24 February 2016
4 min read
Our laptops contain almost every detail of our lives, much of it information we’d prefer to keep confidential. Not just personal details, but business-critical documents that would be deeply embarrassing to lose. If your laptop gets stolen, you really don’t want the awkward conversation with your boss about what may leak out.
Don’t think the Windows password is enough to protect you either; determined thieves will find a way to bypass that lock screen. Even if you’ve added extra biometric protection via Windows Hello, they can use the brute-force method of removing the hard disk. If you haven’t encrypted it, it’s child’s play to read the data.
Ways to encrypt your hard disk
There are many ways to encrypt key documents, including open-source projects like VeraCrypt (a successor to TrueCrypt). This lets you select individual files and folders to encrypt, or the entire hard disk, and is a good choice if you’re running Windows 10 Home.
If your laptop runs Windows 10 Pro, Enterprise or Education, however, then we recommend you choose Microsoft’s BitLocker – and that’s what this guide focuses on.
If you’re not which version of Windows you’re running, press the Windows key and type “System”. The top option you’re shown in the search results should be “System”, so select that and look at the Windows edition near the top.
BitLocker works best if you have a chip called a trusted platform module (TPM) built into your laptop. This contains the cryptographic keys the encryption relies on, and sits separately to the hard disk – if someone rips out your hard disk, they won’t be able to decrypt its contents without the TPM.
Most business laptops will include a TPM, so for this guide we’ll assume yours does. If this isn’t the case – and you’ll find out during the process below – then follow the instructions on this Microsoft page for how to enable BitLocker without a compatible TPM (roughly two-thirds down the page). This page also explains how to create a partition if your laptop doesn’t already have one set aside for encryption purposes.
Step-by-step guide to BitLocker
You’ll need to be logged in as an administrator for the steps below to work. Also note that you might want to print off the password (you can save it to an external drive as well), so connecting a printer beforehand is a good idea.
Press the Windows key and type “BitLocker”. Select “Manage BitLocker”. If this option doesn’t appear, bad news: either you’ve mis-spelt BitLocker or you aren’t running a version of Windows that supports it.
If your TPM isn’t “initialized” – that is, activated and set up with the root encryption keys – then you’ll see a prompt to do this. Most business machines with a TPM will already be initialized, however, so your next step should be simple: click on “Turn on BitLocker”. If the User Account Control message appears, press Continue.
The BitLocker wizard will then kick in, with the first prompt asking where you want to back up your recovery key. We recommend having at least two copies – one printed out and filed safely away, the other saved to a file on an external drive. Indeed, the wizard won’t allow you to save the key to the drive you’re encrypting. Once you’ve saved your recovery key, and printed it, press Next.
You can choose to encrypt the full disk or “used disk space only”. The latter option is quicker, and recommended for new PCs, but if you’re encrypting a machine that’s been used for a while then you should choose the full disk option. That means that all your existing data will be encrypted, including any deleted files. Whichever option you choose, any new data will be automatically encrypted. Take your pick and click Next.
Before the process starts, you’re given one last safety prompt to make sure you want to encrypt and that this is a good time to do so. We recommend ticking the check box to run a “BitLocker system check”, which makes sure the recovery and encryption files are ready, and then click “Start encrypting”.
Even now you have one last chance to save any work, because encryption won’t begin until you restart the system. Save any open docs then click on the message that appears in the bottom-right of the screen (or reboot manually).
On reboot, everything will appear to be as normal – except there’s an icon sitting in your System Tray showing a lock over a drive. Double-click on this and you can see how quickly your drive is encrypting. Whilst every system and drive is different, the process took around an hour for our system with a 256GB SSD and 1.1GHz Intel Core m5 processor.
A word on self-encrypting hard drives
BitLocker is great, but if you’re on the point of buying a new laptop – whether for yourself or, if you’re in charge of IT procurement, a fleet – then you should seriously consider a self-encrypting drive (as used in many of HP’s EliteBook ranges).
With a self-encrypting drive, the key is built into the electronics of the drive itself, so there’s no possible way for anyone to hack into it. The only way to access the data on that laptop is to enter the correct password.
That may be overkill for some, but if your company deals with highly secure data then self-encrypting drives are an option well worth exploring.