You can use BitLocker safely, but it does require taking appropriate precautions.
BitLocker is Microsoft’s full-disk encryption technology. It’s available in the Ultimate and Enterprise editions of Windows Vista and 7, and in the Pro, Enterprise, and Education editions of Windows 8 and later. Many Windows 10 and 11 Home machines get a reduced form of it, “Device encryption”, which the manufacturer often turns on before the machine ever reaches you.
I typically recommend avoiding it, for one simple reason: it’s too easy to encrypt yourself into a corner and lose access to your encrypted data.
I’ll review the steps you need to take to use BitLocker safely.
Using BitLocker safely
To encrypt your drive with BitLocker safely, right-click the drive in Windows File Explorer and click on Turn on BitLocker. Save the recovery key as part of the setup process. Do not skip this step, or you may lose access to your data. Then back up your data as well.
Encrypting your drive with BitLocker
The process of encrypting your drive with BitLocker is fairly straightforward. Right-click the drive in Windows File Explorer and click on Turn on BitLocker.
BitLocker first checks that your system supports it. For the system drive that means a TPM (Windows can be configured to use a startup password or USB key instead); for a data drive it asks how you want to unlock it, usually with a password. It then asks where to save the recovery key, and only after that does it start encrypting.
The next step is the most important.
Save the recovery key
As part of the setup process, you will be given the option of backing up the recovery key for your encrypted drive: to your Microsoft account, to a file, or by printing it.
Do not skip this step.
Skipping this step is what I refer to as “encrypting yourself into a corner”. If you lose this recovery key (or you don’t save it in the first place), you can lose everything on the drive.
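The same setup done from PowerShell, in the order that avoids the corner: the recovery password is the first protector created, it is written to removable media and read back, and only then is the everyday unlock password added. This is an added example, not code from the original article; it assumes D: is the data drive being encrypted and E: is a USB stick that will be stored away from the computer, so change both for your machine. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the original article): enable BitLocker on a data
# drive so the recovery password exists, is saved off the machine, and has been
# read back and checked before the day-to-day unlock method is added.
# Assumptions: D: is the drive to encrypt; E:\ is a USB stick kept elsewhere.
$Drive    = 'D:'
$KeyDrive = 'E:\'
$KeyFile  = Join-Path -Path $KeyDrive -ChildPath ('BitLocker-recovery-{0}-{1}.txt' -f $env:COMPUTERNAME, $Drive.TrimEnd(':'))

if (-not (Test-Path -Path $KeyDrive)) {
    throw "Key-file drive $KeyDrive is not present; insert it before encrypting anything."
}

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$Drive is already $($vol.VolumeStatus); back up its existing key instead of re-enabling."
}

# Step 1: the first (and so far only) protector is the recovery password.
# Encryption starts here, so the key is saved in the very next step.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -RecoveryPasswordProtector | Out-Null

$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -First 1
if (-not $rp -or $rp.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
    throw "No 48-digit recovery password was created for $Drive; stopping."
}

# Step 2: write the key somewhere that survives the loss of this PC. The
# protector ID is what the recovery prompt shows, so keep it alongside the key.
@(
    "Computer:      $env:COMPUTERNAME"
    "Drive:         $Drive"
    "Protector ID:  $($rp.KeyProtectorId)"
    "Recovery key:  $($rp.RecoveryPassword)"
) | Set-Content -Path $KeyFile -Encoding ASCII

# Read it back: a file that does not round-trip is not a backup.
$saved = (Get-Content -Path $KeyFile | Where-Object { $_ -like 'Recovery key:*' }) -replace '^Recovery key:\s*', ''
if ($saved -ne $rp.RecoveryPassword) {
    throw "Key file $KeyFile does not match the live recovery password; do not continue."
}

# Step 3: only now add the everyday unlock method. Prompting keeps the password
# out of the script file and out of the PowerShell history.
$pw = Read-Host -Prompt "Password to unlock $Drive day to day" -AsSecureString
Add-BitLockerKeyProtector -MountPoint $Drive -PasswordProtector -Password $pw | Out-Null

# Deliberately not run here: Enable-BitLockerAutoUnlock -MountPoint $Drive
# Auto-unlock stores this drive's unlock key on the system drive, which is the
# "tied to this machine" dependency discussed later in the article. Turn it on
# only once the key file above is stored somewhere safe.

Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The script throws and stops at every point where continuing would leave you with an encrypted drive and no saved key: the USB stick is missing, no recovery password was produced, or the file on the stick does not match what BitLocker holds. Encryption with `-UsedSpaceOnly` on a mostly empty drive finishes in seconds, so the check in step 2 is the real safeguard, not the ordering.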
Losing access to your encrypted drive
There are several ways you can lose access to all the data on your encrypted drive. The two most common are losing your sign-in account and system failure.
Losing your sign-in account
Normally we think about simple things — like forgetting the log-in password — that result in losing access to an account.
However, one of the things we see in Windows from time to time is the “corrupt profile”. For various reasons, information associated with your account can become so damaged that you can’t sign in. The typical solution is to create a new account with a new profile to regain access to the machine.
The catch is that BitLocker protects the whole volume, not your account: once the drive is unlocked at startup, any account on that machine can read it, and a new profile on a working machine is no problem. What BitLocker does care about is the machine and its boot environment. The usual fixes for a broken profile, such as Startup Repair, a repair install, booting from installation media, or pulling the drive to read it in another computer, are exactly the kinds of change that can make BitLocker refuse to unlock automatically and ask for the recovery key instead.
So losing your sign-in account, for any reason, can still be enough to leave you staring at the recovery-key prompt.
System failure
On one hand, you might expect to lose data when a system fails. However, BitLocker encryption also invalidates one of the techniques to recover data from a hard drive salvaged from a damaged computer: connecting it to another computer.
Decryption is tied to the machine that encrypted the data, not to you. For the system drive, the key is sealed in that computer’s TPM. A data drive that you set to unlock automatically keeps its unlock key on that same system drive. Neither exists anywhere else. Plugging the drive into another computer, or re-creating an account with the same ID and password on a rebuilt one, gets you nothing but the recovery prompt. The recovery key (or, for a data drive, the password you chose when you encrypted it) is the only way in.
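The “connect it to another computer” recovery technique does still work, provided you have the recovery key. As an added example (not from the original article), this reads the salvaged drive on a rescue machine using only the saved key; it assumes the drive appears as F: there and that the key was saved to a text file containing a line of the form `Recovery key: nnnnnn-...` (the layout the earlier example writes). Both are assumptions to adjust.

```powershell
# Added example (not from the original article): unlock a BitLocker data drive
# salvaged from a dead PC on a different computer, using the recovery key.
# Assumptions: the salvaged drive is F: on the rescue machine, and the key file
# contains a line "Recovery key: nnnnnn-nnnnnn-...".
$Salvaged = 'F:'
$KeyFile  = 'E:\BitLocker-recovery-OLDPC-D.txt'

$vol = Get-BitLockerVolume -MountPoint $Salvaged
if ($vol.LockStatus -eq 'Unlocked') {
    Write-Host "$Salvaged is already unlocked; nothing to do."
}
else {
    # Pull the 48-digit recovery password out of the saved file and sanity-check
    # its shape before handing it to BitLocker.
    $line = Get-Content -Path $KeyFile |
            Where-Object { $_ -like 'Recovery key:*' } |
            Select-Object -First 1
    $rp = ($line -replace '^Recovery key:\s*', '').Trim()
    if ($rp -notmatch '^(\d{6}-){7}\d{6}$') {
        throw "No 48-digit recovery password found in $KeyFile"
    }

    # This is the same key the recovery prompt would accept at boot; here it
    # unlocks the volume for the current session on the rescue machine.
    Unlock-BitLocker -MountPoint $Salvaged -RecoveryPassword $rp | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $Salvaged
    if ($vol.LockStatus -ne 'Unlocked') {
        throw "$Salvaged is still locked: wrong key, or this key belongs to a different drive."
    }
    Write-Host "$Salvaged unlocked until reboot or Lock-BitLocker. Copy your data now."
    Get-ChildItem -Path "$Salvaged\" -Force | Select-Object -First 10 Name, Length, LastWriteTime
}
```

If the unlock fails, compare the protector ID shown by `manage-bde -protectors -get F:` with the ID recorded next to the key: a machine that encrypted several drives has one recovery key per drive, and the prompt tells you which one it wants.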
Using BitLocker safely
All that being said, BitLocker is pretty cool encryption technology, and people often want to use it. It’s not uncommon or even unreasonable for organizations to insist it be used to keep data secure.
There are two key elements to using BitLocker safely.
Back up your data
Backing up seems like a cure for just about anything, and this is yet another case.
An image backup of the encrypted drive, taken from within Windows while the drive is unlocked, will back up everything, and the image itself will not be encrypted unless the backup tool encrypts it.1 But even if you just back up the data on your encrypted drive religiously, to the point where losing that drive completely and without warning would be an inconvenience, not a disaster, then you’re safe.
You could lose access to your encrypted data for any reason and simply restore it from backup. The catch, of course, is since your data is sensitive enough to be encrypted, you’ll want to take steps to ensure your backups are also secure. That may mean encrypting them separately or keeping them in a secure location.
Keep that recovery key
The recovery key created when you set up BitLocker (a 48-digit number, paired with a key identifier that the recovery prompt shows you) is like a magic key that will recover access to the data from another log-in account or another machine. The catch is you need to have it, which means creating it in the first place and being able to find it when you need it. Since it is a magic key to your data, it needs to be kept safe and secure.
If you didn’t create the key when you enabled BitLocker (or BitLocker was enabled to begin with2), right-click on the drive, click on Manage BitLocker, and click on Back up your recovery key.
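The same check and backup for every drive at once, which also answers the “did this machine ship already encrypted?” question: for each volume it reports whether BitLocker is on, adds a recovery password protector to any encrypted drive that lacks one, and writes all recovery keys to a single file on removable media. This is an added example, not the article’s own procedure; it assumes E:\ is a USB stick that will be kept away from the computer, and must be run from an elevated PowerShell window.

```powershell
# Added example (not from the original article): audit every drive for BitLocker
# that is already on, make sure each encrypted drive has a recovery password
# protector, and save every recovery password to one file on removable media.
# Assumption: E:\ is a USB stick that will be stored away from this computer.
$KeyDrive = 'E:\'
$KeyFile  = Join-Path -Path $KeyDrive -ChildPath ('BitLocker-recovery-{0}-{1:yyyyMMdd}.txt' -f $env:COMPUTERNAME, (Get-Date))
if (-not (Test-Path -Path $KeyDrive)) { throw "Key-file drive $KeyDrive is not present." }

$report = @("BitLocker recovery keys for $env:COMPUTERNAME, saved $(Get-Date -Format s)")

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted' -and @($vol.KeyProtector).Count -eq 0) {
        Write-Host "$mp : not encrypted, nothing to back up"
        continue
    }

    # A drive that shipped encrypted, or was set up TPM-only, may have no
    # recovery password at all. Add one now, while the drive is unlocked.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Write-Host "$mp : no recovery password protector; adding one"
        $vol = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }

    foreach ($p in $rp) {
        $report += 'Drive {0}  {1}/{2}  ID {3}  Key {4}' -f $mp, $vol.VolumeStatus, $vol.ProtectionStatus, $p.KeyProtectorId, $p.RecoveryPassword
    }
    $types = $vol.KeyProtector.KeyProtectorType -join ', '
    Write-Host "$mp : $($vol.VolumeStatus), protection $($vol.ProtectionStatus), protectors: $types"
}

$report | Set-Content -Path $KeyFile -Encoding ASCII

# Read it back: a file that does not round-trip is not a backup.
$onDisk = @(Get-Content -Path $KeyFile)
if ($onDisk.Count -ne $report.Count) { throw "Key file $KeyFile is incomplete" }
Write-Host "Saved $($report.Count - 1) recovery key line(s) to $KeyFile. Store that drive somewhere else."

# On a device joined to Microsoft Entra ID the same key can also be escrowed with:
#   BackupToAAD-BitLockerKeyProtector -MountPoint C: -KeyProtectorId $p.KeyProtectorId
```

A line such as `C: : FullyEncrypted, protection On, protectors: Tpm` with no `RecoveryPassword` is the dangerous state: the drive is locked to this machine’s TPM and nothing else, which is why the script adds the recovery password before writing the file. The key file is plaintext by design; treat the USB stick the way you would treat the data itself.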
Back up the key, back up the data, and you can use BitLocker safely.
How data gets lost
There are two things I can tell you from my experience running Ask Leo!:
- Too many people don’t back up appropriately.
- Too many people misplace important files.
The reason BitLocker scares me is that when you put those two things together, a lot of people lose access to important data on their BitLocker-encrypted drives.
Consider VeraCrypt: you encrypt it with a passphrase. That’s the only thing you need to remember, and you can choose any technique to do so. A VeraCrypt volume is completely portable and can be moved from machine to machine — even machines using different operating systems (including Mac and Linux). All you need is that passphrase.
The same is true for Cryptomator. In fact, I rely on Cryptomator to do both: I regularly copy encrypted data between several PCs and Macs and use it on both platforms.
Regardless of what technology you use, use it safely. That means saving or remembering the encryption key and backing up the data.
If you use BitLocker, make certain to create the recovery key and save it in a safe place.
Footnotes & References
2: I have been seeing new machines come with BitLocker enabled on the system drive. It’s worth checking. If you see “Manage BitLocker” instead of “Turn on BitLocker”, then BitLocker has already been enabled for that drive. Back up the key right away.