Data privacy is a pressing concern. Information is exposed to many kinds of attack and theft, both online and offline. Online defences such as account passwords and server-side controls only go so far: what if the attacker simply removes the disk and reads it on another machine?
Windows provides the BitLocker feature to protect data on a lost or stolen disk drive. In this article, we first discuss what BitLocker does and then walk through the steps to enable or disable it.
What is BitLocker?
BitLocker is Microsoft’s full-volume encryption feature for protecting data on disk drives against offline attacks, that is, someone reading or tampering with the disk without booting the installed Windows. It encrypts the selected volume, and the data only becomes readable again when the key that protects the volume is supplied at startup. While it is being enabled, BitLocker also generates a 48-digit recovery key (also called the recovery password) that unlocks the volume if the normal unlock method fails.
The recovery key should be printed, saved to a file on a different drive, or backed up to a Microsoft account, Microsoft Entra ID or Active Directory. Day-to-day unlocking is normally handled by the TPM, which releases the volume key automatically when the boot chain is unmodified, so nothing has to be typed. Without a TPM, Windows cannot keep the key in hardware, so a startup password or a USB startup key must be provided at every boot (this requires the “Allow BitLocker without a compatible TPM” group policy setting). The recovery key is only for emergencies and should not be used as the everyday unlock method.
Can I Enable Bitlocker on My Computer?
BitLocker is available on the Windows Pro, Enterprise and Education editions. Windows Home only offers the simpler “Device encryption” (which uses BitLocker technology but has no management options), so you cannot turn on BitLocker for drives of your choice on the Home edition. You can upgrade your Windows edition if you have Home.
If you are unsure which edition of Windows you have, you can check it through the System Information utility. To do so,
- Open the Run dialog (Windows + R), type msinfo32, and press Ctrl + Shift + Enter to launch it as administrator.
- If the OS Name value ends in Home, BitLocker cannot be turned on on your PC.
You should also check the value of the item Device Encryption Support, even on Windows Pro or Enterprise. It reports whether the hardware prerequisites for automatic device encryption are met and, if not, lists the reasons (for example a missing TPM or unsupported firmware), which makes it a quick indicator of BitLocker readiness on your device.
Along with these, two further requirements must be met to enable BitLocker:
Trusted Platform Module
TPM (Trusted Platform Module) is a dedicated cryptographic processor on the motherboard (or integrated into the CPU or firmware). During boot it measures the firmware, the boot loader and the Windows boot components into its registers; BitLocker seals the volume key to those measurements, so the TPM releases the key only when the boot chain is unmodified. BitLocker supports TPM 1.2 or 2.0. TPM 2.0 requires UEFI boot mode, while TPM 1.2 also works with legacy BIOS mode. BitLocker works best natively with a TPM.
The TPM stores and releases the key that unlocks the volume at boot; the 48-digit recovery key is separate and is not stored in the TPM. The TPM must also be enabled at the firmware level, in BIOS or UEFI. You can check whether a TPM is present and enabled by running a command in PowerShell (Admin). Follow the steps:
- Press Windows + R keys to open the Run dialog.
- Type powershell, hold Ctrl + Shift, and hit Enter to open it as administrator.
- Run the command Get-Tpm and check whether TpmPresent and TpmEnabled both show True.
If TpmEnabled is False, you must enable the TPM from the firmware settings. The exact method differs between manufacturers, but F2, Del or F12 are commonly pressed while the computer boots to enter BIOS or UEFI setup, and the TPM settings (sometimes labelled PTT on Intel or fTPM on AMD systems) are under the Security section. Search online for the exact steps for your brand of system.
Even if your motherboard has no TPM, you can still enable BitLocker. You must first enable the group policy “Require additional authentication at startup” (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) with “Allow BitLocker without a compatible TPM” checked, and then use a startup password or a startup key stored on a USB drive. For a USB startup key, the firmware must be able to read USB devices during boot, so enable that in BIOS or UEFI if it isn’t already.
Minimum of Two Disk Partitions
BitLocker requires at least two partitions on the boot disk: the operating system partition, which gets encrypted, and a separate unencrypted system partition (the EFI System Partition on UEFI systems, or the System Reserved partition on legacy BIOS systems) that holds the boot files. The operating system drive must be formatted with NTFS (New Technology File System). To check the number of partitions and their file systems, open the Disk Management utility by entering
diskmgmt.msc in the Run dialog.
You can read our dedicated article on how to partition a hard drive if required.
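The following script is an added example, not part of the original article: it gathers the prerequisites discussed above (edition, TPM state and version, firmware mode, the no-TPM policy, partition layout and NTFS) into a single readiness report. It assumes the operating system volume is C: and uses the registry values that back the “Require additional authentication at startup” policy; the wording of the findings is this example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): one readiness report for the checks done by hand above.
# Assumption: the OS volume is C: unless another letter is passed.

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$OsDrive = 'C')

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Edition. Home reports EditionID "Core"; Pro/Enterprise/Education include BitLocker management.
    $edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    if ($edition -match '^Core') {
        $findings.Add("Edition '$edition' (Home) cannot manage BitLocker; upgrade to Pro/Enterprise/Education.")
    }

    # 2. Policy that permits BitLocker without a TPM (registry-backed group policy values).
    $fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $noTpmPolicy = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)

    # 3. TPM presence/state (same data as Get-Tpm) plus the spec version from the WMI class.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmUsable = $tpmPresent -and $tpm.TpmEnabled -and $tpm.TpmActivated
    $tpmSpec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' -ClassName Win32_Tpm `
                -ErrorAction SilentlyContinue).SpecVersion   # e.g. "2.0, 0, 1.59"
    if (-not $tpmPresent -and -not $noTpmPolicy) {
        $findings.Add('No TPM and the "Allow BitLocker without a compatible TPM" policy is not set: enable it and use a startup password or USB startup key.')
    } elseif ($tpmPresent -and -not $tpmUsable) {
        $findings.Add('TPM present but not enabled/activated: turn it on in BIOS/UEFI (Security section; may be called PTT or fTPM).')
    }

    # 4. Firmware mode. TPM 2.0 is only supported with UEFI boot; TPM 1.2 also works with legacy BIOS.
    $firmware = $env:firmware_type        # "UEFI" or "Legacy"
    if ($tpmSpec -and $tpmSpec -like '2.0*' -and $firmware -ne 'UEFI') {
        $findings.Add("TPM 2.0 with $firmware boot mode is unsupported; convert the disk to GPT and boot in UEFI mode.")
    }

    # 5. Partition layout: a separate system partition on the OS disk, and NTFS on the OS volume.
    $osPartition = Get-Partition -DriveLetter $OsDrive
    $diskPartitions = @(Get-Partition -DiskNumber $osPartition.DiskNumber)
    $systemPartition = $diskPartitions | Where-Object { $_.IsSystem -and $_.PartitionNumber -ne $osPartition.PartitionNumber }
    if (-not $systemPartition) {
        $findings.Add("No separate system partition on disk $($osPartition.DiskNumber); the Turn on BitLocker wizard will offer to create one.")
    }
    $osFs = (Get-Volume -DriveLetter $OsDrive).FileSystem
    if ($osFs -ne 'NTFS') { $findings.Add("OS volume ${OsDrive}: is $osFs, not NTFS.") }

    [pscustomobject]@{
        Edition        = $edition
        TpmPresent     = $tpmPresent
        TpmUsable      = [bool]$tpmUsable
        TpmSpecVersion = $tpmSpec
        FirmwareMode   = $firmware
        NoTpmPolicy    = [bool]$noTpmPolicy
        PartitionCount = $diskPartitions.Count
        OsFileSystem   = $osFs
        Ready          = ($findings.Count -eq 0)
        Findings       = $findings.ToArray()
    }
}

Test-BitLockerReadiness | Format-List
```

Run it from an elevated PowerShell window. A machine with no TPM but with the no-TPM policy set still reports Ready, because BitLocker can then be enabled with a startup password or USB startup key; a machine with a TPM that is present but disabled reports a finding pointing you at the firmware settings.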
How to Enable Bitlocker?
After confirming that all the prerequisites are in place, you can enable BitLocker through the Control Panel. Here are the steps to enable BitLocker on Windows Pro or Enterprise:
- Open Control Panel.
- Go to System and Security.
- Click on BitLocker Drive Encryption.
- Click the Turn on BitLocker option.
The computer will check whether everything is in place to support BitLocker.
- Save your recovery key using one of the offered methods (Microsoft account, file on another drive, or printout). Click Next when done.
- Choose whether to encrypt used disk space only (faster, fine for a new PC) or the entire drive (recommended for a drive that has been in use, since previously deleted files may still be recoverable from free space), and click Next.
- Select the encryption mode: New encryption mode (XTS-AES) for fixed drives in this PC, or Compatible mode for removable drives that must also be opened on older versions of Windows. Hit the Next button.
- Check the box for Run BitLocker system check and click Start encrypting. The system check verifies that the TPM can actually unlock the drive before any data is encrypted.
- Click the Restart now button.
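The same procedure from PowerShell, as an added example that is not from the original article: it starts encryption with a recovery password protector, writes the recovery key to a folder on a different drive, then adds the TPM as the everyday unlock protector and reports progress. It assumes the OS volume is C: and that D:\BitLockerKeys is on a separate (removable) drive; in a managed environment you would replace the file backup with Backup-BitLockerKeyProtector (Active Directory) or BackupToAAD-BitLockerKeyProtector (Microsoft Entra ID). Unlike the wizard, it skips the hardware test so that encryption starts immediately; the recovery key saved in step 2 is the safety net if the TPM cannot unlock the drive on the next boot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Assumptions: OS volume is C:, a usable TPM, and
# D:\BitLockerKeys lives on a different drive than the one being encrypted.

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'C:',
        [string]$RecoveryKeyFolder = 'D:\BitLockerKeys'
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); nothing to do."
    }
    if (-not (Get-Tpm).TpmReady) {
        throw 'TPM is not ready; fix that first, or use a password/startup-key protector instead.'
    }
    if ((Split-Path -Qualifier $RecoveryKeyFolder) -eq $MountPoint) {
        throw 'Refusing to store the recovery key on the volume being encrypted.'
    }

    # 1. Start encryption with a recovery-password protector, so the 48-digit key exists before
    #    any data is encrypted. XtsAes256 is the wizard's "new encryption mode"; -UsedSpaceOnly
    #    is "encrypt used disk space only". -SkipHardwareTest avoids the wizard's reboot-first check.
    $null = Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -UsedSpaceOnly `
                             -RecoveryPasswordProtector -SkipHardwareTest
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # 2. Save the recovery key off the device (what the wizard's "Save to a file" does).
    New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
    $keyFile = Join-Path $RecoveryKeyFolder ("BitLocker-$env:COMPUTERNAME-" + $rp.KeyProtectorId.Trim('{}') + '.txt')
    @(
        "Identifier: $($rp.KeyProtectorId)"
        "Recovery Key: $($rp.RecoveryPassword)"
    ) | Set-Content -Path $keyFile
    Write-Host "Recovery key saved to $keyFile"

    # 3. Add the TPM as the day-to-day unlock protector so nothing has to be typed at boot.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector
    $types = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
    if ($types -notcontains 'Tpm') {
        throw 'TPM protector was not added; the next boot would prompt for the recovery key.'
    }

    # 4. Watch progress (the same figures manage-bde -status reports).
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Progress -Activity "Encrypting $MountPoint" -Status $vol.VolumeStatus `
                       -PercentComplete $vol.EncryptionPercentage
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
}

Enable-OsDriveBitLocker
```

The order matters: the recovery password is created and copied off the machine before the TPM protector exists, so there is never a moment where the only way into the volume is a TPM that has not yet been proven to work.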
How to Check Bitlocker’s Overall Status?
Windows includes a command-line tool, manage-bde, that reports BitLocker’s status in detail. Its output also shows the encryption or decryption progress for each volume, the encryption method, and which key protectors are configured.
Here are the steps to check BitLocker’s status:
- Open Command Prompt in Administrator mode.
- Type manage-bde -status and hit Enter.
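The BitLocker PowerShell module exposes the same information as manage-bde -status as objects, which makes it easy to audit every volume rather than eyeball the text. The script below is an added example, not from the original article; the conditions it flags (suspended protection, no recovery password, a non-XTS encryption method, TPM-only unlock on the OS drive) and their wording are this example’s own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): audit every BitLocker volume and list what a reviewer
# would want fixed. $AcceptedMethods is this example's policy choice.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param(
        # The XTS modes introduced in Windows 10 1511; older Aes128/Aes256 (with or without
        # the diffuser) are flagged so the volume can be re-encrypted.
        [string[]]$AcceptedMethods = @('XtsAes128', 'XtsAes256')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $issues = [System.Collections.Generic.List[string]]::new()
        $types  = @($vol.KeyProtector.KeyProtectorType)

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $issues.Add('Not encrypted')
        } else {
            # ProtectionStatus Off on an encrypted volume is what manage-bde calls "suspended":
            # a clear key is stored on disk and the volume unlocks without any protector.
            if ($vol.ProtectionStatus -ne 'On') {
                $issues.Add("Protection is $($vol.ProtectionStatus) (suspended)")
            }
            if ($vol.VolumeStatus -ne 'FullyEncrypted') {
                $issues.Add("$($vol.VolumeStatus): $($vol.EncryptionPercentage)% encrypted")
            }
            if ($types -notcontains 'RecoveryPassword') {
                $issues.Add('No recovery password protector, so there is no recovery key to back up')
            }
            if ($vol.EncryptionMethod -notin $AcceptedMethods) {
                $issues.Add("Encryption method $($vol.EncryptionMethod) is not XTS-AES")
            }
            if ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm' -and -not ($types -match 'Pin')) {
                $issues.Add('TPM-only unlock: the key is released automatically at boot; TPM+PIN adds a second factor')
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Method           = $vol.EncryptionMethod
            Percent          = $vol.EncryptionPercentage
            Protectors       = ($types -join ', ')
            Issues           = ($issues -join '; ')
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Empty Issues for every volume means the disk is fully encrypted with XTS-AES, protection is on, and a recovery password exists that you can confirm is backed up somewhere other than the encrypted drive.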
How to Disable BitLocker?
Enabling BitLocker strengthens data security, but if you have a disk that is constantly moved between different systems, unlocking it on each one may be tedious. Furthermore, some people fear losing the recovery key, because Microsoft states that it has no way of recovering the data in that scenario.
To disable Bitlocker,
- Follow the same steps as above to reach the BitLocker Drive Encryption menu.
- Click on Turn off BitLocker.
- Confirm by clicking Turn off BitLocker again in the dialog box that appears. Decryption runs in the background, and the drive remains encrypted until it finishes.
Command Line Methods
There are also command-line methods to decrypt a drive and turn BitLocker off. You can run them in Command Prompt or PowerShell, but the commands differ. Below are the commands you need to enter to disable BitLocker:
For Command Prompt
Type manage-bde -off followed by the drive letter and press Enter.
For instance, to disable BitLocker on the C drive, you’d use
manage-bde -off C:
For PowerShell
Type Disable-BitLocker with the volume’s mount point and press Enter.
In the case of PowerShell, you’d use the following command to disable BitLocker on the C drive:
Disable-BitLocker -MountPoint "C:"
Both commands remove the key protectors and start a full decryption. Check progress with manage-bde -status or Get-BitLockerVolume, and wait until the volume reports fully decrypted before moving the disk. If you only need BitLocker out of the way temporarily (for example during a firmware or boot loader update), suspend it instead with manage-bde -protectors -disable C: or Suspend-BitLocker -MountPoint "C:"; the data stays encrypted, and protection can be resumed with manage-bde -protectors -enable C: or Resume-BitLocker.
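To make the difference between the two operations explicit, here is an added example (not from the original article) that wraps each in a function: one suspends protection for a chosen number of restarts, the other decrypts and waits until the volume is really decrypted before declaring the drive safe to move. It assumes the volume is C: unless another mount point is passed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Suspend keeps the data encrypted and resumes protection
# after $RebootCount restarts; Disable removes all protectors and decrypts, which takes a while,
# so the caller is made to wait for VolumeStatus FullyDecrypted. Assumes C: by default.

function Suspend-BitLockerForMaintenance {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 1)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        return "BitLocker on $MountPoint is not active (protection status $($vol.ProtectionStatus))."
    }
    # Equivalent of: manage-bde -protectors -disable C: -RebootCount 1
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    "Protection on $MountPoint suspended for $RebootCount restart(s); data stays encrypted. Resume early with Resume-BitLocker."
}

function Disable-BitLockerAndWait {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return "$MountPoint is already decrypted." }
    # Equivalent of: manage-bde -off C:
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        # EncryptionPercentage counts down from 100 while decrypting.
        Write-Progress -Activity "Decrypting $MountPoint" -Status $vol.VolumeStatus `
                       -PercentComplete (100 - $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    "$MountPoint is fully decrypted; all key protectors were removed and the drive can be moved."
}

# Pick one:
Suspend-BitLockerForMaintenance -MountPoint 'C:' -RebootCount 1
# Disable-BitLockerAndWait -MountPoint 'C:'
```

Suspending is the right tool for firmware, TPM or boot loader updates, which change the measurements the TPM sealed the key to; without a suspend, the next boot would demand the recovery key. Fully disabling is only needed when the disk must be readable on machines that will never have the protectors.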
What if I Lost the Recovery Key?
Most recent devices meet the requirements for BitLocker. If they came with Windows Pro or Enterprise out of the box, chances are that BitLocker (or device encryption) was turned on automatically when you first signed in with a Microsoft account. The recovery key for such devices is backed up to that Microsoft account and can be retrieved by signing in at https://account.microsoft.com/devices/recoverykey. For devices signed in with a work or school account, the key is stored in Microsoft Entra ID (or Active Directory), and your administrator can look it up.
But if you haven’t saved your recovery key anywhere or have lost it, there is no legitimate method to recover the data from the encrypted drive. The only option is to reformat the drive, which erases all of its data, and reinstall Windows to make it usable again.