Zit Seng's Blog

A Singaporean's technology and lifestyle blog

Full Disk Encryption in Windows 10

Have you thought about the security of the data stored in your PC? Data theft is something that all of us should be concerned about, especially in the light of identity theft, privacy invasion, and other data security threats.

There is a lot of focus on raising IT security awareness these days. I’m sure you’ve heard about good password practices, awareness of malware, phishing, and numerous other cybersecurity threats. However, physical data theft is something that is often overlooked.

Firewalls and anti-malware software are quite likely to be completely useless if your laptop is stolen. Laptops may also get misplaced and lost. A desktop PC at home or in the office may be less vulnerable to physical theft, but that risk is not insignificant.

A simple, yet effective, protection against physical data theft is to employ full disk encryption. The idea is that if your entire computer storage is encrypted, then stealing the computer, or even just the disk itself, will likely be completely useless. Without the ability to decrypt the disk, no information is disclosed.

Several years ago, I wrote a post about built-in full disk encryption in macOS. If you use a Mac, you should check that you have FileVault 2 turned on.

Windows users, too, have full disk encryption via BitLocker, which Microsoft introduced in Windows Vista. The availability of BitLocker, unfortunately, was a little complicated back then. In Windows Vista and Windows 7, you needed to have the Enterprise or Ultimate edition. This is still partly true today, with BitLocker being available only in the Pro, Enterprise, and Education editions of Windows 10.

Fortunately, on modern hardware today, all Windows 10 users should have some form of full disk encryption feature available. While Windows 10 Home does not come with the original BitLocker, it does have Device Encryption, a scaled down version of the full BitLocker. Also known as BitLocker Device Encryption, this feature requires certain hardware features, namely Modern Standby and TPM 2.0 support, which are likely supported by most new laptops since 2018.

Windows 10 Home users will also have to log in to their computers using a Microsoft Account that has administrative privileges before BitLocker Device Encryption will work. To turn on full disk encryption, go to Settings, Update & Security, Device encryption (scroll to the bottom of the left pane), then look for the button to turn on device encryption.

Windows 10 Pro, Enterprise, and Education users will have more BitLocker options. On these editions of Windows, BitLocker can run with lower hardware requirements. However, it makes most sense when used in conjunction with TPM 2.0 support. You can also use BitLocker on removable disks, such as USB flash storage and external drives.

BitLocker, in conjunction with TPM 2.0 and Secure Boot, can prevent unauthorised access to your data on lost or stolen computers. Secure Boot verifies the integrity of the boot environment, i.e. that your UEFI firmware, bootloader, and operating system kernel have not been modified. Subsequently, another technology, Trusted Boot, takes over to make sure that no other critical components on your Windows operating system drive have been modified. These features are important, as they prevent advanced data theft methods that involve rootkits or unauthorised modification of the boot firmware. The effectiveness of full disk encryption in protecting your data is lost if these other measures are not present.

In principle, this combination of technologies is not very different from how Android and iOS protect your data on mobile devices.

You need to know about recovery keys when using BitLocker. This is similar to the recovery keys in macOS’ FileVault. There is a BitLocker recovery key associated with each encrypted volume. This key is needed if you ever need to read the disk from a different computer, or if for some reason the integrity of your boot environment cannot be verified on your original computer.

By default, your BitLocker recovery keys are uploaded to your Microsoft Account. You also have the option of saving or printing the recovery keys: Go to Control Panel, search for Manage BitLocker, and look for the option to back up your recovery key. You must remember to properly keep and protect your recovery keys.
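To check the prerequisites and settings the post describes without clicking through Settings and Control Panel, here is an added example (not code from the original post) for an elevated PowerShell prompt on a Pro, Enterprise, or Education edition where the BitLocker module is present. It reports TPM 2.0 readiness, Secure Boot, the encryption status of the OS volume and which key protectors it has, then exports the recovery password; the output path is a hypothetical placeholder for a removable drive.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Read-only checks, plus an export of the recovery password.

# 1. TPM present, ready, and at spec version 2.0 (Win32_Tpm.SpecVersion reads like "2.0, 0, 1.59")
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root/cimv2/security/microsofttpm -ClassName Win32_Tpm).SpecVersion
$tpmOk   = $tpm.TpmPresent -and $tpm.TpmReady -and ($tpmSpec -like '2.0*')

# 2. Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# 3. BitLocker status of the operating system volume
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
[PSCustomObject]@{
    Tpm20Ready       = $tpmOk
    SecureBoot       = $secureBoot
    ProtectionStatus = $os.ProtectionStatus          # 'On' means the key protectors are active
    VolumeStatus     = $os.VolumeStatus              # e.g. FullyEncrypted, EncryptionInProgress
    Percent          = $os.EncryptionPercentage
    Protectors       = ($os.KeyProtector.KeyProtectorType -join ', ')   # expect Tpm and RecoveryPassword
} | Format-List

# 4. Export the 48-digit recovery password so it can be kept off the encrypted machine
$rp = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($rp) {
    $out = 'E:\bitlocker-recovery-{0}.txt' -f $env:COMPUTERNAME    # hypothetical path on a USB stick
    "Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" | Set-Content -Path $out
    Write-Host "Recovery password written to $out. Store it somewhere safe, not on this disk."
} else {
    # Without a recovery password protector, a failed boot-integrity check would lock you out for good
    Write-Warning "No RecoveryPassword protector found. Add one with: Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector"
}
```

A ProtectionStatus of Off with a VolumeStatus of FullyEncrypted means the disk is encrypted but its protectors are suspended, so the data is not actually protected until protection is resumed.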

Our computers are a treasure trove of personal information. You may also have plenty of confidential, proprietary, or competitive organisational information on them. While many of us may be at least familiar with IT security best practices, very often the physical security aspect is overlooked or neglected.

The best defence against accidental loss and physical theft is to use full disk encryption tools like BitLocker, in conjunction with TPM 2.0, Secure Boot, and Trusted Boot. You probably already have BitLocker Device Encryption available if you use a relatively new Windows 10 laptop. It’s free, so remember to check that you have it turned on.
