
Why I (No Longer) Avoid BitLocker

BitLocker is Microsoft’s full-disk encryption technology available in Windows Pro, Enterprise or Ultimate editions from Vista onwards.

I typically recommend avoiding it, for one simple reason: it’s too easy to encrypt yourself into a corner and lose access to your encrypted data.

I’ll review why I feel that way, and what steps you need to take if you want to use BitLocker safely.

For the record, I actually now use BitLocker for whole-drive encryption. Microsoft has made it harder to encrypt yourself into a corner. That doesn’t mean it can’t be done, so do follow the instructions in this article. See also: How Do I Encrypt a Disk?


Encrypting your drive with BitLocker

The process of encrypting your drive with BitLocker is fairly straightforward. Run BitLocker from within Control Panel and turn it on. BitLocker will check that your system supports it and, having done so, will proceed to encrypt your drive.

BitLocker is pretty transparent once it’s set up. Log in to your machine using your normal log-in account, and you’ll have access to the contents of your encrypted drive. The decryption key is associated with your login account.

As part of the setup process, you should be given the option of saving a recovery key for your encrypted drive.

BitLocker Recovery Key

It’s losing this recovery key, or not saving it in the first place, that can lead to complete data loss.

Losing access to your encrypted drive

There are several ways you can lose access to all the data on your encrypted drive.

Lose your log-in account. Normally we think of simple things, like forgetting the log-in password, as the way to lose access to an account, and indeed that’s one way to do it.

However, one of the things we do see in Windows from time to time is the “corrupt profile”. For various reasons, information associated with your account can become damaged such that you can’t log in. The typical solution is to create a new account with a new profile to regain access to the machine.

The problem is, your new account is not the account that set up the encryption – so it doesn’t have access to the encrypted data.

In fact, losing your log-in account for any reason whatsoever could be enough to lose access to your encrypted data.

System failures. On one hand, you’d say, sure, when a system fails, you expect to lose data. However, BitLocker encryption also invalidates one of the techniques to recover data from a hard drive salvaged from a damaged computer: connecting it to another computer.

Decryption is tied to the log-in account that encrypted the data. That log-in account simply doesn’t exist anywhere but on the machine that performed the encryption in the first place. Even if you re-create an account with the same ID and password, it’s a different account, and will not work to access the data on the encrypted drive.

Using BitLocker safely

All that being said, BitLocker is pretty cool encryption technology, and people often want to use it. It’s not uncommon, or even unreasonable, for organizations to insist that it be used to keep data secure.

There are two key elements to using BitLocker safely.

Back up. Backing up seems like a cure for just about anything, and here’s another case. An image backup of the encrypted drive will back up everything.1 But even if you just back up the data on your encrypted drive religiously – to the point where losing that drive completely and without warning would not be a disaster – then you’re safe. You could, indeed, lose access to your encrypted data for any reason, and simply restore from backup. The catch, of course, is that since your original data is sensitive enough to be encrypted, you’ll probably want to take extra steps to make sure your backups are also secure. That may mean encrypting them somehow or keeping them only in a secure location.

Keep that recovery key. The recovery key created when you set up BitLocker is like a magic key that will regain your access to the data from another log-in account or another machine. The catch here is that you need to have it – which means creating it in the first place, and being able to find it when you need it – and that, since it is a magic key to your data, it needs to be kept safe and secure.

Do either of those two things religiously and you can use BitLocker with my blessing.
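As an added example that is not part of the original article, the PowerShell script below checks every BitLocker volume on the PC for a recovery password protector, adds one where it is missing, and writes the recovery passwords to a file so they can be moved somewhere safe. It assumes an elevated PowerShell prompt on a Windows edition that ships the BitLocker module, and `$ExportPath` is an assumed location, not something the article specifies.

```powershell
# Added example (not from the article): audit BitLocker volumes for a recovery
# password protector and export the recovery passwords off the machine.
# Assumes: elevated PowerShell, BitLocker module present, $ExportPath reachable.
$ExportPath = "E:\BitLocker-RecoveryKeys.txt"   # assumed: removable media, not the encrypted volume

$report = foreach ($vol in Get-BitLockerVolume) {
    # Only volumes with protection turned on have anything worth exporting.
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "$($vol.MountPoint): protection is $($vol.ProtectionStatus), skipping."
        continue
    }

    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    if (-not $rp) {
        # Without this protector, losing the normal unlock path (TPM, PIN, account)
        # is exactly the "encrypted into a corner" case the article warns about.
        Write-Warning "$($vol.MountPoint) has no recovery password protector; adding one."
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $vol.MountPoint).KeyProtector |
              Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }

    foreach ($p in $rp) {
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            KeyProtectorId   = $p.KeyProtectorId      # the ID shown on the recovery screen
            RecoveryPassword = $p.RecoveryPassword    # the 48-digit recovery key itself
        }
    }
}

# Show the result and write it to the export location. The file now unlocks the
# drive on its own, so it must be kept as carefully as the data it protects.
$report | Format-Table -AutoSize
$report | Format-List | Out-File -FilePath $ExportPath -Encoding ascii
Write-Host "Recovery keys written to $ExportPath. Move that file off this machine and store it securely."
```

Run it again after any change that rotates protectors (for example a firmware or motherboard replacement) so the saved copy stays current.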

However…

How data gets lost

There are two things I can tell you from my experience running Ask Leo!

  • Too many people don’t back up appropriately.
  • Too many people misplace important files.

The reason BitLocker scares me is that when you put those two things together, a lot of people lose access to important data on their BitLocker-encrypted drives.

My recommended alternatives

I much prefer technologies like TrueCrypt, BoxCryptor, or one of several equivalent alternatives.

They’re less complex, with no loss in data security.

Consider TrueCrypt: you encrypt a volume with a passphrase. That passphrase is the only thing you need to remember, using whatever technique you choose. A TrueCrypt volume is completely portable and can be moved from machine to machine – even machines using different operating systems (including Mac and Linux). All you need is that passphrase.

The same is true for BoxCryptor. In fact, I rely on BoxCryptor to do exactly that: I regularly copy encrypted data between several PCs and Macs, and use it on both platforms.


Footnotes & references

1: Typically an image backup of an encrypted drive will back up the data in unencrypted form.

19 comments on “Why I (No Longer) Avoid BitLocker”

  1. You can unlock and access data on a BitLocker encrypted drive by attaching it directly to another computer (example: SATA) or via an external USB adapter/enclosure, and providing “either” the correct password or choosing “I Forgot the password” and entering the recovery key. The encryption method is not tied to a particular user account. The loss of both the Password AND Recovery key will cause the data to become inaccessible. Microsoft will usually maintain a copy of the recovery key (but do not depend on it being available) if the encryption of the drive was performed while logged in to a Microsoft account as opposed to a Local account.

    The encrypting file system (EFS) requires the export/import of the security certificate. You WILL lose access to data without the proper certificate. This method is more complex to administer and probably should be avoided outside of a corporate domain environment.
  2. QUESTION
    With BitLocker, if you back up the image, can you recover that image to an unencrypted drive, in the event of a disaster, so that you can then re-encrypt the recovered image?

    I currently encrypt the full drive with TrueCrypt, and do backups of images of the C: drive (I back up to TrueCrypt-encrypted external drives), and if I need to recover, I can copy one of the backed up images to a clean drive, and then run recovery (I use Paragon Hard Disk Manager 2015), and I then have a working image on a new drive.

    I have NOT tried this with BitLocker, but would like to know if it works.
    Thanks
    • What’s important here is that you back up the UNencrypted data. That can be restored wherever you want.

      If you back up the encrypted partition then you may not be able to restore it anywhere other than on the same machine. I’m not 100% on this, but it scares me enough that I would not do it.
  3. I have three machines running Windows 7 Ultimate SP1 that are too old to have a TPM (Trusted Platform Module) chip in them, so BitLocker doesn’t work on any of them. I use TrueCrypt instead to do whole-drive encryption. Since TrueCrypt uses pre-boot authentication in order to start the computer, a thief would be stealing a really fancy paperweight with no way to start the machine without entering the 25+ character passphrase. Anybody who tries to view the data on the drive by plugging it into another computer would see nothing, as everything is encrypted.

    While TrueCrypt is no longer supported by the developers, I feel confident using it, at least until an actual vulnerability is discovered.
  4. There are published cases of governments not being able to break into TrueCrypt. I would like to know if there are any reports of governments not being able to break into a criminal’s BitLocker-encrypted computer.
    Paranoia aside, BitLocker probably makes life easier and more accountable in a properly managed corporate IT environment.
  5. The company I work for has an IT policy that includes using BitLocker on all company laptops. This poses one particular problem: if an employee has to travel for business to China, that employee needs to copy all his data to a laptop without BitLocker. The Chinese government does not allow bringing in laptops with such encryption. For those trips, some laptops are held separately which can then be used temporarily.
  6. Not particularly enamoured by this article. BitLocker is probably the best software-based encryption option out there. It performs considerably better than any other software encryption, is easy to use and administer, and of course if you lose the recovery key you can’t get access; that’s the point!

    “BitLocker encryption also invalidates one of the techniques to recover data from a hard drive salvaged from a damaged computer: connecting it to another computer.” – that’s simply not true; you can connect it to any other machine with BitLocker installed and enter the recovery key to gain access.

    “The reason BitLocker scares me is that when you put those two things together, a lot of people lose access to important data on their BitLocker-encrypted drives.” – In the most common use of BitLocker, businesses with an Active Directory Domain, the key is automatically backed up to AD so you don’t even have to worry about it. Not only that, but you can create a single private key which decrypts all machines. On an individual basis, the above may be a concern, yeah, but quite frankly that’s your fault for losing it; what’s the point if someone else can easily bypass encryption?
  7. Is it safe to use BitLocker on my computer? What if I lose the key and am not able to access my user account either?
    Is it possible to open the encrypted files on another device also? Will my OneDrive, Google Drive and other online cloud folders also get encrypted with BitLocker?
    If everything is encrypted, will I be able to open those folders on my handheld gadget also, or do I need to put BitLocker everywhere on all gadgets?
  8. There are several items in this list that are untrue…

    “Decryption is tied to the log-in account that encrypted the data. That log-in account simply doesn’t exist anywhere but on the machine that performed the encryption in the first place. Even if you re-create an account with the same ID and password, it’s a different account, and will not work to access the data on the encrypted drive.”

    Absolutely and simply not true. The whole drive is encrypted. It doesn’t matter which user you’re using… the only case where this is true is if you’re silly enough to store your encryption keys online with Microsoft.

    “On one hand you’d say, sure, when a system fails, you expect to lose data. However, BitLocker encryption also invalidates one of the techniques to recover data from a hard drive salvaged from a damaged computer: connecting it to another computer.”

    Again not true. All you need is the recovery key and you can use the drive with any machine.

    Bitlocker does NOT protect your machine if it is powered on. It is intended to protect you from having your machine stolen or your hard drive physically removed.

  9. I have a general question about BitLocker. We used to use other encryption software for our laptops, and with that software, you could take the hard drive out of the laptop, put it into another laptop of the exact same type and boot the machine. I have also noticed that you can do this with BitLocker (although, last time we tried to do this, it did not work).

    Isn’t being able to do this type of thing rendering drive encryption useless? If you can steal someone’s hard drive (not the entire computer, just the hard drive), or grab an image of it and boot it in an identical PC, doesn’t that make drive encryption useless?
  10. I bought a new computer when my old and dear XP died. It came with Win 8.1, which was OK after I played around with it. Then the DREADED update to Win 10. OK, no problem, except there is NO BitLocker on my computer anywhere, in any shape or form. I dunno why. I’ve been up, down, back and forth, all through the nooks and crannies searching the whole damned computer and there is no BitLocker anywhere. I can’t find anywhere I can download it. Micro$soft doesn’t have a download; it’s supposed to be preinstalled, I guess. If there’s a download for BitLocker, tell me where.
    Drat and durn. I can exist without it as I have a secure system (I hope) and have my OS and system stuff on a separate physical drive aside from my apps.
  11. Please, does anyone know how to image backup TrueCrypt encrypted disks? Macrium won’t let me do that. I use Windows 7 Ultimate. Also, Macrium support says Macrium Reflect only supports BitLocker.

    Even though my System Drive C: is encrypted, it is imaged fine, but my Data Drives D: and E: are encrypted and are not recognized by Macrium.

    I’ll switch to BitLocker if I have to, in order to make image backups. But TrueCrypt still works great.
  12. Over the past week I’ve dealt with “it’s too easy to encrypt yourself into a corner and lose access to your encrypted data.” I’ve been researching this and found that other people are having this same problem.

    My laptop was having boot-up problems and every proposed solution led me to a screen that asked for a BitLocker recovery key. I’d never heard of BitLocker before. More than a week later I decided to just go back to the factory settings. NOPE! Can’t even do that without the BitLocker recovery key.

    Now the laptop is at Best Buy undergoing a clean install for $100.
    • I have noted that some new laptops (including my own) are coming with BitLocker enabled by default. While that’s generally a good thing, it should really REALLY be made obvious, and saving a key should be part of the initial setup process. Sadly it is not.
