{"id":1439,"date":"2014-01-09T23:42:54","date_gmt":"2014-01-09T23:42:54","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=1439"},"modified":"2014-01-09T23:42:54","modified_gmt":"2014-01-09T23:42:54","slug":"how-to-protect-your-boot-drive-with-bitlocker","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=1439","title":{"rendered":"How to Protect Your Boot Drive with BitLocker"},"content":{"rendered":"<p>When it comes to protecting the data on your computer, you can\u2019t do better than strong encryption. Properly encrypted, your files are safe even if a ne\u2019er-do-well gains access to your computer, either physically or through a network. In the past, we\u2019ve discussed how to use various encryption tools to encrypt individual files or create virtual, encrypted drives. Now, we\u2019ll look at how to get maximum security by encrypting your boot disk using the BitLocker full-drive encryption system that\u2019s built into Windows 7 Ultimate and Enterprise.<\/p>\n<h3>Step 1: Assess Your System<\/h3>\n<p>Ideally, you have a motherboard with a Trusted Platform Module (TPM) chip. A TPM chip securely stores cryptographic keys, which BitLocker uses to access your boot drive before Windows even loads. The TPM also detects any early boot files that have been modified, protecting you from rootkits and other low-level malware. You can check with your motherboard manufacturer to see if you have a TPM, or you can just attempt to go straight to Step 3. If you don\u2019t see a message that looks like the image below, you\u2019re good to go. Otherwise, you don\u2019t have a TPM and you\u2019ll need to continue to Step 2.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"http:\/\/www.maximumpc.com\/files\/u139222\/howtobitlocker-step01.jpg\" width=\"582\" height=\"74\" \/><\/p>\n<p>You&#8217;ll also need an additional, small partition on any boot drive you wish to encrypt in order to use BitLocker. 
Windows creates this extra partition by default during installation, but even if you don\u2019t have one, the BitLocker software can create it for you.<\/p>\n<h3>Step 2: Enable USB Key Storage<\/h3>\n<p>By default, BitLocker requires a TPM chip to work. To change this, open the group policy editor by bringing up the Run menu (press Win + R) and then typing gpedit.msc.<\/p>\n<p>Navigate through the hierarchy on the left side of the group policy editor, selecting the following folders, in order: Computer Configuration &gt; Administrative Templates &gt; Windows Components &gt; BitLocker Drive Encryption &gt; Operating System Drives (image below). Once you\u2019ve found the right folder, double-click \u201cRequire additional authentication at startup\u201d to edit that policy entry.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"http:\/\/www.maximumpc.com\/files\/u139222\/howtobitlocker-step02.jpg\" width=\"600\" height=\"419\" \/><\/p>\n<p>In the policy editor, all you need to do is click the radio button marked Enabled. In the bottom\u2011left, a checkbox labeled \u201cAllow BitLocker without a compatible TPM\u201d should already be checked. If it isn\u2019t, check it. Click OK and exit the group policy editor.<\/p>\n<h3>Step 3: Enable BitLocker<\/h3>\n<p>The actual process of enabling BitLocker is straightforward: You can right-click a drive in Explorer and click Turn On BitLocker, or you can go to the BitLocker section of the control panel and enable it on any drive from there.<\/p>\n<p>As long as you\u2019ve followed the previous two steps, you should see a screen asking you for your BitLocker startup preferences. If you have a TPM, you have three options. If you select \u201cUse BitLocker without additional keys\u201d your startup process will be basically unchanged. Someone with access to your computer will be able to get at your data, but you\u2019ll be protected from rootkits and from people accessing your data remotely. 
Alternatively, you can choose to enter a PIN every time you log in.<\/p>\n<p>If you\u2019re using the USB method, you only have access to the last option, \u201cRequire a Startup key at every startup.\u201d With this method, you\u2019ll only be able to boot your computer while you have a USB drive with a startup key inserted in the machine.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" alt=\"\" src=\"http:\/\/www.maximumpc.com\/files\/u139222\/howtobitlocker-step03.jpg\" width=\"600\" height=\"345\" \/><\/p>\n<p>Once you select an option, you\u2019ll be asked to insert a\u00a0USB drive\u00a0to use as the key, and you\u2019ll choose where to store your recovery key, which you&#8217;ll need if you want to decrypt your data on a different computer, or if the TPM detects a problem. It will take some time for BitLocker to encrypt your drive, but once it\u2019s finished, your data is safe. Anyone attempting to boot from your drive without the proper key won\u2019t even get to the Windows boot screen (image above).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to protecting the data on your computer, you can\u2019t do better than strong encryption. Properly encrypted, your files are safe even if a ne\u2019er-do-well gains access to your computer, either physically or through a network. 
In the past, we\u2019ve discussed how to use various encryption tools to encrypt individual files or create virtual, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-1439","post","type-post","status-publish","format-standard","hentry","category-win_7"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1439"}],"version-history":[{"count":2,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1439\/revisions"}],"predecessor-version":[{"id":1441,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/1439\/revisions\/1441"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}