Windows Full Disk Encryption - University of Glasgow · Windows Full Disk Encryption This guide...
Windows Full Disk Encryption
This guide takes you through the process of configuring Microsoft BitLocker full disk encryption on a system running Windows 7 or later. BitLocker can be enabled on an existing system – that is, existing data is kept and there should be no need to reinstall things. However, it is highly recommended that all important data be backed up first.
TPM
First, we must ensure the Trusted Platform Module (TPM) chip is enabled and active. You should check this in the system BIOS/UEFI. If you find that you can't enable BitLocker, it's probably due to the TPM not being enabled or activated.
Enable TPM
Activate TPM
BitLocker
To enable BitLocker, in Windows Explorer right-click on the system drive (or any other drive you want to encrypt) and select Turn BitLocker on.
This will start the process by first checking the system's configuration. After that, the system will need to be restarted. BitLocker will then begin its setup.
NOTE: You may be asked how much of your drive you wish to encrypt. The options are used space only or entire drive. If this is a brand new computer, you can select the used space option. Otherwise, it's safest to choose entire disc.
NOTE: For Windows 10 you may be asked an additional question during the process about whether you want to use the newer XTS-AES encryption. We recommend you select this option for system drive encryption.
Recovery Key
You will then be asked how you would like to store your recovery key. This is an important step, as the key may be required at a later date. For example, whenever certain changes or upgrades are made to the hardware, BitLocker may require the recovery key to be entered.
We recommend that you store the recovery key in a secure network drive, on a memory stick, or print a copy and keep it in a safe place. (Consider doing more than one of these). For obvious reasons, the system will not allow storing the key in the drive you are encrypting!
Once the recovery key is saved, the drive is ready to be encrypted. We recommend that you run the BitLocker system check, to ensure that the system can successfully use the recovery key.
The system will then need to be restarted again, after which the encryption process begins.
Once the system has restarted, you will notice in Windows Explorer that there is a padlock on the drive, which denotes that BitLocker is turned on for this drive.
In the BitLocker Drive Encryption control panel, you'll see that the drive is Encrypting. Once completed, the BitLocker control panel will confirm that BitLocker is on.
You'll be able to use the system whilst the drive is being encrypted; however, it may be sluggish while this is in progress, returning to normal once the encryption process is complete (which could be a few hours, or longer, so consider letting it run overnight). Thereafter, BitLocker should have no noticeable effect on system performance.
Advanced management
The manage-bde command line tool provides further information about the system's disks and their BitLocker status, as well as allowing you to control other aspects of disk encryption. We can also use it to monitor the disc encryption progress, shown below via the command manage-bde -status. For more functionality see the output from the command manage-bde -?.
NOTE: You require local admin rights to run manage-bde commands.
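The following PowerShell sketch is an added example, not part of the original guide. It turns the text printed by manage-bde -status into one record per volume and lists what still needs attention against the recommendations above (encryption finished, protection on, a recovery protector present, XTS-AES in use). The function names are hypothetical, the sample output is constructed, and English-locale field labels are assumed.

```powershell
# Added example, not from the original guide. Assumes English-locale output.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+(\S+)') {             # "Volume C: [label]"
            if ($current) { $volumes += $current }
            $current = @{ Volume = $Matches[1]; Protectors = @() }
            $inProtectors = $false
        } elseif (-not $current) {
            continue                                      # banner before first volume
        } elseif ($line -match '^\s+Key Protectors:') {
            $inProtectors = $true                         # protector names follow
        } elseif ($line -match '^\s+([^:]+):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        } elseif ($inProtectors -and $line.Trim()) {
            $current.Protectors += $line.Trim()
        }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

function Get-BitLockerFindings {
    param([hashtable]$Volume)
    $f = @()
    if ($Volume['Conversion Status'] -notmatch 'Encrypted$') {
        $f += "conversion: $($Volume['Conversion Status']), $($Volume['Percentage Encrypted'])"
    }
    if ($Volume['Protection Status'] -ne 'Protection On') { $f += 'protection is not on' }
    if (-not ($Volume.Protectors -match '^(Numerical Password|External Key)$')) {
        $f += 'no recovery password or recovery key protector'
    }
    if ($Volume['Encryption Method'] -notlike 'XTS-AES*') { $f += 'method is not XTS-AES' }
    return $f
}
# Constructed sample; on a real system use: $lines = manage-bde -status
$lines = @'
Volume C: [Windows]
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 42.5%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        TPM
        Numerical Password
'@ -split "`r?`n"
foreach ($v in @(ConvertFrom-ManageBdeStatus $lines)) {
    "{0} {1}" -f $v.Volume, ((Get-BitLockerFindings $v) -join '; ')
}
```

On systems where XTS-AES is not offered (it is described above as a Windows 10 option), the last finding is informational rather than a fault.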