BitLocker
Warning
This section will cover how to use Bitlocker to enable full disk encryption on your device. This section contains multiple warnings which must all be read and understood. Failure to do so could result in permanent data loss! There is a video showing Bitlocker hardening and being enabled. I recommend using it to follow along with the guide.
BitLocker tutorial
Throughout this guide, using TPM and Secure Boot is mentioned. You don’t need to have or use these to enable Bitlocker, but they add to the security of Bitlocker. Be careful of resetting the TPM, updating the BIOS, changing a CPU if using fTPM, and disabling or modifying Secure Boot/TPM when Bitlocker is active. Doing so will send it into recovery mode!
Bitlocker is a feature of Windows Pro edition and above and is not available to Home users. This guide will show you how to use it, as well as some of the best practices for it. This is a very important step for data security and privacy. For more in-depth info on why encryption is important, refer to the OPSEC section.
To start, go to the search bar and type in Group Policy. We’ll be using this to harden Bitlocker before turning it on. Don’t be alarmed by the complexity of Group Policy. We’ll just be using a small section for this part. To go to the Bitlocker settings, use the navigation menus on the right hand side. Go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Bitlocker Drive Encryption.
We won’t be going over most of these options, as most of them are fine as is. The first one to cover is the option to disable new DMA (direct memory access) devices when the computer is locked. For home users, you likely won’t gain much by enabling this. This option is considered extremely important for business and government employees though, as leaving it disabled could result in an attacker being able to get the keys using a DMA device, which could result in things like stolen IP or compromised national security. If you want to learn more about this type of attack, feel free to Google it. Again, it isn’t something that’s all that important for a home user.
The next option to click on is choose drive encryption method and cipher strength. There are currently three options in Windows and each one covers different versions of Windows. The middle option should be for Windows version 1511 and later, which covers the most recent version of Windows.
By default, the OS and fixed data drives will use XTS-AES 128-bit encryption. 128-bit encryption is great as is, but I recommend turning it up to 256-bit. Some people would say that’s overboard, but it doesn’t cost anything to do so and 256-bit encryption is considered to be quantum resistant. This is critical for business and government settings. Imagine a government drive with national security secrets falls into the hands of a foreign adversary. The government would want the encryption to be as strong as possible to delay the adversary from being able to see what’s on there, even decades into the future.
As for the option of the encryption method for removable drives, XTS-AES is the more secure option, whereas AES-CBC has better backwards compatibility with Windows editions. If you need backward compatibility, the CBC option may be needed.
Now that that’s set, open up the operating system drives folder. There are a few things here that should be hardened as well. The first option is to allow Secure Boot for integrity validation. See the Secure Boot tab for more information about what this feature is used for. This will help prevent tampering with Bitlocker.
Warning
Don’t enable this option if you don’t have/use Secure Boot. Doing so with Bitlocker on can result in the immediate activation of recovery mode. Also, as mentioned in the group policy page, disabling the policy could result in Bitlocker going into recovery mode when the BIOS is updated. If you disable the policy, suspend Bitlocker before applying BIOS updates.
Next, open up require additional authentication at startup. Once you select enabled, the default settings will be to allow TPM. These are fine as is and shouldn’t be changed if you don’t know what you’re doing. 👉If you don’t have or use a TPM, DO NOT enable this option.👈
The last important option for home users is to allow enhanced startup PINs. Without this option, you can only use numbers for your PIN. With it, you can use letters, numbers, and symbols, which will make the encryption much stronger. Don’t use a joke of a password like “donkey.” A dictionary attack would be able to blow right past that (if you don’t have a TPM). It should be long and complex, but also something you can remember. Bitlocker allows for up to 20 characters. If you are able to remember a password that long, then that’s a great security enhancer.
Warning
When opening the page to turn on enhanced PINs, it will say some computers won’t support it and that Windows recommends users run a system check during Bitlocker setup. You should ALWAYS run the system check!
Note
You can forgo these options if you either don’t have or don’t want to use Secure Boot/TPM. You can still turn it on and just use a PIN for protection. Keep in mind that it is much more secure if you use Secure Boot and a TPM.
Now let’s get Bitlocker turned on. Go to the Windows search bar and type Manage Bitlocker and open it up. You’ll see a list of drives when you do. If you only have one drive and one partition (C:), then that’s the only one you can encrypt. If you have multiple drives or want to encrypt a USB drive, you can do that as well when the options show up.
Let’s start with (C:). Select the option to turn on Bitlocker. It will run a quick check to make sure it can be turned on for your computer. Afterwards, you’ll have an option to choose how you want your drive to unlock with three options.
* Enter a PIN - This is the recommended option. This is something only you should know for maximum security. You can use a short PIN such as six characters, but you should use something much stronger, ideally at least 12. USE SOMETHING YOU’LL REMEMBER.
* Insert a USB flash drive - The issue with this option is that you could lose the drive or end up mistaking it for a spare drive and overwrite it with other stuff. If it got in the hands of an attacker, then the encryption is useless.
* Let Bitlocker automatically unlock my drive - This is a standard setup with a lot of Bitlocker protected drives but isn’t a good option for security. First, if someone were to already have your user login password, then encryption with this method is worthless. Second, this option is vulnerable to the encryption key being captured during startup. The way to mitigate this is to use a startup PIN. Auto unlock would not be acceptable in a business or government environment and I wouldn’t recommend it for home users either.
After picking your unlock method, you’ll be asked how you want to back up your recovery key.
Warning
Make sure your recovery keys are backed up somewhere safe where you’ll be able to access them. If Bitlocker goes into recovery mode, which could be for a number of different reasons, you will not have the option to use your PIN. You will be required to use the recovery key. If you can’t access it, you will permanently lose access to all your data!
You’ll have three options here. The first is to back up to a Microsoft account. This would allow you to access the keys online from your MS account. The obvious concern here is privacy. The second option is to save to a file. You can’t save this file to the drive that’s being encrypted. The third option is to print the key. Choose whatever option you prefer.
Next, Bitlocker will ask if you want to encrypt only the used disk space, which is slightly faster, or the entire drive, which is more secure. Encrypting only the used space is a problem if you reinstalled Windows on that drive or had other data saved there previously. If you only have the used space encrypted, someone could access the drive and recover anything not encrypted.
Next, it will ask if you are ready to encrypt the drive. It says the computer can still be used. I’ve been able to even restart without issue and the encryption has picked up where it left off.
Note
It will ask if you want to run a system check. You should ALWAYS select this option. It will make sure your computer will work properly before encrypting. If you don’t do this and something is misconfigured, your drive will immediately go into recovery mode on reboot. If you don’t have your recovery key, you will lose all your data!
Once you start the process, a Bitlocker window will pop up and show the progress of the encryption. If you are running this on older hardware and/or a hard drive, you may notice some slowdown while it encrypts. Once it’s done, your data will be encrypted!
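To confirm the result, the following added example (not part of the original guide) audits a drive from an elevated PowerShell prompt against the choices recommended above: XTS-AES 256, a startup PIN, a recovery key protector, and finished encryption. The function name Test-BitLockerHardening is made up for this example; it only reads state and changes nothing.

```powershell
# Added example, not from the original guide. Read-only audit; run elevated.
function Test-BitLockerHardening {
    param([string]$MountPoint = 'C:')

    $findings = @()
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Cipher: the Group Policy choice only applies to drives encrypted after it was set.
    if ("$($vol.EncryptionMethod)" -ne 'XtsAes256') {
        $findings += "Cipher is $($vol.EncryptionMethod), not XtsAes256"
    }

    # Unlock method: TPM+PIN, or a password when no TPM is used.
    # A lone 'Tpm' protector is the "automatically unlock" option the guide advises against.
    $pinTypes = 'TpmPin', 'TpmPinStartupKey', 'Password'
    if (-not ($types | Where-Object { $pinTypes -contains $_ })) {
        $findings += "No startup PIN/password protector (found: $($types -join ', '))"
    }

    # Recovery mode accepts only the recovery key, so a recovery protector must exist.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector on this volume'
    }

    # Protection reads Off while encryption is unfinished or BitLocker is suspended.
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted' -or "$($vol.ProtectionStatus)" -ne 'On') {
        $findings += "Status: $($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionPercentage)% encrypted"
    }

    # Secure Boot and TPM are optional in the guide but strengthen the setup.
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { $findings += 'Secure Boot is disabled' }
    } catch {
        $findings += 'Secure Boot state unavailable (legacy BIOS or not elevated)'
    }
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        $findings += 'TPM is absent or not ready'
    }

    return $findings
}

$result = @(Test-BitLockerHardening -MountPoint 'C:')
if ($result.Count -eq 0) { 'All checks passed' } else { $result }
```

If the cipher check fails on a drive that was encrypted before the policy was changed, the drive has to be decrypted and encrypted again for the new method to take effect.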