How to Protect Your Boot Drive with BitLocker

When it comes to protecting the data on your computer, you can’t do better than strong encryption. Properly encrypted, your files stay unreadable if a ne’er-do-well gets hold of your computer or pulls the disk out of it. Keep the scope in mind, though: full-disk encryption protects data at rest, so it does nothing against someone who reaches a running, unlocked machine over the network; that is a job for your Windows password, patches and firewall. In the past, we’ve discussed how to use various encryption tools to encrypt individual files or create virtual, encrypted drives. Now, we’ll look at how to get maximum security by encrypting your boot disk using BitLocker, the full-drive encryption system built into Windows 7 Ultimate and Enterprise.

Step 1: Assess Your System

Ideally, you have a motherboard with a Trusted Platform Module (TPM) chip. A TPM measures each early boot component (firmware, boot manager, boot loader) as it runs and can hold BitLocker’s key so that it is released only when those measurements match what they were when you turned BitLocker on. That lets Windows unlock the boot drive before it even loads, and it means any modification to the early boot files, such as a bootkit or other low-level malware, changes the measurements and drops the machine into BitLocker recovery instead of booting. You can check with your motherboard manufacturer to see if you have a TPM, run tpm.msc (which reports whether a compatible TPM was found), or just attempt to go straight to Step 3. If you don’t see a message that looks like the image below, you’re good to go. Otherwise, you don’t have a TPM, or it is switched off in the BIOS setup (look for a TPM or Security Chip option and enable it there first), and you’ll need to continue to Step 2.

You’ll also need an additional, small, unencrypted system partition on any boot drive you wish to encrypt, because the boot manager has to be readable before the rest of the drive can be unlocked. Windows 7 creates this partition (100 MB by default) during installation, but even if you don’t have one, the BitLocker setup wizard can shrink your Windows partition and create it for you; that step needs a reboot before encryption starts.

Step 2: Enable USB Key Storage

By default, BitLocker refuses to encrypt the operating system drive on a machine without a TPM. To change this, open the Local Group Policy Editor as an administrator by bringing up the Run dialog (press Win + R) and typing gpedit.msc.

Navigate through the hierarchy on the left side of the group policy editor, selecting the following folders, in order: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives (image below). Once you’ve found the right folder, double-click “Require additional authentication at startup” to edit that policy entry.

In the policy editor, click the radio button marked Enabled. In the Options area at the bottom‑left, a checkbox labeled “Allow BitLocker without a compatible TPM” should already be checked. If it isn’t, check it. Click OK and exit the group policy editor; the setting takes effect the next time you start the BitLocker wizard, with no reboot needed. One caveat: on a domain‑joined machine a domain policy for the same setting overrides your local change, so ask your administrator if the wizard still complains about a missing TPM.

Step 3: Enable BitLocker

The actual process of enabling BitLocker is straightforward: You can right-click a drive in Explorer and click Turn On BitLocker, or you can go to the BitLocker section of the control panel and enable it on any drive from there.

As long as you’ve followed the previous two steps, you should see a screen asking you for your BitLocker startup preferences. If you have a TPM, you have three options. If you select “Use BitLocker without additional keys,” your startup process will be basically unchanged: the TPM releases the key on its own, so anyone who powers on the machine gets as far as the Windows logon screen, and from there your data is only as safe as your Windows password and the running system. What this mode does protect against is someone reading the drive offline (in another computer, or from a boot CD) and tampering with the early boot files, which the TPM detects. Alternatively, you can choose “Require a PIN at every startup,” which makes you type a PIN before Windows loads (not at logon), so the TPM will not release the key to someone who merely has the hardware.

If you’re using the USB method, you only have access to the last option, “Require a Startup key at every startup.” With this method, you’ll only be able to boot your computer while a USB drive holding the startup key file is inserted in the machine, so keep that drive somewhere other than the laptop bag, and remove it once Windows is up.

Once you select an option, you’ll be asked to insert a USB drive to use as the key (if you chose a startup key), and you’ll choose where to store your recovery key. The recovery key is a 48‑digit recovery password you’ll need if you want to decrypt your data on a different computer, after a hardware change, or if the TPM detects a changed boot environment; save or print it somewhere other than the drive you’re encrypting. BitLocker then runs a system check to confirm the key or TPM actually unlocks the drive, reboots, and starts encrypting. It will take some time for BitLocker to encrypt your drive, but once it’s finished, your data is safe at rest. Anyone attempting to boot from your drive without the proper key is stopped at the BitLocker prompt and won’t even get to the Windows boot screen (image above).
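For readers who would rather script the three steps than click through them, here is an added worked example; it is not code from the original article. It assumes Windows 7 Ultimate or Enterprise, an elevated PowerShell session, that C: is the operating system drive, that a removable drive at E: will hold the startup key, and that the recovery password is written to a folder you then copy off the machine. Those drive letters and the folder are assumptions; adjust them. Windows 7 has no Enable-BitLocker cmdlet, so the scriptable interface is manage-bde.exe.

```powershell
<# Added example (not the article's own code). Assumptions: Windows 7 Ultimate/Enterprise,
   elevated PowerShell, C: is the OS drive, E: is a USB stick for the startup key,
   $RecoveryDir is a temporary home for the recovery password. #>

$OsDrive     = 'C:'
$KeyDrive    = 'E:'                                 # assumption: USB stick for the startup key
$RecoveryDir = 'C:\Users\Public\BitLockerRecovery'  # assumption: move this file off the machine afterwards

# --- Step 1: is there a usable TPM? The Win32_Tpm WMI class exists on Vista and later. ---
$tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$hasTpm = $false
if ($tpm) {
    # All three must hold: present in firmware, activated, and owned by Windows.
    $hasTpm = $tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated -and $tpm.IsOwned().IsOwned
}
Write-Host "Usable TPM present: $hasTpm"

# --- Step 2: only needed without a TPM. These are the registry values that the
#     "Require additional authentication at startup" policy writes when it is
#     Enabled with "Allow BitLocker without a compatible TPM" checked. ---
if (-not $hasTpm) {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    # 2 = "Allow" for each protector combination, matching the policy's defaults
    foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
        Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
    }
}

# --- Step 3: add key protectors, then turn BitLocker on. ---
# Recovery password first, so a TPM validation failure or a moved disk can never lock you out.
New-Item -ItemType Directory -Path $RecoveryDir -Force | Out-Null
& manage-bde -protectors -add $OsDrive -RecoveryPassword |
    Tee-Object -FilePath (Join-Path $RecoveryDir 'recovery-password.txt')

if ($hasTpm) {
    # TPM + PIN: the key is sealed to the measured boot chain AND needs something you know.
    # manage-bde prompts for the PIN interactively.
    & manage-bde -protectors -add $OsDrive -TPMAndPIN
} else {
    # No TPM: the external key file written to the USB drive is the only way to unlock at boot.
    & manage-bde -protectors -add $OsDrive -StartupKey $KeyDrive
}

# Without -SkipHardwareTest, manage-bde schedules a test reboot that proves the
# startup key / TPM can unlock the drive before any data is actually encrypted.
& manage-bde -on $OsDrive

# Verify the protectors and watch conversion progress after the reboot.
& manage-bde -protectors -get $OsDrive
& manage-bde -status $OsDrive
```

Two points worth noting about the design. The recovery password is added before any other protector and written to a file, because the only unrecoverable mistake in this procedure is ending up with a drive that nothing can unlock; delete that file from the encrypted drive once it is stored elsewhere, since a recovery password kept on the disk it unlocks protects nothing. And the hardware test is deliberately left on: letting BitLocker prove the startup key or TPM works across one reboot costs a minute and catches a dead USB stick or a TPM that is still disabled in firmware while the drive is still readable.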