If your computer is lost or stolen, a password will not protect your data. The thief doesn't even need to log into the system - he will simply remove the hard drive and connect it to another computer.
However, if the data is encrypted, it is almost impossible to retrieve it.
So what can you protect:
- clients from identity theft;
- business from claims related to confidentiality violations;
- reputation.
Bitlocker Windows 10, how to unlock?
Microsoft BitLocker provides easy encryption of drive data on your computer. This way you can remain protected if your device or drive is lost or stolen.
To get started, do the following:
- Before performing any of the following methods, back up your system;
- Check if Windows supports device encryption.
Most PCs with system version 8.1 or higher (but not all) are capable of encrypting devices. Mostly new computers running Windows 10 have this feature.
When you sign in as an administrator, BitLocker only encrypts your drive.
The recovery key is uploaded to Microsoft servers. It will help you recover important files if you forget your password or are unable to log into the system.
To find out if your computer supports device encryption, follow these steps:
Step 1: Open the Settings app using the Win+I keys.
Step 2: Select System and then go to the About tab.
Open the “System” parameter
Go to the “About” tab
Step 3: Find the Device Encryption section at the bottom of the window. If you don't find anything, it means your computer doesn't support this feature. Otherwise, you will see a section like in the screenshot below.
On the right side of the window we find the “Device encryption” section
Requirements
The first requirement is the availability of the required OS version. Typically, BitLocker supports Windows Pro or Ultimate, for example:
- Windows Vista and Windows 7: Enterprise and Ultimate;
- Windows 8 and 8.1 editions: Pro and Enterprise;
- Windows 10 editions: Pro, Enterprise and Education.
If you're using Home Windows, it's worth considering upgrading to the Pro version.
Note! It is better to combine the operating system update with the purchase of a new computer, since almost all models include TPM.
Your PC must support Trusted Platform Module (TPM). Many PCs designed for business have it (for example, Dell Precision and Optiplex, Lenovo ThinkCenter series, HP Pro and Elite). By the way, you can use BitLocker even without a TPM.
To use BitLocker, your computer must have a Trusted Platform Module
Also check the following requirements:
- The BIOS must support TPM or USB devices. Otherwise, to get the latest firmware update you need to visit the manufacturer's website;
- The hard drive must contain two partitions: a system partition with the necessary files to run Windows and a partition with the operating system. Both of them must be formatted with the NTFS file system;
- the process of encrypting an entire hard drive is not complicated, but it takes a lot of time;
- Make sure that the computer is connected to an uninterruptible power supply throughout the entire work process.
From vista to windows 10
There are a lot of different people working at Microsoft, and not all of them code with their back left foot. Alas, the final decisions in software companies have long been made not by programmers, but by marketers and managers. The only thing they really consider when developing a new product is sales volume. The easier it is for a housewife to understand the software, the more copies of this software she will be able to sell.
“Just think, half a percent of clients are concerned about their safety! The operating system is already a complex product, and here you are scaring the target audience with encryption. We can do without him! We managed before!” — Microsoft’s top management could have reasoned approximately this way until the moment when XP became popular in the corporate segment.
Among administrators, too many specialists have already thought about security to discount their opinion. Therefore, the long-awaited volume encryption appeared in the next version of Windows, but only in the Enterprise and Ultimate editions, which are aimed at the corporate market.
The new technology is called BitLocker. This was probably the only good thing about Vista. BitLocker encrypted the entire volume, making user and system files unreadable, bypassing the installed OS. Important documents, cat photos, registry, SAM and SECURITY - everything turned out to be unreadable when performing an offline attack of any kind.
In Microsoft terminology, a “volume” is not necessarily a disk as a physical device. A volume can be a virtual disk, a logical partition, or vice versa - a combination of several disks (a spanned or striped volume). Even a simple flash drive can be considered a connectable volume, for end-to-end encryption of which, starting with Windows 7, there is a separate implementation - BitLocker To Go (for more details, see the sidebar at the end of the article).
With the advent of BitLocker, it became more difficult to boot a third-party OS, since all bootloaders received digital signatures. However, a workaround is still possible thanks to Compatibility Mode. It’s worth changing the boot mode in the BIOS from UEFI to Legacy and disabling the Secure Boot function, and the good old bootable flash drive will come in handy again.
How to check for TPM
You already know that a computer must have a TPM. A TPM is a special microchip that allows a device to support advanced security features and provides a tamper-proof way to store encryption keys.
You can check if your computer has TPM by following these steps:
Step 1. Select the “Windows+R” keys.
Press the “Windows + R” key to open the “Run” window
Step 2: Type "tpm.msc".
In the “Open” field enter “tpm.msc”
Step 3: Press Enter.
Another way:
Step 1. To open the “Power User” menu, use the “Windows + X” key combination. Then select Device Manager.
By calling the “Power User” menu, pressing the “Windows + X” keys, open the “Device Manager”
Step 2: Expand security devices. The TPM is represented as a Trusted Platform Module with a version number.
Double-click the mouse to open the “Security devices” parameter, we see the TPM trusted platform module with the version number
Note! To support BitLocker, your computer must have a TPM chip version 1.2 or later.
However, if you see a "Compatible TPM not found" message, then this means that your computer does not have a TPM.
Solution 1: Disable bitlocker from windows 8 control panel
Similar to how you solved this problem in Windows 7, it can disable BitLocker from Control Panel if you know your password and it is still working.
To disable BitLocker, you need to do the following:
- Open the search bar and type Manage BitLocker. Select Manage BitLocker from the menu.
- The BitLocker window will open where you will see all your partitions and you can either choose to suspend BitLocker or disable it completely. Select the desired option and follow the wizard's instructions.
After this, BitLocker should be permanently disabled for the selected drive.
How to enable BitLocker
After verifying that your computer has a TPM chip, follow these steps to activate BitLocker:
Step 1: Click the Start button. In the Utilities folder, look for “Control Panel.”
In the “Start” menu, open the “Windows System” folder, find and open “Control Panel”
Step 2: Click System and Security.
In the “View” category, select “Category”, click on the “System and Security” section
Step 3: Click BitLocker Drive Encryption.
Click on “BitLocker Drive Encryption”
Step 4: Then click on the text link “Enable BitLocker.”
Click on the text link “Enable BitLocker”
Step 5. Choose how to unlock the drive during startup: you can insert a USB flash drive or enter a password (we chose the second method because it is easier).
We select one of the methods to unlock the disk at startup; for example, the “Enter password” method is selected
Step 6. Next, enter the password that will be used when loading Windows 10 to unlock the drive (however, you must remember it well). After that, click "Next".
Enter the password twice and click “Next”
Note! Make sure the password you create is strong, using upper and lower case, numbers, and symbols.
Step 7: Don't worry about forgetting everything. You will be given several options for storing the key, which will help restore access to your files:
- in your Microsoft account;
- on a USB stick;
- as a file;
- on paper.
Make sure to choose the option that is most convenient for you and keep the recovery key in a safe place.
Select the recovery key storage option that suits you and click “Next”
Step 8: Click Next.
Step 9: Now select the encryption option that best suits your needs.
Select the required encryption option and click “Next”
Step 10. Then decide on these two parameters.
Select “New encryption mode” or “Compatibility mode”, click “Next”
Step 11 : Click Next.
Step 12: Now check the box next to Run BitLocker System Check and click Continue.
Check the box next to running the BitLocker system scan and click “Continue”
Step 13. You're done! Before starting the encryption process, simply restart your computer.
Reboot the computer
Step 14. To unlock the drive, BitLocker will prompt you to enter a password. Enter it and press "Enter".
Enter the password specified when you enabled BitLocker, press “Enter”
Offline attacks
BitLocker technology was Microsoft's response to the increasing number of offline attacks that were especially easy to carry out against Windows computers. Anyone with a bootable USB flash drive can feel like a hacker. He will simply turn off the nearest computer, and then boot it up again - with its OS and a portable set of utilities for finding passwords, confidential data and dissecting the system.
At the end of the working day, you can even organize a small crusade with a Phillips screwdriver - open the computers of departed employees and remove the drives from them. That same evening, in a quiet home environment, the contents of the extracted disks can be analyzed (and even modified) in a thousand and one ways. The next day, just come early and return everything to its place.
However, it is not necessary to open other people’s computers right at the workplace. A lot of confidential data leaks after recycling old computers and replacing drives. In practice, secure erasure and low-level formatting of decommissioned disks are done by very few people. What can stop young hackers and collectors of digital carrion?
As Bulat Okudzhava sang: “The whole world is made of restrictions, so as not to go crazy with happiness.” The main restrictions in Windows are set at the level of access rights to NTFS objects, which do not protect against offline attacks. Windows simply checks read and write permissions before processing any commands that access files or directories.
This method is quite effective as long as all users work in a system configured by the administrator with limited accounts. However, as soon as you raise your rights or boot into another operating system, not a trace will remain of such protection.
There are many complementary methods to counter offline attacks, including physical security and video surveillance, but the most effective ones require the use of strong cryptography. Bootloader digital signatures prevent third-party code from running, and the only way to truly protect the data on your hard drive itself is to encrypt it. Why has full disk encryption been missing from Windows for so long?
What you need to know
After restarting, the computer will quickly open the desktop. This is not the end!
After going to Control Panel>System and Security>BitLocker Drive Encryption, you will see that the drive is not yet encrypted.
What to do in this case?
Absolutely nothing. Just wait for the process to complete. It takes some time, depending on the option you choose and the size of the drive. Use your computer in peace and let the finishing touches happen in the background.
Disk encryption process in the background
Once you find that the encryption process is complete, a corresponding BitLocker icon should appear above the drive in Explorer.
There is a BitLocker icon on the encrypted drive
This way you can check whether it is enabled or not.
Potential vulnerabilities
You've probably noticed that you have to wait a long time when you activate BitLocker for the first time. This is not surprising - the process of sector-by-sector encryption can take several hours, because even reading all the blocks of a terabyte HDD is not possible faster. However, disabling BitLocker is almost instantaneous - how can that be?
The fact is that when disabled, BitLocker does not decrypt data. All sectors will remain encrypted with the FVEK key. Simply, access to this key will no longer be limited in any way. All checks will be disabled, and the VMK will remain recorded among the metadata in clear text.
Every time you turn on the computer, the OS bootloader will read the VMK (without checking the TPM, asking for a key on a flash drive or a password), automatically decrypt FVEK with it, and then all files as they are accessed. For the user, everything will look like a complete lack of encryption, but the most attentive may notice a slight decrease in the performance of the disk subsystem. More precisely, there is no increase in speed after disabling encryption.
There is something else interesting about this scheme. Despite the name (full-disk encryption technology), some data still remains unencrypted when using BitLocker. The MBR and BS remain open (unless the disk was initialized in GPT), damaged sectors and metadata.
An open bootloader gives room for imagination. Pseudo-bad sectors are convenient for hiding rootkits and other malware, and the metadata contains a lot of interesting things, including copies of keys. If BitLocker is active, then they will be encrypted (but weaker than FVEK encrypts the contents of sectors), and if deactivated, they will simply lie in the clear. These are all potential attack vectors. They are potential because, in addition to them, there are much simpler and more universal ones.
Emergency login to BitLocker
If you forgot (or never knew) the password you set in BitLocker, then simply look for the file with the recovery key. Surely it will be saved among the current user’s documents or on his flash drive. Maybe it's even printed on a piece of paper, as Microsoft recommends. Just wait until your colleague goes on a break (forgetting to lock his computer, as always) and start searching.
Login with recovery key
How to enable BitLocker if your computer does not have a TPM
To do this, follow these steps:
Step 1. To open the “Local Group Policy Editor” (not all versions of the system have it), use the key combination “Windows + R”. Type "gpedit.msc" and press Enter.
After pressing the “Windows + R” keys, enter “gpedit.msc” in the “Open” field and press “Enter”
Step 2: Under Computer Configuration, expand Administrative Templates.
In the “Computer Configuration” section, open “Administrative Templates”
Step 3: After that, expand “Windows Components”.
Double-click with the left mouse button on “Windows Components”
Step 4: Now open BitLocker Drive Encryption and select Operating System Drives.
Open “BitLocker Drive Encryption”, select “Operating System Drives”
Step 5 . On the right side, double-click on the option highlighted in the screenshot.
Double-click with the left mouse button on the parameter “This parameter allows you to configure the additional requirement”
Step 6: Select Enabled.
Step 7. Now check the box next to the appropriate option as in the screenshot below. Click OK.
Click on “Enabled”, check the “Allow BitLocker” option, click “Apply”, then “OK”
Step 8: Close the editor.
Video - Encrypting system drive C with BitLocker in Windows 10, activating TRM
Features of Bitlocker in Windows 7
Despite the end of support for this version of the system, many continue to use it. This raises many questions about the process of enabling the encryption function in Windows 7.
In fact, this process is almost no different from that described above - it is the same for all versions of Windows - “seven”, “eight”, “tens”. But in the “seven” this function is implemented only in the “Advanced”, “Corporate”, and “Professional” versions. In “Home”, for example, it simply isn’t there and there’s no point in looking for it there.
So, if you want to encrypt or decrypt files on your computer, you just need to read our recommendations, then without haste carry out each step of the indicated algorithm, and upon completion, rejoice at the result achieved.
Encrypt all drives
You must enable BitLocker on all storage drives, both internal and external. Simply repeat the steps above for each drive you have on your computer.
External storage devices include any USB drives, flash drives, SD cards, etc. We do not recommend using them because even after encryption, these devices run the risk of being stolen and unlocked. There is no guarantee that any such disk will not be accidentally decrypted or that you will remember the password or recovery key.
Disk encryption
On a note! Instead, consider using free and reliable cloud storage.
If you need an external drive to back up your files, then enable BitLocker. For convenience, you can set automatic unlocking when connecting to a specific computer. This way, you won't have to constantly enter your password to unlock the drive. However, always have either your password or recovery key with you. Therefore, save them in a safe place (for example, in your Microsoft account).
Disabling the feature
If for some reason the files on your computer are no longer of high importance, and you don’t really like entering a password every time to access them, then we suggest that you simply disable the encryption function.
To perform such actions, go to the notification panel, find the BitLocker icon there, and click on it. At the bottom of the open window you will find the line “Manage BitLocker”, click on it.
Now the system will prompt you to choose which action is preferable for you:
- archive the recovery key;
- change the password for accessing encrypted files;
- remove a previously set password;
- disable BitLocker.
Of course, if you decide to disable BitLocker, you should choose the last option offered. A new window will immediately appear on the screen, in which the system will want to make sure that you really want to disable the encryption function.
Of course, if you need to use a computer at this moment, you can afford it; there is no categorical prohibition on this. However, you should prepare yourself for the fact that PC performance at this moment may be extremely low. It’s not difficult to understand the reason for this slowness, because the operating system has to unlock a huge amount of information.
How to find a lost recovery key
A recovery key is created the first time you use BitLocker for each selected drive. It provides access to hidden data. The key can also be used to unlock files and folders encrypted on a removable device (such as an external hard drive or USB drive) with BitLocker To Go if for some reason you forget the password or your computer can't access the drive.
The .BEK file can be stored on a flash drive or on a computer, in the place where we saved it when encrypting the disk
The Bitlocker recovery key looks like this (it is stored in a .BEK file named Bitlocker+Recovery+Key+4C2392DC-60A8-4B98-95AA-6A91D2191EB4.BEK).
Bitlocker recovery key
To ensure that the recovery key is correct, compare the beginning of the above identifier with the value of a similar one in the encrypted Bitlocker volume.
How/Where to find lost Bitlocker recovery key?
How you recover your lost key depends on your configured login settings:
1. If you are using a local account, then log in as an administrator.
2. Microsoft account users should check the following places:
- Microsoft account online. To get the recovery key, go to your account and get it from there;
- a saved copy of the recovery key. Perhaps you store it as a file, on a flash drive, or in paper form.
Los Alamos principle
The task of decrypting BitLocker drives is also simplified by the fact that Microsoft is actively promoting an alternative method of restoring access to data through the Data Recovery Agent. The point of the “Agent” is that it encrypts the encryption keys of all drives within the enterprise network with a single access key.
The idea of using one key for all locks has already been compromised many times, but it continues to be returned in one form or another for the sake of convenience. Here's how Ralph Layton wrote Richard Feynman's memories of one characteristic episode of his work on the Manhattan Project at the Los Alamos Laboratory: “... I opened three safes - and all three with the same combination. <…>
I dealt with them all: I opened the safes with all the secrets of the atomic bomb - the technology for producing plutonium, a description of the purification process, information about how much material is needed, how the bomb works, how neutrons are produced, how the bomb works, what its dimensions are - in a word, everything, which they knew about in Los Alamos, the whole kitchen!
BitLocker is somewhat reminiscent of the safe design described in another fragment of the book You're Surely Joking, Mr. Feynman! The most impressive safe in a top-secret laboratory had the same vulnerability as a simple filing cabinet. “...This was a colonel, and he had a much more sophisticated, two-door safe with large handles that pulled four three-quarter-inch thick steel rods out of the frame. <…>
I examined the back of one of the imposing bronze doors and discovered that the dial was connected to a small lock that looked exactly like the lock on my Los Alamos closet. <…> It was obvious that the lever system depended on the same small rod that locked the filing cabinets. <…>.
Pretending some kind of activity, I began to turn the dial at random. <…> Two minutes later - click! — the safe opened. <…> When the safe door or the top drawer of the filing cabinet is open, it is very easy to find the combination. This is exactly what I did when you read my report, just to demonstrate to you the danger.”
BitLocker crypto containers themselves are quite secure. If they bring you a flash drive that came from nowhere, encrypted with BitLocker To Go, then you are unlikely to decrypt it in an acceptable time. However, the real-life scenario of using encrypted drives and removable media is full of vulnerabilities that can be easily exploited to bypass BitLocker.
What is BitLocker and why is it needed?
BitLocker Recovery is designed to protect your information contained in your vaults. With its help, even if the disk is installed on another device, the protection will remain. However, in some cases it is necessary to remove the protection.
If you have previously used this tool to save data, carefully review the different options for removing protection.
Please note that for a successful unlocking process, in some cases you need the password that you set when activating this function. Find or remember it in advance.
Volga or Pobeda? Are you familiar with the Soviet automobile industry? Test yourself in a fun test!
