With that said, we have created this post to explain everything you need to know about encrypting your data using BitLocker, its inner workings, and how you can quickly enable BitLocker on your Windows 11 computer to protect your sensitive data.
What Is BitLocker and How Does It Work
BitLocker is a full-disk encryption utility built into the Windows 11 Pro, Enterprise, and Education editions. The Windows 11 Home edition can also use BitLocker, but it only enables device encryption and misses out on other advanced features. You can use BitLocker to encrypt the data on your storage drive and deny unauthorized access to it. Like other full-disk encryption utilities, BitLocker scrambles the data on your computer’s drive using the AES (Advanced Encryption Standard) algorithm. Along with AES, BitLocker also uses a hardware-based Trusted Platform Module (TPM) and the Unified Extensible Firmware Interface (UEFI) to ensure that all the data on the drive is unreadable unless you enter a password or a recovery key to decrypt it.
That said, you might want to encrypt multiple drives on your computer. Windows 11 allows you to encrypt the primary or operating system drive (Local Disk C:), fixed data drives (Local Disk D, E, F, and so on), and removable storage devices that you often use with your computer. Read along as we explain how you can use BitLocker to encrypt the data on each drive with or without a TPM chip.
How to Enable BitLocker on Operating System Drive
The first step toward protecting your PC’s data is to encrypt its operating system drive, the one where Windows 11 is installed. The primary operating system drive stores all the vital system files and user data required for the proper functioning of Windows. By default, it is Local Drive C: on the majority of computers, unless you’ve installed Windows on a drive or partition with another volume label. Here’s how you can enable BitLocker on your operating system drive to encrypt the data on it:
Step 1: Press the Windows + S keys to open the search panel and type Manage BitLocker. From the result, click on Open.
Step 2: On the BitLocker Drive Encryption page, click on the ‘Turn on BitLocker’ option located below the ‘Operating system drive’ section. Do note that if you want to encrypt your C: operating system drive, you will need to enter the encryption password every time your computer starts.
Step 3: Click on Next to start setting up BitLocker Drive encryption.
Step 4: You should create a backup of the critical files and data on your drive and click on Next.
Step 5: Click on Next again. Do note that once you enable BitLocker on your PC’s primary drive, you can’t access the Windows recovery environment until you enable it manually using the Settings app before you reboot your computer.
Step 6: Click on the ‘Enter a password’ option to create a BitLocker encryption password that you need to enter every time you start your PC. If required, you can also choose the ‘Insert a USB flash drive’ option to use a USB drive as an access key that you will need to connect to your PC every time you start it.
Step 7: Click on the ‘Enter your password’ text box and create a strong password that you will use to unlock your drive and re-enter it in the text box below it. Then, click on Next.
Step 8: Insert a USB drive in the USB slot on your PC and click on the ‘Save to a USB flash drive’ option to create a backup of the recovery key. You can use the recovery key to unlock your drive if you ever forget the BitLocker password. You can choose any one of the four options, or several of them. However, we recommend saving the recovery key on a USB flash drive, which can be kept in a locker or safe without the risk of losing or revealing it.
Step 9: Click and select the USB drive you want to store the recovery key on. Then click on Save.
Step 10: After you see a message saying ‘Your recovery key has been saved,’ click Next.
Step 11: Choose one of the two options and then click Next:
Choose the ‘Encrypt used disk space only (faster and best for new PCs and drives)’ option to encrypt only the current files stored on your hard drive and leave the unused space on the drive unencrypted.
Choose the ‘Encrypt the entire drive (slower but best for PCs and drives already in use)’ option to encrypt the whole drive to make data on it more secure.
Step 12: Choose an appropriate encryption mode and click Next:
Choose ‘New encryption mode (best for fixed drives on this device)’ to encrypt the internal hard drive of your PC.
Choose ‘Compatible mode (best for drives that can be moved from this device)’ to encrypt an external storage device such as an external hard drive or USB flash drive for improved compatibility with earlier versions of Windows.
Step 13: Click on Start encrypting to start the drive encryption process. Meanwhile, you can also click on the ‘Run a BitLocker system check’ checkbox, then click on Continue to ensure that BitLocker can read the recovery and encryption keys you created correctly before encrypting the drive.
Step 14: Wait for the drive to encrypt itself, and once the encryption is completed, click on Close. From now on, every time you start your PC, you will be asked to enter the BitLocker password you created in step 4 to gain access to Windows. If you forget the BitLocker password, you can press the Esc key on your keyboard to enter the recovery key and gain access to your PC. You should also see that the icon of disk drive C:, which you just encrypted, has been replaced with a golden padlock and key BitLocker icon.
How to Enable BitLocker on Fixed Data Drives
You can easily enable BitLocker on your computer’s primary drive (Disk Drive C:), but what about the data on your Fixed Data/secondary drives? To ensure the highest level of protection, the data on your secondary drives also needs to be handled with equally high importance. Here’s how you can enable BitLocker on secondary or fixed Data drives on your Windows 11 PC:
Step 1: Press the Windows + S Keys to open the search panel and type Manage BitLocker. Then from the result that appears, click on Open.
Step 2: On the BitLocker Drive Encryption page, click the ‘Turn on BitLocker’ option.
Step 3: In the new screen, click the box next to the ‘Use a password to unlock the drive’ option.
You can only use the second option if you have a two-factor authentication smart card that allows you to unencrypt the drive using its RFID (Radio-frequency Identification) chip and its alphanumeric PIN.
Step 4: Click on the ‘Enter your password’ text box and create a strong password that you will use to unlock your drive and reenter it in the text box below it. Then click on Next.
Step 5: Insert a USB drive in the USB slot on your PC and click on the ‘Save to a USB flash drive’ option to create a backup of the recovery key. You can use the recovery key to unlock your drive if you ever forget the BitLocker password. You can choose any one of the four options, or several of them. However, we recommend saving the recovery key on a USB flash drive as it can be securely stashed away in a locker or safe without the risk of losing or revealing it.
Step 6: Click and select the USB drive you want to store the recovery key on. Then click on Save.
Step 7: Once you get a message saying your recovery key has been saved, click Next.
Step 8: Choose an appropriate option and click on Next.
Choose ‘Encrypt used disk space only (faster and best for new PCs and drives)’ to only encrypt the current files stored on your hard drive and leave the unused space on the drive unencrypted.
Choose ‘Encrypt the entire drive (slower but best for PCs and drives already in use)’ to encrypt the whole drive to make data on it more secure.
Step 9: Choose an appropriate encryption mode and click Next.
Choose ‘New encryption mode (best for fixed drives on this device)’ to encrypt the internal hard drive of your PC that won’t be used between multiple systems, unlike an external one.
Choose ‘Compatible mode (best for drives that can be moved from this device)’ to encrypt an external storage device such as an external hard drive or USB flash drive for improved compatibility with earlier versions of Windows.
Step 10: Click on Start encrypting to start the encryption process.
Step 11: Wait for the drive to Encrypt itself and click on Close once the encryption is completed. Then restart your PC. After you restart your PC, you will see the encrypted disk drive’s icon has been replaced with a golden padlock and key icon.
Every time you start your PC and try to open the encrypted drive, you will be asked to enter the BitLocker password that you created in step 4 to gain access.
If you forget the BitLocker password, you can click on the more options button below the password field and then click on Enter recovery key. You can also use the steps mentioned above to enable BitLocker To Go, which can be used to encrypt USB sticks, external hard drives, SD cards, and other removable storage peripherals.
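The same fixed data drive setup can be scripted with the BitLocker PowerShell cmdlets. This is an added example, not part of the original article; the drive letter D: and the USB path E:\ are assumptions to replace with your own.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Assumptions: D: is the fixed data drive, E:\ is the USB stick for the recovery key.
$drive      = 'D:'
$backupFile = 'E:\BitLocker-RecoveryKey-D.txt'

# Refuse to start if the recovery key backup location is not reachable.
if (-not (Test-Path (Split-Path $backupFile))) {
    throw "Backup location for $backupFile is not available."
}

# Stop early if the drive is already encrypted or encrypting.
$vol = Get-BitLockerVolume -MountPoint $drive
if ("$($vol.VolumeStatus)" -ne 'FullyDecrypted') {
    throw "$drive is in state '$($vol.VolumeStatus)'; nothing to do."
}

# Step 4 of the wizard: the unlock password (prompted, never stored in the script).
$password = Read-Host -AsSecureString -Prompt "BitLocker password for $drive"

# Steps 8-10: used space only, new encryption mode (XTS-AES 128), start encrypting.
# For 'Compatible mode' use -EncryptionMethod Aes128; drop -UsedSpaceOnly to
# encrypt the entire drive.
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $password `
    -EncryptionMethod XtsAes128 -UsedSpaceOnly | Out-Null

# Steps 5-7: add a recovery password protector and back it up to the USB drive.
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Format-List | Out-File -FilePath $backupFile -Encoding ascii

# Step 11: check progress; repeat until VolumeStatus reads FullyEncrypted.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus
```

Remove the USB drive once the file is written and store it away from the PC; anyone holding the recovery password can unlock the drive.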
How to Enable BitLocker Without TPM
Windows offers two levels of BitLocker encryption: hardware-based and software-based. The hardware-based encryption works using the Trusted Platform Module (TPM) chip built into the CPU or installed on your PC’s motherboard. The software-based encryption allows users to use BitLocker even on systems without the TPM chip. However, it is a bit less secure than hardware-level encryption. If you use Windows 11 on your computer, there’s a good chance that your PC already has a TPM chip installed on it. That chip is a part of Windows 11’s minimum system requirements. However, if you are trying to use BitLocker on a Windows 11 virtual machine, you will need to enable software-based encryption using the Group Policy Editor. Here’s how:
Step 1: Press the Windows + R keys to open the Run dialog and type gpedit.msc in the text field. Then, press Enter.
Step 2: In the Local Group Policy Editor, navigate to the following path:
Step 3: Double-click on the ‘Require additional authentication at startup’ option from the right pane.
Step 4: In the ‘Require additional authentication at startup’ window, click the Enabled button and then the Apply button.
After enabling the ‘Require additional authentication at startup’ policy, you can use the same method we explained in the first and second sections to encrypt any drives and their data on your Windows 11 PC.
How to Disable BitLocker On Windows 11
BitLocker certainly helps to protect your data, but it adds the inconvenience of remembering a password and entering it every time you start your computer. So, you might want to turn off BitLocker on your Windows 11 PC if you plan to sell it off or want to access files stored on an external drive using other operating systems. That being said, here’s how you can quickly disable BitLocker on any hard drive on your PC:
Step 1: Press the Windows + S keys to open the search panel and type Manage BitLocker. Then from the result that appears, click on Open.
Step 2: On the BitLocker Drive Encryption page that appears, click the ‘Turn off BitLocker’ option.
Step 3: When a confirmation dialog appears, click on the ‘Turn off BitLocker’ option.
Step 4: Wait for the drive to decrypt itself and click on Close once the decryption is completed. Then restart your PC. Apart from disabling BitLocker, you can also access the same control panel page to change a drive’s BitLocker password, create a backup of the recovery key, etc.
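To confirm the state of every drive after enabling or disabling BitLocker as described in the sections above, the check below reports each volume's encryption method and key protectors and flags missing recovery keys or an operating system drive with no TPM protector. It is an added example, not part of the original article; the function name Get-BitLockerAudit is hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt.
function Get-BitLockerAudit {
    param(
        # Volumes to evaluate; defaults to every volume BitLocker knows about.
        [object[]]$Volume = (Get-BitLockerVolume)
    )
    foreach ($v in $Volume) {
        # Protector types on this volume, e.g. Tpm, Password, RecoveryPassword, ExternalKey.
        $types = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $notes = @()
        if ("$($v.ProtectionStatus)" -ne 'On') { $notes += 'protection is off' }
        if ("$($v.VolumeStatus)" -ne 'FullyEncrypted') {
            $notes += "status $($v.VolumeStatus) ($($v.EncryptionPercentage)% encrypted)"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $notes += 'no recovery password protector'
        }
        # An OS drive set up through the 'without TPM' policy has no Tpm* protector.
        if ("$($v.VolumeType)" -eq 'OperatingSystem' -and -not ($types -like 'Tpm*')) {
            $notes += 'OS drive unlocks without a TPM protector'
        }
        [pscustomobject]@{
            Drive      = $v.MountPoint
            Type       = "$($v.VolumeType)"
            Method     = "$($v.EncryptionMethod)"   # XtsAes* = new mode, Aes* = compatible mode
            Protectors = ($types -join ', ')
            Findings   = if ($notes) { $notes -join '; ' } else { 'none' }
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize -Wrap

# Whether this PC (or virtual machine) exposes a TPM at all.
Get-Tpm | Select-Object TpmPresent, TpmReady
```

A drive you have just turned BitLocker off for is expected to show ‘protection is off’ and a FullyDecrypted status once decryption completes.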
Safely Encrypt Your Data Using BitLocker
That’s pretty much it. After following the steps mentioned above, you can safely encrypt your computer’s hard drive using BitLocker and prevent unauthorized access to your sensitive data.