BitLocker Encryption
1. General Information
Microsoft offers the BitLocker tool for disk encryption in Windows 10. It works relatively simply and the system load is minimal. Within VŠE, we have prepared for you how to encrypt data on a station (laptop) that has a standard image. While you follow these instructions, you can decrypt with the help of Help Desk of CI if you forget your key or damage your hardware.
Before encryption, it recommends backing up the current data, either to a portable drive or to Microsoft OneDrive or to ownCloud from Cesnet.
2. Requirements
To encrypt data using Bitlocker, your device must meet the following prerequisites:
- Microsoft Windows 10 school edition is installed on the device
- the device is equipped with a TPM (Trusted Platform Module) chip
- the device is connected by cable to VŠE network (encryption keys are stored in VŠE network environment)
- you have admin rights on this device
- ~500 MB of free space is available on the system disk C:\
3. How to Encrypt a Disk
Notice: Encryption MUST be performed on drive C: first, then drive D:, otherwise you will no longer log in to the system and data may be lost!
To disable disk encryption, you must first turn off the Bitlocker on drive D: and then drive C:.
At the same time, we recommend to write down the computer name in the appropriate way (description of the computer icon on the desktop in the format “Computer VSE-xxxxx”, where xxxxx is a five-digit number). This is required if the computer is damaged to decrypt the disk outside the original computer. Without knowing the name, it may be difficult to find the correct decryption key in Active Directory.
Encryption of C: drive
- Type “bitlocker” into Windows search and run it:
- For the C:\ drive – enable the “Turn on BitLocker” option; the configuration of the computer will be checked:
- The BitLocker installation will be done in a few steps. There may be a deviation depending on the computer configuration. Before the encryption itself, it is necessary to activate the TPM chip, which is a part of computers and notebooks. The particular TPM chip activation will be done by the installation utility itself, but the user’s cooperation will be required. On some older machines, you may need to turn on TPM in the BIOS (it can be done by the CI HelpDesk on request):
- Individual steps are described in the following dialog box, where we click the “Next” button:
- We need to emphasize again that data needs to be backed up and the system informs us that the encryption time depends on the size and content of the drive – but an important parameter is the speed of the drive:
- The C: \ drive is modified to create a bootable part on the drive that must not be encrypted and must be a different partition than the operating system partition. Its size is small up to 500 MB:
- 7. After the restart, the wizard should boot into the BitLocker Drive Encryption (C:) dialog box. Press the “Next” button. The system will turn on the TPM chip, so we have to restart again:
- It is likely that in order to activate the TPM chip, you will need to be cooperative. E.g. HP All-in-One requires F1 key acceptance and F10 key for Dell Optiplex 9010 PC:
- We will return to the wizard, where we have fulfilled two of the required points and we can proceed to the actual encryption of the drive. Continue by selecting “Next”:
- When encrypting, we are asked for the encryption mode. From Windows 10 on, we choose already the new XTS-AES encryption algorithm:
- In the last step, we can choose to perform a system check (working with keys in TPM and others are tested), otherwise the disk encryption will start immediately and in case of any complications, we may not be able to decrypt it anymore.
- After selecting Continue, we will get to restart your computer:
This encrypts the C drive and stores the encryption key information in the TPM chip and the Computer object in Active Directory.
Encryption of D:\ drive
- In order to encrypt also the document storage – we also need to encrypt D drive. So we need to call the Bitlocker tool again. After we see the utility, we will see that C drive is already encrypted (Turn off BitLocker is available), while D drive has the option “Turn on Bitlocker” (you must first click the arrow next to drive D: \), which we now call:
- A window pops up that has limited options (set by a system administrator). The only option now is “Automatically Unlock this Drive on this Computer”. If you check this option, the “Next” button will appear in the wizard:
- Again, select the encryption mode for the D: \ drive:
- Use the “Start Encryption” button in the next window to start encrypting the D: \ drive:
- You are informed by the following dialog box when encryption is complete:
- If you call the BitLocker tool again, you will see that both disks are encrypted:
- The manage-bde -status X: command (where X is the drive letter) can be used to invoke more detailed information about the encryption status (via the command prompt with administrative rights):
4. Frequently Asked Questions
Can I encrypt without TPM on my device?
No, data encryption without TPM is not supported.
How do I know if my device has a TPM chip?
The vast majority of devices have the TPM chip. If it is enabled in BIOS, it is possible to call it by command tpm.msc.
How do data on shared storage (OneDrive, OwnCloud, etc.) behave when it is encrypted on one device – will I open it on another device that does not have encryption set?
A particular physical storage is encrypted in block, not the files on it, so the synced storage has unencrypted data. For clients of this online storage, encryption is transparent; they do not know about it.
How do I turn off disk encryption?
In Bitlocker management, simply select “Turn off Bitlocker”. However, it is necessary to first disable the encryption of D: drive and only then C: drive.
What happens if the device turns off during encryption?
If the encryption process is interrupted because the device is turned off/hibernated, the encryption will continue where it left off when it is turned on – this, according to Microsoft, should work even in the event of a power failure.
Is it possible to encrypt the drive if the device is connected only via eduroam wireless network?
Yes, however, due to the lower reliability of the connection compared to the fixed network, we do not recommend this.