This series has briefly introduced BitLocker, a security tool built into modern Windows operating systems. The first article described the architecture of this tool in principle; without that background, implementing disk encryption at home or in an organization makes little sense. From the first article you could also learn that, to take full advantage of this technology, the computers to be encrypted must be equipped with a Trusted Platform Module (TPM), which unfortunately is far from present on every computer. Therefore, in the following articles of this series, when work with a TPM is described, only its emulator on a virtual machine will be used. I also think it is worth noting that neither this nor the following articles of this series will consider locking data disks with smart cards.

As you probably know, BitLocker lets you encrypt an entire drive, whereas Encrypting File System (EFS) encrypts only individual files. Naturally, in some cases you only need to encrypt certain files and it would seem that there is no need to encrypt the entire partition, but EFS is advisable only on computers on the intranet that will not move between departments and offices. In other words, if your user has a laptop, periodically travels on business trips, and has, say, only a few dozen files on the computer that need encrypting, it is better to use BitLocker on that laptop rather than the encrypting file system. The reason is that EFS cannot encrypt such vital elements of the operating system as the system registry files. If an attacker gets to the registry of your laptop, he can find plenty of interesting information there, such as your user's cached domain account data and password hashes, which can later cause significant harm and loss not only to this user but to the entire company. With BitLocker, unlike the encrypting file system, as already noted above, all data located on the encrypted disk of your user's laptop is encrypted. Many may wonder how other users in the organization can use files encrypted with this technology. In fact, it is very simple: if files on a computer with a BitLocker-encrypted disk are shared, authorized users can work with them just as if there were no encryption on that user's computer. In addition, if files located on an encrypted disk are copied to another computer or to an unencrypted disk, they are decrypted automatically.

In the following sections, you will learn how to encrypt the system and extended partitions on a laptop without a TPM, running Windows 7.

Enable BitLocker encryption for the system partition

There is nothing complicated about enabling BitLocker Drive Encryption for the system partition on a computer that is not a member of a domain. Before encrypting the system disk, I should point out that three partitions have been created on the laptop whose disks will be encrypted, and the first two are the ones to be encrypted:

Fig. 1. Windows Explorer on the laptop whose disks will be encrypted

To encrypt the system partition, do the following:

  1. First of all, since the laptop in this example has no TPM, some preliminary steps are advisable. Open the Local Group Policy Editor snap-in and navigate to Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives. Here you can find six policy settings. Since this laptop is not equipped with a TPM, you must make sure that, before the operating system loads, a USB drive containing a special key is used to confirm authentication and then boot the system. This is controlled by the policy setting "Require additional authentication at startup". In the properties dialog of this policy setting, check the box "Allow BitLocker without a compatible TPM". Since this is the only option of interest when encrypting a disk in a workgroup, save your changes. The properties dialog box for this policy setting is shown in the following illustration:

     Fig. 2. Properties dialog box for the "Require additional authentication at startup" policy setting

     There are many different Group Policy settings for controlling BitLocker. They will be discussed in detail in one of the following articles on BitLocker.

  2. Open Control Panel, go to the "System and Security" category and select "BitLocker Drive Encryption";
  3. In the Control Panel window that appears, select the system partition and click the "Turn on BitLocker" link. Note that you can only encrypt a partition if it is located on a basic disk. If you have created partitions on a dynamic disk, you will need to convert the disk from dynamic to basic before encrypting them. The "BitLocker Drive Encryption" window is shown in the following illustration:

     Fig. 3. BitLocker Drive Encryption Control Panel window

  4. After a computer configuration check, the first page of the BitLocker Drive Encryption Wizard lets you specify various startup options. But since my laptop has no TPM, and the Group Policy setting was changed to allow BitLocker on hardware without a TPM, I can only select the option "Request key at startup". The first page of the wizard is shown below:

     Fig. 4. Startup options of the BitLocker Drive Encryption Wizard

  5. On the "Save Startup Key" page of the wizard, attach a flash drive to your computer and select it from the list. After selecting the drive, click "Save";
  6. On the third page of the wizard, specify the location for the recovery key. The recovery key is a small text file containing some instructions, the disk label, a password ID and a 48-character recovery key. Keep in mind that this key differs from the startup key: it is used to gain access to the data when it cannot be accessed by any other means. You can choose one of three options: save the recovery key to a USB flash drive, save it to a file, or print it. Note that with the first option you must save the recovery key and the startup key on different flash drives. Since it is recommended to keep several copies of the recovery key, and on computers other than the encrypted one, in my case the recovery key was saved to a network folder on one of my servers and also to the HP cloud drive. Now the contents of the recovery key are known only to me and HP, although they most likely assure us of complete confidentiality. If you print the recovery key, Microsoft recommends keeping the document in a locked safe. I recommend simply memorizing these 48 digits and, once you have read the document, burning it :). The "How to save the recovery key?" page of the BitLocker Drive Encryption Wizard is shown in the following illustration:

     Fig. 5. Saving the recovery key for data encrypted with BitLocker

  7. This page of the Drive Encryption Wizard can be considered the last one, because at this stage you can run the BitLocker system check, which makes sure that, if necessary, you will be able to use your recovery key. You will be prompted to restart the computer to complete the system check. In principle this step is not mandatory, but it is still advisable to run the check. The last page of the wizard is shown below:

     Fig. 6. The last page of the Drive Encryption Wizard

  8. Immediately after the POST, you will be prompted to insert the flash drive with the startup key in order to start the operating system. After the computer restarts and BitLocker has verified that nothing unforeseen will happen after encryption, the drive encryption process itself begins. You will notice it from the icon in the notification area, or by opening the "BitLocker Drive Encryption" window from Control Panel. Encryption runs in the background, so you can keep working on the computer while it is in progress; however, BitLocker consumes processor time and free space on the encrypted disk. To see what percentage of the drive is already encrypted, find the "%VolumeName% is being encrypted using BitLocker Drive Encryption" icon in the notification area and double-click it. The BitLocker notification icon and the "BitLocker Drive Encryption" dialog box are shown below:

     Fig. 7. Encryption in progress

  9. After the BitLocker Drive Encryption process completes, you will be notified that the drive you chose has been encrypted successfully. This dialog box is shown below:

     Fig. 8. BitLocker Drive Encryption complete
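The same procedure driven from the command line instead of the wizard, as an added example (not code from the article): it checks the Group Policy registry values that the "Require additional authentication at startup" step writes, turns on BitLocker with manage-bde using a startup key on a USB drive plus a recovery password, stores the recovery password in a network folder the way the wizard's "save to a file" option does, and reads the encryption progress that the notification-area dialog shows. The drive letters and the \\SERVER\BitLockerKeys folder are assumed placeholders; the two registry value names are the ones that policy setting records, and the output parsing assumes an English-language Windows.

```powershell
# Added example (not from the article): the Windows 7 procedure above driven from an
# elevated PowerShell prompt with manage-bde.exe. Assumed placeholders, not from the
# article: C: is the system partition, E:\ the flash drive for the startup key,
# \\SERVER\BitLockerKeys the network folder for the recovery password. Output
# parsing assumes an English-language Windows.
$SystemDrive     = "C:"
$StartupKeyDrive = "E:\"
$RecoveryPassDir = "\\SERVER\BitLockerKeys"   # placeholder path

$FvePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

function Test-NoTpmPolicy {
    # "Require additional authentication at startup" with "Allow BitLocker without a
    # compatible TPM" ticked: the Local Group Policy Editor records that choice in
    # these two DWORD values under the FVE policy key.
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1)
}

function Set-NoTpmPolicy {
    # The same change written directly; suitable for a workgroup machine only, since
    # in a domain these values are overwritten by central policy.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $FvePolicyKey -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicyKey -Name EnableBDEWithNoTPM -Value 1 -Type DWord
}

function Enable-SystemDriveBitLocker {
    param([string]$Drive, [string]$KeyDrive, [string]$RecoveryDir)

    if (-not (Test-NoTpmPolicy)) { Set-NoTpmPolicy }
    if (-not (Test-Path $KeyDrive)) { throw "Attach the startup-key flash drive at $KeyDrive first." }

    # Startup key and recovery key in one command: -StartupKey writes the .BEK file to
    # the flash drive, -RecoveryPassword generates the 48-digit recovery password and
    # prints it. -SkipHardwareTest is deliberately omitted so the BitLocker system
    # check still runs at the next restart, exactly as in the wizard.
    $text = (& manage-bde.exe -on $Drive -StartupKey $KeyDrive -RecoveryPassword 2>&1) | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed:`n$text" }

    # The recovery password is printed as eight groups of six digits after its
    # identifier in braces; both go into the recovery file, as the wizard's file has.
    $password = [regex]::Match($text, '\d{6}(-\d{6}){7}').Value
    $id       = [regex]::Match($text, '\{[0-9A-Fa-f-]{36}\}').Value
    if (-not $password) { throw "Recovery password not found in manage-bde output:`n$text" }
    $name = if ($id) { $id.Trim('{', '}') } else { Get-Date -Format 'yyyyMMdd-HHmmss' }

    $file = Join-Path $RecoveryDir "BitLocker Recovery Key $name.txt"
    @(
        "BitLocker Drive Encryption recovery key",
        "Computer: $env:COMPUTERNAME   Drive: $Drive   Created: $(Get-Date -Format s)",
        "Identifier: $id",
        "Recovery key: $password"
    ) | Set-Content -Path $file -Encoding Unicode
    return $file
}

function Get-EncryptionProgress {
    # The same figures the notification-area dialog shows, taken from "manage-bde -status".
    param([string]$Drive)
    $text = (& manage-bde.exe -status $Drive) | Out-String
    [pscustomobject]@{
        Drive            = $Drive
        ConversionStatus = [regex]::Match($text, 'Conversion Status:[ \t]*(.+)').Groups[1].Value.Trim()
        PercentEncrypted = [regex]::Match($text, 'Percentage Encrypted:[ \t]*([\d.,]+)%').Groups[1].Value
        ProtectionStatus = [regex]::Match($text, 'Protection Status:[ \t]*(.+)').Groups[1].Value.Trim()
    }
}

# Run the procedure, then restart with the flash drive inserted so that the system
# check and the startup-key prompt take place; encryption begins after that restart.
$keyFile = Enable-SystemDriveBitLocker -Drive $SystemDrive -KeyDrive $StartupKeyDrive -RecoveryDir $RecoveryPassDir
Write-Host "Recovery password saved to $keyFile. Restart the computer with the flash drive inserted."
# After the restart, watch the background encryption with:  Get-EncryptionProgress -Drive C:
```

Two points worth checking before running it: the recovery password file must never end up on the encrypted volume or on the startup-key stick (the script writes it to the network folder for that reason), and the `Test-NoTpmPolicy` check fails on a domain member whose policy is set centrally, which is the right outcome, since the local registry write would be reverted at the next policy refresh.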

For those encrypting a disk for the first time, I want to note that this procedure is not instantaneous; for example, it took me 70 minutes to encrypt a 75 gigabyte system disk.

Now, as you can see in the following illustration, the system partition icon in Windows Explorer shows a padlock, which means that this partition is encrypted with BitLocker:

Fig. 9. Encrypted system partition in Windows Explorer

Conclusion

In this article, you learned how to encrypt a drive using BitLocker technology: preparing for encryption and encrypting the disk itself with the GUI. Since I indicated at the beginning of the article that two drives on this laptop are encrypted, in the following article you will learn how to encrypt a drive with BitLocker using the manage-bde command-line utility.

Have you ever wondered how to protect the information on your hard disk? It turns out that no additional software is needed: the BitLocker service built into Windows 7 and later will do it. Let's take a closer look at how it works.

What it is

BitLocker is a technology that protects information by encrypting HDD partitions. It is a Windows service that protects directories and files by encryption on its own, using a key created in the TPM.
TPM is a cryptoprocessor that stores the keys protecting access to the information. It is used for:

  1. Protecting information and copies of data;
  2. Authentication.

How does it work

It turns out that the computer works with the encrypted information and displays it in readable form; access to it is not blocked. Protection comes into play when someone tries to access the information from the outside.
The technology is based on encryption with the AES algorithm using 128- or 256-bit keys. The easiest way to store keys is .

Peculiarities

You can encrypt any HDD (except network drives), as well as SD cards and flash drives. The recovery key is stored on the PC, on removable media or in the TPM chip.
The encryption process takes a long time; how long depends on the power of the PC and the amount of information on the HDD. While encryption runs, the system works with reduced performance.
Modern operating systems support this technology, so there is nothing to download for Windows 7 and later versions: BitLocker is included, completely free of charge.

Windows 10 Disk Encryption if a TPM is installed on the board

If an error message appears saying that BitLocker must be allowed to run without a TPM, then there is no TPM on the board. Let's consider what to do.

BitLocker Windows 10 how to enable without TPM

To encrypt a drive with BitLocker, follow these steps:

  1. Press Win + R, then type gpedit.msc;
  2. Navigate as shown in the screenshot;
  3. Click "Disks";
  4. Proceed as shown in the screenshot;
  5. Select "Enabled";
  6. Close the editor;
  7. Click "Start" - "Programs" - "System Tools" - "Control Panel";
  8. Click the "Encryption" link;
  9. Then click "Enable";
  10. Wait until the check is over;
  11. If you lose your password, access to the information will be closed, so create a backup copy;
  12. The preparation process starts. Do not turn off the PC, otherwise the boot partition may be damaged and Windows will not boot;
  13. Click "Next";
  14. Enter the password you will use to unlock the drive. I recommend making it different from your login password;
  15. Choose how the recovery key is stored. It is used to access the drive if you forget your password. Save it to your Microsoft account or to a text document, or write it down on paper;

     Keep it separate from the PC.

  16. I recommend choosing to encrypt the entire disk; it is more reliable. Click "Next";
  17. Select "New Mode";
  18. Check the "Start scan" checkbox;
  19. A BitLocker icon appears in the system tray along with a notification that you need to restart the PC;
  20. Next, a window for entering the password appears. Enter the one you specified during encryption;
  21. Encryption starts after the system boots. Click the system tray icon to see what percentage of the work is done.

How to disable BitLocker Windows 10

BitLocker Windows 7 how to enable

Many users ask how to download BitLocker for Windows 7. It turns out that you don't need to download anything, just as for Windows 10: the service is built into the system. The steps are similar to those described above.

BitLocker to Go

The technology is used to encrypt information on removable media: SD cards, external HDDs, USB devices. It protects the information if the media is stolen.
The system detects the device automatically. To decrypt it, the person only has to enter the unlock credentials. The technology removes the protection if the user knows the username, password or recovery key. It is used to protect all files on the media. You can download BitLocker from the official Microsoft website.
Use the steps above to encrypt. In Local Group Policy, mark the options as shown in the screenshot.

Bitlocker windows 10 how to unlock

To unlock the data, a password or recovery key is used. A password is required when encrypting. Find the recovery key, then follow this sequence of steps:

If BitLocker has locked the drive and the key is lost, roll back the system to the restore point you created earlier. If there is none, reset the system to its original state: go to "Settings" (Win + I) - "Update" - "Recovery" - "Start".
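For the "how to unlock" and "how to disable" headings above, an added example using the BitLocker PowerShell module that ships with Windows 8.1 and 10 (not code from the article): it lists the recovery passwords a volume holds together with their identifiers, unlocks a locked data drive with a 48-digit recovery password after checking its shape, and turns BitLocker off while watching the background decryption. The drive letters and the recovery password string in the usage lines are constructed placeholders.

```powershell
# Added example (not from the article): BitLocker PowerShell module, elevated prompt.
Import-Module BitLocker

function Get-RecoveryPasswords {
    # "Find the recovery key": every recovery-password protector held by an UNLOCKED
    # volume, with its identifier. The identifier is what the recovery screen shows, so
    # it tells you which saved key to look for. For a volume that is still locked the
    # password cannot be read here, which is why the backup copy matters.
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $MountPoint
                Id               = $_.KeyProtectorId
                RecoveryPassword = $_.RecoveryPassword
            }
        }
}

function Unlock-WithRecoveryPassword {
    param([string]$MountPoint, [string]$RecoveryPassword)
    # A BitLocker recovery password is 48 digits in eight hyphen-separated groups of six;
    # reject anything else before calling the cmdlet, so a typo gives a clear message.
    if ($RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "A recovery password has 48 digits in eight groups of six (123456-123456-...)."
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') { return $vol }     # already open, nothing to do
    Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword
}

function Disable-DriveBitLocker {
    # "How to disable BitLocker": decryption runs in the background just as encryption
    # did, so poll until the volume reports FullyDecrypted.
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') { throw "Unlock $MountPoint before disabling BitLocker." }
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return $vol }
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1}, {2}% still encrypted" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')
    return $vol
}

# Usage (constructed values): the drive letters and the recovery password below are
# placeholders, not real keys.
Get-RecoveryPasswords -MountPoint 'C:' | Format-Table -AutoSize
# Unlock-WithRecoveryPassword -MountPoint 'E:' -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
# Disable-DriveBitLocker -MountPoint 'E:'
```

`Get-RecoveryPasswords` run against the unlocked system drive is the quickest way to print the recovery password for a fresh backup before the article's "roll back the system" fallback ever becomes necessary.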

Conclusion

We've covered how to enable BitLocker in Windows 10. Use the methods above to keep your data safe. The main thing is to remember the password: it is required even if you remove the HDD from one PC and connect it to another.

Hello, friends! In this article we continue exploring the systems built into Windows that are designed to increase the security of our data. Today it is the BitLocker disk encryption system. Data encryption is needed so that your information cannot be used by strangers; how it gets into their hands is another matter.

Encryption is the process of transforming data so that only the right people can access it. Keys or passwords are usually used to gain access.

Whole-disk encryption prevents access to the data when the hard drive is connected to another computer. An attacker's system may have a different operating system installed to bypass the protection, but this will not help if you use BitLocker.

BitLocker technology appeared with the release of Windows Vista and was improved in Windows 7. BitLocker is available in the Windows 7 Ultimate and Enterprise editions as well as Windows 8 Pro. Owners of other editions will have to look for an alternative.

Without going into details, it works like this. The system encrypts the entire drive and gives you the keys to it. If you encrypt the system disk, the computer will not boot without your key. It is like the keys to an apartment: if you have them, you get in; if you lose them, you need the spare (the recovery code issued during encryption) and then change the lock (encrypt again with other keys).

For reliable protection it is desirable to have a Trusted Platform Module (TPM) installed in the computer. If it is present and its version is 1.2 or higher, it will manage the process and stronger protection methods become available. If it is absent, only a key on a USB drive can be used.

BitLocker works as follows. Each sector of the disk is encrypted separately with the full-volume encryption key (FVEK). The AES algorithm with a 128-bit key and a diffuser is used; the key can be changed to 256 bits in Group Policy security settings.

When encryption is complete, you will see the following picture:

Close the window and check if the startup key and recovery key are in safe places.

Flash Drive Encryption - BitLocker To Go

Why should encryption be paused? So that BitLocker does not lock your drive and you do not have to resort to the recovery procedure. The system settings (BIOS and boot partition contents) are fixed during encryption for additional protection, and changing them may result in the computer being locked.

If you select Manage BitLocker, you can save or print the recovery key and duplicate the startup key.

If one of the keys (the startup key or the recovery key) is lost, you can restore it here.

Managing Encryption for External Drives

The following functions are available for managing the encryption settings of a flash drive:

You can change the unlock password. You can only remove the password if a smart card is used to unlock the drive. You can also save or print a recovery key and enable automatic unlocking of the drive on this computer.
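The pause and key-management operations described in the last few paragraphs (suspending protection before a BIOS or boot change, duplicating the startup key, saving a recovery key, changing the unlock password of a removable drive, and enabling automatic unlock on this computer), as an added example with the BitLocker PowerShell module of Windows 8.1 and 10 (not the article's own code; the drive letters and file path are assumed placeholders). One difference from the GUI: "Duplicate the startup key" copies the same .BEK file, whereas the cmdlet adds a second external-key protector, which also yields a second flash drive that can start the computer.

```powershell
# Added example (not from the article): BitLocker PowerShell module, elevated prompt.
# Drive letters (C:, E:, F:) and the recovery file path are placeholders.
Import-Module BitLocker

function Suspend-ForFirmwareChange {
    # "Why should encryption be paused?": Suspend-BitLocker leaves the data encrypted
    # but stores the volume key in the clear, so a BIOS or boot change made during the
    # next $Reboots restarts does not trigger recovery; protection resumes by itself
    # afterwards (RebootCount 0 means "until Resume-BitLocker is run").
    param([string]$MountPoint = 'C:', [int]$Reboots = 1)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $Reboots
}

function Add-SecondStartupKey {
    # "Duplicate the startup key": a second external-key protector written to another
    # flash drive; either drive then starts the computer.
    param([string]$MountPoint = 'C:', [string]$SecondKeyDrive = 'F:\')
    if (-not (Test-Path $SecondKeyDrive)) { throw "Insert the second flash drive at $SecondKeyDrive." }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $SecondKeyDrive | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'ExternalKey' }
}

function Save-NewRecoveryPassword {
    # "Save or print the recovery key": create a fresh recovery password and write it
    # to a file that is kept away from this computer. The new protector is found by
    # comparing identifiers before and after, rather than trusting list order.
    param([string]$MountPoint = 'C:', [string]$Path = "$env:USERPROFILE\Documents\recovery-key.txt")
    $before = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorId)
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $before
    }
    "Identifier: $($new.KeyProtectorId)`r`nRecovery key: $($new.RecoveryPassword)" |
        Set-Content -Path $Path -Encoding Unicode
    return $new.KeyProtectorId
}

function Set-RemovableDrivePassword {
    # "Change the unlock password": add the new password protector first and remove the
    # old one afterwards, so the drive is never left without a password.
    param([string]$MountPoint = 'E:')
    $old = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'Password' }
    $new = Read-Host -Prompt "New unlock password for $MountPoint" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -PasswordProtector -Password $new | Out-Null
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
}

function Enable-AutoUnlockHere {
    # "Enable automatic unlocking on this computer": the drive's key is stored on the
    # BitLocker-protected system drive, so the drive opens without a prompt only on
    # this PC, and only while the system drive itself is protected.
    param([string]$MountPoint = 'E:')
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if ($os.ProtectionStatus -ne 'On') { throw "Auto-unlock requires BitLocker protection on the system drive." }
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint
}

# Usage, one operation at a time:
# Suspend-ForFirmwareChange -MountPoint 'C:' -Reboots 1
# Add-SecondStartupKey -MountPoint 'C:' -SecondKeyDrive 'F:\'
# Save-NewRecoveryPassword -MountPoint 'C:' -Path '\\SERVER\BitLockerKeys\laptop-C.txt'
# Set-RemovableDrivePassword -MountPoint 'E:'
# Enable-AutoUnlockHere -MountPoint 'E:'
```

The suspend function is the one to reach for before a BIOS update or a change to the boot configuration; with protection suspended the computer boots without the startup key for the chosen number of restarts, so the volume should be resumed (or the reboot count allowed to expire) as soon as the change is done.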

Restoring disk access

Restoring access to the system drive

If the flash drive with the key is out of reach, the recovery key comes into play. When you boot the computer, you will see something like the following picture:

To restore access and boot Windows, press Enter.

You will see a screen asking you to enter the recovery key.

Once the last digit is entered, provided that the recovery key is correct, the operating system boots automatically.

Restoring access to removable drives

To restore access to the information on a flash drive or external HDD, click "Forgot your password?"

Select "Enter recovery key"

and enter this terrible 48-digit code. Click Next.

If the recovery key matches, the drive is unlocked.

A "Manage BitLocker" link appears, where you can change the password used to unlock the drive.

Conclusion

In this article we learned how to protect our information by encrypting it with the built-in BitLocker tool. It is frustrating that this technology is only available in the higher or advanced editions of Windows. It also became clear why the hidden 100 MB boot partition is created when a disk is set up with Windows tools.

Perhaps I will use encryption for flash drives or external hard drives. But this is unlikely, since there are good substitutes in the form of cloud storage services such as Dropbox, Google Drive, Yandex Disk and the like.

BitLocker - New Drive Encryption Features

The loss of sensitive data often occurs after an attacker has gained access to the information on a hard drive. For example, if a fraudster somehow gets the opportunity to read the system files, he can use them to try to find user passwords, extract personal information, and so on.

Windows 7 includes the BitLocker tool, which encrypts an entire drive so that the data on it remains protected from prying eyes. BitLocker encryption was introduced in Windows Vista and has been refined in the new operating system. The most interesting innovations:

  • enabling BitLocker from the Explorer context menu;
  • automatic creation of a hidden boot disk partition;
  • data recovery agent (DRA) support for all protected volumes.

Recall that this tool is not implemented in all editions of Windows, but only in the Ultimate, Enterprise and Professional editions.

Protecting a drive with BitLocker preserves the user's confidential data in almost any force majeure circumstances: loss of removable media, theft, unauthorized access to the drive, and so on. BitLocker encryption can be applied to any system disk as well as to any additionally connected media. If data on an encrypted disk is copied to another medium, it is transferred without encryption.

To provide greater security, BitLocker can use multi-level encryption: the simultaneous activation of several types of protection, including hardware and software methods. Combinations of protection methods give several different operating modes of the BitLocker encryption system. Each has its own advantages and provides its own level of security:

  • mode using a trusted platform module;
  • mode using a trusted platform module and a USB device;
  • mode using a trusted platform module and a personal identification number(PIN code);
  • mode using a USB device containing a key.

Before we take a closer look at how BitLocker is used, some clarification is needed. First of all, it is important to understand the terminology. The TPM is a special cryptographic chip that allows identification. Such a chip may be integrated, for example, in some models of laptops, desktop PCs, various mobile devices, and so on.

This chip stores a unique "root access key". Such a chip with the key burned in is another reliable layer of protection against cracking encryption keys. If this data were stored on any other medium, whether an HDD or a memory card, the risk of losing the information would be disproportionately higher, since access to those devices is easier to obtain. Using the "root access key", the chip can generate its own encryption keys, which can only be decrypted by the TPM. The owner password is generated the first time the TPM is initialized. Windows 7 supports TPM 1.2 and also requires a compatible BIOS.

When protection is performed solely with the TPM, data is collected at the hardware level while the computer is turned on, including information about the BIOS and other data whose totality confirms the authenticity of the hardware. This mode of operation is called "transparent" and requires no action from the user: the check is made and, if it succeeds, boot proceeds in the normal mode.

Curiously, computers containing a trusted platform module are still only a theory for our users, since the import and sale of such devices in Russia and Ukraine is prohibited by law due to certification problems. Thus, for us, only the option of protecting the system disk with a USB drive holding the access key remains relevant.

BitLocker makes it possible to encrypt data drives that use the exFAT, FAT16, FAT32 or NTFS file systems. If encryption is applied to the operating system drive, that drive must be formatted with NTFS. The encryption method BitLocker uses is based on the strong AES algorithm with a 128-bit key.

One difference between BitLocker in Windows 7 and the similar tool in Windows Vista is that the new operating system does not require special disk partitioning. Previously the user had to use the Microsoft BitLocker Drive Preparation Tool; now you only need to specify which drive should be protected, and the system automatically creates a hidden boot partition used by BitLocker. This boot partition is used to start the computer and is stored unencrypted (otherwise booting would be impossible), while the partition with the operating system is encrypted. Compared to Windows Vista, the boot partition takes about ten times less disk space. This additional partition is not assigned a separate letter and does not appear in the file manager's list of partitions.

To manage encryption, it is convenient to use the Control Panel tool BitLocker Drive Encryption. It is a disk manager with which you can quickly encrypt and unlock disks and work with the TPM. You can cancel or suspend BitLocker encryption from this window at any time.

BitLocker To Go - external device encryption

Windows 7 introduced a new tool, BitLocker To Go, designed to encrypt any removable drives: USB drives, memory cards, etc. To enable encryption of a removable disk, open Explorer, right-click the desired media and select "Turn on BitLocker" in the context menu.

This will launch the Encryption Wizard for the selected drive.

The user can choose one of two methods to unlock the encrypted disk: a password, in which case the user must enter a string of characters, or a smart card, in which case the smart card's PIN code is required. The whole disk encryption procedure takes quite a long time, from several minutes to half an hour, depending on the size of the drive being encrypted and its speed.

If you connect encrypted removable media, access to the storage in the usual way is impossible, and when trying to access the disk the user sees the following message:

In Explorer, the icon of a drive to which the encryption system is applied also changes.

To unlock the media, right-click the media's drive letter again in the file manager and select the appropriate command in the context menu. After the correct password is entered in the new window, access to the contents of the disk opens and you can work with it as with unencrypted media.
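The context-menu procedure just described, as an added example using the BitLocker PowerShell module of Windows 8.1 and 10 (not code from the article): it turns BitLocker To Go on for a removable drive with a password, adds and saves a recovery password so that a forgotten password does not mean lost data, reports the encryption progress the text says can take up to half an hour, and unlocks the drive with the password once it has been reconnected. E: and the Documents folder are assumed placeholders, and the encryption method is deliberately the AES-CBC "compatible" mode so the stick also opens on Windows 7.

```powershell
# Added example (not from the article): BitLocker To Go from PowerShell, elevated prompt.
# E: and the recovery-file folder are placeholders.
Import-Module BitLocker

function Enable-BitLockerToGo {
    # Command-line equivalent of "Turn on BitLocker" in the Explorer context menu:
    # password unlock, plus a recovery password as the fallback the wizard also offers.
    param(
        [string]$MountPoint  = 'E:',
        [string]$RecoveryDir = "$env:USERPROFILE\Documents"   # keep the file off the stick itself
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume; BitLocker To Go is for removable data drives." }
    if ($vol.VolumeStatus -ne 'FullyDecrypted') { throw "$MountPoint already has BitLocker state: $($vol.VolumeStatus)." }

    $pw = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString
    # Aes256 is the CBC "compatible" mode, readable by Windows 7 and 8 as well;
    # -UsedSpaceOnly keeps the initial pass short on a mostly empty stick.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw `
                     -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

    # Recovery password: the only way back in if the password is forgotten.
    $vol  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp   = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -First 1
    $file = Join-Path $RecoveryDir "BitLocker To Go recovery $($rp.KeyProtectorId.Trim('{', '}')).txt"
    "Identifier: $($rp.KeyProtectorId)`r`nRecovery key: $($rp.RecoveryPassword)" |
        Set-Content -Path $file -Encoding Unicode
    Write-Host "Recovery password saved to $file"
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Wait-ToGoEncryption {
    # Progress of the background pass; "from several minutes to half an hour" in the text.
    param([string]$MountPoint = 'E:')
    do {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} {2}%" -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
        Start-Sleep -Seconds 5
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')
    return $vol
}

function Unlock-ToGoDrive {
    # What the context-menu "Unlock drive" command does after the stick is reconnected.
    param([string]$MountPoint = 'E:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -ne 'Locked') { return $vol }
    $pw = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
    Unlock-BitLocker -MountPoint $MountPoint -Password $pw
}

# Usage:
# Enable-BitLockerToGo -MountPoint 'E:'
# Wait-ToGoEncryption  -MountPoint 'E:'
# Unlock-ToGoDrive     -MountPoint 'E:'      # on the next computer the stick is plugged into
```

`Enable-BitLockerToGo` refuses to run on anything but a fully decrypted data volume, so pointing it at the system drive by mistake fails before any protector is added.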