Updated 13 June 2021
Copyright: European Union Public License, version 1.2 (EUPL-1.2).
Contents of this article
- What is BitLocker
- Pros and Cons to BitLocker
- BitLocker requirements
- Graphical user setup
- Overview to Encrypting OS / Volume
- Basic manage-bde commands
- OneDrive key storing
1 – What is BitLocker
BitLocker is a full-volume encryption feature built into the Windows operating system. It protects data at rest against theft or exposure from lost, stolen or inappropriately decommissioned computers. It is available on Windows 10, Windows 8.1, Windows 8 and Windows 7 (see section 2 for the editions that include it). Data on lost or stolen computers can end up in the hands of threat actors, and a drive pulled from a decommissioned computer can be read by anyone unless it is encrypted; this is why the data on such computers needs protection. With BitLocker the user encrypts the whole volume. When BitLocker is turned on it generates a recovery key that can decrypt or recover the drive, and the user chooses how the drive is unlocked at every start: by the TPM, by the TPM plus a PIN, or by a startup key stored on a USB drive, in which case the USB drive must be present to start the operating system and access the hard drive. Even if the hard drive is removed and installed in another computer, the data cannot be read without a key that unlocks it. This makes BitLocker useful for both corporate and individual use. BitLocker can also encrypt removable drives that have a drive letter in Windows (BitLocker To Go) through the BitLocker Drive Encryption Wizard.
2 – Pros and Cons to BitLocker
- For the most part BitLocker is easy to use, both for technicians who set it up for users and for individuals who enable it on their home computers. BitLocker is included in the Pro, Enterprise and Education editions of Windows 10 (not in Windows 10 Home), so there is nothing to install; users only have to turn it on.
- The system resources needed once encryption is enabled are relatively low. Apart from the initial encryption pass, users should not notice any slowdown; on CPUs with AES hardware instructions the per-read/write overhead is small.
- BitLocker's primary role is to protect data at rest. When an unauthorized person gets hold of a BitLocker-protected drive, for example by removing it from the computer or booting the computer from other media, the data stays unreadable because they do not have the decryption key. BitLocker does not protect a running, unlocked system: once Windows has booted and the volume is unlocked, the data is available to any process and any user on the machine, so malware or a logged-on attacker is not stopped by it.
- Some users will not be able to enable BitLocker in its default configuration because their computer has no Trusted Platform Module (TPM). The TPM is a chip (or firmware TPM) on the motherboard that holds the key used to unlock the operating system drive and releases it only if the boot sequence it measured has not been tampered with. BitLocker can be enabled without a TPM (see sections 3 and 4), but then a password or a USB startup key must be supplied at every boot and the boot-integrity check is lost.
- Computers will be slower while the drive is being encrypted or decrypted. Depending on the size of the drive the initial encryption can take a long time to complete, although the computer can be used in the meantime.
- If users lose their recovery key, they may never be able to unlock the drive again. Saving the recovery key to OneDrive (section 7), or to Active Directory on domain-joined computers, gives some protection against this.
3 – BitLocker requirements.
Hard Drive Configuration.
Only formatted volumes with an assigned letter can be encrypted with BitLocker.
BitLocker is available on Windows 10, Windows 8.1, Windows 8 and Windows 7. To use BitLocker on Windows Server 2012 and later, the BitLocker feature has to be added after the operating system is installed (https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server).
A TPM is not a requirement for BitLocker, but only a computer with a TPM gets the added security of boot-integrity verification at startup and of multifactor authentication (TPM plus PIN or startup key).
UEFI firmware or a Trusted Computing Group (TCG)-compliant BIOS.
The firmware boot order must start from the hard disk, not from USB or CD/DVD.
The firmware must be able to read from a USB flash drive during startup (needed for startup keys and for recovery keys stored on USB).
Computers that boot natively from UEFI firmware need at least one FAT32 partition (the EFI system partition) and an NTFS partition on the system disk. On BIOS computers the separate system partition must be at least 350 megabytes (MB) and must be the active partition.
Hardware Encrypted Drive Prerequisites.
To use a hardware-encrypted drive (self-encrypting drive) as the boot drive, the drive must be in an uninitialized state and in a security-inactive state. In addition, the system must boot with native UEFI version 2.3.1 or higher with the Compatibility Support Module (CSM) disabled.
4 – Graphical User Setup.
To use the BitLocker graphical interface in Windows 10, type BitLocker in the search bar at the bottom left of the screen and open the Manage BitLocker control panel. Locate the drive that holds the Windows operating system, or any external drive connected to the computer, and click Turn on BitLocker. A window then asks where to back up the recovery key. This key is important: save it to a removable drive, print it, or save it to your Microsoft account (OneDrive). The wizard refuses to save it on the drive that is about to be encrypted, and a copy kept only there would be useless anyway. Next, BitLocker asks whether to encrypt only the used disk space or the entire drive. Encrypting the entire drive takes much longer, but it is the right choice for a drive that has already held data, because previously deleted files still sit in the "free" space. When you are ready, leave Run BitLocker system check selected (it restarts the computer once to confirm that the keys can actually be read before anything is encrypted) and click Continue. After the restart BitLocker encrypts the drive in the background; the progress can be seen by opening the BitLocker control panel again.
After the Windows 10 machine has finished encrypting, users who want the TPM to demand a PIN before Windows starts (the TPM plus PIN multifactor option mentioned in section 3) first have to allow it in Group Policy. Type gpedit.msc in the search bar, open the Local Group Policy Editor and follow Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup. Select Enabled (the radio button in the top left of the dialog), leave "Configure TPM startup PIN" at "Allow startup PIN with TPM" (or set it to "Require startup PIN with TPM" to make the PIN mandatory) and click Apply. On a computer without a TPM, the same policy contains the "Allow BitLocker without a compatible TPM" checkbox, which permits a password or a USB startup key instead. The policy only permits the PIN; to set one, go back to the Manage BitLocker control panel and use the option to change how the drive is unlocked at startup, or run manage-bde -protectors -add C: -TPMAndPIN from an elevated command prompt. From then on, each time the machine starts it prompts for the PIN before the operating system drive is unlocked.
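The same result as the graphical procedure above, as an added PowerShell example that is not part of the original article: it uses the BitLocker module cmdlets that ship with Windows 10 Pro and Enterprise, adds the recovery password before the TPM protector so that there is always a way back in, and turns BitLocker on with TPM plus PIN. It assumes the operating system drive is C:, that the Group Policy setting described above already allows a TPM+PIN protector, and that the hypothetical folder E:\BitLockerRecovery is on a removable drive (any location outside the drive being encrypted will do).

```powershell
# Added example (not from the original article): enable BitLocker on the OS
# drive with TPM + PIN plus a recovery password, then verify the protectors.
# Run from an elevated PowerShell on Windows 10 Pro/Enterprise. Assumptions:
# the OS drive is C:, Group Policy already allows a TPM+PIN protector, and
# E:\BitLockerRecovery (hypothetical) lies on a removable drive.
#Requires -RunAsAdministrator
param(
    [string]$OsDrive = 'C:',
    # Where the 48-digit recovery password is written. Keep it off the drive
    # being encrypted; a copy that lives only on C: is worthless in recovery.
    [string]$RecoveryBackupDir = 'E:\BitLockerRecovery'
)

# 1. Refuse to continue without a ready TPM: a TPM+PIN protector needs one.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))."
}

# 2. Check the current state so the script is safe to run twice.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$OsDrive is already $($vol.VolumeStatus) (protection $($vol.ProtectionStatus)); nothing to do."
    return
}

# 3. Add the recovery password protector FIRST and back it up before any TPM
#    protector exists. If the TPM later refuses to release the key (firmware
#    update, boot-order change, too many wrong PINs) this 48-digit password is
#    the only way back into the drive.
$recovery = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp = @($recovery.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')[-1]
New-Item -ItemType Directory -Path $RecoveryBackupDir -Force | Out-Null
$backupFile = Join-Path $RecoveryBackupDir ("BitLocker Recovery Key {0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
"Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $backupFile
Write-Host "Recovery password $($rp.KeyProtectorId) saved to $backupFile"

# 4. Ask for the pre-boot PIN as a SecureString (keeps it out of the console
#    history) and turn BitLocker on with TPM+PIN. Used-space-only is fine for a
#    fresh drive; drop -UsedSpaceOnly for a drive that has already held data.
$pin = Read-Host -Prompt 'Enter the pre-boot PIN (digits only, 6 or more)' -AsSecureString
Enable-BitLocker -MountPoint $OsDrive -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly

# 5. Verify that BOTH protector types are present: without TpmPin the drive is
#    not bound to the TPM, without RecoveryPassword a TPM change locks you out.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
if (($types -contains 'TpmPin') -and ($types -contains 'RecoveryPassword')) {
    Write-Host "OK: $OsDrive is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted, protectors: $($types -join ', ')"
} else {
    throw "Unexpected protector set on $OsDrive: $($types -join ', ')"
}
```

Enable-BitLocker on the operating system drive schedules the same hardware test as the wizard, so encryption only starts after the next restart, and from that restart on the PIN is required at every boot. The order in step 3 matters: adding the recovery password and backing it up before the TPM protector exists means there is never a moment at which the drive depends on the TPM alone.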
5 – Overview to Encrypting OS / Volumes.
Once a volume has passed the initial configuration checks, the user is asked how it should be unlocked: for the operating system drive this is the TPM (optionally with a PIN or startup key), for a data volume a password or smart card. If a volume does not pass the checks, BitLocker shows an error dialog describing what has to be fixed. After the unlock method is set, BitLocker generates a recovery key. The recovery key is created when BitLocker Drive Encryption is turned on for that volume for the first time; it consists of a 48-digit recovery password and, if the user chooses to save it to a USB drive, a key file. Its purpose is to get back into the computer when the drive that holds Windows cannot be unlocked the normal way: at startup BitLocker detects the condition that prevents access to the operating system (for example a change to the boot configuration or firmware, or a TPM that is locked out after too many wrong PINs) and prompts for the recovery password. The recovery key also unlocks the files and folders on removable data drives (external hard drives or USB flash drives) when their normal password is not available.
Data volumes are encrypted through the same BitLocker control panel as the operating system: select the data volume and click Turn on BitLocker. Unlike the operating system drive, a data volume does not have to pass the configuration tests before the wizard proceeds. When BitLocker has finished encrypting the volume, a recovery key is produced in the same way as for the operating system. Both operating system and data volumes can also be encrypted from the command line with the Manage-bde utility. The simplest form is manage-bde -on followed by the drive letter; parameters such as -RecoveryPassword, -UsedSpaceOnly or -EncryptionMethod are added as the situation requires.
6 – Basic manage-bde commands.
The command-line tool described below can be used instead of the BitLocker Drive Encryption control panel. The Manage-bde command suite enables BitLocker on individual computers and helps with administration after BitLocker is enabled. Before running Manage-bde.exe on a Windows 10 machine, the disk has to be prepared for BitLocker; this is done with the BitLocker Drive Preparation Tool (BdeHdCfg.exe). When administrators deploy with this tool, it is recommended to use Manage-bde on 25 or fewer computers and to complete the following steps in the order below.
- Creating a list of parameters to be run
- Configuring the Hard drive for BitLocker
- Running Manage-bde.exe
- Verifying that BitLocker is enabled
Creating / Finding Parameters.
The Manage-bde.exe tool has a large range of parameters, so before running it you should consult the Manage-bde parameter reference. With that information you can target specific computers with specific tasks. For example, the -WipeFreeSpace parameter wipes the free space on a drive, which matters when only the used space was encrypted and the drive previously held data.
Configure Hard drive.
For BitLocker to work on an operating system drive, it needs a separate active system partition that contains the files required to boot the operating system. This system partition should be at least 300 MB (the requirements in section 3 give 350 MB) so that it can also hold the Windows Recovery Environment. The partitions on the disk have to meet the Windows 10 system requirements. All of this can be done with the BitLocker Drive Preparation Tool from the command line.
- Log on as an administrator to the computer on which you want to enable BitLocker.
- Open the command prompt as an administrator: click Start in the bottom left corner, type cmd in the search bar, right-click cmd.exe and click "Run as administrator".
- Depending on the configuration, a User Account Control (UAC) dialog box may appear. If it does, confirm the action by clicking "Yes".
- In the command prompt, type manage-bde.exe -? to display the parameters that Manage-bde.exe accepts.
Confirming that BitLocker is enabled.
- Open the command prompt as an administrator in the same way as when you launched Manage-bde.exe, and confirm the UAC dialog box by clicking Yes.
- In the command prompt, type fvenotify.exe to display the BitLocker Drive Encryption status in the notification area.
- If no confirmation appears in the notification area, reopen a command prompt as an administrator and type %systemdrive%\Windows\System32\manage-bde.exe -status followed by the drive letter (for example C:). This is the second way to confirm that BitLocker is enabled: the output should show Conversion Status as Fully Encrypted (or Used Space Only Encrypted), Protection Status as Protection On, and the expected key protectors.
- manage-bde -status: Provides information about all drives on the computer, whether or not they are BitLocker-protected.
- manage-bde -on: Encrypts the drive and turns on BitLocker.
- manage-bde -off: Decrypts the drive and turns off BitLocker. All key protectors are removed when decryption is complete.
- manage-bde -pause: Pauses encryption or decryption.
- manage-bde -resume: Resumes encryption or decryption.
- manage-bde -lock: Prevents access to BitLocker-protected data.
- manage-bde -unlock: Allows access to BitLocker-protected data with a recovery password or a recovery key.
- manage-bde -autounlock: Manages automatic unlocking of data drives.
- manage-bde -protectors: Manages protection methods for the encryption key.
- manage-bde -tpm: Configures the computer's Trusted Platform Module (TPM). This command is not supported on computers running Windows 8 or Windows Server 2012; to manage the TPM on those computers, use either the TPM Management MMC snap-in or the TPM Management cmdlets for Windows PowerShell.
- manage-bde -setidentifier: Sets the drive identifier field on the drive to the value specified in the "Provide the unique identifiers for your organization" Group Policy setting.
- manage-bde -ForceRecovery: Forces a BitLocker-protected drive into recovery mode on restart. This command deletes all TPM-related key protectors from the drive; when the computer restarts, only a recovery password or recovery key can be used to unlock it.
- manage-bde -changepassword: Modifies the password for a data drive.
- manage-bde -changepin: Modifies the PIN for an operating system drive.
- manage-bde -changekey: Modifies the startup key for an operating system drive.
- manage-bde -KeyPackage: Generates a key package for a drive.
- manage-bde -upgrade: Upgrades the BitLocker version.
- manage-bde -WipeFreeSpace: Wipes the free space on a drive.
- manage-bde -? or /?: Displays brief help at the command prompt.
- manage-bde -help or -h: Displays complete help at the command prompt. (Source 1)
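As an added example that is not part of the original article, the verification step above can be scripted instead of read by eye: the following PowerShell turns the text that manage-bde -status prints into objects and flags every volume that is not fully protected. It parses the command's text rather than calling Get-BitLockerVolume so that the same check also runs over status output saved from other machines. The field names are the ones manage-bde prints on Windows 10; the status transcript embedded in the script is constructed sample data, not output captured from a real machine.

```powershell
# Added example (not from the original article): parse "manage-bde -status"
# output into objects and flag volumes that are not fully protected. The
# transcript at the bottom is constructed sample data.

function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $volumes = @()
    $cur = $null
    $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)\s*(\[(.*)\])?') {     # "Volume C: [Windows]" opens a block
            if ($cur) { $volumes += $cur }
            $cur = [ordered]@{ Drive = $Matches[1]; Label = $Matches[3]; Type = ''; KeyProtectors = @() }
            $inProtectors = $false
            continue
        }
        if (-not $cur) { continue }                                  # banner lines before the first volume
        if ($line -match '^\s*\[(.+)\]\s*$') { $cur.Type = $Matches[1]; continue }   # [OS Volume] / [Data Volume]
        if ($line -match '^\s*Key Protectors:\s*$') { $inProtectors = $true; continue }
        if ($inProtectors) {
            if ($line -match '^\s{8,}(\S.*?)\s*$') { $cur.KeyProtectors += $Matches[1]; continue }
            $inProtectors = $false                                   # anything less indented ends the list
        }
        if ($line -match '^\s*([A-Za-z ]+):\s*(.*?)\s*$') {          # "Protection Status: Protection On"
            $key = $Matches[1] -replace ' ', ''                      # -> ProtectionStatus
            $cur[$key] = $Matches[2]
        }
    }
    if ($cur) { $volumes += $cur }
    foreach ($v in $volumes) { [pscustomobject]$v }
}

function Test-BitLockerCompliance {
    param([Parameter(Mandatory)][object[]]$Volumes)
    foreach ($v in $Volumes) {
        $problems = @()
        if ($v.ProtectionStatus -ne 'Protection On') {
            $problems += "protection is '$($v.ProtectionStatus)' (suspended or never turned on)"
        }
        if ($v.ConversionStatus -notin @('Fully Encrypted', 'Used Space Only Encrypted')) {
            $problems += "conversion status is '$($v.ConversionStatus)' at $($v.PercentageEncrypted)"
        }
        if (@($v.KeyProtectors) -notcontains 'Numerical Password') {
            $problems += 'no recovery password; nothing to recover with if the TPM or boot path changes'
        }
        if ($v.Type -eq 'OS Volume' -and @($v.KeyProtectors | Where-Object { $_ -like 'TPM*' }).Count -eq 0) {
            $problems += 'OS volume is not bound to the TPM'
        }
        [pscustomobject]@{
            Drive     = $v.Drive
            Type      = $v.Type
            Compliant = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

# Constructed sample: a compliant OS volume and a data volume that is still
# encrypting, has protection off and no recovery password.
$sample = @'
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.86 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 42.7%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        Password
'@ -split "`r?`n"

# Live use from an elevated prompt:  $lines = manage-bde -status
Test-BitLockerCompliance -Volumes (ConvertFrom-ManageBdeStatus -Lines $sample) | Format-Table -AutoSize
```

On the sample, C: is reported compliant and D: is reported with three problems (protection off, encryption in progress, no recovery password). The check for a recovery password is deliberately independent of the others: a drive can be fully encrypted with protection on and still be one firmware update away from being unrecoverable if the only protector is the TPM.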
7 – OneDrive Key Storing.
The newest way to store a BitLocker recovery key is in OneDrive, but two requirements apply: the computer must not be joined to a domain, and the user must be signed in to Windows with a Microsoft account. For users who are not on a domain, OneDrive is the recommended place to store recovery keys. A user can confirm that the recovery key was stored by locating the BitLocker folder in their OneDrive account. Inside the folder are two files, a readme.txt and the recovery key itself. When several recovery keys are stored in OneDrive, they can be told apart by the recovery key ID appended to the end of the file name; this is the same ID that the BitLocker recovery screen shows at startup, so it identifies which key the computer is asking for.
There are two ways to reach recovery keys stored in OneDrive. The first is to open File Explorer, select the OneDrive folder and open the BitLocker folder. The second is to go to https://account.microsoft.com/devices/recoverykey, sign in to the Microsoft account and view the keys there. The recovery key is one of the most important things a user has to take care of when setting up BitLocker: it unlocks the drive without the TPM, the PIN or the password, so anyone who can sign in to the Microsoft account can decrypt the disk. Users therefore want to make sure that the key does not get into the wrong hands, which means protecting the Microsoft account itself (a strong password and two-step verification), and at the same time that they can reach the key when they need it.
8 – Sources
https://www.youtube.com/watch?v=K4aU-P0qu9Y (Source 4)
https://logodix.com/logos/1755219 (Source 6)