BitLocker Full Disk Encryption
Notes and Instructions

Why you may want to encrypt your data

If a device containing data is lost or stolen, the data on the device is at risk of exposure. If the confidentiality of the data is subject to laws or regulation, this loss may constitute a breach. Encrypting the data on the device is a great way to mitigate this risk. Many regulations and laws encourage or require encryption.

Encryption does ...

Full Disk Encryption (FDE) will encrypt all the data stored on the computer's internal drive. If the computer were stolen, the data on the drive would be unreadable without the password or encryption keys.

Encryption does not ...

A first step in managing risk is to eliminate unnecessary risk. Just because a laptop is encrypted does not mean any data stored on that computer is safe. Even an encrypted computer is vulnerable to viruses, Trojans and other malware. In general, Full Disk Encryption does not protect the data when the computer is on.

Key Management

Dual Boot

Instructions

Throughout this section, you will see screenshot icons. Click an icon to see a screen shot with additional information. Click the larger image to close it.

Before encrypting your drive with TrueCrypt,

Do not continue the encryption process if you have any disk errors! Please contact the Service Desk at 336.758.HELP

Starting BitLocker

  1. Navigate to the Windows control panel

  2. Double click the option for "BitLocker Drive Encryption" from the Control Panel Home screen.

  3. You will see two options on the BitLocker Drive Encryption screen. One option is for the C: drive; the other option is for the D: drive. At this point, you should see that BitLocker is turned off for both the C: and D: drives. Select the option "Turn On BitLocker" for the C: drive.

  4. Windows will now check your system's configuration. If your computer is running on battery power, you will receive the following error.

  5. Now you should see the BitLocker Drive Encryption Setup screen. This screen shows that the encryption will be performed in three phases. The first phase is to reconfigure your C: drive to accommodate the BitLocker startup process. The second phase will initialize a physical security component inside the computer. The final phase will encrypt the contents of the C: drive. It is possible that the first and second phases are already complete.

Phase 1: Reconfigure the C: drive

BitLocker uses an unencrypted section of the disk to begin the boot process. This section may already exist on your system. If it does not, then this process will allocate a portion of the C: drive for this purpose.


Add section for drive partition


Phase 2: Initialize the Trusted Platform Module.

The Trusted Platform Module (TPM) is a physical component inside the computer that will store the encryption keys. It is specially designed to store sensitive data securely. The computer must be shut down and restarted to initialize this chip. Press the "Shutdown" button when prompted.
  1. Select "Next" to turn on the Trusted Platform Module (TPM) chip.

  2. You should see a message similar to the following. This message appears because we are making changes to the chip that stores sensitive data, and the system wants to make sure that the user is aware of this action. Press "F10" when you see this screen.
    A configuration change was requested to enable, activate, and allow a user to take ownership of this computer's TPM (Trusted Platform Module).

         NOTE: This action will turn on the TPM

         Press [F10] to confirm, ESC to reset.

         Select "[F10]" on this screen.

  3. The computer should continue to boot up as normal. After you log in, you will see a screen that says "Checking computer configuration". This will ensure that the TPM is configured. When complete, the screen will display "BitLocker Drive Encryption setup", and there will be a check mark beside the option for "Turn on TPM security hardware". This indicates the operation was successful. Select "Next" to continue to the encryption phase.

Phase 3: Encryption

  1. In this example, the setup process will ask "How do you want to store your recovery key?" The recovery key is a backup copy of the encryption key that can be used to access the drive if you were to forget your password. This recovery key is a simple text file that you can save to a USB device, or you can print the file. Select one of these options to save your recovery key. NOTE: The only option at this point should be to store the keys in Active Directory. Update this section with relevant text.

  2. The next screen will verify whether you are ready to encrypt this drive. We recommend selecting the check box for one final check of the system configuration. Select "Run BitLocker system check" and press "Continue". The system will also test the recovery key. If the key was saved to a USB device, then insert the USB device before the system boots. If the reboot and tests are successful, the computer will start encrypting upon boot.

  3. When the system restarts, you may see a message in the system tray indicating that the encryption process has begun. You will also see the BitLocker icon in the system tray. You can click on this icon to see the progress of the drive encryption. It will take two or more hours to complete the encryption.

    You will see this screen when the encryption is complete.

Encrypt the D: drive

  1. Encrypting the D: drive is much simpler since we don't need to partition the drive and since the TPM is already turned on. The Control Panel's BitLocker Drive Encryption page should provide an option to Turn On BitLocker for the D: drive. Select this option for the D: drive.

  2. You will see a few options for encrypting the D: drive. Select "Automatically unlock this drive on this computer."

  3. You will see a progress screen as the D: drive encrypts.

  4. The encryption will take about one to two hours to complete. You will see a confirmation dialog box when it is complete.
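The same sequence (AC power check, TPM readiness, C: with a TPM protector plus a recovery password escrowed to Active Directory, then D: with auto-unlock), as an added PowerShell example that is not part of the original page. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), an elevated session, and a domain-joined computer whose policy allows recovery-password backup to Active Directory.

```powershell
# Added example (not from the original page): scripted equivalent of the
# Control Panel walkthrough. Run from an elevated PowerShell session.

# Step 4 of "Starting BitLocker": the setup refuses to run on battery power.
# Win32_Battery is absent on desktops, so a $null result is treated as AC power.
$battery = Get-CimInstance -ClassName Win32_Battery
if ($battery -and $battery.BatteryStatus -eq 1) {
    throw "Connect AC power before encrypting."
}

# Phase 2: the TPM must be present and ready before a TPM protector can be used.
# If it is not, enable it in firmware (the F10 prompt in the walkthrough) and re-run.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; enable it in firmware and restart."
}

# Phase 3, C: drive. Add the recovery password first, then enable BitLocker with
# the TPM protector. Without -SkipHardwareTest, Windows runs the same system
# check on the next restart that the "Run BitLocker system check" box triggers,
# and encryption begins after that reboot.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'C:' -TpmProtector

# Escrow the C: recovery password in Active Directory (the "only option" the
# walkthrough expects) instead of a USB stick or printout.
$cRecovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $cRecovery.KeyProtectorId

# D: drive: recovery password only, escrowed to AD, then "Automatically unlock
# this drive on this computer" so it opens once the protected C: has booted.
Enable-BitLocker -MountPoint 'D:' -RecoveryPasswordProtector
$dRecovery = (Get-BitLockerVolume -MountPoint 'D:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'D:' -KeyProtectorId $dRecovery.KeyProtectorId
Enable-BitLockerAutoUnlock -MountPoint 'D:'

# Progress and final state, the scripted counterpart of the system-tray icon.
# ProtectionStatus should read "On" for both volumes once encryption finishes.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Re-run the last command until EncryptionPercentage reaches 100 for both volumes; a VolumeStatus other than FullyEncrypted with ProtectionStatus On means the drive is not yet protected.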

Testing Notes: