Self Encrypt Your Windows PC
Encrypt Your PC Using BitLocker
If you do not wish to have your PCs encryption keys managed by UBC, you can turn on the built-in Bitlocker encryption software. BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8, or 8.1 or 10, or the Ultimate version of Windows 7. If you have a different version of Windows, the PHAS-IT staff can upgrade your Windows version to one that supports Bitlocker. Students are eligible to upgrade their Windows via the Microsoft DreamSpark Premium Subsciption program.
IMPORTANT NOTICES
- Prior to encrypting, please backup all important data files.
- There is a small chance that data loss or corruption can occur if a disk error happens during the encryption procedure.
- Those with Windows 7 Home/Pro can upgrade to Windows 7 Enterprise. Please visit one of the PHS-IT staff for more information.
- Steps for Windows 8.1 Pro/Enterprise, Windows 10
- Steps for Windows 7 Enterprise
Preliminary Hardware Test - Recommended
Prior to enabling BitLocker encryption it is advised to run a full disk scan to confirm there are no bad sectors or general hard drive issues. To do a whole drive scan, follow these steps:
- Open Windows Explorer.
- Right click your system drive (in most cases c:\).
- Click Properties.
- Switch to the Tools tab and click the Check now… button.
- Confirm that both boxes have a check mark.
- Click Start. The system will now prompt to schedule a disk check.
- Click Schedule disk check.
- Reboot your computer.
- Upon reboot the system will start the disk check. The time the scan takes can vary depending on disk size and drive integrity. As soon as the drive scan is completed, your machine will boot and you can login.
Steps for Windows 8.1 Pro/Enterprise, Windows 10
- Open my computer and right click the drive you want to encrypt (eg. C: drive) and select Turn on BitLocker.
- If you receive the following error, proceed to step 3. If this error does not come up, skip to step 4.
- Press windows key + S to search. Search for “gpedit.msc” (without quotations). Navigate to Computer Configuration -> Administrative Templates ->Windows Components -> BitLocker Drive Encryption -> Operating System Drives. Select “Require additional authentication at startup”. Enable, and press ok. Go back to step 1.
- When prompted to choose how to unlock drive at startup, select Enter a Password. The password is sometimes referred to as a BitLocker Pin.
- Select a method to back up your recovery. We recommend printing out the key or saving it to a USB.
- Select Encrypt entire drive and press next
- Run the BitLocker system check.
- Restart your computer when prompted.
- Enter your BitLocker Password that you chose in step 4 in the BitLocker login screen. Log in to your windows account as usual. An icon of a hard drive with keys should appear in the task tray. Double click it to check on the encryption process. The encryption process can run in the background while you use your computer.
Steps for Windows 7 Enterprise
If your computer does not have a TPM chip, a USB key will be required.
- Open my computer and right click the drive to encrypt. Select “Turn On BitLocker…”
- If you receive this error, proceed to step 3. If this error does not come up, skip to step 4.
- Click the start menu and type “gpedit.msc” (without quotations). Navigate to Computer Configuration -> Administrative Templates ->Windows Components -> BitLocker Drive Encryption -> Operating System Drives. Select “Require additional authentication at startup”. Enable, and press ok. Go back to step 1.
- Select Require a Startup key at every startup.
- Insert USB memory device. Please note that to decrypt your laptop at startup this USB memory device must be plugged in. Without the USB key plugged in you will NOT have access to your laptop.
- Select a method to back up your recovery. We recommend printing out the key or saving it to a USB. If you do choose to save it to a USB, do not save it to your USB key. The recovery key is a backup method to gain access to your laptop if you lose your USB key. Saving the recovery key to your USB key defeats this purpose.
- Run BitLocker system check
- Restart BitLocker when prompted
- Log in to your windows account as usual. An icon of a hard drive with keys should appear in the task tray. Double click it to check on the encryption process. The encryption process can run in the background while you use your computer
Decryption
If at some future date you would like to decrypt your PC, do the following:
- Click the start menu and search "BitLocker Drive Encryption"
- Select Turn Off BitLocker. Press Decrypt Drive.
- Your PC should begin its decryption process.