How to Use BitLocker in Windows 10

Drive encryption for the security of your data

With the world moving deeper into the digital age, your data is becoming increasingly valuable and increasingly in need of protection. The last thing you want to happen is your data falling into the wrong hands, especially in the event that you lose one or more of your treasured smart devices.

One of the most powerful ways you can protect your data is to encrypt it using a program like BitLocker for Windows 10, which is a proprietary encryption software that operates on the Windows platform.

While the instructions in this article are specific to Windows 10, BitLocker is available on Windows Vista Ultimate or Enterprise, Windows 7 Ultimate or Enterprise, Windows 8.1 Pro or Enterprise, and Windows 10 Pro or Enterprise.

What is BitLocker?

BitLocker for Windows 10 is encryption software available on Windows 10 Pro or Enterprise versions that lets you encrypt your whole hard drive and keep your data safe from prying eyes and unauthorized tampering with your system, such as the kind of intrusion that could be committed by malware.

If you, like most people, have the standard, or Home, version of Windows on your PC, you won't have the BitLocker software. However, there was a time when Microsoft initially rolled out its dual-interface OS, and if you upgraded at that time then you are likely to have either Windows 8 or 8.1 Pro. During the initial roll-out, the Windows 8 Pro upgrade licenses were sold on the cheap and anyone eligible could get them. If you got the Pro and then moved on from Windows 8.1 to Windows 10, then the upgrade held and BitLocker is probably on your system.

If you're not sure what version of Windows 10 you're using, go to Start > Settings > Update and Security (or System and Security) and look for BitLocker. If you don't see BitLocker, then it's not available on your PC.

What are the System Requirements for BitLocker?

To start with, you’ll need a Windows PC and it has to be running any of the eligible versions of Windows. It also needs to have a storage drive with a minimum of 2 partitions and a Trusted Platform Module (TPM).

A TPM is a special kind of computer chip that authenticates your software, firmware, and hardware. It is especially important because if any unauthorized changes to your system are detected by the TPM, then the computer will boot in Restricted mode in order to thwart attackers.

Below are the instructions for both how to check if your computer has the TPM, and also how to run BitLocker without it.

Things to Know Before Setting up BitLocker

Before you start setting up BitLocker on your computer, note these requirements for using it.

  • BitLocker is, for the most part, only available on the Pro and Enterprise versions of Windows, including Windows 10 Pro and Enterprise.
  • For the best results, you need to have a TPM chip on your computer.
  • You may be able to use BitLocker without TPM but it will require extra steps.
  • Your hard drive needs at least 2 partitions to run BitLocker. There needs to be a system partition with the operating system, and another partition with all the required files to start Windows. If you don’t have these partitions, don’t worry, BitLocker will create them for you. The partitions should also follow the NTFS file system.
  • Depending on the amount of data in your system, encryption could take a pretty long time, so brace yourself.
  • Your computer should always be connected to a power supply throughout the encryption process.
  • Make sure you fully back up your system before encrypting it with BitLocker. While BitLocker is stable, there will always be risks, especially if you do not have an uninterruptible power supply and run out of power during the encryption process. You can never be too safe; back up your system.

How to Check for the TPM Chip

Because BitLocker requires the TPM chip for authentication, you'll need to check that you have one before getting started. To do that, start by going to the Power User menu. You can access this by pressing the Windows key and X on your keyboard. Once on the Power User menu, click Device Manager.

In the Device Manager, look for the Security Devices item. If you have the TPM chip, you should see an item for Trusted Platform Module along with the version number. For your computer to support BitLocker, the TPM version number should be 1.2 or higher.

How to Turn on BitLocker Without the TPM

If you don’t have a TPM, you will be unable to switch BitLocker on in the usual way. You’ll still be able to use encryption, but you’ll need to enable additional startup authentication via the Local Group Policy Editor.

  1. Open the Run dialog. You can do this by pressing the Windows key + R on your keyboard. Once the Run dialog is open, type gpedit.msc in the field and click OK or press Enter.

  2. In the window that opens, look for an item labeled Computer Configuration. Expand it and look for the Administrative Templates item. Expand that one as well.

  3. Under the expanded Administrative Templates, expand the Windows Components item.

  4. Under the expanded Windows Components template you will find the BitLocker Drive Encryption item. Expand it and then expand the Operating System Drives item that appears beneath it. Its items will be displayed on the right side.

  5. On the right side of the window, click the item that reads Require additional authentication at startup, and choose Edit from the menu that appears.

  6. In the window that appears, select the Enabled option.

  7. Check the checkbox that reads Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).

  8. Once you’re done, complete the process by clicking OK.
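
The TPM check and the no-TPM policy described above can also be read from PowerShell. The following is an added example, not part of the original article: the function name Test-BitLockerReadiness is made up for illustration, and it assumes an elevated session and that the policy is stored as the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM:\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example: read-only BitLocker readiness check (changes nothing on the system).
# Run in an elevated PowerShell session. The function name is hypothetical.
function Test-BitLockerReadiness {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $letter  = $env:SystemDrive.TrimEnd(':')
    $sysVol  = Get-Volume -DriveLetter $letter
    $battery = Get-CimInstance -ClassName Win32_Battery

    # Win32_Tpm returns nothing when no TPM is present or it is disabled in firmware.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM version.
    $tpmVersion = $null
    if ($tpm) {
        $first      = ($tpm.SpecVersion -split ',')[0].Trim()
        $tpmVersion = $first -as [version]   # $null if the string is not a version
    }

    # Values written by the "Require additional authentication at startup" policy.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $noTpmAllowed = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)

    $tpmOk = ($null -ne $tpmVersion) -and ($tpmVersion -ge [version]'1.2')

    [pscustomobject]@{
        Edition         = $os.Caption
        EditionEligible = $os.Caption -match 'Pro|Enterprise'
        TpmVersion      = $tpmVersion
        TpmOk           = $tpmOk
        NoTpmPolicySet  = $noTpmAllowed
        # BitLocker can start with either a usable TPM or the no-TPM policy.
        CanStart        = $tpmOk -or $noTpmAllowed
        SystemDriveNtfs = $sysVol.FileSystem -eq 'NTFS'
        # BatteryStatus 2 = on AC power; no battery instance means a desktop.
        OnAcPower       = (-not $battery) -or ($battery.BatteryStatus -contains 2)
    }
}

Test-BitLockerReadiness | Format-List
```

Any property that comes back False corresponds to one of the requirements listed under "Things to Know Before Setting up BitLocker".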

How to Run BitLocker

After you've enabled the TPM chip, running BitLocker requires just a few steps.

  1. Go to the Power User menu by pressing the Windows key + X on your keyboard. Once there select the Control Panel item.

  2. Select System and Security.

  3. Click BitLocker Drive Encryption.

  4. In the dialog box that opens click Turn on BitLocker.

  5. Next, choose Enter a password, and choose a password you would like to use whenever you boot your Windows 10 system to unlock the system drive. Make sure it is a strong password. Once you’re done, click on Next.

  6. You will be given options to save a recovery key which you will use to salvage your files in the event that you forget your password. The available options should be to Save to your Microsoft account, a USB flash drive, a file, or print the recovery key. Select whichever is convenient for you. Once you’re done, click Next.

  7. Now you need to select an encryption option that suits you. If you have a new PC or drive or want the faster option, encrypt the used disk space. If your PC or drive has already been in use for some time and you don’t mind a slower process, then encrypt the entire disk space.

  8. Choose an encryption mode. You can either go for the new encryption mode, which is best for drives that are fixed to this device, or the compatible mode, which is best for removable drives. Once you’re done, click Next.

  9. Check the checkbox labeled Run BitLocker system check and then click Continue.

  10. You will be required to restart your computer to begin encryption. Upon rebooting, you will be prompted by BitLocker to enter an encryption password to unlock your main drive. Enter the password you chose earlier and press the Enter key.

  11. Your computer will boot to the Windows desktop. Nothing will seem different; however, encryption should quietly be happening in the background. If you want to verify that this is, in fact, happening, simply go to Control Panel > System and Security > BitLocker Drive Encryption. There you will see that BitLocker is working to encrypt your files. Depending on how large your drive is and which options you selected, the process can take quite a while. You will still be able to use your computer normally, though.

  12. Once everything is finished, the BitLocker Drive Encryption window should show that BitLocker is on.

If you use File Explorer to look at This PC once BitLocker is enabled and encryption has completed, you should see a lock icon on your drive, showing it has been encrypted.
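
The state shown in the BitLocker Drive Encryption window can also be audited from an elevated PowerShell prompt. This added example (not from the original article; Get-BitLockerAudit is a hypothetical name) uses the built-in Get-BitLockerVolume cmdlet to flag volumes that are not fully encrypted, have protection suspended, or lack a recovery password.

```powershell
# Added example: read-only audit of BitLocker state on every volume.
# Run in an elevated PowerShell session. The function name is hypothetical.
function Get-BitLockerAudit {
    foreach ($v in Get-BitLockerVolume) {
        # List protector types only; recovery passwords are never printed.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "not fully encrypted ($($v.VolumeStatus), $($v.EncryptionPercentage)%)"
        }

        # Fully encrypted with protection Off means protection is suspended:
        # the volume key is kept in the clear on disk until protection resumes.
        if ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off') {
            $findings += 'protection suspended'
        }

        # Without a recovery password there is no fallback if the
        # startup password or USB key is lost.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        # The new encryption mode reports XtsAes128/XtsAes256;
        # compatible mode reports Aes128/Aes256.
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            Method     = $v.EncryptionMethod
            Protectors = $types -join ','
            Findings   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```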

Additional Tips for Using BitLocker

Once you’ve enabled BitLocker, there are a few more things you can do.

  • You can suspend protection, which leaves your data unprotected for that time. This is best when upgrading hardware, firmware, or operating system. BitLocker will then resume when you reboot.
  • You can also back up your recovery key. This is especially important when you lose your recovery key but are still signed in to your account. BitLocker will create a new backup key for you.
  • You can also change your password. You will, however, need the current password to do this. You can also remove your password. However, you will need to configure a new method of authentication since you can’t run BitLocker without any authentication (that would defeat the purpose of the whole thing).
  • You can also turn off BitLocker if you don’t need BitLocker anymore. BitLocker will decrypt all of your files. The decryption process may take a long time (you’ll still be able to work normally on your computer) and your data won’t be protected anymore.