Windows 10 Device Encryption Vs Bitlocker

Windows 10, 8.1, 8, and 7 all include BitLocker drive encryption, but that’s not the only encryption solution they offer. Windows also includes an encryption method named the “encrypting file system”, or EFS. Here’s how it differs from BitLocker.


BitLocker is only available on Professional and Enterprise editions of Windows. Home editions can only use the more restricted “device encryption” feature, and only if it’s a modern PC that shipped with device encryption enabled.


BitLocker is Full Disk Encryption



BitLocker is a full-disk encryption solution that encrypts an entire volume. When you set up BitLocker, you’ll be encrypting an entire partition — such as your Windows system partition, another partition on an internal drive, or even a partition on a USB flash drive or other external media.

It is possible to encrypt only a few files with BitLocker by creating an encrypted container file. However, this container file is essentially a virtual disk image, and BitLocker works by treating it as a drive and encrypting the entire thing.

If you’re going to encrypt your hard drive to protect sensitive data from falling into the wrong hands, especially if your laptop is stolen, BitLocker is the way to go. It’ll encrypt the entire drive and you won’t have to think about which files are encrypted and which aren’t. The entire system will be encrypted.

This doesn’t depend on user accounts. When an administrator enables BitLocker, every single user account on the PC will have its files encrypted. BitLocker uses the computer’s trusted platform module — or TPM — hardware.

While “device encryption” is more limited on Windows 10 and 8.1, it works similarly on PCs where it’s available. It encrypts the entire drive rather than individual files on it.

EFS Encrypts Individual Files


EFS — the “encrypting file system” — works differently. Rather than encrypting your entire drive, you use EFS to encrypt individual files and directories, one by one. Where BitLocker is a “set it and forget it” system, EFS requires you manually select the files you want to encrypt and change this setting.

You do this from the File Explorer window. Select a folder or individual files, open the Properties window, click the “Advanced” button under Attributes, and activate the “Encrypt contents to secure data” option.

This encryption is on a per-user basis. Encrypted files can only be accessed by the particular user account that encrypted them. The encryption is transparent. If the user account that encrypted the files is logged in, they’ll be able to access the files without any additional authentication. If another user account is logged in, the files won’t be accessible.

The encryption key is stored in the operating system itself rather than using a computer’s TPM hardware, and it’s possible an attacker could extract it. There’s no full-drive encryption protecting those particular system files unless you also enable BitLocker.

It’s also possible that the encrypted files could “leak” out into unencrypted areas. For example, if a program creates a temporary cache file after opening an EFS-encrypted document with sensitive financial information, that cache file and its sensitive data will be stored unencrypted in a different folder.


Where BitLocker is essentially a Windows feature that can encrypt an entire drive, EFS takes advantage of features in the NTFS file system itself.
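As an added PowerShell example (not from the original article), this script applies EFS to a folder the way the Properties dialog does, verifies every file in the tree carries the Encrypted attribute, and then hunts for the plaintext “leak” described above: unencrypted scratch copies of protected documents written to the temp area. The folder and temp paths are assumptions.

```powershell
# Added example, not from the original article. Assumes an NTFS volume on a
# Windows edition that supports EFS; $Sensitive and $TempArea are placeholders.
$Sensitive = Join-Path $env:USERPROFILE 'Documents\Finance'
$TempArea  = $env:TEMP

function Test-EfsEncrypted {
    # True when NTFS has the Encrypted attribute set on the file or folder.
    param([Parameter(Mandatory)][string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# 1. Encrypt the folder, its files and subfolders with EFS (same effect as
#    ticking "Encrypt contents to secure data"). Marking the folder means files
#    created in it later are encrypted too. Only the current account (plus any
#    data recovery agent the domain has configured) can read them afterwards.
cipher.exe /E /S:"$Sensitive" | Out-Null

# 2. Confirm nothing in the tree was skipped (e.g. files open in another process).
$missed = Get-ChildItem -LiteralPath $Sensitive -File -Recurse |
    Where-Object { -not (Test-EfsEncrypted $_.FullName) }
if ($missed) {
    Write-Warning "Still unencrypted under ${Sensitive}:"
    $missed.FullName | ForEach-Object { Write-Warning "  $_" }
}

# 3. Look for the leak the article describes: plaintext scratch copies written
#    outside the protected tree. Heuristic: recently modified, unencrypted files
#    in the temp area whose name contains the name of a protected document
#    (Office writes "~$report.docx"-style files, for example).
$docNames = Get-ChildItem -LiteralPath $Sensitive -File -Recurse |
    Select-Object -ExpandProperty BaseName
$since = (Get-Date).AddHours(-24)
Get-ChildItem -LiteralPath $TempArea -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since -and -not (Test-EfsEncrypted $_.FullName) } |
    Where-Object { $n = $_.Name; $docNames | Where-Object { $n -like "*$_*" } } |
    Select-Object FullName, LastWriteTime, Length
```

Anything the last stage prints is plaintext that EFS never covered; only full-volume encryption such as BitLocker closes that gap.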

Why You Should Use BitLocker, and Not EFS

It’s actually possible to use both BitLocker and EFS at once, as they’re different layers of encryption. You could encrypt your entire drive, and, even after doing so, Windows users will be able to activate the “Encrypt” attribute for files and folders. However, there’s not actually much reason to do so.

If you want encryption, it’s best to go for full-disk encryption in the form of BitLocker. Not only is this a “set it and forget it” solution you can enable once and forget about, it’s also more secure.

We’ve tended to gloss over EFS when writing about encryption on Windows and often only mention BitLocker as Microsoft’s solution for encryption on Windows. There’s a reason for this. BitLocker’s full-disk encryption is just superior to EFS, and you should be using BitLocker if you need encryption.

So why does EFS even exist? One reason is that it’s an older feature of Windows. BitLocker was introduced along with Windows Vista. EFS was introduced back in Windows 2000.

At one point, BitLocker might have slowed down overall operating system performance, while EFS would have been a bit more lightweight. But, with reasonably modern hardware, this shouldn’t be the case at all.

Just use BitLocker and forget Windows even offers EFS. It’s less of a hassle to actually use and is more secure.


Applies to

  • Windows 10

This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.

BitLocker overview


BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.

On computers that do not have a TPM version 1.2 or later, you can still use BitLocker to encrypt the Windows operating system drive. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation. Starting with Windows 8, you can use an operating system volume password to protect the operating system volume on a computer without a TPM. Neither option provides the pre-startup system integrity verification offered by BitLocker with a TPM.

In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

Practical applications

Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected computers are decommissioned or recycled.

There are two additional tools in the Remote Server Administration Tools, which you can use to manage BitLocker.

  • BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer enables you to locate and view BitLocker Drive Encryption recovery passwords that have been backed up to Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. By using this tool, you can examine a computer object's Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. To view recovery passwords, you must be a domain administrator, or you must have been delegated permissions by a domain administrator.

  • BitLocker Drive Encryption Tools. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they are appropriate to use for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console.
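As an added example (not from the Microsoft documentation above), this PowerShell script uses the BitLocker cmdlets mentioned here to carry out what the preceding sections describe: enable BitLocker on the OS drive with a TPM+PIN protector (the multifactor pre-boot check), add a recovery password, and escrow it to AD DS where the Recovery Password Viewer can find it. The mount point and encryption method are assumptions, and it assumes Group Policy permits a startup PIN and AD DS backup on a domain-joined machine.

```powershell
# Added example, not part of the Microsoft documentation. Run from an elevated
# PowerShell on a domain-joined Windows 10 Pro/Enterprise machine with a TPM.
$MountPoint = 'C:'   # assumption: the OS drive

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$MountPoint is already protected ($($vol.EncryptionMethod))."
} else {
    # Read the PIN interactively rather than embedding it in the script.
    $pin = Read-Host -AsSecureString -Prompt 'Choose a startup PIN'

    # TPM + PIN: the TPM checks boot integrity, and the drive stays locked until
    # the correct PIN is typed at startup or on resume from hibernation.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin -UsedSpaceOnly -SkipHardwareTest
}

# The recovery password is the break-glass protector: add one if none exists.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

# Escrow every recovery password to the computer object in AD DS so it can be
# retrieved with the BitLocker Recovery Password Viewer if the drive ever locks.
foreach ($p in $rp) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
}

# Verify: expect VolumeStatus FullyEncrypted (eventually), ProtectionStatus On,
# and both Tpm+Pin and RecoveryPassword protectors present.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Encryption continues in the background after the script finishes; EncryptionPercentage shows progress, and ProtectionStatus only reports On once the protectors are active.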

New and changed functionality

To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the BitLocker section in 'What's new in Windows 10.'

System requirements

BitLocker has the following hardware requirements:

For BitLocker to use the system integrity check provided by a Trusted Platform Module (TPM), the computer must have TPM 1.2 or later. If your computer does not have a TPM, enabling BitLocker requires that you save a startup key on a removable device, such as a USB flash drive.

A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM does not require TCG-compliant firmware.

The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.

Important

From Windows 7, you can encrypt an OS drive without a TPM and USB flash drive. For this procedure, see Tip of the Day: Bitlocker without TPM or USB.

Note

TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.

An operating system installed on hardware in legacy BIOS mode will stop booting when the BIOS mode is changed to UEFI. Run the MBR2GPT tool before changing the BIOS mode; it prepares the OS and the disk to support UEFI.

The hard disk must be partitioned with at least two drives:

  • The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
  • The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
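The requirements in this section can be checked before touching a machine. As an added example (not part of the Microsoft documentation), this PowerShell function reads the TPM version and readiness, the firmware mode and Secure Boot state, and the partition layout, and reports whether TPM-based protectors are possible or only a startup key or password; the verdict strings and the 350 MB figure used as a reference are this example's own.

```powershell
# Added example, not part of the Microsoft documentation above. Read-only checks
# of the requirements listed in this section; run from an elevated PowerShell.
function Get-BitLockerReadiness {
    $r = [ordered]@{}

    # TPM 1.2 or later, initialised and ready. SpecVersion reads like
    # "2.0, 0, 1.38" or "1.2, 2, 3", so the leading token is the TPM version.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent     = [bool]$tpm.TpmPresent
    $r.TpmReady       = [bool]$tpm.TpmReady
    $r.TpmSpecVersion = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Firmware mode: TPM 2.0 requires native UEFI (no Legacy/CSM). Secure Boot is
    # recommended on top; Confirm-SecureBootUEFI throws on a BIOS-mode system.
    $r.FirmwareType = $env:firmware_type          # 'UEFI' or 'Legacy'
    try { $r.SecureBoot = Confirm-SecureBootUEFI } catch { $r.SecureBoot = $false }

    # Partition layout: OS drive must be NTFS; the system partition must be a
    # separate partition, FAT32 on UEFI or NTFS on BIOS, and is never encrypted.
    $r.OsDriveFileSystem = (Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')).FileSystem
    $sys = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    $r.SystemPartitionFound  = [bool]$sys
    $r.SystemPartitionFS     = if ($sys) { (Get-Volume -Partition $sys).FileSystem } else { $null }
    $r.SystemPartitionSizeMB = if ($sys) { [math]::Round($sys.Size / 1MB) } else { 0 }
    $r.SystemPartitionAtLeast350MB = $r.SystemPartitionSizeMB -ge 350

    $expectedSysFs = if ($r.FirmwareType -eq 'UEFI') { 'FAT32' } else { 'NTFS' }
    $tpm2OnLegacy  = ($r.TpmSpecVersion -like '2.0*') -and ($r.FirmwareType -ne 'UEFI')

    $r.TpmUsable = $r.TpmPresent -and $r.TpmReady -and -not $tpm2OnLegacy
    $r.LayoutOk  = ($r.OsDriveFileSystem -eq 'NTFS') -and $r.SystemPartitionFound -and
                   ($r.SystemPartitionFS -eq $expectedSysFs)

    # Without a usable TPM, BitLocker still works with a USB startup key or
    # (Windows 8+) an OS volume password, but without pre-boot integrity checks.
    $r.Verdict = if ($r.LayoutOk -and $r.TpmUsable) { 'Ready: TPM-based protectors available' }
                 elseif ($r.LayoutOk) { 'Ready only with a startup key or OS volume password' }
                 else { 'Not ready: fix the partition layout first' }
    [pscustomobject]$r
}

Get-BitLockerReadiness
```

A TPM 2.0 machine reporting FirmwareType Legacy is the case the Note above addresses: run MBR2GPT and switch the firmware to native UEFI before enabling BitLocker.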


When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.


When installing the BitLocker optional component on a server you will also need to install the Enhanced Storage feature, which is used to support hardware encrypted drives.

In this section


  • Overview of BitLocker Device Encryption in Windows 10. This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10.
  • BitLocker frequently asked questions (FAQ). This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.
  • Prepare your organization for BitLocker: Planning and policies. This topic for the IT professional explains how you can plan your BitLocker deployment.
  • BitLocker basic deployment. This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
  • BitLocker: How to deploy on Windows Server. This topic for the IT professional explains how to deploy BitLocker on Windows Server.
  • BitLocker: How to enable Network Unlock. This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it.
  • BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker. This topic for the IT professional describes how to use tools to manage BitLocker.
  • BitLocker: Use BitLocker Recovery Password Viewer. This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer.
  • BitLocker Group Policy settings. This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker.
  • BCD settings and BitLocker. This topic for IT professionals describes the BCD settings that are used by BitLocker.
  • BitLocker Recovery Guide. This topic for IT professionals describes how to recover BitLocker keys from AD DS.
  • Protect BitLocker from pre-boot attacks. This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7, and when it can be safely omitted from a device’s configuration.
  • Protecting cluster shared volumes and storage area networks with BitLocker. This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
  • Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core. This topic covers how to use BitLocker with Windows 10 IoT Core.