
How To Use BitLocker To Encrypt Win7 Drives

Serdar Yegulalp, BYTE | August 05, 2011 02:30 PM

Category: Operating systems

The nice thing about BitLocker, bundled with Microsoft’s Windows 7 Enterprise and Ultimate editions, is that it allows full encryption of a PC's system drive.

By default, BitLocker requires a system with a Trusted Platform Module (TPM). If you're working with a computer that has no such hardware installed, you'll need to make a couple of changes to BitLocker's behavior via Group Policy.

Click Start and type gpedit.msc in the Search box. Press Enter. Navigate to Local Computer Policy >> Computer Configuration >> Administrative Templates >> Windows Components >> BitLocker Drive Encryption >> Operating System Drives.

Here is what you'll see.


Double-click on Require additional authentication at startup and select Enabled. Then, check the box next to Allow BitLocker without a compatible TPM. (The other options should each be set to Allow.) Click OK.


To start the encryption process, right-click on your system drive and select Turn on BitLocker.


BitLocker will scan your system to make sure the setup process can proceed. It might inform you that a new system drive will be created from free space on drive C:, which is where BitLocker’s boot-time components will be stored. After this is done, the system must reboot before you can continue.


The next phase of BitLocker's setup is configuring the startup, or decryption, key. If a TPM is not present, you need to plug in a USB drive with the decryption key on it at boot time. (You can also require a PIN to be supplied at startup for additional security. To make this a requirement, go back to the Require additional authentication at startup screen described earlier on this page. Change Allow startup PIN with TPM to Require.)


When you select Require a Startup Key at every startup, the system will prompt you to insert a USB flash drive. This will store the decryption key. It will also prompt you to save a separate copy, called a recovery key, so you can still decrypt the drive in case your Startup key is ever lost or damaged.

NOTE: Don't save the recovery key to the same place as your Startup key. It's like putting your spare house key on the same keyring as the master key!



Before starting the encryption process, BitLocker will offer to run a system check. This ensures the Startup key is readable at boot time and that decryption works. The whole process shouldn't take more than a couple of minutes, and I strongly recommend you do this. You will then need to restart your computer.



When your system boots with the Startup key plugged in, you might see a message that says Remove disks or other media. Press any key to restart.

CAUTION: Do not remove the startup key when you see this message. If you take the key out at this time, the startup check will fail and you'll have to begin again from a much earlier step. So just press a key and continue the boot process.

Once the startup check succeeds, BitLocker will begin encrypting the system drive in the background. The encryption process might take several hours. During this time the computer will still be usable; in fact, you can even suspend, shut down or restart the PC while encryption is taking place. That said, the system will be slower to respond than usual. Don't expect to get a great deal done at this time. If you double-click on the tray icon for BitLocker, you will see a progress window for the encryption process.


Drives encrypted by BitLocker will have a lock icon. Drives you did not encrypt, such as drives for auxiliary user data (downloads, etc.), will not have the lock icon. If you decide to protect them, you can encrypt them with BitLocker as well, separately.
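
To check the earlier NOTE about key placement once BitLocker is on, this added PowerShell example (not part of the original article) reports whether a single USB drive holds a key file for every key protector of the system drive. It assumes that key files saved to USB carry the protector's ID in their file name and that the script runs from an elevated prompt.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# Written for PowerShell 2.0 (Windows 7), so it relies on manage-bde and WMI.
# Assumption: key files saved to USB carry the protector ID (a GUID) in their name.
$volume = $env:SystemDrive

# Every key protector is listed with an "ID: {GUID}" line. Matching only the
# GUID keeps the parse independent of the display language.
$output = & manage-bde.exe -protectors -get $volume 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde failed for $volume (not elevated, or no BitLocker?)"
    return
}
$guid = '[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
$ids = @([regex]::Matches($output, "\{($guid)\}") |
    ForEach-Object { $_.Groups[1].Value.ToUpper() } | Sort-Object -Unique)

# DriveType 2 = removable disk. @() avoids PowerShell 2.0 looping once over $null.
$drives = @(Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2")
foreach ($d in $drives) {
    $root = $d.DeviceID + '\'
    # -Force is needed because .BEK key files are hidden system files.
    $files = @(Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    $found = @()
    foreach ($id in $ids) {
        if (@($files | Where-Object { $_.Name.ToUpper().Contains($id) }).Count -gt 0) {
            $found += $id
        }
    }
    if ($ids.Count -gt 1 -and $found.Count -eq $ids.Count) {
        Write-Warning "$root holds a key file for every protector of $volume. Move the recovery key to a different place."
    } else {
        Write-Output "$root holds key files for $($found.Count) of $($ids.Count) protectors of $volume."
    }
}
```

Run it with the USB drive that holds your Startup key plugged in; a warning means that losing that one drive loses both the Startup key and the recovery key.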


Based in Long Island, NY, Serdar Yegulalp is managing editor of reviews at BYTE. Follow him @syegulalp, or email him at Serdar.Yegulalp@BYTE.com.
