Information Security

BitLocker encryption instructions

Step-by-step instructions for encrypting hard drives on self-managed Windows computers.

BitLocker on self-managed PCs

Notes

  • Step-by-step instructions for encrypting your hard drives are shown below.
  • Store your recovery key carefully in at least two places. You may need it to unlock your disk one day:
    • store it as a printout,
    • also store a copy in a file, or on a USB key.
  • If it is a university-owned computer, give your computer officer (CO) a copy of the recovery key.
    • Your CO can then help you recover your hard drive if this is ever necessary.
  • It is much better if your computer has a Trusted Platform Module (TPM) chip.
    • Set the BIOS to configure the TPM as "activated" and NOT "owned": Windows takes ownership of the TPM itself when BitLocker is turned on.
  • You can manually "clear" and "activate" the TPM chip using the BIOS.
    • If the laptop is new, all that may be required is to check that the TPM is enabled, as it will not have been previously "owned".
    • Clearing the TPM discards any keys already sealed to it. Never clear the TPM of a machine that already has BitLocker turned on unless you have its recovery key to hand, because the drive will only open with that key afterwards.
  • TPM settings are usually found within the Security section of the computer's BIOS.

Using a USB key instead of a TPM

USB startup-key protection is not as strong as TPM protection. A TPM only releases the disk key when the measurements of the firmware and early boot components match those recorded when BitLocker was turned on, so it notices if the BIOS or the boot path has been tampered with. A USB startup key is just a file on the stick: anyone who has the stick (or a copy of it) can unlock the disk, and nothing checks the firmware or boot path before the key is used.

  • If you do not have a TPM, you can use a USB key instead, but you must have the USB key with you every time you boot your computer.
  • Not all computers can be configured to use a USB key. It depends on whether the BIOS and the Windows edition support it. "Home" editions of Windows cannot use BitLocker at all.
  • To boot an encrypted computer this way, you need to configure BitLocker to use the [Startup key only] authentication method.
    • To use this method, your computer must support reading USB devices in the early stages of booting up.
    • You enable this method by ticking the check box [Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)] in the Group Policy setting [Require additional authentication at startup] in the Local Group Policy Editor, under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.
  • Home editions of Windows do not have this "Group Policy" setting (or the Local Group Policy Editor). They are not compatible with BitLocker.
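For self-managed PCs it is often quicker to apply the Group Policy setting above from an elevated PowerShell prompt and turn BitLocker on with a USB startup key in the same session. The script below is an added example for this page, not an official Microsoft or university script. It assumes (the page does not say this) that the operating-system drive is C:, that the USB key which will hold the startup key is mounted as E:, and that the PC runs Windows 10 or later (the XtsAes256 encryption method is not available on older versions; use Aes256 there). The registry values it writes are the ones the Local Group Policy Editor itself writes for [Require additional authentication at startup].

```powershell
# Added example, not part of the original instructions. Run from an elevated PowerShell prompt.
# Assumptions: OS drive is C:, the USB key for the startup key is E:, Windows 10 or later.

# Windows Home editions do not ship the BitLocker module at all; stop early with a clear message.
if (-not (Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)) {
    throw 'BitLocker cmdlets not found: this edition of Windows does not support BitLocker.'
}

# A USB startup key is the fall-back for machines without a TPM. If a TPM is present, use it instead.
$tpm = Get-Tpm
if ($tpm.TpmPresent) {
    Write-Warning 'A TPM is present; use a TPM protector rather than a USB startup key.'
    return
}

# Registry equivalent of the Local Group Policy setting
#   Computer Configuration\Administrative Templates\Windows Components\
#   BitLocker Drive Encryption\Operating System Drives\
#   "Require additional authentication at startup".
# EnableBDEWithNoTPM=1 is the [Allow BitLocker without a compatible TPM] check box;
# a value of 2 for the Use* entries means "Allow" for that authentication method.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
}

# Read the values back before relying on them.
Get-ItemProperty -Path $fve | Select-Object UseAdvancedStartup, EnableBDEWithNoTPM

# Turn BitLocker on with a startup key written to the USB stick on E: (a hidden .BEK file),
# then add a 48-digit recovery password as the fall-back for a lost stick. Keep the
# recovery password on a *different* stick or a printout, never on E: itself.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -StartupKeyProtector -StartupKeyPath 'E:\'
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null

# Without -SkipHardwareTest, BitLocker checks on the next restart that the BIOS can read the
# startup key from USB before it begins encrypting; this is the GUI's "Run BitLocker system check".
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object VolumeStatus, ProtectionStatus, @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType } }
```

After the restart, `Get-BitLockerVolume -MountPoint 'C:'` should report a VolumeStatus of EncryptionInProgress; if the hardware test failed, the status stays FullyDecrypted and the machine boots normally, which is the sign that this BIOS cannot read USB early enough for the startup-key method.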

Configure the TPM Settings in the BIOS (Basic Input Output System)

Before BitLocker can be enabled, the computer's BIOS must be configured to support it.

1. To access the BIOS, press F2, F10 or the Del key as soon as the PC turns on (before Windows loads). The key you press depends on the BIOS manufacturer and is usually shown briefly on screen during power-on.

The TPM (Trusted Platform Module) setting is usually in the Security section of the BIOS under [TPM Security]. Find it and tick [Enable].

Note: If this setting is already enabled, contact the IS Helpline before going further, as BitLocker may already be set up on the laptop, and clearing or re-initialising the TPM on such a machine will put the drive into recovery.

2. To leave the BIOS press Esc. Save settings when prompted, then reboot your computer as normal.

Activate BitLocker 

Now that your BIOS is configured, and your computer has booted into Windows:

[Screenshot: BitLocker before encryption]

3. Select the [Start] button (bottom left of the screen) and type "BitLocker" into the "Search programs and files" box. Select the option [BitLocker Drive Encryption].

4. Select [Turn on BitLocker] in the dialog box that appears.

5. Click [Next] when prompted (at this point Windows initialises the TPM security hardware and takes ownership of it).

6. Click [Next], leaving everything at the default settings; you will be prompted to restart.

If you are prompted to accept configuration changes, click [accept the changes].

7. The machine should boot into Windows and the BitLocker dialog box should resume automatically. If it does not, reopen it by repeating step 3 and then go straight to step 8.

8. Once the initialisation of the hardware has taken place, click [Next] to continue. If you are prompted to use BitLocker with additional keys, select [Without additional keys]. (This is TPM-only mode: the disk unlocks automatically at boot, so your Windows logon password is what keeps out someone who has the laptop.)

9. Insert a USB key into the machine and click [Save the recovery key to a USB drive]. Click [Save] when prompted.

    Note: if you are using a USB key instead of a TPM, use a different USB key for this step. If the startup key and the recovery key live on the same stick, losing that stick loses both ways of unlocking the drive.

[Screenshot: BitLocker key storage]

10. Print the recovery key as well, if you have a printer installed. 

11. Tick the [Run BitLocker system check] box (you will be prompted to insert the USB stick) and allow the machine to restart. Log back into Windows as normal. Open the dialog box as described at step 3. You should see that the BitLocker encryption process has started. If not, ask your computing support to check this for you.

The encryption process can take a number of hours to complete. You can use the machine throughout this period, but performance will be reduced. There may be no visible indication that encryption is running; you can check the status by repeating step 3, at which point the text next to the drive should say "Encrypting". At some point the text in this dialogue will confirm that the drive has been encrypted.
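Steps 3 to 11 can also be carried out from an elevated PowerShell prompt, which is useful when the dialog does not resume after the restart (step 7) or when you want to confirm exactly which key protectors exist and where the recovery key was saved. The script below is an added example for this page, not official Microsoft or university code. It assumes (the page does not say this) that the operating-system drive is C:, that the USB key for the recovery key is mounted as E:, and that the PC runs Windows 10 or later (use Aes256 instead of XtsAes256 on older versions).

```powershell
# Added example, not part of the original instructions. Run from an elevated PowerShell prompt.
# Assumptions: OS drive is C:, the USB key for the recovery key is E:, Windows 10 or later.

function Test-TpmReadyForBitLocker {
    # Equivalent of the BIOS checks in steps 1 and 2: the TPM must be present and ready
    # (enabled and activated). Windows takes ownership itself when BitLocker is turned on,
    # which is why the BIOS setting should be "activated", not "owned".
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM found; use the USB startup key method instead.' }
    if (-not $tpm.TpmReady)   { throw 'TPM present but not ready; check that it is enabled and activated in the BIOS.' }
    return $tpm
}

function Save-RecoveryPassword {
    param(
        [string]   $MountPoint = 'C:',
        [string[]] $Destinations
    )
    # The 48-digit recovery password is what steps 9 and 10 save to USB and print.
    # Never save it on the drive being encrypted: once the drive is locked, the file is locked with it.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    if (-not $rp) { throw "No recovery password protector on $MountPoint" }
    $text = @(
        "BitLocker recovery key for $env:COMPUTERNAME, volume $MountPoint",
        "Key protector ID: $($rp.KeyProtectorId)",
        "Recovery password: $($rp.RecoveryPassword)",
        "Saved: $(Get-Date -Format s)"
    ) -join "`r`n"
    foreach ($d in $Destinations) {
        if ($d.StartsWith($MountPoint, 'OrdinalIgnoreCase')) { throw "Refusing to save the recovery key on $MountPoint itself" }
        $file = Join-Path $d "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt"
        Set-Content -Path $file -Value $text -Encoding ASCII
        Write-Host "Recovery key written to $file"
    }
    return $rp.KeyProtectorId
}

Test-TpmReadyForBitLocker | Out-Null

# Steps 5 to 8: TPM-only protector ("Without additional keys"). Without -SkipHardwareTest the
# hardware test (step 11's system check) runs on the next restart before encryption starts.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector

# Steps 9 and 10: add a recovery password and copy it to the USB key; print it from there.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$id = Save-RecoveryPassword -MountPoint 'C:' -Destinations @('E:\')
# Get-Content "E:\BitLocker Recovery Key $($id.Trim('{}')).txt" | Out-Printer   # optional printout

# Step 11: restart to run the hardware test, then check progress. This is the "Encrypting"
# text in the dialog; ProtectionStatus turns On once encryption has finished.
# Restart-Computer
Get-BitLockerVolume -MountPoint 'C:' |
    Format-List VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod,
                @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType } }
```

Check the Protectors line before rebooting: it should list both Tpm and RecoveryPassword. A volume with only a Tpm protector cannot be opened at all if the TPM ever refuses to release the key, which is the situation the printout and USB copy are there for.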

[Screenshot: BitLocker status]

Make sure you keep the USB stick and/or printouts safe. They will be needed if anything happens to the drive or to the computer, for example a BIOS update, a motherboard replacement or a cleared TPM, any of which makes the TPM refuse to release the key and puts BitLocker into recovery mode.