Self Encrypt Your Windows PC

Encrypt Your PC Using BitLocker

If you do not wish to have your PC's encryption keys managed by UBC, you can turn on the built-in BitLocker encryption software. BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8, 8.1 or 10, or the Ultimate version of Windows 7. If you have a different version of Windows, the PHAS-IT staff can upgrade your Windows version to one that supports BitLocker. Students are eligible to upgrade their Windows via the Microsoft DreamSpark Premium Subscription program.

IMPORTANT NOTICES

Preliminary Hardware Test - Recommended

Prior to enabling BitLocker encryption it is advised to run a full disk scan to confirm there are no bad sectors or general hard drive issues. To do a whole drive scan, follow these steps:
  1. Open Windows Explorer.
  2. Right click your system drive (in most cases c:\).
  3. Click Properties.
  4. Switch to the Tools tab and click the Check now… button.
  5. Confirm that both boxes have a check mark.
  6. Click Start. The system will now prompt to schedule a disk check.
  7. Click Schedule disk check.
  8. Reboot your computer.
  9. Upon reboot the system will start the disk check. The time the scan takes can vary depending on disk size and drive integrity. As soon as the drive scan is completed, your machine will boot and you can log in.

Steps for Windows 8.1 Pro/Enterprise, Windows 10

  1. Open My Computer, right-click the drive you want to encrypt (e.g. the C: drive) and select Turn on BitLocker.
  2. If you receive the following error, proceed to step 3. If this error does not come up, skip to step 4.
  3. Press Windows key + S to search. Search for “gpedit.msc” (without quotations). Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives. Select “Require additional authentication at startup”. Enable it and press OK. Go back to step 1.
  4. When prompted to choose how to unlock the drive at startup, select Enter a Password. The password is sometimes referred to as a BitLocker PIN.
  5. Select a method to back up your recovery key. We recommend printing out the key or saving it to a USB.
  6. Select Encrypt entire drive and press Next.
  7. Run the BitLocker system check.
  8. Restart your computer when prompted.
  9. Enter the BitLocker password that you chose in step 4 in the BitLocker login screen. Log in to your Windows account as usual. An icon of a hard drive with keys should appear in the task tray. Double-click it to check on the encryption process. The encryption process can run in the background while you use your computer.
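
Once the steps above are done, the result can also be checked from an elevated PowerShell prompt instead of the task tray icon. The script below is an added example, not part of the original PHAS-IT instructions; it assumes Windows 8.1 or 10 with the built-in BitLocker and TrustedPlatformModule cmdlets, and that the system drive is the one you encrypted.

```powershell
#Requires -RunAsAdministrator
# Added example (not PHAS-IT's own script). It only reads BitLocker state and
# lists protector types; it never prints the recovery password itself.
param([string]$MountPoint = $env:SystemDrive)  # assumption: the OS drive was encrypted

# Steps 2-3: without a TPM, BitLocker needs the "Require additional
# authentication at startup" policy, which is stored under this registry key.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$fve = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$noTpmAllowed = ($fve.UseAdvancedStartup -eq 1) -and ($fve.EnableBDEWithNoTPM -eq 1)

# Step 9: the same information the task tray icon shows.
$vol   = Get-BitLockerVolume -MountPoint $MountPoint
$types = @($vol.KeyProtector | Where-Object { $_ } |
           ForEach-Object { "$($_.KeyProtectorType)" })

$findings = @()
if (-not $tpm.TpmPresent -and -not $noTpmAllowed) {
    $findings += 'No TPM found and the startup authentication policy is not enabled (step 3).'
}
if (-not (($types -contains 'Password') -or ($types -contains 'TpmPin'))) {
    $findings += 'No startup password or PIN protector on this drive (step 4).'
}
if ($types -notcontains 'RecoveryPassword') {
    $findings += 'No recovery password protector; the step 5 backup cannot unlock this drive.'
}
if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
    $findings += "Encryption not finished: $($vol.VolumeStatus), $($vol.EncryptionPercentage)% done."
}
if ("$($vol.ProtectionStatus)" -ne 'On') {
    $findings += 'Protection status is not On.'
}

# Summary object first, then one warning per failed check.
[pscustomobject]@{
    Drive          = $vol.MountPoint
    VolumeStatus   = $vol.VolumeStatus
    PercentDone    = $vol.EncryptionPercentage
    Protection     = $vol.ProtectionStatus
    Method         = $vol.EncryptionMethod
    ProtectorTypes = $types -join ', '
    TpmPresent     = [bool]$tpm.TpmPresent
    NoTpmPolicySet = $noTpmAllowed
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'All checks passed.' }
```

While encryption is still running in the background, the last two checks are expected to warn; run the script again after the tray icon reports completion.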

Steps for Windows 7 Enterprise

If your computer does not have a TPM chip, a USB key will be required.
  1. Open My Computer and right-click the drive to encrypt. Select “Turn On BitLocker…”.
  2. If you receive this error, proceed to step 3. If this error does not come up, skip to step 4.
  3. Click the Start menu and type “gpedit.msc” (without quotations). Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives. Select “Require additional authentication at startup”. Enable it and press OK. Go back to step 1.
  4. Select Require a Startup key at every startup.
  5. Insert USB memory device. Please note that to decrypt your laptop at startup this USB memory device must be plugged in. Without the USB key plugged in you will NOT have access to your laptop.
  6. Select a method to back up your recovery key. We recommend printing out the key or saving it to a USB. If you do choose to save it to a USB, do not save it to your USB key. The recovery key is a backup method to gain access to your laptop if you lose your USB key. Saving the recovery key to your USB key defeats this purpose.
  7. Run the BitLocker system check.
  8. Restart BitLocker when prompted.
  9. Log in to your Windows account as usual. An icon of a hard drive with keys should appear in the task tray. Double-click it to check on the encryption process. The encryption process can run in the background while you use your computer.

Decryption

If at some future date you would like to decrypt your PC, do the following:
  1. Click the Start menu and search for "BitLocker Drive Encryption".
  2. Select Turn Off BitLocker. Press Decrypt Drive.
  3. Your PC should begin its decryption process.

More information and instructions on setting up BitLocker: