What Is BitLocker? Windows Security Feature Overview

Any sensitive file on a Windows device is readable by whoever has the disk: pull the drive, attach it to another machine, and the data is there in plain text unless it is encrypted. BitLocker is the full-volume encryption feature built into the Pro, Enterprise, and Education editions of Windows (Home editions get the simpler automatic Device Encryption variant on supported hardware). In this article, learn what BitLocker is, how recovery works, and how to enable it.

What is BitLocker?


BitLocker is a security feature in certain Microsoft Windows editions that encrypts an entire volume so that nothing on it can be read without the key. It is most often used on the drive Windows is installed on, but it can also encrypt fixed data drives and, as BitLocker To Go, removable drives.

In a nutshell, encryption makes data unreadable without the right key. BitLocker wraps each volume's encryption key with one or more "key protectors": the TPM, a PIN, a startup key, a password, or the 48-digit recovery key. Anyone who cannot present a valid protector gets only ciphertext, and there is no side door: Microsoft cannot unlock the drive for you.

BitLocker, also known as BitLocker Drive Encryption, uses the Advanced Encryption Standard (AES) with 128-bit or 256-bit keys. Since Windows 10 version 1511 the default mode is XTS-AES; the older AES-CBC mode is kept as a "compatible" option for drives that must be read by earlier Windows versions. BitLocker gained wider attention in 2014, when the TrueCrypt project abruptly ended development and its final page recommended BitLocker as the replacement for Windows users. It has been a standard part of the business editions of Windows ever since.

The feature first shipped with Windows Vista in 2007. Current Windows 11 installations on supported hardware turn on device encryption by default, so many people are running BitLocker without having chosen it. That makes the recovery key matter: if the TPM stops releasing the key (after a firmware update, a motherboard swap, or a boot configuration change) and you cannot produce the recovery key, the data is gone. Neither IT staff nor Microsoft support can bypass the encryption; the most they can do is look up a recovery key that was backed up somewhere.

How does BitLocker work?

BitLocker ties the encryption key to the state of the boot process. It uses a Trusted Platform Module (TPM), a security chip on the motherboard or built into the processor, to guard the key. The volume key is "sealed" to measurements of the firmware, boot loader, and boot configuration, and only that TPM, booting the same measured configuration, will unseal it. The TPM never exports its own secrets to a place of the user's choosing; what you can store elsewhere, such as in your Microsoft account or Active Directory, is the separate recovery key.

Together, the TPM and BitLocker detect offline tampering. If someone pulls the drive out and mounts it elsewhere, there is no TPM to release the key and the data stays unreadable; if someone modifies the boot loader on the original machine, the measurements change and the TPM refuses to unlock. In the default TPM-only configuration no user interaction is needed at boot, which is convenient but means that whoever has the whole powered-off machine gets Windows to unlock the drive for them and is then only up against the Windows sign-in screen. For that reason BitLocker can be configured to require a second factor at startup: a personal identification number (PIN) typed before Windows loads, a startup key stored on a removable device such as a USB drive, or both.

When a PIN or startup key is configured, it is required at every cold boot and when resuming from hibernation (not from sleep, where the key is still in memory). Some machines don't have a TPM at all, while others ship with it disabled in firmware.

Those computers can still use BitLocker on the Windows operating system drive, but only after an administrator enables "Allow BitLocker without a compatible TPM" under the "Require additional authentication at startup" policy. The drive is then protected by a startup key or a password instead of the TPM, and the boot chain is no longer measured.

Two more tools are used to manage BitLocker: the BitLocker Recovery Password Viewer and the BitLocker Drive Encryption Tools.

BitLocker Recovery Password Viewer is an optional feature for administrators in an Active Directory Domain Services (AD DS) environment. It adds a tab to computer objects in Active Directory Users and Computers that lists the recovery passwords escrowed for that computer, plus a search by recovery key ID.

BitLocker Drive Encryption Tools isn't a single tool but a set of command-line utilities included with Windows: manage-bde.exe for configuring and querying volumes, repair-bde.exe for salvaging data from a damaged encrypted volume, and the BitLocker PowerShell module (Get-BitLockerVolume, Enable-BitLocker, Add-BitLockerKeyProtector and related cmdlets). Administrators and advanced users rely on them for scripting, auditing, and disaster recovery.
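As an added example (not part of the original article, and not one of Microsoft's own samples), the script below uses the BitLocker and TrustedPlatformModule cmdlets mentioned above to audit one machine: TPM state, then each volume's encryption status, cipher and key protectors, with the findings a practitioner would act on. It assumes an elevated PowerShell session on a Windows edition that includes BitLocker; the finding texts and thresholds (XTS-AES expected, TPM-only flagged) are this example's choices, not anything the cmdlets enforce.

```powershell
# Added example: audit BitLocker posture with the built-in PowerShell cmdlets.
# Assumes an elevated PowerShell session on Windows Pro/Enterprise/Education.
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    # TPM state. Get-Tpm reports Present and Ready separately because a TPM can be
    # present but disabled in firmware or not yet provisioned for Windows.
    $tpm      = Get-Tpm
    $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady
    [pscustomobject]@{
        Volume   = 'TPM'
        Status   = if ($tpmReady) { 'Ready' } elseif ($tpm.TpmPresent) { 'Present, not ready' } else { 'Absent' }
        Findings = if ($tpmReady) { '' } else { 'OS drive cannot be bound to boot measurements' }
    }

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeStatus -ne 'FullyEncrypted')  { $findings += "volume is $($vol.VolumeStatus)" }
        if ($vol.ProtectionStatus -ne 'On')           { $findings += 'protection is off or suspended' }
        if ($vol.EncryptionMethod -notlike 'XtsAes*') { $findings += "cipher is $($vol.EncryptionMethod), not XTS-AES" }
        if ($types -notcontains 'RecoveryPassword')   { $findings += 'no recovery password: a TPM change will lock you out' }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # A volume carries at most one TPM-based protector. Plain 'Tpm' means no second factor at boot;
            # 'TpmPin', 'TpmStartupKey' or 'TpmPinStartupKey' mean a second factor is required.
            if ($types -contains 'Tpm') {
                $findings += 'TPM-only unlock; consider TPM+PIN (Add-BitLockerKeyProtector -TpmAndPinProtector, policy permitting)'
            } elseif (-not ($types -like 'Tpm*')) {
                $findings += 'OS drive is not bound to the TPM at all'
            }
        }

        [pscustomobject]@{
            Volume   = "$($vol.MountPoint) ($($vol.VolumeType))"
            Status   = "$($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted, $($vol.EncryptionMethod), protectors: $($types -join '+')"
            Findings = $findings -join '; '
        }
    }
}

# Usage. The legacy tool shows the same facts in a different layout:
#   manage-bde -status
#   manage-bde -protectors -get C:
Get-BitLockerPosture | Format-Table -AutoSize -Wrap
```

The "protection is off or suspended" finding is the one to watch in fleets: Suspend-BitLocker is routinely used around firmware updates, and a volume left suspended keeps its key in the clear on disk even though it still reports as encrypted.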

Features of BitLocker

BitLocker is a great security tool for Microsoft Windows devices. The following features characterize the software.

  • Full volume encryption. BitLocker encrypts an entire volume, so everything on it is protected at rest: the operating system, applications, page file, hibernation file, and user files. The small unencrypted system partition that holds the boot loader is the one exception.
  • Multi-factor authentication methods. BitLocker supports several ways to unlock a drive. For the operating system drive these are TPM only, TPM plus PIN, TPM plus USB startup key, TPM plus both, or, without a TPM, a password or startup key. Data drives can additionally be unlocked with a password, a smart card, or automatically once the OS drive is unlocked. Requiring a PIN or startup key alongside the TPM adds a second factor that a thief holding the powered-off machine does not have.
  • Recovery keys. A 48-digit recovery password is generated when BitLocker is set up. It unlocks the drive when the normal protector fails: a forgotten PIN or password, a lost startup key, or a TPM that no longer releases the key after a firmware or hardware change.
  • Integration with Active Directory and Intune. Group Policy controls which protectors and ciphers are allowed, and recovery keys can be escrowed automatically to Active Directory Domain Services or, for cloud-joined devices, to Microsoft Entra ID, so administrators can recover drives centrally.
  • Hardware acceleration. Modern CPUs implement AES instructions (AES-NI and equivalents) that make BitLocker's software encryption almost free in performance terms. BitLocker can also hand encryption off to self-encrypting drives, but since Windows 10 version 1903 it defaults to software encryption even on such drives, after researchers showed that several drives' built-in encryption could be bypassed; hardware encryption has to be explicitly allowed by policy.
  • Compatibility. BitLocker works on any PC that meets the requirements below, with or without a TPM, and on external drives through BitLocker To Go. Encrypted removable drives can be read on earlier Windows versions if the compatible (AES-CBC) mode is chosen when encrypting.

System requirements

If you want to use BitLocker, then you must meet certain system requirements, including:

  • Windows Pro, Enterprise, or Education (Home editions offer only the automatic Device Encryption variant)
  • Trusted Platform Module (TPM) version 1.2 or 2.0, enabled in firmware; a TPM 2.0 system must boot in UEFI mode
  • Without a TPM: Group Policy set to allow BitLocker without a compatible TPM, plus a USB drive for the startup key or a password
  • Firmware (UEFI, or a BIOS with TCG support) that can read from a USB drive during boot, which the recovery and startup-key paths depend on

You also need the standard partition layout: a small unencrypted system partition that holds the boot files, separate from the NTFS operating system partition. Windows Setup creates this automatically, and the BitLocker wizard can shrink an existing partition to make room if it is missing. Finally, the user must have administrator privileges to enable BitLocker and manage its settings.

How to turn on BitLocker in Windows

Encrypting your drive is a straightforward process. Assuming that your Windows PC meets the requirements above, follow this step-by-step guide to enable BitLocker on your computer.

  1. Open File Explorer. Click the folder icon in the taskbar or press Windows + E to open File Explorer.
  2. Locate the drive. In File Explorer, right-click the drive you want to encrypt with BitLocker. This could be your primary hard drive or another drive storing sensitive data.
  3. Select "Turn on BitLocker" from the right-click menu. If you don't see it, the drive may be unsupported or your Windows edition may lack BitLocker; "Manage BitLocker" in Control Panel shows the same options.
  4. Choose how to unlock the drive. On a PC with a working TPM the wizard skips this step for the operating system drive and uses the TPM silently; you are asked for a password or startup key only if there is no TPM or policy requires a second factor. For data and removable drives you choose a password or a smart card.
  5. Back up your recovery key. This step is crucial: the recovery key is the only way back in if the TPM, PIN, or password fails. The wizard offers saving to your Microsoft account (or your organization's directory on a work PC), to a USB drive, to a file on another drive, or printing it. Never store it on the drive you are encrypting.
  6. Start the encryption process. Choose whether to encrypt used disk space only (fine for a new PC) or the entire drive (use this on a drive that has already held data, since deleted files in free space are otherwise left in plain text), then the encryption mode: the new XTS-AES mode for fixed drives, or compatible mode for removable drives that older Windows versions must read. Click Next.
  7. Restart your computer. For the operating system drive, BitLocker runs a system check that needs a restart to confirm the TPM and firmware can release the key. Encryption starts after the reboot and continues in the background; you can keep working while it runs.
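The same procedure as a script, added here as an example; it is not from the original article or from Microsoft's samples. It uses the BitLocker PowerShell cmdlets in the order a practitioner wants: create the recovery password first, escrow it, then bind the volume key to the TPM and start encrypting. It assumes an elevated session, a TPM that is present and ready, and that E:\ (a placeholder you should change) is a removable drive for the recovery key file.

```powershell
# Added example: enable BitLocker on the OS drive from PowerShell (elevated session required).
# Assumptions: TPM present and ready; $KeyBackupPath is a removable drive, not the drive being encrypted.
#Requires -RunAsAdministrator
param(
    [string]$MountPoint    = 'C:',
    [string]$KeyBackupPath = 'E:\'    # placeholder, change to your USB drive letter
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is already $($vol.VolumeStatus); nothing to do"
}
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    # Without a TPM, policy must allow it and you use -PasswordProtector or -StartupKeyProtector instead.
    throw 'TPM absent or not ready; enable it in firmware or run Initialize-Tpm, then retry'
}
if ((Split-Path -Qualifier $KeyBackupPath) -eq (Split-Path -Qualifier "$MountPoint\")) {
    throw 'Refusing to save the recovery key on the drive being encrypted'
}

# 1. Recovery password first, so the drive is recoverable before it can ever lock you out.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1

# 2. Escrow it: a file on the USB drive, plus Entra ID if the device is joined there
#    (use Backup-BitLockerKeyProtector instead for an on-premises AD DS domain).
$keyFile = Join-Path $KeyBackupPath "BitLocker Recovery Key $($recovery.KeyProtectorId.Trim('{}')).txt"
@(
    "Computer:     $env:COMPUTERNAME"
    "Key ID:       $($recovery.KeyProtectorId)"
    "Recovery Key: $($recovery.RecoveryPassword)"
) | Set-Content -Path $keyFile
try {
    BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId -ErrorAction Stop
} catch {
    Write-Warning "Entra ID escrow skipped ($($_.Exception.Message)); keep $keyFile somewhere safe"
}

# 3. Bind the volume key to the TPM and start encrypting: XTS-AES-256, used space only.
#    Omit -UsedSpaceOnly on a drive that has already held data, so free space is wiped too.
#    Without -SkipHardwareTest, Windows asks for a restart and verifies that the TPM can release
#    the key before encrypting; keep that check on any machine you cannot walk up to.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
Write-Host 'Restart now to run the BitLocker system check; encryption continues after the reboot.'
```

The order matters: Enable-BitLocker accepts one protector type per call, and adding the recovery password before the TPM protector means there is never a window in which the volume is bound to the TPM with no way to recover it.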

What is a BitLocker recovery key?

A BitLocker recovery key (also called the recovery password) is a unique 48-digit numeric password, written as eight groups of six digits, that serves as a fallback key protector for a BitLocker-encrypted drive. It is not a backdoor: it is one more key, generated on your own machine, that decrypts the volume key just as the TPM or PIN does. Use it when you're locked out because of a forgotten PIN or password, a lost startup key, or a TPM that has stopped releasing the key after a firmware or hardware change. Each recovery key is paired with a Key ID, and the recovery screen shows the first eight characters of that ID so you can pick the right key if you have several.

Where can you find your BitLocker recovery key?

There are a few places you can get your recovery key from, depending on the choice you made during the setup.

  • Your Microsoft account. If you enabled BitLocker on a personal Windows PC while signed in with a Microsoft account, or Windows turned on device encryption automatically, the key was uploaded there. Sign in at https://account.microsoft.com/devices/recoverykey to view it.
  • A printout. You may have printed a copy of your recovery key when you first activated the software. Check where you keep important computer-related paperwork.
  • A USB flash drive. If you saved the recovery key to a USB flash drive during setup, insert the drive into any computer and open the text file named "BitLocker Recovery Key" followed by the key ID.
  • Cloud storage. If you saved the key to a file, check any online storage you might have used, such as OneDrive, Dropbox, or Google Drive.
  • Active Directory or Microsoft Entra ID. On a work computer the key is usually escrowed to Active Directory Domain Services, or to Entra ID/Intune for cloud-joined devices. Your system administrator can look it up by computer name or by the Key ID shown on the recovery screen; on Entra-joined devices you may be able to see it yourself in your account's device list.
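Two helpers for the recovery-key format described above and the Active Directory lookup just mentioned, added here as an example and not taken from the original article or from Microsoft. The first checks a 48-digit recovery password for structural validity before anyone types it at the recovery screen: each six-digit group is a 16-bit value multiplied by 11, so every group must be divisible by 11 and below 720896 (65536 x 11). The second pulls escrowed recovery passwords for a computer out of AD DS, where they live as msFVE-RecoveryInformation objects under the computer account. It assumes the ActiveDirectory RSAT module and read rights on those objects; the computer name and Key ID prefix in the usage lines are placeholders.

```powershell
# Added example: validate a BitLocker recovery password and look one up in AD DS.

function Test-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Password)

    # Accept the usual "123456-654321-..." form, or digits with spaces, or bare digits.
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') { return $false }

    for ($i = 0; $i -lt 8; $i++) {
        $group = [int]$digits.Substring($i * 6, 6)
        if ($group % 11 -ne 0)  { return $false }   # the multiply-by-11 encoding acts as a check digit
        if ($group -ge 720896)  { return $false }   # value / 11 must fit in 16 bits
    }
    return $true
}

function Find-ADBitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$KeyIdPrefix    # first 8 hex characters of the Key ID shown on the recovery screen (optional)
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Recovery information objects are children of the computer object, one per escrowed key.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $objects  = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                             -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
                             -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated

    foreach ($o in $objects) {
        # msFVE-RecoveryGuid is stored as a byte array; rebuild the GUID the recovery screen displays.
        $keyId = [guid]::new([byte[]]$o.'msFVE-RecoveryGuid').ToString().ToUpper()
        if ($KeyIdPrefix -and -not $keyId.StartsWith($KeyIdPrefix.ToUpper())) { continue }

        [pscustomobject]@{
            Computer    = $computer.Name
            KeyId       = $keyId
            Created     = $o.whenCreated
            Password    = $o.'msFVE-RecoveryPassword'
            FormatValid = Test-BitLockerRecoveryPassword -Password $o.'msFVE-RecoveryPassword'
        }
    }
}

# Usage. The first two inputs are constructed: every group in the first is a multiple of 11, while the
# second has a single digit changed, which is the kind of transcription error the check catches.
Test-BitLockerRecoveryPassword -Password '000011-000022-000033-000044-000055-000066-000077-000088'
Test-BitLockerRecoveryPassword -Password '000012-000022-000033-000044-000055-000066-000077-000088'
# Find-ADBitLockerRecoveryPassword -ComputerName 'LAPTOP-0420' -KeyIdPrefix 'A1B2C3D4'
```

Read access to msFVE-RecoveryInformation objects is equivalent to holding the decryption key for every escrowed drive, so it should be delegated to a small group and audited; the Recovery Password Viewer snap-in uses exactly these attributes.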

Frequently asked questions

What is a BitLocker pin?

A BitLocker PIN is a preboot PIN used together with the TPM (TPM+PIN). Windows asks for it on every cold boot and resume from hibernation, before the operating system loads, and it is separate from your Windows sign-in PIN. By default it is 6 to 20 digits (policy can allow enhanced PINs containing letters). A short PIN still holds up because the TPM's anti-hammering logic slows down repeated wrong guesses, something a plain password on a drive cannot do.

Who should be using BitLocker?

Anyone whose computer could be lost, stolen, or handled by others should use it, since it protects data at rest against someone who has the disk. It does nothing against malware or another user on the running, unlocked system.

Does it work on solid-state drives (SSDs)?

Yes. Some SSDs have self-encryption built in, but since Windows 10 version 1903 BitLocker ignores that by default and encrypts in software, because flaws in several drives' firmware made their built-in encryption unreliable. Hardware encryption can be re-enabled by policy if you trust the specific drive.

Can I use BitLocker on a virtual machine?

Yes, with caveats. Hyper-V Generation 2 VMs, VMware, and most other hypervisors can present a virtual TPM (vTPM) to the guest, and BitLocker then works as on physical hardware; the vTPM state lives with the VM, so it must be backed up and protected on the host. Without a vTPM, BitLocker needs the policy that allows use without a TPM plus a password or startup key, and the recovery key should still be escrowed somewhere outside the VM.

Can BitLocker encrypt more than one drive?

Yes. It can protect the operating system drive, any fixed data drives, and removable drives (BitLocker To Go). Fixed data drives can be set to unlock automatically once the operating system drive unlocks.