
What is BitLocker? Complete Guide for Bitlocker

May 29

4 min read


What is BitLocker?

BitLocker Drive Encryption, or BitLocker, is a Microsoft Windows security and encryption feature that comes with some recent versions of Windows. BitLocker allows users to encrypt everything on the drive where Windows is installed, protecting their data from theft or unwanted access.


Microsoft BitLocker prevents unauthorized data access, which improves file and system security. It uses the Advanced Encryption Standard (AES) algorithm with 128- to 256-bit keys. BitLocker combines sophisticated key management techniques with on-disk encryption.


Although BitLocker launched with Windows Vista in 2007, Microsoft enhanced it with Windows 10 version 1511, adding new encryption algorithms, group policy settings, operating system (OS) disks, and removable data drives. This update is compatible with Windows 11, Windows 10, and Server 2016 and higher. BitLocker works on Windows Pro, Enterprise, and Education editions.


How Does BitLocker Work?

BitLocker makes use of a specialized chip known as a Trusted Platform Module (TPM). The TPM contains Rivest-Shamir-Adleman (RSA) encryption keys unique to the host system for hardware authentication. The original computer maker installs the TPM, which works with BitLocker to protect user data.


In addition to a TPM, BitLocker can lock the startup process until the user enters a PIN or inserts an external device containing a startup key, such as a flash drive. BitLocker also generates a recovery key for the user's hard disk, in case they forget or lose their password.


Computers without a TPM can still use BitLocker to encrypt Windows OS disks. However, this approach requires a USB startup key to switch on the computer or resume from hibernation. When BitLocker is used in conjunction with a TPM, Microsoft claims that more pre-startup system integrity testing takes place.


BitLocker Recovery Password Viewer and BitLocker Drive Encryption Tools are two more tools for BitLocker management. BitLocker Recovery Password Viewer allows users to locate BitLocker recovery passwords that have been backed up to Active Directory (AD) Domain Services. This utility is used to recover data from an already encrypted drive.


BitLocker Drive Encryption Tools are a collection of command-line utilities, including the BitLocker cmdlets for Windows PowerShell, manage-bde, and repair-bde. Repair-bde, for example, is used in disaster recovery scenarios where BitLocker-protected disks cannot be unlocked normally or through the recovery console. The manage-bde command-line utility toggles BitLocker on and off. When BitLocker is turned off, all files on the drive are decrypted because they no longer require protection.
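
As an added example (not part of the original article or of Microsoft's tooling), the following PowerShell script uses the BitLocker cmdlets mentioned above to summarize each volume's protection state and key protectors, including the TPM, PIN, startup key, and recovery password protectors described in this section. The function name Get-BitLockerPosture and the wording of the findings are assumptions of this example; it must be run from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: summarize BitLocker state per volume.
# Get-BitLockerPosture is a hypothetical name; the cmdlets it calls ship with Windows.

function Get-BitLockerPosture {
    $tpm = Get-Tpm   # TPM presence matters for how the OS volume can be unlocked

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types on this volume, e.g. Tpm, TpmPin, ExternalKey, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'Protection is off or suspended'
        }
        if ($vol.EncryptionPercentage -lt 100) {
            $findings += "Encryption incomplete ($($vol.VolumeStatus))"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'No recovery password protector'
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if (-not $tpm.TpmPresent -and $types -notcontains 'ExternalKey') {
                $findings += 'No TPM and no startup key protector'
            }
            if ($types -contains 'Tpm') {
                $findings += 'TPM-only unlock: no pre-boot PIN or startup key'
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Percent    = $vol.EncryptionPercentage
            Protectors = $types -join ', '
            Findings   = $findings -join '; '
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize -Wrap
```

An empty Findings column means the volume is protected, fully encrypted, and has a recovery password protector.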


How to Use BitLocker

BitLocker is activated by default. If it is switched off, a user can use the Windows search bar to find Manage BitLocker. If BitLocker is installed on the device, it will appear in the Control Panel, with the option to enable BitLocker. Other options include suspending protection, backing up your recovery key, and disabling BitLocker.


After activating BitLocker, Windows begins to examine system settings. The user must create a password that will be required each time they access their PC or drive. The user then chooses Recovery Key Settings. After hitting Next, the user can specify how much of their drive they want to encrypt. There are two volume encryption options: encrypt only the used disk space, or encrypt the entire drive. Encrypting used disk space encrypts only the disk space that contains data, while encrypting the entire drive encrypts the whole storage volume, including unused space.


After making this choice, the user can perform a BitLocker system check to ensure that BitLocker has access to the recovery and encryption keys before any data is encrypted. Following the system check, the BitLocker Drive Encryption Wizard restarts the PC and begins the endpoint encryption process. Protection is only enabled after the user logs in and the device is added to an AD domain.


To decrypt the drive and switch off BitLocker, the user should type Manage BitLocker into the Windows search box, select the option that appears, and then turn off BitLocker. The process of decrypting data will then begin.


BitLocker System Requirements

BitLocker requires the following:


  • TPM 1.2 or later must be installed.

  • If a TPM is not used, a startup key on a removable device is necessary.

  • When using a TPM, a Trusted Computing Group-compliant BIOS or unified extensible firmware interface (UEFI) is required to establish a chain of trust during OS launch.

  • BIOS and UEFI must support the USB mass storage device class.

  • Storage drives must have at least two partitions.

  • The OS drive must be formatted with the NT File System (NTFS).

  • System disks with UEFI-based firmware must be formatted using the File Allocation Table 32 (FAT32) file system.

  • System disks that employ BIOS firmware must be formatted as NTFS.


What is the BitLocker recovery key?

A BitLocker recovery key is a 48-digit numerical password used to unlock a user's machine when BitLocker detects an unauthorized access attempt. The key serves as an additional security safeguard to protect a user's data. If you make changes to the system's hardware, software, or firmware, Windows may request the BitLocker recovery key.
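
The 48 digits are written as eight hyphen-separated groups of six, and each group is a 16-bit value multiplied by 11, so every group is divisible by 11 and smaller than 720896. This property is not stated in the original article. The following added example (not from the article; function names are hypothetical) uses it to find recovery passwords that have ended up in plain text, such as tickets or notes, while rejecting look-alike numbers.

```powershell
# Added example: locate BitLocker recovery passwords in text without echoing them.
# Function names are hypothetical; sample lines below are constructed, not real keys.

function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$Candidate)

    # Eight groups of six digits, hyphen-separated: 48 digits in total.
    if ($Candidate -notmatch '^\d{6}(-\d{6}){7}$') { return $false }

    foreach ($group in $Candidate -split '-') {
        $n = [int]$group
        # Each group encodes a 16-bit value multiplied by 11.
        if ($n % 11 -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Find-RecoveryPasswordInText {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Line)

    # Lookarounds stop the pattern from matching inside a longer digit run.
    $pattern = '(?<!\d)\d{6}(?:-\d{6}){7}(?!\d)'
    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($m in [regex]::Matches($Line[$i], $pattern)) {
            if (Test-RecoveryPasswordFormat $m.Value) {
                [pscustomobject]@{
                    LineNumber = $i + 1
                    Column     = $m.Index + 1
                    # Report only the first group so the key is not copied into logs.
                    Redacted   = $m.Value.Substring(0, 6) + '-******-...'
                }
            }
        }
    }
}

# Constructed sample input: line 1 passes the checks, line 2 fails the mod-11 check.
$sample = @(
    'Ticket 1: user pasted 000011-000022-000033-000044-000055-000066-000077-000088'
    'Ticket 2: order ref 123456-123456-123456-123456-123456-123456-123456-123456'
    'Ticket 3: nothing sensitive here'
)
Find-RecoveryPasswordInText -Line $sample | Format-Table -AutoSize
```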


How to Find a BitLocker Recovery Key?

If the recovery key is lost, the only option is to reinstall Windows. You can use a BitLocker recovery tool to recover your data. To avoid this situation, you can save BitLocker recovery keys to the following locations:


  • The user's Microsoft Account. If the user signs into their Microsoft account from another device, they will be able to view their key.


  • A USB flash drive. The key can be stored on a USB flash drive and used to open the locked PC. If the key is saved as a text file, the drive can be plugged into another computer to read the password.


  • The user's Microsoft Azure Active Directory (AD) credentials. The key might be stored in a larger Azure AD account associated with the user's device.


  • A system administrator's system. If the user's device is connected to a domain, a system administrator may have access to the recovery key.


  • The user's possession. The user may have printed or written the code on paper.

