Safe Computing - Encrypt Your Computer
Recommended Configuration:
Turning BitLocker On:
- Click Start , click on the settings icon
- On the search box and type BitLocker
- Select Manage BitLocker.
- Click Turn on BitLocker.
- BitLocker will run checks to make sure the computer meets requirements.
- Click Next.
- The message “Preparing your drive for BitLocker” will display. Click Next.
- Click Next to start encrypting the drive.
- A message will appear asking you how you want to back up your key. This key will be used to decrypt your drive if maintenance is needed or changes are made to the drive. It is very important that you can provide the key. The options are:
- Save to your Microsoft account: It can save the key to the Microsoft servers if you use your Microsoft account on your computer. --- DO NOT USE!! as your NDSU login is not tied to your OneDrive or Microsoft account.
- Save to a file: You will be asked to provide a flash drive or a network location. The hard drive on the computer cannot be used because it will be encrypted and you won’t be able to access it during maintenance or if changes are made to the computer. Store the flash drive on a secure location.
- Save to a USB flash drive: Saves the key to a USB drive attached to your computer.
- Print the recovery key: If you choose to print the key, store the printout in a secure location so you can provide the key if maintenance is needed or changes are made to the drive.
- Once the encryption has finished you can also get this key by going to Manage Bitlocker and selecting one of the above options
- For computers in the domain, your encryption key may be recovered by the system administrator.
- After choosing one of the options above, click Next.
- The recommended setting is to encrypt entire drive. Click Next.
- The recommended setting is Compatible mode. Click Next.
- Check the box Run BitLocker system check and click Next. The computer will restart or you may need to click on Restart Now.
The computer will start encrypting the drive. You can work as it is encrypted but it may be better to leave it work overnight. Depending on the size of the drive it will take between 2 and 4 hours.
If your computer does not meet your requirements:
Computer has no TPM:
If you have Windows 10 but your computer does not have a TPM, you will see the message asking to enable the policy to “Allow BitLocker without a compatible TPM”
Open the Group Policy Editor by opening a Run window and typing gpedit.msc. Then browse to:
Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives
Set Require additional authentication at startup to enabled.
If it the computer is managed through Active Directory, the administrator may need to set the policy.
After enabling the policy, you can proceed to encrypt the drive with the caveat explained in the next paragraph.
Important note: This method will not be completely transparent to the user. Since there is no TPM to store encryption keys, the user will either have to plug in a flash drive with the key every time the computer is started, or, enter a password at startup to decrypt the key and then the account password to log in to Windows.
If your drive or computer needs maintenance:
If your computer suffers a hardware failure other than the hard drive, your information can be transferred to another computer, however, when the drive is removed and connected to a different computer, you will be prompted to enter the key you printed or saved to the flash drive:
After you enter the key, you will see the files in a similar manner to any unencrypted media.