BitLocker is Microsoft’s full-disk encryption technology available in Windows Pro, Enterprise or Ultimate editions from Vista onwards.
I typically recommend avoiding it, for one simple reason: it’s too easy encrypt yourself into a corner and lose access to your encrypted data.
I’ll review why I feel that way, and what steps you need to take if you want to use BitLocker safely.
Encrypting your drive with BitLocker
The process of encrypting your drive with BitLocker is fairly straight forward. Run BitLocker from within Control Panel, and turn it on. BitLocker will check to ensure that your system supports BitLocker, and having done so, will proceed to encrypt your drive.
BitLocker is pretty transparent once it’s set up. Log in to your machine using your normal log-in account, and you’ll have access to the contents of your encrypted drive. The decryption key is associated with your login account.
As part of the setup process, you should be given the option of saving a recovery key for your encrypted drive.
It’s losing this recovery key, or not saving it in the first place, that can lead to complete data loss.
Losing access to your encrypted drive
There are several ways you can lose access to all the data on your encrypted drive.
Lose your log-in account. Normally we think about simple things – like forgetting the log-in password – to lose access to an account, and indeed, that’s one way to do it.
However, one of the things we do see in Windows from time to time is the “corrupt profile”. For various reasons, information associated with your account can become damaged such that you can’t log in. The typical solution is to create a new account with a new profile to regain access to the machine.
The problem is, your new account is not the account that set up the encryption – so it doesn’t have access to the encrypted data.
In fact, losing your log-in account for any reason whatsoever could be enough to lose access to your encrypted data.
System failures. On one hand you’d say, sure, when a system fails, you expect to lose data. However, BitLocker encryption also invalidates one of the techniques to recover data from a hard drive salvaged from a damaged computer: connecting it to another computer.
Decryption is tied to the log-in account that encrypted the data. That log-in account simply doesn’t exist anywhere but on the machine that performed the encryption in the first place. Even if you re-create an account with the same ID and password, it’s a different account, and will not work to access the data on the encrypted drive.
Using BitLocker safely
All that being said, BitLocker is pretty cool encryption technology, and people often want to use it. It’s not uncommon, or even unreasonable, for organizations to insist that it be used to keep data secure.
There are two key elements to using BitLocker safely.
Back up. Backing up seems like a cure for just about anything, and here’s another case. An image backup of the encrypted drive will backup everything.1 But even if you just back up the data on your encrypted drive religiously – to the point where losing that drive completely and without warning would not be a disaster – then you’re safe. You could, indeed, lose access to your encrypted data for any reason, and simply restore from backup. The catch, of course, is that since your original data is sensitive enough to be encrypted, you’ll probably want to take extra steps to make sure your backups are also secure. That may mean encrypting them somehow, or keeping them only in a secure location.
Keep that recovery key. The recovery key created when you set up BitLocker is like a magic key that will regain your access to the data from another log-in account or another machine. The catch here is that you need to have it – which means creating it in the first place, and being able to find it when you need it – and that, since it is a magic key to your data, it needs to be kept safe and secure.
Do either of those two things religiously and you can use BitLocker with my blessing.
How data gets lost
There are two things I can tell you from my experience running Ask Leo!
- Too many people don’t back up appropriately.
- Too many people misplace important files.
The reason BitLocker scares me is that when you put those two things together, a lot of people lose access to important data on their BitLocker-encrypted drives.
My recommended alternatives
I much prefer technologies like TrueCrypt, BoxCryptor, or several equivalent alternatives.
They’re less complex with no loss in data security.
Consider TrueCrypt: you encrypt it with a passphrase. That’s the only thing you need to remember, using any technique you choose. A TrueCrypt volume is completely portable and can be moved from machine to machine – even machines using different operating systems (including Mac and Linux). All you need is that passphrase.
The same is true for BoxCryptor. In fact, I rely on BoxCryptor to do both: I regularly copy encrypted data between several PCs and Macs, and use them on both platforms.