Data security is so important in today’s world! If you have any form of sensitive data on your laptop or computer, for instance customers’ details, company files and documents, then you (or your IT department) should strongly consider encrypting it, especially if it’s a laptop you take offsite, as there is a bigger risk of theft or loss.

There are lots of different encryption software products on the market, but in this guide we look at BitLocker Encryption, which is already built into some versions of the Windows operating system (this article looks at Windows 10), so that by the end of the article you could encrypt your laptop or computer.

What is Encryption?

Encryption is where text or any other data is converted from a form that can be easily read to an encoded version. It can then only be decoded if the correct decryption key is used.

When you enable Full Disk Encryption and shut down your laptop, it scrambles all the data, making the files, folders, pictures, etc. unreadable to anyone trying to access the hard drive. The only way to access the data is using the encryption key, which decrypts all the data, making it readable again.

BitLocker is available on these versions of Windows:

  • Windows 7 (Ultimate & Enterprise)
  • Windows 8 & 8.1 (Pro & Enterprise)
  • Windows 10 (Pro, Enterprise & Education)

If you do not have a version of Windows that is compatible then you would need to look at alternative encryption methods, but this article will help you understand how encryption works.

What is TPM Encryption?

BitLocker Encryption can be used with the Trusted Platform Module (version 1.2 or higher) on your computer or laptop. The TPM is a security chip within your motherboard that stores encryption keys and checks the integrity of the boot sequence, making sure the computer or laptop has not been tampered with before it proceeds to boot. If there are any issues, it will lock the system and the recovery details will need to be entered.

Here are the methods you can use for BitLocker with TPM:

TPM only – This method is transparent to the user and only the TPM validates the boot sequence.

TPM with PIN – TPM will validate boot sequence and then the user must enter a PIN.

TPM with USB key – TPM will validate the boot sequence and then check that a USB drive containing the key is present.

How can BitLocker (TPM only) Encryption be secure when no PIN or USB is needed at startup?

The most common question we are asked is how BitLocker can work in the TPM only method, because it doesn’t ask for a PIN or USB startup key when it boots, so surely it’s not encrypted?

Well, let’s say I was to take your unencrypted hard drive from your PC (with a secure Windows password set) and plug it into an alternative device: I could easily access all your data from the hard drive without any hacking skills. However, if your hard drive was encrypted with BitLocker and I plugged it into an alternative device, this time it would ask for the recovery key and no data could be viewed without it.

TPM only mode is transparent for the user and secures your hard drive if it’s stolen. However, it is worth remembering that if the whole laptop or computer is stolen, the only thing stopping the thief is your Windows password, which is why it’s important to have a secure Windows password too.

How do I Encrypt my computer using BitLocker without TPM?

If your Windows 10 computer or laptop does not come with a TPM chip, then you can still encrypt it by following the guide below.

Stage 1 – Modify Group Policy

1. Press the Windows key + R together and the Run box opens

2. Type gpedit.msc and click OK

3. Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives (see image below)

4. Double click on “Require additional authentication at startup”

5. Change the following settings in the pop up box that appears (see image below)

  • Change “Not Configured” to “Enabled”
  • Select the tick box to “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)”
  • Click OK

Stage 2 – Turn on BitLocker

1. Click the Start Button

2. Type “Manage BitLocker” and select the box when it appears

3. Then click on “Turn on BitLocker”

4. Then you should choose the USB or Password option; this is how you will unlock your computer each time you boot it up. For the tutorial we will use a password.

5. Enter a secure password and click next

6. This next stage is very important: you must take a backup of the recovery key using one of the methods in the screenshot. If you lose your USB or forget your password you can use the recovery key to access the computer.

7. Then select the new encryption mode, which is best for fixed drives in your laptop or computer. If you were encrypting a portable hard drive then the other option would be best suited.

8. The next step is to tick the box “Allow BitLocker to do a system check” and click Continue. You will then be asked to restart the computer and the encryption process will be complete.

9. When the computer restarts you will be asked to input your password (or USB key if you chose this method).

10. Once your computer has booted back up, go back to the BitLocker page (Start Menu > Manage BitLocker) and it should look like the screen below.

Note: If you see a progress bar then it’s still encrypting your data; once that completes it will be done.
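The same steps can be carried out from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it reads (but does not change) the Stage 1 policy, creates the recovery password before encrypting, and falls back to TPM only mode when a usable TPM is found. Choosing XtsAes128 for the "new encryption mode" and reading the policy from the FVE registry key are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$mount = $env:SystemDrive   # the operating system drive, usually C:

# Stage 1 check (read-only): without a TPM, the "Require additional
# authentication at startup" policy must allow BitLocker without a TPM.
$tpm    = Get-Tpm
$hasTpm = $tpm.TpmPresent -and $tpm.TpmReady
$fve    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)
if (-not $hasTpm -and -not $noTpmAllowed) {
    throw 'No usable TPM and the Stage 1 policy is not enabled. Complete Stage 1 first.'
}

# Step 6: create the recovery password first and display it, so it can be
# backed up somewhere other than the drive being encrypted.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Format-List KeyProtectorId, RecoveryPassword

# Steps 4-8: choose the unlock method and turn BitLocker on. The system
# check runs on the next restart; encryption starts once it passes.
if ($hasTpm) {
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes128 -TpmProtector | Out-Null
} else {
    $password = Read-Host -AsSecureString -Prompt 'BitLocker startup password'
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes128 `
        -PasswordProtector -Password $password | Out-Null
}

# Steps 9-10: after the restart, run this again to see the progress.
Get-BitLockerVolume -MountPoint $mount |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```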

Using BitLocker with TPM

If your computer does come with a TPM chip and you want to enable BitLocker, then you can follow the same guide as above; the only difference is you would not need to follow Stage 1 regarding the Group Policy.

You can then set one of the TPM methods to secure the laptop. If you want the most invisible option then go with TPM only, which protects your laptop if it is lost or stolen, providing you also have a Windows password set.
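To confirm which unlock method a machine actually ended up with, the key protectors on each volume can be listed and matched to the methods described in this article. This audit script is an added example, not part of the original article; the friendly names in the lookup table are this example's own labels.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
# Labels for the unlock methods discussed in this article, keyed by the
# KeyProtectorType values that Get-BitLockerVolume reports.
$modeNames = @{
    Tpm           = 'TPM only'
    TpmPin        = 'TPM with PIN'
    TpmStartupKey = 'TPM with USB key'
    Password      = 'Password (no TPM)'
    ExternalKey   = 'USB startup key or recovery key file'
}

function Get-BitLockerUnlockReport {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $modes = @($types | Where-Object { $modeNames.ContainsKey($_) } |
                   ForEach-Object { $modeNames[$_] })

        $notes = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $notes += 'protection is off'
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $notes += "status $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $notes += 'no recovery password protector to back up'
        }
        if ($types -contains 'Tpm') {
            # TPM only: nothing is asked at boot, so if the whole machine
            # is stolen the Windows password is the remaining barrier.
            $notes += 'TPM only: make sure a secure Windows password is set'
        }

        [pscustomobject]@{
            MountPoint    = $vol.MountPoint
            UnlockMethods = $modes -join ', '
            Notes         = $notes -join '; '
        }
    }
}

Get-BitLockerUnlockReport | Format-List
```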

If you would like further information on Encryption, help deciding which type is best for your business, or us to help with the setup please get in touch today.

Our next article will cover the best practices regarding your Windows password.