How to Encrypt Disks on Windows
One of the trigger points behind my decision to build a dedicated PC has to do with general cybersecurity. To clarify, Boot Camp Windows running on an Intel Mac is not particularly more vulnerable than any other Windows machine; it is simply more dated. And being dated, for the sake of security, means not gaining support for newer security features such as a TPM.
BitLocker is the FileVault or LUKS equivalent for Windows. The shared principle is simple: encrypt the whole drive and stay fail-secure. Turning on BitLocker does require a TPM and an account with administrator privileges. You can save the BitLocker backup codes to your Microsoft account, or, if you use a local account, save them to an external drive or print them out.
- From the Control Panel, navigate to System and Security > BitLocker Drive Encryption.
- Choose to encrypt the full disk.
- Save the backup codes to one of the locations*.
- The computer will restart and will start encrypting afterward. The computer may run slower than usual until the encryption is finished**.
* I would recommend saving it to a password manager of your choice. Simply save the backup code in a text file on an external drive (Windows does not allow it to be saved on the same drive), then upload the file to the password manager of your choice.
** Although Windows says otherwise, I would recommend simply waiting until the encryption is finished. It takes roughly 10 to 20 minutes for an SSD, and any system-critical function may behave unexpectedly in the meantime.
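The same steps from an elevated PowerShell prompt, as an added example that is not from the original post. It assumes the OS volume is C:, that an external drive is mounted as E: (the recovery password must not land on the drive being encrypted), and that the built-in BitLocker and TrustedPlatformModule cmdlets are available.

```powershell
# Added example: enable BitLocker on the system drive, mirroring the Control Panel walkthrough.
# Assumptions (not from the post): OS volume is C:, external drive is E:, TPM is enabled in firmware.
$OsDrive      = "C:"
$BackupFolder = "E:\BitLockerBackup"   # external drive; Windows refuses the drive being encrypted

# 1. BitLocker with a TPM protector needs a present and initialised TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; cannot add a TPM protector on this machine."
}

# 2. Add the recovery password protector first. This is the "backup code" from the post.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

# 3. Write the recovery password to the external drive, then upload that file to a password manager.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$backupFile = Join-Path $BackupFolder ("BitLocker-" + $env:COMPUTERNAME + ".txt")
@(
    "Computer:     $env:COMPUTERNAME"
    "Drive:        $OsDrive"
    "Protector ID: $($rp.KeyProtectorId)"
    "Recovery key: $($rp.RecoveryPassword)"
) | Set-Content -Path $backupFile
Write-Host "Recovery password saved to $backupFile"

# 4. Turn BitLocker on for the full disk (no -UsedSpaceOnly) with a TPM protector.
#    Without -SkipHardwareTest, Windows runs a TPM hardware test on the next restart and
#    only then begins encrypting, which matches the restart the post describes.
Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector

# 5. After the restart, run this to watch progress and wait until the volume is FullyEncrypted,
#    as the post recommends, before relying on the machine again.
function Wait-BitLockerEncryption {
    param([string]$MountPoint = "C:")
    do {
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}: {1} ({2}%)" -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
        if ($v.VolumeStatus -ne "FullyEncrypted") { Start-Sleep -Seconds 30 }
    } while ($v.VolumeStatus -ne "FullyEncrypted")
    Write-Host "Protection status: $($v.ProtectionStatus)"
}
```

Once `Wait-BitLockerEncryption` reports `FullyEncrypted` and `ProtectionStatus` is `On`, the TPM protector is active and the recovery password in the external file is the only other way to unlock the drive.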
I believe the best way to describe what is happening is by describing the desired effect of the security measure. We want the data on the drive to be unreadable without the key. Encrypting the whole drive this way means users never need to think about encryption, and if something does fail, as long as the attacker (or anyone who wishes to take a peek) does not have the matching key, all the “data” on the drive is complete nonsense. For added measure, I understand drives can still be zeroed out, but I am not sure it has any added benefit if the full disk encryption is done properly. Personally, I run a single pass of random bits before removing a drive.
The usual question I get on full disk encryption is about the overhead it must generate. The short answer is that it is negligible, and the longer answer is that most modern encryption is already done at the hardware level. Although there are some reports of significant performance impacts, as far as I am aware the added benefit outweighs the cost, and real-world use cases do not seem to support the flagrant headlines.