password. Click Next.
Print the recovery key and store it in a safe place, labelled with the computer it belongs to (this is critical if you have more than one computer). You can also save the key to a file: do not put it on the computer being encrypted, and do not put it in an easily accessible location on your network.
Select the first option ("Encrypt used disk space only") for new computers; the second option ("Encrypt entire drive") is best for a computer that has been in use, since previously deleted files may still be recoverable from free space that the first option leaves unencrypted. Click Next.
Keep "Run BitLocker system check" checked; this is the safest way to proceed. Click Continue. The system will perform a number of checks and then reboot.
This is the screen you will see during boot-up. Congratulations, you are finished and everything worked as planned.
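The Control Panel wizard steps above can also be scripted with the BitLocker PowerShell module that ships with Windows 8 (it does not exist on Windows 7, where manage-bde.exe is the equivalent). The following is an added example, not code from the original article. It assumes an elevated prompt, that the Group Policy change above has already been made, that the operating system drive is C:, and that E: is a USB stick (not the computer being encrypted) where the recovery password will be saved; the file name and layout of that recovery record are my own choices.

```powershell
# Added example (not from the original article): the wizard steps above, done
# with the Windows 8 BitLocker module. Assumptions: elevated prompt, no-TPM
# policy already set, OS drive is C:, E: is a USB stick for the recovery key.
$osDrive     = 'C:'
$recoveryDir = 'E:\BitLocker-Recovery'   # assumption: removable drive, off the encrypted machine

# 1. "Enter a password": a unique boot password for this computer.
#    Read-Host -AsSecureString keeps it out of the console history.
$password = Read-Host -Prompt "Boot password for $env:COMPUTERNAME" -AsSecureString

# 2. "Encrypt used disk space only" is the first wizard option (-UsedSpaceOnly);
#    leave the switch out for a drive that has been in use so free space is
#    encrypted too. The password protector on the OS drive is what the policy
#    "Allow BitLocker without a compatible TPM" permits.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod Aes256 -UsedSpaceOnly `
    -PasswordProtector -Password $password

# 3. "Save your recovery key": add a 48-digit recovery password and write it,
#    labelled with the computer name, to the removable drive.
$vol = Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $recoveryDir -Force | Out-Null
$recordPath = Join-Path $recoveryDir "$env:COMPUTERNAME-$($recovery.KeyProtectorId).txt"
@"
Computer:          $env:COMPUTERNAME
Drive:             $osDrive
Key protector ID:  $($recovery.KeyProtectorId)
Recovery password: $($recovery.RecoveryPassword)
Created:           $(Get-Date -Format u)
"@ | Set-Content -Path $recordPath

# 4. Check before trusting the result: both protectors must be present.
#    With the default hardware test, OS-drive encryption begins after the
#    reboot, so VolumeStatus may still read FullyDecrypted at this point.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
if ($vol.KeyProtector.KeyProtectorType -notcontains 'RecoveryPassword') {
    Write-Warning 'No recovery password protector: a forgotten boot password means lost data.'
}
if ($vol.KeyProtector.KeyProtectorType -notcontains 'Password') {
    Write-Warning 'No password protector: the drive will not prompt at boot.'
}
# Reboot when ready; the password prompt appears before Windows loads.
# The same Enable-BitLocker / Add-BitLockerKeyProtector calls pointed at a
# data or removable drive encrypt it with a password (BitLocker To Go); the
# Group Policy step is only needed for the operating system drive.
```

Storing the recovery record on the same USB stick for several computers is fine as long as each file carries the computer name and protector ID, which is the same labelling advice as for the printed copy; keep that stick locked away, not plugged into the laptop.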
The option to have a password-enabled device works very well: I have tested it on USB memory, external hard drives, internal hard drives and on SSD.
Note: I have not tested using a USB key to startup the computer.