Encrypting Your Hard Drive with FIPS Compliant BitLocker on Windows
Andy Lyons
February 2023
IGIS Tech Notes describe workflows and techniques for using geospatial science and technologies in research and extension. They are works in progress, and we welcome feedback and comments below.
Background
Fortunately, it's not hard to implement FIPS 140-2 encryption these days. Both Windows and MacOS have built-in tools that will encrypt your entire hard drive. This does not mean you need to enter a password every time you access a file. The encryption is done invisibly in the background, and the 'password' is saved on a chip deep in the bowels of your laptop. You don't even know it's there.
What's the point then if I don't have to enter a password? - you might ask. Good question. Disk encryption protects you in the unfortunate event that someone steals your laptop, pulls the hard drive out, sticks it in another computer, and tries to access the contents. With an unencrypted hard drive, this is not terribly difficult. With an encrypted drive someone can still get into your drive, but all they'll see is gibberish.
It's important to note that that's all disk encryption protects you against. It doesn't protect you against the more common forms of data theft including phishing, social engineering, viruses, and breaking into your online accounts. Take your Cybersecurity training and don't let your guard down!
Windows BitLocker Encryption Step-by-Step
Notes:
- BitLocker is only available with the 'Pro', 'Enterprise', and 'Education' versions of Windows 10 and 11. Windows Home does not include BitLocker, but it does include a more limited form of device encryption (more info).
- Some of the steps may require administrative privileges. If your Windows user account doesn't have admin rights, contact your administrator for assistance.
- MacOS has something similar called FileVault. See this guide, or just search for "How to enable FileVault".
Below is a step-by-step guide for setting up FIPS compliant BitLocker encryption on Windows 10 & 11. For additional details, see this BitLocker Overview from Microsoft, or this article on BitLocker FIPS 140-2 validation.
1. Verify if BitLocker is already enabled
First we're going to check if you already have BitLocker enabled (because if it, is you might have to decrypt your HD first). If you log into Windows with a Microsoft account, it's probably turned on. To check:
Open the Windows Settings app (Start menu → Settings), go to 'Device Encryption'. Take note if encryption is turned on:
Take note of the setting - that's all for now. Don't turn on encryption just yet!!
2. See if BitLocker is using FIPS encryption
"FIPS Encryption' is a BitLocker option that is turned off by default. If you've never encrypted your drive, it's probably turned off. Here's how you check;
- Open the 'Local Security Policy' app (Start Menu → Local Security Policy)
- Open Local Policies >> Security Options
- Double-click "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"
If it says 'Disabled' and your drive isn't already encrypted, you're in good shape. Enable "FIPS Encryption", click OK, then go to the next step.
If it says 'Disabled' but your device was already encrypted with BitLocker, then you have to de-encrypt it before you can turn it on (sorry!). Cancel out. Go back to the Windows Settings app, and Turn Off device encryption. You may have to wait an hour or so for it to finish decrypting, but you can keep using your laptop. When it's done decrypting, repeat the steps above and enable the 'Use FIPS' setting. More info.
3. Turn on device encryption
Now that you've 1) verified your drive isn't already encrypted, and 2) turned on the 'Use FIPS' option, you're ready to encrypt!
Go back to the Windows Settings App (step 1), search for 'Device Encryption' and turn it on.
Your existing files will be encrypted in the background, and any new files will be automatically encrypted with a super strong FIPS-140-2 compliant algorithm. You can keep working on your laptop, and when it's done nothing will appear different.
4. Save your recovery key (most important step!)
The super strong encryption that prevents a bad guy from getting data off your hard drive can also lock you out if you ever need to remove your hard drive from your computer in order to access it (Pro tip: don't spill coffee on your laptop). Other reasons you might need the recovery key are if you upgrade the operating system, update the BIOS, or change the boot configuration.
If you ever need to access your drive on another machine, you're going to need a recovery key. To get your recovery key, click on the 'BitLocker settings' link on the 'Device Encryption' page, then click on the 'Back up your recovery key' link. This will let you print your recovery key, save it to a text file, or save to an Azure AD account (i.e., cloud storage connected to your Microsoft account).
If you save your key to a file, BitLocker will insist that you save it to a non-encrypted location (e.g, a thumb drive). This of course makes sense, because a key on an encrypted drive won't be very helpful if you're locked out of the same drive.
Save it in multiple locations where you can find it when needed, or print it and save it someplace safe. You can also save it in your password manager (be sure to store both the Identifier and the Recovery Key). More info on saving your Recovery Key can be found here.
Congrats - your hard drive is now encrypted and you have a way to get back into it if needed! You can relax a little bit (but leaving your laptop in the back of an Uber or spilling coffee on it is still a bad idea!)
This work was supported by the USDA - National Institute of Food and Agriculture (Hatch Project 7003843; Meyer).