Encrypting Windows computers
Encrypting a computer running Microsoft Windows.
Microsoft Windows comes in various versions. The most professional of these, "Enterprise", supports whole-disk encryption.
Earlier versions of Windows (Windows 7 and Windows 8) support encryption in the professional versions but not in the "Home" editions.
Contact IS.Helpline to find out if your version is encryptable, or if you need help to encrypt it.
Some Windows editions and some hardware simply make it impossible, or far too difficult, to support encryption.
Note that using sensitive information on a laptop without encryption is a contravention of Section 4 of the University Information Security Policy.
- Offline Attack
  - BitLocker prevents the type of attack where a malicious user takes the hard drive from your computer and connects it to another computer so they can harvest your data.
- LiveCD Attack
  - If a malicious user boots from an alternate operating system, either from a hard drive or from a removable device such as a LiveCD, the disk contents cannot be read.
- End of Life Leakage
  - When you recycle your computer or dispose of it, your data remains encrypted as long as you delete the encryption codes.
BitLocker does not protect ...
It is a misconception that your password unlocks BitLocker. Any valid user logging in to the computer decrypts the disk. To protect your computer, you have to make sure that all the users who may log in to it require passwords. Disable all guest login accounts on a BitLocker-encrypted computer; otherwise hard disk encryption is of no use.
BitLocker on Supported Desktops
It is University policy that all fully compatible, University-owned supported laptops are configured with BitLocker.
Modern desktops and laptops are also compatible with BitLocker.
If you have a Supported Desktop computer, and it is modern enough to be compatible with BitLocker, you can encrypt it by following these steps:
- select [Start Menu]
- type "bitlocker" into the search box
- select [BitLocker Drive Encryption]
- click on [Turn on BitLocker]
Not all computers are compatible with BitLocker. If you need help, ask your Computing Support Team. The link below will help guide them through the process.
Manually configuring Windows BitLocker encryption
If you are using a self-managed PC, you can follow this guide to encrypt your hard disk yourself.
BitLocker only works well enough on the "Professional" and "Enterprise" editions of Windows 7 and the most professional of the Windows 8 operating systems. BitLocker also works best if your computer is equipped with the right kind of TPM hardware module inside. Most computers bought through the University will have a suitable TPM built in, but not all. If encryption is a definite requirement for you, ensure you choose a computer that is fully compatible with BitLocker.
The BitLocker support pages are currently on the University wiki intranet. This link will take you there but will only work if you have access to that site. If you are a computing officer without access, contact IS.Helpline to gain access.
If you manage your own Windows computer (works on Windows 7 Professional editions and higher, and some versions of Windows 8), you can encrypt your hard disk by following the instructions shown.
Checking if your PC is already encrypted.
You can check the BitLocker status of a machine using the BitLocker Drive Encryption application, which is in Control Panel under System and Security. Details follow.
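The same check can be scripted together with the account check described earlier (any enabled account that can log in unlocks the disk). This is an added example, not part of the original guidance; it assumes Windows 8 or later with PowerShell 5.1, and the function name is hypothetical. On Windows 7, `manage-bde -status` reports the volume state instead.

```powershell
# Added example: local audit, run from an elevated PowerShell prompt.
# Assumes the BitLocker, TrustedPlatformModule and LocalAccounts modules
# are available (PowerShell 5.1). Get-EncryptionAudit is a hypothetical name.
#Requires -RunAsAdministrator

function Get-EncryptionAudit {
    $results = @()

    # TPM: BitLocker works best with a usable TPM in the machine.
    $tpm = Get-Tpm
    $results += [pscustomobject]@{
        Check  = 'TPM'
        Detail = "present=$($tpm.TpmPresent), ready=$($tpm.TpmReady)"
        Pass   = ($tpm.TpmPresent -and $tpm.TpmReady)
    }

    # Volumes: must be fully encrypted AND have protection on (not suspended).
    foreach ($v in Get-BitLockerVolume) {
        $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        $results += [pscustomobject]@{
            Check  = "Volume $($v.MountPoint)"
            Detail = "$($v.VolumeStatus), protection $($v.ProtectionStatus), protectors: $protectors"
            Pass   = ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'On')
        }
    }

    # Local accounts: flag an enabled Guest (RID 501) or any enabled
    # account that is not required to have a password.
    foreach ($u in (Get-LocalUser | Where-Object Enabled)) {
        $isGuest = $u.SID.Value -like 'S-1-5-21-*-501'
        $results += [pscustomobject]@{
            Check  = "Account $($u.Name)"
            Detail = "guest=$isGuest, passwordRequired=$($u.PasswordRequired)"
            Pass   = (-not $isGuest -and $u.PasswordRequired)
        }
    }
    $results
}

$audit = Get-EncryptionAudit
$audit | Format-Table -AutoSize -Wrap
if ($audit.Pass -contains $false) { Write-Warning 'One or more checks failed.' }
```

Only local accounts are examined; domain accounts are governed by domain password policy and are not covered by this script.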
Recycling or disposing of your computer
When you need to dispose of or recycle your computer, it is important to remove all information from it. If your hard disk was encrypted with BitLocker, it is much quicker to delete the decryption key than it is to rewrite the whole hard disk. However, as you need some technical knowledge to do this, always involve your computer support people to ensure this is done for you.