Encryption: Essential yet underused.

Bitlocker: Your Drive is Worth Encrypting


Bitlocker has been a feature of Windows since the Vista days. It shipped pretty fully featured and has gone from strength to strength. Now that almost all consumers will be using the Pro version of Windows 8, a large proportion of Windows 8 users will have Bitlocker on their systems. Yet most people do not encrypt their drives.


What & Why

In a nutshell, drive encryption ensures that your data is scrambled and unreadable unless the correct key, password or PIN is supplied. We tend to think that our data is safe, or that we don’t really have anything sensitive to hide. But think again. Your passwords, personal documents, accounts, bills and receipts all leave an electronic trail that makes identity theft easy should the data fall into the wrong hands. I could go on at length about this, but here’s a summary of why you need to encrypt:

  1. Thumb drives and laptops are easily misplaced and that usually means someone has picked your drive up.
  2. Mechanical drives have relatively high failure rates. When you send your drive back to the manufacturer, the engineer replacing it can easily glean data off your old drive.
  3. Unless you securely wipe your drive before handing it to others, your data (even deleted) is likely to be recoverable. Secure wiping can take hours. It is easier to encrypt it and never bother about wiping again.

You should be encrypting your drive. Even more so because it is free, stable, easy to use and effective. Every drive is encryptable – from your boot drive to your thumb drive. You should be encrypting everything unless it is a throwaway / public device.


Encryption

Bitlocker is found in Control Panel. You select the drive you want to encrypt and choose ‘Turn on BitLocker’. You then choose a password or a smart card (if you have one) as the key to your drive.

If you are encrypting your boot drive, you choose either a password or a USB stick as the key. Also, if you have a TPM chip on your motherboard, you can skip the above. Bitlocker will look for that unique chip and use it as the key.

Bitlocker then generates a recovery key that will save you in case you forget your password, lose your smart card, lose your USB key or, for some reason, your TPM chip gets fried. You can then choose to save the recovery key yourself or keep it stored securely in a separate section of SkyDrive. I recommend the latter for its security and ease. If you need to recover a key from SkyDrive, you have to go to a separate section that requires two-factor authentication.

The Encryption Process: You can encrypt multiple drives at the same time.

After that the encryption process takes over. You can pause it any time if you need to remove the drive or shut down your PC. You can also continue working with the drive as it is being encrypted. The time encryption takes varies based on the size and type of your drive. My SSDs (256 GB/128 GB) encrypted really quickly. Mechanical drives took significantly longer.

Once it completes, you’re done. Your drive is encrypted. No one can access it unless they have the key.
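The same flow can be driven from PowerShell, which is handy when you have several drives to set up or want it scripted. The following is an added example, not code from the original post: it uses the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8 and later, and the drive letters (C: for the OS drive, D: for a data drive, E:\ for the USB stick used as a startup key) are assumptions.

```powershell
# Added example for this post (not code from the original article). It assumes the
# BitLocker and TrustedPlatformModule PowerShell modules that ship with Windows 8 /
# Server 2012 and later, an elevated session, C: as the OS drive and D: as a data
# drive; the USB path E:\ is a placeholder for the stick you want to use as a key.
#Requires -RunAsAdministrator

function Enable-OsDriveEncryption {
    param(
        [string]$MountPoint = 'C:',
        [string]$StartupKeyPath = 'E:\'   # root of the USB stick (placeholder)
    )

    # Add the recovery password before anything else, so a lost protector is
    # never fatal. Windows prints it as 48 digits in eight groups of six.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        # TPM: the chip releases the key at boot, so the user is never prompted.
        # The hardware test can be skipped; there is no removable key to check.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
    } else {
        # No usable TPM: a startup key on a USB stick must be present at boot.
        # Keep the hardware test (a reboot) so BitLocker proves the firmware can
        # read the stick before any sector is encrypted.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -StartupKeyProtector -StartupKeyPath $StartupKeyPath | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Enable-DataDriveEncryption {
    param(
        [string]$MountPoint = 'D:',
        # A drive that already held files should be fully encrypted: used-space-only
        # leaves old, deleted data in free space readable, which defeats point 3
        # of the list above.
        [switch]$DriveIsNew
    )
    $password = Read-Host -AsSecureString -Prompt "Choose a BitLocker password for $MountPoint"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    $common = @{
        MountPoint        = $MountPoint
        EncryptionMethod  = 'Aes256'
        PasswordProtector = $true
        Password          = $password
    }
    if ($DriveIsNew) {
        # Windows 8 feature: encrypt only written sectors, which is why a fresh
        # SSD finishes in minutes rather than hours.
        Enable-BitLocker @common -UsedSpaceOnly | Out-Null
    } else {
        Enable-BitLocker @common | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Get-EncryptionProgress {
    # One row per volume: how far encryption has got and which protectors exist.
    Get-BitLockerVolume | Select-Object MountPoint, VolumeType, VolumeStatus,
        EncryptionPercentage, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

# Encryption keeps running while you work; to pause before pulling a drive or
# shutting down, use the manage-bde command-line tool, then resume later:
#   manage-bde -pause D:
#   manage-bde -resume D:
```

Run `Enable-OsDriveEncryption` first, then `Enable-DataDriveEncryption -DriveIsNew` for an empty drive or without the switch for one that already held data, and poll `Get-EncryptionProgress` to watch the percentage climb. The recovery password is added before encryption starts deliberately: if the TPM or USB key is lost later, the 48-digit code is the only way back in.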


Access

The biggest worry about encryption is ease of access. Sure, you made it really tough for people to steal your data, but you also want to make sure that it is easy for you to work on it day to day. Good news. It is really easy.

Unlocking a boot drive on start up. You won't see this if you use TPM or a thumb drive.

Boot Drives: If you chose a password at boot, the only extra step is keying it in when the computer starts. If your key is a thumb drive, make sure it is plugged in before turning the computer on; you can remove it after Windows boots. For desktops and other devices you are almost certain you won’t misplace, you can leave the thumb drive attached permanently and forget about it. In that case the encryption only protects the hard drive if it is removed from your system without the thumb drive. Of course, if you have a TPM chip, there’s nothing for you to do at all. It just works.

Other Drives: Bitlocker allows auto unlock for all other drives as long as the drive has been recognized and unlocked on that particular system at least once. This means you never have to unlock your other internal / external drives again once the drive is registered on the system.

Unlocking Non Boot Drives: It can be automated (left) or manual (right).

If you prefer not to auto-unlock, Windows will prompt for your Bitlocker password when you plug in the drive.


Recovery

Say you forgot your password, your dog ate your USB key or some nasty person ripped off your TPM chip. Don’t worry, recovery is easy. Retrieve the recovery key you saved earlier and just key it in. You’re done.

As mentioned before, it is smarter to save that key on SkyDrive. The key will not be accessible from your usual SkyDrive directories but rather from a special site (https://skydrive.live.com/RecoveryKey) that requires you to log in and then supply an authentication code sent to your email. SkyDrive (a.k.a. Microsoft Account) stores your keys securely, and retrieving them in emergencies is both easy and secure.
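The Access and Recovery sections above both come down to which protector unlocks a drive. This added example, not code from the original post, scripts the three paths for a data drive: registering auto-unlock after a first manual password unlock, writing out the recovery passwords (with the key ID the recovery screen shows) to a drive you are not encrypting, and unlocking with the 48-digit recovery password when the normal key is gone. It assumes the BitLocker module on Windows 8 or later; D: and F:\ are placeholders. Recovery of the boot drive itself happens at the pre-boot screen rather than in PowerShell.

```powershell
# Added example covering the Access and Recovery sections above (not code from the
# original article). Assumes the BitLocker module on Windows 8 or later, an elevated
# session, D: as a data drive and F:\ as a drive that is NOT being encrypted, where
# the recovery passwords can be written; all three are placeholders.
#Requires -RunAsAdministrator

function Register-AutoUnlock {
    param([string]$MountPoint = 'D:')

    # Auto-unlock keeps the data drive's key on the protected OS drive, so it is
    # only available once the OS drive itself has BitLocker turned on.
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
    if ($os.ProtectionStatus -ne 'On') {
        throw 'Turn on BitLocker for the OS drive before enabling auto-unlock.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        # First use on this machine: the manual path, a password prompt.
        $pw = Read-Host -AsSecureString -Prompt "BitLocker password for $MountPoint"
        Unlock-BitLocker -MountPoint $MountPoint -Password $pw | Out-Null
    }
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled   # True once registered
}

function Export-RecoveryPasswords {
    param([string]$OutFile = 'F:\BitLocker-Recovery.txt')   # placeholder path

    # The first block of the protector ID is the "Key ID" the recovery screen
    # shows, so write both: the ID tells you which password to type.
    $lines = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in $vol.KeyProtector) {
            if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
                '{0}  KeyID={1}  Password={2}' -f $vol.MountPoint, $kp.KeyProtectorId, $kp.RecoveryPassword
            }
        }
    }
    Set-Content -Path $OutFile -Value $lines
    @($lines).Count   # number of recovery passwords written
}

function Unlock-WithRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$RecoveryPassword
    )
    # Reject typos before asking BitLocker: 48 digits in eight hyphenated groups of six.
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw 'Expected 48 digits as eight groups of six, e.g. 123456-123456-...-123456'
    }
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null

    # Recovery is a one-off: add a replacement protector now so the 48-digit code
    # does not become the everyday key. For a data drive that is a fresh password.
    $new = Read-Host -AsSecureString -Prompt "New BitLocker password for $MountPoint"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $new | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}
```

Typical use: `Register-AutoUnlock -MountPoint 'D:'` the first time a drive is plugged into the machine, `Export-RecoveryPasswords` once after encrypting so the file can be kept off the encrypted drives, and `Unlock-WithRecoveryPassword -MountPoint 'D:' -RecoveryPassword '<48 digits>'` only when the password or USB key is gone. The format check in the last function is there because a mistyped recovery password simply fails without saying why.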

Retrieve your recovery keys securely from SkyDrive (Windows 8 Only)


Why Wait?

Encryption wasn’t important for home users in the past. But with the amount of digital footprints we leave and the increasing number of identity thefts, it is smart to encrypt. Taking into account that the solution is very well integrated into Windows 8, and that its security and ease of access are excellent, encryption is too simple to remain underused.