Safe Computing - Encrypt Your Computer

BitLocker is a Microsoft Windows feature that encrypts a computer’s entire hard drive, and can also encrypt external media such as USB flash drives.
Justification: 

BitLocker is a tool that can be used to protect research data and confidential data such as student records and other Personally Identifiable Information (PII) or Protected Health Information (PHI), and to help ensure compliance with regulations such as FERPA. 

If a Windows device is lost or stolen, the data on the encrypted drive cannot be accessed by an unauthorized party: removed from the computer, the drive can only be unlocked with the recovery key, and in the original computer a valid Windows sign-in is still required. 

Recommended Configuration: 

A computer with a built-in Trusted Platform Module (TPM) running Windows 10 or Windows 11 Pro, Enterprise, or Education (Windows 11 requires TPM 2.0; Home editions do not include the Manage BitLocker tool). All PC computers recommended by ITS meet the hardware requirements. 

If the computer meets the requirements above, the encryption process will be transparent to the user, who should not notice any difference from an unencrypted computer: the TPM releases the drive key at boot and you sign in to Windows as usual. 

If the TPM is not enabled by default, it can be enabled in the computer’s BIOS/UEFI firmware setup screen. Follow the manufacturer’s instructions on how to enable the TPM. 

You can verify the TPM is enabled by clicking Start, typing Device Manager in the search box, and looking under Security devices for Trusted Platform Module 2.0 (or 1.2). If it is listed, it is enabled in the firmware. Alternatively, run tpm.msc, which also reports whether the TPM is ready for use.


Turning BitLocker On: 

  1. Click Start, then click the Settings icon. 
  2. In the search box, type BitLocker. 
  3. Select Manage BitLocker. 
  4. Click Turn on BitLocker. 
    1. BitLocker runs checks to make sure the computer meets the requirements. 
  5. Click Next. 
  6. The message “Preparing your drive for BitLocker” is displayed. Click Next. 
  7. Click Next to start encrypting the drive. 
  8. A message asks how you want to back up your recovery key. This key is needed to unlock the drive if maintenance is needed or changes are made to the computer (for example, a firmware update or a replaced motherboard); without it the data cannot be recovered. It is very important that you can provide the key. The options are: 
    1. Save to your Microsoft account: saves the key to Microsoft’s servers if you sign in to the computer with a Microsoft account. DO NOT USE this option: your NDSU login is not tied to your OneDrive or Microsoft account. 
    2. Save to a file: you will be asked for a flash drive or a network location. The hard drive of the computer itself cannot be used, because it will be encrypted and you will not be able to read the key from it during maintenance or after changes are made to the computer. Store the flash drive in a secure location. 
    3. Save to a USB flash drive: saves the key to a USB drive attached to your computer. 
    4. Print the recovery key: if you print the key, store the printout in a secure location so you can provide the key if maintenance is needed or changes are made to the drive. 
      1. Once encryption has finished you can also retrieve this key by going to Manage BitLocker and choosing Back up your recovery key, which offers the same options. 
    5. For computers in the domain, your recovery key may also be recoverable by the system administrator. 
  9. After choosing one of the options above, click Next. 
  10. Choose Encrypt entire drive (recommended). “Encrypt used disk space only” leaves free space, which may still hold remnants of deleted files, unencrypted. Click Next. 
  11. Choose the encryption mode. The recommended setting is Compatible mode (AES-CBC), which can also be read by versions of Windows before Windows 10 version 1511; New encryption mode (XTS-AES) is readable only by Windows 10 version 1511 and later. Click Next. 
  12. Check the box Run BitLocker system check and click Next. The computer will restart, or you may need to click Restart now. The system check confirms that the TPM can release the key at boot before any data is encrypted.

The computer will then start encrypting the drive. You can keep working while it is encrypted, but it may be better to leave the computer on overnight. Depending on the size of the drive, encryption takes roughly 2 to 4 hours. 
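The same procedure from PowerShell, covering both the TPM check described under Recommended Configuration and the wizard steps above. This is an added example, not part of the original KB article, and it assumes: the operating system volume is C:, E:\ is a USB flash drive that will be kept in a secure location (not the drive being encrypted), and an elevated (Run as administrator) PowerShell session on Windows 10/11, whose built-in BitLocker cmdlets are the only dependency.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the NDSU KB article.
# Assumptions: OS volume is C:; E:\ is a removable USB flash drive (NOT the drive being encrypted).
$OsDrive   = 'C:'
$BackupDir = 'E:\BitLockerKeys'
# 'Aes128' is the wizard's "Compatible mode"; 'XtsAes128' is "New encryption mode".
$Method    = 'Aes128'

# --- Verify the TPM (same check as Device Manager > Security devices) ---
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw 'No TPM detected; see "Computer has no TPM" below.' }
if (-not $tpm.TpmReady)   { throw 'TPM is present but not ready; enable/initialize it in the firmware setup.' }

# --- Do nothing if the drive is already protected ---
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$OsDrive is already protected (status: $($vol.VolumeStatus))."
    return
}

# --- Step 8: create the 48-digit recovery password and back it up ---
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector |
       Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
       Select-Object -Last 1

# 8.2 / 8.3: save to a file on the USB drive, never on the drive being encrypted.
if ($BackupDir.StartsWith($OsDrive, 'OrdinalIgnoreCase')) {
    throw 'The recovery key must not be stored on the drive being encrypted.'
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$keyId = $rp.KeyProtectorId.Trim('{}')   # the "Identifier" shown by recovery prompts
$file  = Join-Path $BackupDir "BitLocker-$env:COMPUTERNAME-$keyId.txt"
@"
BitLocker Drive Encryption recovery key
Computer:          $env:COMPUTERNAME
Drive:             $OsDrive
Identifier:        $keyId
Recovery password: $($rp.RecoveryPassword)
"@ | Set-Content -Path $file -Encoding UTF8
Write-Host "Recovery key saved to $file - store the USB drive in a secure location."

# 8.5: on a domain-joined computer, also escrow the key to Active Directory so the
# administrator can recover it. This fails if the domain is not configured for AD backup;
# the file copy written above is still valid in that case.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Host 'Recovery key also backed up to Active Directory.'
    } catch {
        Write-Warning "AD backup failed: $($_.Exception.Message)"
    }
}

# --- Steps 10-12: whole drive (no -UsedSpaceOnly), chosen mode, TPM as the unlock
# protector, and the hardware test on the next reboot (no -SkipHardwareTest) ---
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod $Method -TpmProtector | Out-Null
Write-Host 'Restart the computer to run the BitLocker system check and begin encrypting.'

# After the restart, watch progress with:
#   Get-BitLockerVolume -MountPoint C: | Select-Object VolumeStatus, EncryptionPercentage, ProtectionStatus
```

The recovery password protector is added before encryption is turned on so that a backup copy exists before any data is encrypted; the TPM protector added by Enable-BitLocker is what makes the daily unlock transparent.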


If your computer does not meet the requirements: 

Computer has no TPM: 

If you have Windows 10 but your computer does not have a TPM, you will see a message asking you to enable the policy “Allow BitLocker without a compatible TPM”. 

Open the Local Group Policy Editor by opening a Run window (Windows key + R) and typing gpedit.msc. Then browse to: 

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives 

Open Require additional authentication at startup, set it to Enabled, and make sure the box “Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)” is checked. Click OK. 

If the computer is managed through Active Directory, domain policy overrides this local setting and the administrator may need to set it. 

After enabling the policy, you can proceed to encrypt the drive with the caveat explained in the next paragraph. 

Important note: this method is not transparent to the user. Since there is no TPM to hold the encryption key, the user must either plug in a USB flash drive holding the startup key every time the computer starts, or type a BitLocker password at startup to unlock the drive and then the account password to sign in to Windows. Keep a recovery key anyway; the startup password or startup key does not replace it. 
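The no-TPM setup from PowerShell, as an added example that is not part of the original article: it writes the registry values that the gpedit.msc setting above produces, then turns on BitLocker with a startup password. It assumes the operating system volume is C:, an elevated PowerShell session, and a computer that is not managed through Active Directory (on a domain-joined computer the administrator’s Group Policy overrides these local values).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the NDSU KB article. Assumes the OS volume is C: and that the
# computer is NOT managed through Active Directory (domain GPO would override this).
$OsDrive = 'C:'

# "Require additional authentication at startup" = Enabled, with
# "Allow BitLocker without a compatible TPM" checked, is stored under this policy key.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $Fve -Force | Out-Null
Set-ItemProperty -Path $Fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord   # policy Enabled
Set-ItemProperty -Path $Fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord   # the checkbox
# Leave the TPM options at "Allow" (2) so the same policy still works on machines that have a TPM.
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $Fve -Name $name -Value 2 -Type DWord
}

# Option A: a BitLocker password typed at every boot, before the Windows sign-in.
# BitLocker requires at least 8 characters; pick something different from the account password.
$startupPw = Read-Host -Prompt 'BitLocker startup password (8+ characters)' -AsSecureString
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes128 -PasswordProtector -Password $startupPw | Out-Null
# Option B instead: a startup key on a USB flash drive that must be inserted at every boot:
#   Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes128 -StartupKeyProtector -StartupKeyPath 'E:\'

# Still add a recovery password; the startup password or key is not a substitute for it.
$vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
Write-Host "Recovery key identifier: $($rp.KeyProtectorId.Trim('{}'))"
Write-Host "Recovery password:       $($rp.RecoveryPassword)"
Write-Host 'Record both on paper or a USB drive kept away from this computer, then restart to begin encrypting.'
```

Setting the registry values directly is what the Local Group Policy Editor does behind the scenes; using gpedit.msc as described above is equivalent and easier to audit later.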


If your drive or computer needs maintenance: 

If your computer suffers a hardware failure other than the hard drive, your information can be transferred to another computer. However, when the drive is removed and connected to a different computer, you will be prompted for the recovery key you printed or saved to the flash drive. The prompt shows the key’s identifier; if you have saved more than one recovery key, use it to pick the right one.

After you enter the key, you will see the files just as on any unencrypted media.
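Unlocking a moved BitLocker drive from PowerShell, as an added example that is not part of the original article. It assumes the drive from the failed computer appears as E: on the new one and that you have the 48-digit recovery password from your printout or saved file; the function name Unlock-MovedBitLockerDrive is this example’s own, not a built-in cmdlet.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the NDSU KB article. Assumes the moved drive shows up as E:.
function Unlock-MovedBitLockerDrive {
    param(
        [Parameter(Mandatory)][string]$MountPoint,        # e.g. 'E:'
        [Parameter(Mandatory)][string]$RecoveryPassword   # 48 digits: 123456-123456-...-123456
    )
    # A mistyped digit is the usual failure; reject a malformed key before calling BitLocker.
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'The recovery password must be eight groups of six digits separated by hyphens.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Unlocked') {
        Write-Host "${MountPoint} is already unlocked."
        return $vol
    }

    # The protector identifiers tell you which printout or saved file this drive wants:
    # compare them with the "Identifier" on your recovery key record.
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { Write-Host "Recovery key protector on ${MountPoint}: $($_.KeyProtectorId)" }

    # The unlock lasts until the drive is removed or the computer restarts.
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint   # LockStatus should now read Unlocked
}

# Usage: paste the key from your printout or saved file when prompted.
Unlock-MovedBitLockerDrive -MountPoint 'E:' -RecoveryPassword (Read-Host -Prompt 'Recovery password')
```

Once the drive is unlocked, copy the data off with Explorer or robocopy as you would from any unencrypted disk; the copy on the new computer is not encrypted unless that computer also has BitLocker turned on.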



Keywords:
BitLocker, encrypting, TPM, bitlocker, Bitlocker, bit locker, Trusted, Platform, Module 
Doc ID:
107069
Owned by:
IT Security in NDSU IT Knowledge Base
Created:
2020-11-09
Updated:
2022-06-01
Sites:
NDSU IT Knowledge Base