Learn more about BitLocker Drive Encryption

BitLocker Drive Encryption provides protection for operating system drives, fixed data drives, and removable data drives that are lost or stolen. BitLocker does this by encrypting the contents of drives and requiring users to authenticate their credentials to access the information. On the drive Windows is installed on, BitLocker uses the Trusted Platform Module (TPM) to detect if the computer's critical startup process has been tampered with. Additionally, a PIN or startup key can be required for users to have access to the drive's data. On fixed and removable data drives, users can access a BitLocker-protected drive by using a password, using a smart card, or by unlocking the drive automatically.

BitLocker for operating system drives is designed to work with systems that have compatible TPM security hardware and BIOS. To be compatible with BitLocker, computer manufacturers must follow standards defined by the Trusted Computing Group (TCG). For more information about the TCG, visit the Trusted Computing Group Web site (http://go.microsoft.com/fwlink/?LinkId=67440).

Enabling BitLocker

The BitLocker setup wizard, which can be started from either the Control Panel or Windows Explorer, is used to enable BitLocker on a fixed or removable data drive that is installed on the computer or on the operating system drive of computers with a compatible TPM. If you want to enable BitLocker on an operating system drive of a computer without a TPM or use other BitLocker features and options, you can modify the BitLocker Group Policy settings that control which features are accessible through the BitLocker setup wizard.

On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:

  • TPM-only. Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed, or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and you need a recovery password to regain access to the data.

  • TPM with startup key. In addition to the protection provided by the TPM, a part of the encryption key is stored on a USB flash drive. This is referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key.

  • TPM with PIN. In addition to the protection provided by the TPM, BitLocker requires a personal identification number (PIN) to be entered by the user. Data on the encrypted volume cannot be accessed without entering the PIN.

  • TPM with startup key and PIN. This option can only be configured by using the Manage-bde command-line tool. In addition to the core component protection provided by the TPM, a part of the encryption key is stored on a USB flash drive and a PIN is required to authenticate the user to the TPM. This provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive because the correct PIN is also required.

    Note

    • We recommend always using the default Windows TPM driver with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. In this case, BitLocker will not be able to use the TPM. If Group Policy settings are configured to require that BitLocker be used with a TPM, BitLocker cannot be turned on until the non-Microsoft driver is removed.

To use BitLocker to protect an operating system drive on a computer without a TPM, the following option is available:

  • Startup key only. All of the required encryption key information is stored on a USB flash drive. The user must insert the USB flash drive into the computer during startup. The key stored on the USB flash drive unlocks the computer. When the computer does not have a TPM, all of the information required to read the encrypted drive is included in the startup key. Using a TPM is recommended because it helps protect against attacks made against the computer's critical startup process.

When enabling BitLocker on fixed or removable data drives, BitLocker can use the following unlock methods:

  • Password. You can use a password to unlock fixed data drives (such as internal hard drives) and removable data drives (such as external hard drives and USB flash drives). Group Policy settings can be used to set minimum password length.

  • Smart card. To use a smart card with BitLocker, you must have a compatible certificate on your smart card. BitLocker will automatically choose the certificate unless you have multiple compatible certificates, in which case you must choose the certificate to use.

    Security Note

    • When encrypting a drive by using a smart card, a certificate-based protector is created on the drive. This protector contains some unencrypted information that is required to unlock the drive. The public key and thumbprint of the certificate that was used to encrypt the drive are stored unencrypted in the protector's metadata on the drive. This information could be used to identify the certification authority (CA) that issued the certificate.

  • Automatically unlock. Fixed data drives encrypted with BitLocker can be configured to automatically unlock when you log on to Windows. Automatic unlocking for removable data drives can be selected after the drive is encrypted. To be able to automatically unlock fixed data drives, the drive that Windows is installed on must also be encrypted by BitLocker.

Accessing content on BitLocker-protected data drives

Once a data drive has been protected with BitLocker, access to the drive is authenticated before the contents are displayed. Fixed data drives can be automatically unlocked after the operating system drive has been unlocked. If the drive does not automatically unlock, you can either click Computer to display the drives on the computer, right-click the drive and click Unlock, or use the BitLocker Drive Encryption item in Control Panel. Depending on the authentication method configured for your computer, the drive will either automatically be unlocked or prompt you for a smart card or password. When removable data drives are inserted into the computer, after it is detected that the drive is BitLocker protected, you will be prompted to provide a password or smart card.

Recovery options

To prevent losing access to BitLocker-protected drives in the event of TPM failure, forgotten passwords, or loss of smart cards or USB keys, it is important that you have a means for administrators to get access to BitLocker drives. BitLocker supports the following methods to recover access to protected drives:

  • Recovery key or recovery password. You can use a recovery key or a recovery password with BitLocker. If a BitLocker key is unavailable, such as in the case of a missing smart card or forgotten user password, a 48-digit recovery password can be used to unlock the protected drive. In place of a password, a recovery key that has been stored to a file on removable media, such as a USB flash drive, can also be used to unlock the protected drive.

  • Backup of keys to Active Directory Domain Services. BitLocker recovery passwords can be stored in Active Directory Domain Services. This allows administrators, such as help desk staff, to assist users in recovering BitLocker-protected drives when they have forgotten or misplaced their recovery password.

  • Data recovery agent. A data recovery agent is a designated person, such as a system administrator, who can use his or her administrative credentials to unlock BitLocker-protected drives. BitLocker is not configured with default data recovery agents, nor are data recovery agents enabled by default. They must be enabled and configured by using Group Policy.
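The 48-digit recovery password described above has a checkable structure, which helps a help desk catch a misread block before attempting an unlock and helps find recovery passwords left in tickets or notes. The following Python sketch is an added example, not part of the original documentation. It relies on the standard recovery password layout, which this page does not state: eight 6-digit blocks, each a 16-bit value multiplied by 11. The function names and sample data are constructed for illustration.

```python
import re

# Candidate: eight 6-digit groups, optionally separated by '-' or whitespace.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{6}[-\s]?){7}\d{6}(?!\d)")

def split_blocks(text):
    """Strip separators and return the eight 6-digit blocks, or raise ValueError."""
    digits = re.sub(r"[-\s]", "", text)
    if not re.fullmatch(r"\d{48}", digits):
        raise ValueError("a recovery password has exactly 48 digits")
    return [digits[i:i + 6] for i in range(0, 48, 6)]

def bad_blocks(text):
    """Return the 1-based positions of blocks that cannot be valid.

    Each block encodes a 16-bit value multiplied by 11, so it must be a
    multiple of 11 and no larger than 65535 * 11 = 720885.
    """
    bad = []
    for pos, block in enumerate(split_blocks(text), start=1):
        value = int(block)
        if value % 11 != 0 or value // 11 > 0xFFFF:
            bad.append(pos)
    return bad

def scan_lines(lines):
    """Return 1-based line numbers that contain a well-formed recovery password."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        if any(not bad_blocks(m.group()) for m in CANDIDATE.finditer(line)):
            hits.append(lineno)
    return hits

# Constructed sample data (not a real recovery password).
VALID = "135795-597531-720885-244442-345565-440000-011000-029898"
SAMPLE_LINES = [
    "Ticket 4411: user locked out after BIOS update",
    "Recovery password read over phone: " + VALID,
    "Serials: 123456 123456 123456 123456 123456 123456 123456 123456",
]

if __name__ == "__main__":
    print(bad_blocks(VALID))                              # well-formed
    print(bad_blocks(VALID.replace("720885", "720886")))  # one misread digit
    print(scan_lines(SAMPLE_LINES))                       # lines to review
```

A well-formed result only means the digits are structurally valid; whether they unlock a given drive depends on the protector stored on that drive.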
