What Is Full-Disk Encryption in Windows 10, and Should I Use It?

Full-disk encryption means that without your user password, the data on your hard drive is completely inaccessible. If a disk is not encrypted, it’s possible to remove the disk from your computer, mount it to the attacker’s computer, and access all your files with no restrictions. Encrypted disks don’t suffer from this security hole. Because their data is hopelessly scrambled without the key, it’s totally unintelligible to a key-less attacker.

Should I Use Full-Disk Encryption in Windows 10?

Yes, especially so if you have a laptop or have files you want to keep secure. Desktop computers are less of a security risk since they don’t travel. However, the downsides of full-disk encryption are so few that there isn’t much reason not to. Modern computers are fast enough to handle the computational overhead of encryption without even pausing. The major downside is that if you forget your password and lose your recovery key, your files are toast. It might also limit your ability to use third-party backup solutions, but we haven’t been able to test that ourselves.

Full-Disk Encryption in Windows 10 Using BitLocker

BitLocker is Microsoft’s proprietary disk encryption software for Windows 10. Because it’s designed by a large, for-profit company, and because the U.S. government approached Microsoft about adding a “back door” to its encryption scheme, BitLocker hasn’t enjoyed the greatest reputation. However, well-respected security researcher Bruce Schneier still recommends it, and it’s perfectly adequate for average Windows users. If using software produced by a giant corporation with ambiguous intent and potential backroom dealings with the U.S. government, that’s reasonable. VeraCrypt is a good, open-source option.

  1. Locate the hard drive you want to encrypt under “This PC” in Windows Explorer. We’ll be encrypting my boot disk for this tutorial.

  2. Right-click the target drive and choose “Turn on BitLocker.”

  3. If you see an error message about needing a “Trusted Platform Module” or TPM, you’ll need to add a Group Policy Exception to allow BitLocker to run anyway. If you don’t see this error message, proceed to step 10.

Running BitLocker without a TPM

  1. Type gpedit.msc into the Run menu (accessible by the “Win +R” shortcut) and press “Enter” to open the Local Group Policy Editor.

  2. Navigate to “Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives” in the side bar.

  3. Double-click on “Require additional authentication at startup” in the main window.

  4. Click the radio button next to “Enabled.”

  5. Also make sure that “Allow BitLocker without a compatible TPM” is checked, then click “OK.”

  6. Finally, we can turn on BitLocker. Right-click the target drive again and choose “Turn on BitLocker.”

Finishing the BitLocker Setup

  1. Choose “Enter a password.”

  2. Enter a secure password.

  3. Choose how to enable your recovery key which you’ll use to access your drive if you lose your password. I like to print mine, but it’s your choice. If you don’t have a printer, you can also save a file to your hard drive, save a file to a USB drive, or save the key to your Microsoft account.

  4. Choose “Encrypt entire drive,” which is the more-secure option that encrypts files that have been marked for deletion but haven’t yet been overwritten.

  5. Unless you need your drive to be compatible with older Windows machines, choose “New encryption mode.”

15. Click “Start Encrypting” to begin the encryption process. Note that this will require a computer restart if you’re encrypting your boot drive. The encryption will take some time, but it will run in the background, and you’ll still be able to use your computer while it runs.

Conclusion

BitLocker is powerful and easy to enable. Turning it on should be a no-brainer for anyone with a portable computer or secure data to protect.