With BitLocker, which is integrated into Windows, Microsoft encrypts hard drives and thus protects personal data from unwanted access. But protection against data theft and loss raises a few questions: When exactly does encryption take effect, what is the purpose of the recovery key, and where can I find it? How do I tell whether my disk has been encrypted with BitLocker, and how can I switch it off again? Can BitLocker also be used on external storage media, and what alternatives are there? We answer the most common questions about Microsoft’s device encryption.

After a BIOS update, my computer with Windows 11 Home could no longer boot; I was only prompted to enter the recovery key for BitLocker encryption. But I don’t have one, because I have never activated BitLocker. What now?

You probably have one, you just don’t know it. BitLocker is technically present in the Home edition of Windows as well, it just isn’t called that there. Instead, Microsoft calls the function “device encryption”. In order to use it, the computer must meet a few hardware requirements. We regularly see systems on which encryption of the system drive is active immediately after a clean reinstallation.

This is one of the reasons why Microsoft wants to force you to use a Microsoft account during the initial setup: As soon as you log in to Windows 10 or 11 with one, the recovery key automatically ends up in your account – at account.microsoft.com/devices/recoverykey you can read it out.



Storing a recovery key in the Microsoft account seems completely grotesque to me from a privacy and security point of view. Who would do that in their right mind?

In fact, this procedure makes rational sense. Device encryption in Windows Home is a function for the masses, i.e. for people who do not want to or cannot deal with encryption. For them it is always better to have encryption for which Microsoft knows a back door than to walk around without any encryption at all. Remember that in order to do anything with a recovery key, an attacker must also have your machine.

A security risk exists only in extreme cases, namely when someone is specifically targeting your data – and is willing to go to great lengths to obtain it. The attacker would first have to get hold of the key, either by breaking into your Microsoft account (a good reason for two-factor authentication) or by being an investigative agency that can compel Microsoft to hand it over. And secondly, the attacker must get their hands on your computer, i.e. steal it.


The recovery key in the Microsoft account is only a problem in special cases – and in case of doubt it can be a saving grace.

If you are such a high-value target that such an attack is realistic, the recovery key in the Microsoft account is indeed a risk – but then storing it there would be grossly negligent anyway. For the vast majority of Windows users, however, this scenario is not relevant; the relevant risk is losing a notebook with all kinds of documents and photos on the train. And then it is good to know that a finder cannot read anything.


Is there any way I can see if a drive is encrypted and if so, with more details? Especially on Windows Home, where BitLocker management isn’t found in either Control Panel or Settings?

The command-line tool manage-bde.exe is available for this – also in the Home editions. To see the encryption status of all drives, open a terminal with administrator rights, for example via Windows key + X. The command manage-bde -status shows details about the encryption of each attached drive. You can use it to check in no time whether your system drive is encrypted: In the “BitLocker Version” line, the tool reports “None” for unencrypted drives and otherwise a version number (usually 2.0).


Do you recommend using device encryption in Windows 10 or 11 Home?

We recommend using encryption, especially for mobile devices that can quickly be lost or stolen in a burglary. It doesn’t necessarily have to be device encryption, because this stripped-down variant of BitLocker cannot be configured at all, only switched on or off, and it also doesn’t work for external storage media. If you split your system SSD into multiple partitions, all of them will be protected by device encryption, but all will also be unlocked automatically at system startup.

So if you want to protect USB media, for example, or unlock an internal D: drive with a password, you should turn off device encryption and use a more flexible tool like VeraCrypt instead. The only thing Microsoft allows on the Home Edition with USB media is using already encrypted data carriers.


According to the previous tip, my Windows 10 Home system drive is already encrypted, but I prefer to encrypt it with VeraCrypt. How do I get rid of Microsoft encryption?

Since the BitLocker administration module of the Control Panel is missing in your Home edition, first look in the “Device Encryption” section in the Settings app to see if you can switch off the function there directly. On Windows 10 the menu is under “Update & Security”, on Windows 11 under “Privacy and Security”.

If the button is missing, or Windows claims that encryption is not activated because you do not have a Microsoft account, you can also force decryption – in a terminal with administrator rights via manage-bde -off c:. Depending on the drive size and speed, this can take a few minutes or an hour or two. You can read how far the decryption has progressed with the status command mentioned above: It is complete as soon as the value in the “Percentage Encrypted” line is 0.0.
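The two checks described above (is the system drive encrypted, and how far has manage-bde -off progressed) can be scripted by parsing the tool's output. The following PowerShell is an added example and not code from the c't article or from Microsoft; it assumes the English manage-bde output (the line labels are localized on non-English Windows installations) and uses a constructed sample so that the parser can be tried without an elevated prompt. It also surfaces the point from the anti-theft tip further down: a drive whose only key protector is the TPM is unlocked automatically at boot, so the Windows logon password is the only remaining barrier.

```powershell
# Added example (not from the c't article): parse "manage-bde -status" output into objects.
# Assumes the English tool output; labels such as "BitLocker Version" are localized elsewhere.
function ConvertFrom-BdeStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    $volumes = @()
    $current = $null
    $inProtectors = $false

    foreach ($line in $Lines) {
        # Each drive starts with a line like "Volume C: [Windows]" at column 0
        if ($line -match '^Volume ([A-Z]:)\s*(\[(.*)\])?') {
            $current = [pscustomobject]@{
                Volume           = $Matches[1]
                Label            = $Matches[3]
                BitLockerVersion = $null
                ConversionStatus = $null
                PercentEncrypted = $null
                Method           = $null
                Protection       = $null
                KeyProtectors    = @()
            }
            $volumes += $current
            $inProtectors = $false
            continue
        }
        if ($null -eq $current) { continue }

        # "Key Protectors:" is followed by one indented line per protector (or "None Found" inline)
        if ($line -match '^\s+Key Protectors:\s*(.*)$') {
            $inProtectors = $true
            if ($Matches[1] -and $Matches[1].Trim() -ne 'None Found') { $current.KeyProtectors += $Matches[1].Trim() }
            continue
        }
        if ($inProtectors) {
            if ($line -match '^\s{8,}(\S.*)$') { $current.KeyProtectors += $Matches[1].Trim() }
            elseif ($line.Trim() -eq '')     { $inProtectors = $false }
            continue
        }
        if ($line -match '^\s+([^:]+):\s*(.*)$') {
            $key = $Matches[1].Trim(); $val = $Matches[2].Trim()
            switch ($key) {
                'BitLocker Version'    { $current.BitLockerVersion = $val }
                'Conversion Status'    { $current.ConversionStatus = $val }
                'Percentage Encrypted' { $current.PercentEncrypted = [double]($val -replace '%', '') }
                'Encryption Method'    { $current.Method = $val }
                'Protection Status'    { $current.Protection = $val }
            }
        }
    }
    return $volumes
}

# Constructed sample in the shape of the real output (one encrypted OS drive, one plain data drive)
$sample = @'
Volume C: [Windows]
[OS Volume]

    Size:                 475.72 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
'@ -split "`r?`n"

# Live use from an elevated prompt: $status = ConvertFrom-BdeStatus (manage-bde -status)
$status = ConvertFrom-BdeStatus $sample
$status | Format-Table Volume, BitLockerVersion, PercentEncrypted, Method, Protection

# Drives unlocked by the TPM alone: the logon password is the only barrier for a thief
$status | Where-Object { $_.KeyProtectors.Count -eq 1 -and $_.KeyProtectors[0] -eq 'TPM' } |
    ForEach-Object { "$($_.Volume) is auto-unlocked via TPM only" }

# Waiting for "manage-bde -off c:" to finish (the 0.0 criterion from the text), live only:
# while ((ConvertFrom-BdeStatus (manage-bde -status c:) | Where-Object Volume -eq 'C:').PercentEncrypted -gt 0) { Start-Sleep 30 }
```

Run as shown, the sample reports C: as encrypted with XTS-AES 128 and D: with BitLocker version None and 0.0 percent encrypted; C: is not flagged as TPM-only because it also carries a Numerical Password (recovery key) protector, which is what a drive looks like after device encryption has stored its recovery key.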


You can use the prompt to read in no time at all whether encryption is active, which algorithm is being used and the like.


If the manage-bde.exe tool is also included in Windows Home and only a few configuration menus are missing, why not simply set up BitLocker under Home via the command line?

Unfortunately, more is missing than just the menus: the manage-bde.exe command-line switches that you need to set up and manage BitLocker are refused by the tool under Home with a note that your edition does not support them.

The fact that Microsoft doesn’t at least allow BitLocker setup for USB media in the Home editions seems somewhat absurd in 2023 – the ability to protect a portable drive from prying eyes should be one of the basic functions of a PC operating system. Incidentally, the -off switch is, besides -status, one of the few that also work with the Home edition.


In terms of anti-theft protection and the like, is it enough to simply turn on BitLocker, or do I have to pay more attention?

You have to log in to Windows with a password, PIN or something similar. If you have a local user account that boots directly into the desktop without a password, encryption will do you no good – at least not as long as the system drive is automatically unlocked via the Trusted Platform Module (TPM) at boot time. You would then also have to set up a boot password or a USB key (see also the following tip).


Are there things I should set before letting Windows encrypt my drives?

Once again, the universal answer applies here: it depends! Many options can be found in the Group Policy Editor in the Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption folder. For example, if you want to set up BitLocker on a PC without a Trusted Platform Module (TPM), you must enable the “Require additional authentication at startup” policy in the “OS Drives” subfolder (no further configuration is required). To start the system you then need a password or a USB stick with a key file.

The very cautious will also find, in the policy “Selecting the encryption method and encryption strength for the drive”, a way to use 256-bit keys instead of the default 128-bit keys. This multiplies the time that a successful brute-force attack on the encryption would need, but the gain in security is very marginal as of today: Even with 128 bits, millions or even billions of years would be required with the currently available computing power. Otherwise, many of the BitLocker options are primarily intended for encryption management in corporate environments.
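The Group Policy settings named in the last two answers are stored as registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE, which makes it possible to audit what a machine is actually configured to do before encryption is switched on. The PowerShell below is an added example, not code from the c't article or from Microsoft; the value names (UseAdvancedStartup, EnableBDEWithNoTPM, EncryptionMethodWithXtsOs/Fdv/Rdv) and the cipher codes 3, 4, 6 and 7 are the ones Windows uses for this policy key, and a missing value means the policy is “Not configured”, so Windows uses its default.

```powershell
# Added example (not from the c't article): audit the BitLocker policy values that the
# Group Policy Editor writes under HKLM\SOFTWARE\Policies\Microsoft\FVE.
$FveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Cipher codes used by the EncryptionMethodWithXts* policy values
$MethodNames = @{ 3 = 'AES-CBC 128'; 4 = 'AES-CBC 256'; 6 = 'XTS-AES 128'; 7 = 'XTS-AES 256' }

function Get-FvePolicy {
    # Reading the policy key needs no elevation; a missing key means nothing is configured
    $p = if (Test-Path $FveKey) { Get-ItemProperty -Path $FveKey } else { $null }

    $get = { param($name) if ($p -and $null -ne $p.$name) { [int]$p.$name } else { $null } }
    $decode = {
        param($v)
        if ($null -eq $v)                    { 'Not configured (Windows default)' }
        elseif ($MethodNames.ContainsKey($v)) { $MethodNames[$v] }
        else                                  { "Unknown code $v" }
    }

    [pscustomobject]@{
        'Require additional auth at startup' = ((& $get 'UseAdvancedStartup') -eq 1)
        'Allow BitLocker without TPM'        = ((& $get 'EnableBDEWithNoTPM') -eq 1)
        'OS drive cipher'                    = (& $decode (& $get 'EncryptionMethodWithXtsOs'))
        'Fixed drive cipher'                 = (& $decode (& $get 'EncryptionMethodWithXtsFdv'))
        'Removable drive cipher'             = (& $decode (& $get 'EncryptionMethodWithXtsRdv'))
    }
}

Get-FvePolicy | Format-List

# The registry equivalent of the two policies named in the text (elevated prompt, before
# encryption is started; these are the same values gpedit writes):
# New-Item -Path $FveKey -Force | Out-Null
# Set-ItemProperty -Path $FveKey -Name UseAdvancedStartup       -Value 1 -Type DWord  # "Require additional authentication at startup"
# Set-ItemProperty -Path $FveKey -Name EnableBDEWithNoTPM       -Value 1 -Type DWord  # ...including on PCs without a TPM
# Set-ItemProperty -Path $FveKey -Name EncryptionMethodWithXtsOs -Value 7 -Type DWord  # XTS-AES 256 instead of the default 128
```

On a freshly installed Home or Pro system every field reports “Not configured”, which is exactly the state the answer above describes: TPM-only unlock and 128-bit XTS-AES. The audit is read-only; the commented Set-ItemProperty lines only take effect for drives that are encrypted after they have been set.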




c’t 4/2023


Photovoltaics are booming and you can’t reach an installer? In the c’t 4/2024 issue, we lend a hand and screw a PV system onto the roof in a self-experiment. c’t explains which steps you can and may carry out yourself and when the specialist company has to do it. You will get to know the legal and financial framework and learn how the PV components work. We’ve also written a practical guide to encrypting data, tried cracking USB storage with built-in encryption, and tested efficient Ryzen 7000 CPUs. You can read all this and much more in c’t 4/2023!


(jss)
