How to encrypt a system partition with BitLocker in Windows
BitLocker Drive Encryption is one of the most used encryption solutions for Windows. It's a security tool that helps protect your data by encrypting entire partitions or hard drives. If you're using a Professional, Ultimate or Enterprise version of Windows, you can use BitLocker. In this guide, we'd like to show you the basics of encrypting your system partition with BitLocker, with and without a TPM chip in your computer:
A few introductory words
For starters, you should know that you can use BitLocker Drive Encryption only if you use one of the following Windows operating systems and editions:
- Ultimate and Enterprise editions of Windows Vista and Windows 7
- Pro, Enterprise, and Education editions of Windows 10
- Pro and Enterprise editions of Windows 8.1
Additionally, you should also be aware of the fact that, to encrypt your system drive, you will have to have a TPM chip installed on your Windows PC. If you don't, BitLocker will still be available, but you will have to change a few settings in Windows, to let you do that. If you don't know what a TPM chip is or if you need to use BitLocker on a PC without a TPM chip installed, this guide will provide you with more information: How to enable BitLocker encryption without a TPM chip in Windows.
How to open the BitLocker Drive Encryption panel
BitLocker is found in the Control Panel in all modern versions of Windows that support it: Windows 10, Windows 8.1 and Windows 7. So, the first thing you'll have to do is launch the Control Panel.
There are many ways to open it in Windows 10, and we've shared them all here: 8 ways to start the Control Panel in Windows 10. If you don't have the time to read that guide too, know that a quick way to launch Control Panel in Windows 10 is to use the search. Type the word control in the search field found on your taskbar and then click or tap on the Control Panel result.
In Windows 8.1, probably the fastest way to open Control Panel is to use the WinX menu. Right-click or tap and hold the Windows button from the bottom left corner of your desktop, and then click or tap on the Control Panel shortcut. Of course, there are other ways to do open it, and you'll find them all here: Introducing Windows 8.1: 9 ways to access the Control Panel.
In Windows 7, open the Start Menu and then click on the Control Panel shortcut.
Regardless of the operating system that you use, once you've opened Control Panel, head to System and Security and then open BitLocker Drive Encryption.
Here's what the BitLocker panel looks like in Windows 10. In Windows 8.1 and Windows 7, you'll get a similar view. For each drive you see its drive letter, label and the status of BitLocker: On or Off.
The BitLocker panels and the encryption steps that you'll have to take from now on are very similar in Windows 10, Windows 8.1 and Windows 7. That's why, from now on, we'll use screenshots taken only in Windows 10.
How to encrypt your system partition
Click or tap on the "Turn on BitLocker" button next to the drive you want to encrypt. The BitLocker Drive Encryption wizard opens, which needs a few seconds to check whether your PC meets the system requirements for using BitLocker.
Then, you are asked to choose how you want to unlock your drive at startup. You can opt to enter a password or insert a USB flash drive each time you boot.
Plug a USB flash drive or enter a password, but choose wisely: without that USB flash drive or password, you won't be able to access the encrypted partition or boot to Windows. Therefore, make sure you keep the USB flash drive safe or remember the password you set. Once done, press Next.
Now you are asked where you want to backup the recovery key. This key is used only when you have problems accessing the encrypted drive. Choose the option you prefer and then press Next.
You are asked how much of your drive you want to encrypt. If you have a newer computer with a fresh installation of Windows, it is best to choose the first option: "Encrypt used disk space only." If your computer has been used for a while, it is best to encrypt the whole drive. The second option will make the encryption process take longer, though. Pick the option that works best for you and press Next.
Windows 10 introduces a new encryption mode - XTS-AES - which provides additional integrity support for your data, but which is not compatible with older versions of Windows, like Windows 8.1 and Windows 7. If you don't intend to move the drive that you're encrypting, then use this newer encryption mode. However, if the drive you're encrypting now is removable or if you need to access it from other operating systems as well, choose the Compatible mode encryption. In Windows 8.1 and Windows 7, you won't get this option.
On the next step, leave the "Run BitLocker system check" box checked, and press Continue.
You are informed that the encryption will be completed after a restart. Reboot your computer, enter the password you have set earlier and then log in to Windows.
You'll see a quick notification about the progress of the encryption process and, if you open it, you'll be able to watch the progress of the encryption.
You can continue to use the computer while the encryption is performed in the background. When the process is over you will be informed.
There's a quirk about BitLocker in Windows 7
One enhancement in Windows 10 and Windows 8.1 versus Windows 7 is that the encryption process is the same, whether you use a TPM chip or not. That's not true in Windows 7 which, if you don't have a TPM chip, forces you to use a USB flash drive with your BitLocker startup key, at all times. You can't choose to use just a password. Without the flash drive plugged in, you won't be able to access the encrypted partition. If you followed this tutorial on a computer without a TPM chip, to enable BitLocker encryption, then you will go through some additional steps.
When you start the BitLocker Drive Encryption wizard, you are first required to store a Startup key and have it used at every startup.
You can save it on a USB flash drive, like a memory stick. Select the device and press Save.
Then you are asked to save the recovery key. Unlike Windows 10 or Windows 8.1, Windows 7 doesn't allow you to save it in your Microsoft account, in OneDrive. The other options available are the same.
Once your computer is restarted, and the encryption process has started, you won't be asked for the BitLocker password/startup key like in Windows 10 or Windows 8.1. You will have to plug in the USB drive where it stored. Without it, you won't be able to access the partition that was encrypted.
If you have a TPM chip on your computer, it is easy to encrypt any partition on your system. If you don't, then the process is slightly more complex and accessing the encrypted partition is more of a hassle in Windows 7. Luckily, Microsoft has improved the experience considerably in Windows 8.1 and Windows 10 and made it easier for everyone to use this feature. Do you use BitLocker to protect your data?