Setting up Encryption in Windows
Encryption is used to secure data that others shouldn't be able to read; for example, social security numbers (SSN) or financial data. These are suggested methods for using encryption in Windows, but they should always be used with discretion and caution. (You don't want to lock yourself out from the information either.) It is also highly advisable to make a backup of your information before implementing.
As a best practice, whenever using encryption, create the necessary backups, recovery keys, certificate exports, etc. necessary to ensure you have a way to restore or recover your data.
BitLocker - Full Disk Encryption
Windows 10 Professional provides disk encryption through BitLocker Drive Encryption. Microsoft describes BitLocker as, "A data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline."
Contact site licensing at https://www.hawaii.edu/sitelic/ to ensure you purchase the correct version of Windows 10 to use BitLocker Drive Encryption.
If you enable BitLocker Drive Encryption, it is imperative that you back up the recovery key during setup. If you do not back up your recovery key, your data will not be recoverable.
Internal Drive - Full Disk Encryption
- Turn on BitLocker
  - Type BitLocker in the Windows search box, then press Enter.
  - Select Turn on BitLocker.
- BitLocker Recovery Key Backup Options
  - IMPORTANT: Be sure to record and keep this BitLocker recovery key in a safe place. You cannot access the data without this recovery key.
  - BitLocker gives you three options: Save to your Microsoft Account, Save to a file, or Print the recovery key. Choose the option that works best for you.
- Select how much of the disk to encrypt
  - Choose Encrypt entire drive (slower, but better for PCs and drives already in use).
- Select Encryption Mode
  - The ability to choose your encryption mode is a new feature in Windows 10. Select the encryption option that matches your situation. We recommend New encryption mode.
- BitLocker System Check
  - It is recommended to run a BitLocker system check before encrypting your drive. This ensures BitLocker can read your recovery key before the drive encryption starts.
  - When ready, select Start encrypting to begin encrypting your hard drive.
External Drive (Portable Hard Drive, Flash Drive) - Full Disk Encryption
- Plug your external drive into an available USB port.
- Type BitLocker in the Windows search box, then press Enter.
- Under the Removable data drives - BitLocker To Go heading, click Turn on BitLocker.
- On the Choose how you want to unlock this drive window, check Use a password to unlock the drive.
- Create a strong password that will be used to unlock the drive.
- Back up your recovery key using one or more of the available options.
- Select Encrypt Entire Drive.
- Select Compatible mode if you will be using the external drive on older Windows versions; otherwise select New encryption mode.
- Read the prompt, and then click Start encrypting.
- Do not move or change files on the drive, and do not unplug it, while it is being encrypted.
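The two BitLocker procedures above (internal drive and BitLocker To Go) can also be driven from an elevated PowerShell prompt with the built-in BitLocker module. The following is an added example, not code from the original page: the drive letters, the D:\BitLockerKeys backup folder and the function names are assumptions. It keeps the same safeguards as the wizard: the recovery password is written to a file before encryption starts, the system check is not skipped, the whole drive is encrypted, and the removable-drive function waits until encryption finishes before returning.

```powershell
# Added example (not from the original page): the BitLocker steps above done from an
# elevated PowerShell prompt with the built-in BitLocker module. Drive letters, the
# D:\BitLockerKeys backup folder and the function names are assumptions.
#Requires -RunAsAdministrator

# Write every recovery password on a volume to a text file: the script equivalent of
# "Save to a file". Keep the file somewhere other than the drive being encrypted.
function Backup-RecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,     # e.g. 'C:'
        [Parameter(Mandatory)] [string] $BackupFolder    # e.g. a USB stick or network share
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($protectors.Count -eq 0) { throw "No recovery password protector on $MountPoint" }
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
    foreach ($p in $protectors) {
        $id   = $p.KeyProtectorId.Trim('{}')
        $file = Join-Path $BackupFolder "BitLocker-$($MountPoint.TrimEnd(':'))-$id.txt"
        @("Volume: $MountPoint",
          "Recovery key ID: $($p.KeyProtectorId)",
          "Recovery password: $($p.RecoveryPassword)") | Set-Content -Path $file
        Write-Host "Recovery password saved to $file"
    }
}

# Internal drive: TPM protector, full-drive encryption (no -UsedSpaceOnly) and XTS-AES,
# which is the wizard's "New encryption mode". Leaving out -SkipHardwareTest keeps the
# BitLocker system check, so encryption begins only after the next reboot succeeds.
function Enable-OsDriveBitLocker {
    param([string] $MountPoint = 'C:', [Parameter(Mandatory)] [string] $BackupFolder)
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPassword -MountPoint $MountPoint -BackupFolder $BackupFolder
    Write-Host "Restart the computer to complete the system check and begin encryption."
}

# Removable drive (BitLocker To Go): password protector plus a recovery password.
# -CompatibleMode selects AES-CBC ("Compatible mode") for older Windows versions;
# otherwise XTS-AES ("New encryption mode") is used.
function Enable-RemovableDriveBitLocker {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,          # e.g. 'E:'
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $BackupFolder,
        [switch] $CompatibleMode
    )
    $method = if ($CompatibleMode) { 'Aes256' } else { 'XtsAes256' }
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $method `
        -PasswordProtector -Password $Password | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Backup-RecoveryPassword -MountPoint $MountPoint -BackupFolder $BackupFolder
    # Do not unplug the drive or change files on it until this loop reports completion.
    do {
        Start-Sleep -Seconds 10
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0} {1}% encrypted ({2})" -f $MountPoint, $vol.EncryptionPercentage, $vol.VolumeStatus)
    } while ($vol.VolumeStatus -eq 'EncryptionInProgress')
}

# Usage (constructed values):
# Enable-OsDriveBitLocker -BackupFolder 'D:\BitLockerKeys'
# $pw = Read-Host -AsSecureString -Prompt 'Password to unlock the removable drive'
# Enable-RemovableDriveBitLocker -MountPoint 'E:' -Password $pw -BackupFolder 'D:\BitLockerKeys'
```

Enable-BitLocker accepts one protector type per call, which is why the recovery password is added with Add-BitLockerKeyProtector immediately afterwards. Check the written text file opens and contains the 48-digit recovery password before restarting; a protector that was never backed up is exactly the situation the warning above describes.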
File and Folder Encryption
Microsoft also offers the ability to encrypt files and folders in Windows 10. File and folder encryption can be used in addition to BitLocker Drive Encryption.
Below are steps on encrypting files and folders, backing up your personal certificate, and decrypting files and folders.
Encrypting Files and Folders
- Click Start, point to All Programs, point to Accessories, then click on Windows Explorer
- Locate and right-click the file or folder that you want to encrypt, then click Properties.
- On the General tab, click Advanced.
- Under Compress or Encrypt attributes, select the Encrypt contents to secure data check box, and then click OK.
- Click OK to close the folder's Properties window.
- In the Confirm Attribute Changes dialog box, choose one of the following:
  - If you want to encrypt only the folder, click Apply changes to this folder only, and then click OK.
  - If you want to encrypt the contents of the folder along with the folder, click Apply changes to this folder, subfolders and files, and then click OK.
  - If you want to encrypt only the file, click Encrypt the file only, and then click OK.
- Windows will now proceed to encrypt your data. How long it takes depends on the number and size of the files you chose to encrypt. When it is complete the folder will be encrypted. Note that this does not stop others from viewing the list of files in the folder; encrypting the files is what prevents them from opening the items inside the encrypted folder.
Note: While it is possible to encrypt both files and folders, Microsoft's best practices suggest encrypting folders rather than individual files. This prevents applications from unintentionally removing the encryption from a file (for example, when an application saves a new copy of the file into an unencrypted folder).
Things to do after you encrypt your data
Once you have encrypted your files or folders, it is important to back up your certificate so that you do not lose access should you forget your password. If you do not back up your certificate and subsequently forget your password, there will be no way to recover your data. Back up your certificate and store it in a secure location.
Back up your Certificate
- Start Microsoft Internet Explorer
- On the Tools menu, click Internet Options
- On the Content tab, in the Certificates section, click Certificates.
- Click the Personal tab.
- Note: You may have multiple certificates listed. Click on each one until you find the certificate whose Intended Purposes field shows "Encrypting File System".
- Click Export to start the Certificate Export Wizard, and then click Next.
- Click "Yes, export the private key" to export the private key, and then click Next.
- Ensure the checkboxes next to “Include all certificates in the certification path if possible” and "Enable certificate privacy" are checked and click Next.
- Click the Password checkbox, set the Encryption to AES256-SHA256, enter and confirm a password, then click Next. This password is to protect the exported certificate.
- Specify where you want to save the certificate. You can back up to another location on your hard drive or to a USB drive. You can also back up the certificate to multiple locations.
- Specify the destination, click Save, and then Next.
- Click Finish. You should be told the export was successful. Click OK.
- Click Close to close the certificates window, then click OK to close the Internet Options window.
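The certificate export above can also be scripted with the PKI module's Export-PfxCertificate, which is useful when the same backup must be repeated on several machines. This is an added example, not code from the original page: the backup folder and function name are assumptions, and -CryptoAlgorithmOption AES256_SHA256 (the wizard's "AES256-SHA256" setting) is accepted by the PKI module on current Windows 10 builds; on an older build that rejects the parameter, drop it and the export falls back to the module's default algorithm. The function selects the certificate by the same "Encrypting File System" enhanced key usage the wizard tells you to look for, includes the certification path, and reads the .pfx back to confirm the private key really was exported.

```powershell
# Added example (not from the original page): export the signed-in user's EFS
# certificate and private key to a password-protected .pfx with the PKI module, the
# script equivalent of the Certificate Export Wizard steps above. The backup folder
# is an assumption; point it at removable media or another safe location, not the
# drive that holds the encrypted files.
function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)] [string] $BackupFolder,
        [Parameter(Mandatory)] [securestring] $PfxPassword   # protects the exported file
    )
    # Enhanced Key Usage OID that the certificate dialog shows as "Encrypting File System"
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    $certs = @(Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) })
    if ($certs.Count -eq 0) { throw 'No EFS certificate with a private key in the personal store' }
    New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null

    # Export every match: after a key renewal, older files may still be protected by the
    # older certificate, so all of them are needed to recover everything.
    foreach ($cert in $certs) {
        $file = Join-Path $BackupFolder "EFS-$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword `
            -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256 | Out-Null

        # Read the .pfx back with the same password and confirm it carries the private key;
        # a backup that cannot be opened is no backup.
        $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file, $PfxPassword)
        if ($check.Thumbprint -ne $cert.Thumbprint -or -not $check.HasPrivateKey) {
            throw "Verification of $file failed"
        }
        Write-Host "Exported $($cert.Subject) (valid until $($cert.NotAfter)) to $file"
        $file
    }
}

# Usage (constructed values):
# $pw = Read-Host -AsSecureString -Prompt 'Password to protect the exported certificate'
# Backup-EfsCertificate -BackupFolder 'E:\EFS-backup' -PfxPassword $pw
```

If the PKI module is unavailable, the built-in cipher.exe offers the same backup interactively: cipher /x:E:\EFS-backup\efs prompts for a password and writes efs.pfx containing the EFS certificate and private key. Whichever route you use, the password you set here is separate from your Windows sign-in password and is the only way to import the .pfx later, so record it with the same care as the file.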
Decrypting Files or Folders
Decrypting a folder uses essentially the same process as encrypting it, but in reverse.
- Right-click the folder or file you want to decrypt, then click Properties.
- Click Advanced.
- Clear the Encrypt contents to secure data check box to decrypt.
- Click OK to close the Advanced Attributes dialog box.
- Click OK to close the folder's Properties window.
- If it is a folder and it has files in it, the Confirm Attribute Changes dialog box appears. You can choose to decrypt only the folder, but this won't decrypt any of the files in the folder.
  - If you want to decrypt all the contents of the folder, click Apply changes to this folder, subfolders and files, and then click OK.
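The encrypt and decrypt procedures above (Properties > Advanced > Encrypt contents to secure data, then one of the three Confirm Attribute Changes choices) map onto the built-in cipher.exe, which is handy for scripting or for checking what actually ended up encrypted. The following is an added example, not code from the original page: the function names and the sample folder C:\Users\alice\Sensitive are assumptions. Get-EfsStatus lets you confirm the caveat in the last step above, that a folder-only decrypt leaves the files inside it encrypted.

```powershell
# Added example (not from the original page): EFS encryption, decryption and a status
# check from PowerShell using the built-in cipher.exe instead of the Properties dialog.
# The sample path C:\Users\alice\Sensitive is an assumption; substitute your own folder.

# Mirrors the three choices in the Confirm Attribute Changes dialog:
#   -Scope FolderOnly on a folder : "Apply changes to this folder only"
#   -Scope Tree on a folder       : "Apply changes to this folder, subfolders and files"
#   a file path                   : "Encrypt the file only"
function Set-EfsState {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('Encrypt', 'Decrypt')] [string] $Action,
        [ValidateSet('FolderOnly', 'Tree')] [string] $Scope = 'Tree'
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $flag = if ($Action -eq 'Encrypt') { '/e' } else { '/d' }
    if (-not $item.PSIsContainer) {
        # /a makes cipher operate on files; without it only directories are marked
        $cipherArgs = @($flag, '/a', $item.FullName)
    } elseif ($Scope -eq 'FolderOnly') {
        # marks (or unmarks) the folder itself, existing files are left as they are
        $cipherArgs = @($flag, $item.FullName)
    } else {
        # /s: walks the folder and every subfolder; /a includes the files in each
        $cipherArgs = @($flag, '/a', "/s:$($item.FullName)")
    }
    & cipher.exe @cipherArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe $($cipherArgs -join ' ') failed ($LASTEXITCODE)" }
}

# Reports which items under a path carry the Encrypted attribute, so you can see what
# a folder-only operation did and did not touch.
function Get-EfsStatus {
    param([Parameter(Mandatory)] [string] $Path)
    $items = @(Get-Item -LiteralPath $Path -ErrorAction Stop)
    if ($items[0].PSIsContainer) {
        $items += Get-ChildItem -LiteralPath $Path -Recurse -Force
    }
    foreach ($i in $items) {
        [pscustomobject]@{
            Path      = $i.FullName
            Encrypted = [bool]($i.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

# Usage (constructed sample folder):
# $folder = 'C:\Users\alice\Sensitive'
# Set-EfsState -Path $folder -Action Encrypt -Scope Tree
# Get-EfsStatus -Path $folder | Format-Table -AutoSize          # folder and files: Encrypted = True
# Set-EfsState -Path $folder -Action Decrypt -Scope FolderOnly
# Get-EfsStatus -Path $folder | Where-Object Encrypted          # the files are still listed
```

The Encrypted attribute is the same flag the Properties dialog sets, so Get-EfsStatus agrees with what Explorer shows. After a folder-only decrypt, new files saved into that folder will no longer be encrypted while the existing ones still are, which is the mixed state the note earlier in this page recommends avoiding by working at the folder level.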