BitLocker

What is BitLocker?

Newer Windows versions have BitLocker Drive Encryption. BitLocker encrypts everything on Windows’ disk to prevent theft or unwanted access.

By restricting data access, Microsoft BitLocker protects files and systems. Advanced Encryption Standard with 128- or 256-bit keys is used. BitLocker uses specialty key management and on-disk encryption.

Windows Vista introduced BitLocker in 2007, but starting with Windows 10 version 1511, Microsoft included additional encryption methods, group policy settings, OS drives, and detachable data drives. Update for Windows 11, 10, and Server 2016+. Windows Pro, Enterprise, and Education support BitLocker.

BitLocker, how does it work?

BitLocker needs a TPM chip. The TPM holds host-system Rivest-Shamir-Adleman encryption keys for hardware authentication. Original computer manufacturers install the TPM and employ BitLocker to safeguard user data.

BitLocker can lock the starting process until the user enters a PIN or inserts a flash drive with a startup key in addition to a TPM. BitLocker produces a hard disk recovery key in case the user forgets their password.

BitLocker can encrypt Windows OS disks on non-TPM computers. However, this method requires a USB startup key to boot or resume from hibernation. BitLocker with a TPM provides greater pre-startup system integrity checks, according to Microsoft.

Additional BitLocker management tools include BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools. BitLocker Recovery Password Viewer lets users find AD Domain Services-backed recovery passwords. This utility recovers encrypted disk data. BitLocker Drive Encryption Tools include command-line tools, Windows PowerShell BitLocker cmdlets, and manage-bde and repair-bde. Disaster recovery efforts employ Repair-bde when BitLocker-protected disks cannot be opened manually or via the recovery console. BitLocker is enabled or disabled with Manage-bde. Turning off BitLocker decrypts all disk files when they no longer need protection.

How to utilize BitLocker?

BitLocker is activated by default. If it’s off, look for Manage BitLocker in Windows. If BitLocker is on the device, the control panel will provide an option to enable it. Suspend protection, back up your recovery key, then disable BitLocker.

Windows checks system settings once BitLocker is enabled. The user must generate a password for every PC or disk access. The user selects Recovery key settings. Users may choose how much of their disk to encrypt after clicking Next. Two-volume encryption encrypts utilized disk space or the entire drive. Encrypting the entire drive encrypts the entire storage volume, including free space.

Clicking this runs a BitLocker system check to ensure BitLocker can access the recovery and encryption keys before encrypting. Endpoint encryption begins when the BitLocker Drive Encryption Wizard restarts the PC after the system check. Once signed in and registered to an AD domain, protection is enabled.

To decrypt data, search Windows Search for Manage BitLocker, choose the option, and turn BitLocker off.

System requirements for BitLocker
The BitLocker requirements are:

1. Install TPM 1.2 or later.
2. A disposable starting key is needed without a TPM.
3. A TPM requires a Trusted Computing Group-compliant BIOS or UEFI for OS starting chain of trust.
4. USB mass storage must be supported by BIOS or UEFI.
5. Storage disks need several partitions.
6. Format the OS disk with NTFS.
7. Format UEFI-based system disks with File Allocation Table 32.
8. System disks with BIOS firmware must be NTFS.
9. A BitLocker recovery key?
10. A 48-digit numerical password is used to unlock a user’s PC when BitLocker detects an unwanted access attempt. The key adds data security. If hardware, software, or firmware modifications are done, Windows may request the BitLocker recovery key.

How to locate the BitLocker recovery key

Reinstalling Windows is the only option without the recovery key. Backup BitLocker recovery keys to these places to avoid this:

The Microsoft account. Signing into Microsoft on another device lets the user see their key.
USB flash drive. To unlock a locked PC, insert the key from a USB flash drive. Users can read passwords from text files by plugging them into other PCs.
Microsoft Azure AD user account. User devices may have a bigger Azure AD account with the key.
An administrator’s system. System admins may have the recovery key if the user’s device is domain-connected.
User’s property. The user may have printed or handwritten the code.

Thank you for reading this post, don't forget to follow my whatsapp channel