How To Encrypt A Hard Drive On Windows, And Why You Might Need To

Your Windows device is likely protected with a passcode — the PIN or password you enter when signing in. For most users, login security prevents unauthorized access to the data saved on your computer, but not always. Determined attackers can bypass security and get into your hard drive to access data without login credentials.

If your computer is stolen, or you're throwing away an old machine, malicious parties can take out the hard drive, plug it into a different device, and gain access to your data without any authorization. You should destroy an old drive before you throw it away. While it's still in use, consider encrypting it.

Encrypting a hard drive secures it and its contents, making it inaccessible without authorization. According to Microsoft, even if the hard drive is plugged into another computer, the data inside remains hidden and safe behind a password prompt.

On Windows, disk encryption is provided via an app called BitLocker. It's prepackaged with the OS, but you have to enable and configure it manually. BitLocker is a user-friendly feature, and it only takes a few steps to encrypt a drive.

Once it has been encrypted, the data on the BitLocker-protected volume becomes irretrievable without authentication.

BitLocker requirements

Your system likely already meets all the requirements for BitLocker to work, but a prerequisite of note is a partitioned hard drive. BitLocker needs two partitions to run — one partition that's being encrypted, and the other where the encryption information is stored. If your computer only has a single volume, BitLocker will automatically create an extra partition when it's initialized.

Partitions split your hard drive into usable volumes, and you can either encrypt entire volumes or just the space currently in use. Lastly, you'll need to log into Windows with an Administrator account.

The only caveat is that Windows 10 Home Edition doesn't include the BitLocker app. Instead of the standard BitLocker encryption, Windows 10 Home offers Device Encryption, which can be enabled with a single click in Settings.

BitLocker also integrates with TPM (Trusted Platform Module), a hardware component built into modern computers for preserving encryption keys and safeguarding against hard drive tampering.

How BitLocker works

BitLocker can be accessed in a few different ways. You can use the command line, Windows Explorer, PowerShell, or the Control Panel to deploy BitLocker. But the Control Panel applet is the simplest method.

You can encrypt all or as many volumes as you like, including the Operating System volume (the one with the Windows logo on it).

If the operating system drive is encrypted with BitLocker, the rest of the drives can be configured to auto-unlock whenever the operating system drive is. Click Turn on auto-unlock next to an encrypted fixed drive to enable that feature.

When encrypting a drive, BitLocker lets you pick whether you want to encrypt the space in use or the entire disk. If your hard drive is new or doesn't have much data, select the Encrypt used disk space only option. BitLocker will automatically encrypt any new data written on it.

But if your drive has been in use for some time with lots of data on it, encrypt the whole disk. It takes longer, but the process happens in the background while you use the computer. Full disk encryption also encrypts the free space, which means deleted files cannot be recovered by data recovery products and services.

To disable BitLocker for a drive, click Turn Off BitLocker next to that encrypted drive in the BitLocker Drive Encryption applet. Turning off BitLocker decrypts that drive and its data.

How to encrypt your hard drive

Open Control Panel > System and Security > BitLocker Drive Encryption.

Search "manage bitlocker" from the Start menu.

The BitLocker Control Panel opens with all available drives listed alongside their encryption status. They're grouped into Operating System and Fixed Drives sections. You can encrypt any or all of these drives.

To encrypt any of the drives:

1. Click Turn on BitLocker.

2. Wait for BitLocker to verify system requirements.

5. Click Next.

6. Save the recovery key to your preferred location.

7. Click Next.

8. Select Encrypt used disk space only or Encrypt the entire drive.

9. Click Next.

10. Unless you're planning on plugging your hard drive into another computer, select New encryption mode. If the hard disk needs to work with multiple PCs, select Compatible mode (via Microsoft).

11. Click Next.

12. Keep the Run BitLocker system check enabled.

13. Click Continue.

Reboot if prompted. Upon reboot, you'll find the volume encrypted, as indicated by a lock icon next to the disk. Repeat the process for any or all of the fixed data drives.

BitLocker will also prompt you to save a recovery key during the process. The recovery key is an auto-generated string of random digits that can be used to unlock your drive if you've forgotten the password or if the TPM cannot authenticate it properly.
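
Once the wizard has finished, the choices made in the steps above can be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article: it is a read-only audit that reports, for each volume, whether encryption completed, which encryption mode was used, and whether a recovery password protector exists. It assumes a Windows edition that ships the BitLocker PowerShell module; the function name Get-BitLockerAudit is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit of BitLocker state. It changes nothing and
# never prints recovery password values. Get-BitLockerAudit is a hypothetical name.

function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Protector types present on the volume, e.g. Tpm, Password, RecoveryPassword.
        $types = @($vol.KeyProtector |
                   ForEach-Object { "$($_.KeyProtectorType)" } |
                   Where-Object { $_ })

        # The wizard's "New encryption mode" is XTS-AES; "Compatible mode" is AES-CBC.
        $method = "$($vol.EncryptionMethod)"
        if ($method -like 'XtsAes*') { $mode = 'New (XTS-AES)' }
        elseif ($method -like 'Aes*') { $mode = 'Compatible (AES-CBC)' }
        else { $mode = $method }

        # Collect anything that means the drive is not protected as intended.
        $findings = @()
        if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus)"
        }
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus)"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Type       = $vol.VolumeType
            Status     = $vol.VolumeStatus
            Percent    = $vol.EncryptionPercentage
            Mode       = $mode
            Protectors = $types -join ', '
            AutoUnlock = $vol.AutoUnlockEnabled
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# TPM state, then one record per volume.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent); ready: $($tpm.TpmReady)"
Get-BitLockerAudit | Format-List
```

A volume that is still encrypting in the background shows a Percent below 100 and a status finding until it completes.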