TLDR: If you aren’t worried about someone sitting at your computer (or stealing it) and getting access to your data, and you don’t keep private information for other people on your computer (health, financial, etc.), then you don’t need Bitlocker. Most people don’t really need it.

What it is:
Bitlocker is a drive-encryption feature built into Windows. It can be enabled by default on some computers without you knowing it. It is normally transparent: you can’t tell whether it is on or off.

  • Pros of having Bitlocker on
      • If your computer is stolen and the thief doesn’t know and can’t guess your PIN/password, they cannot get access to your data.
      • Windows is more protected against a hacker walking up to your computer and either getting into it or putting a virus on it.
  • Cons of having Bitlocker on
      • Slight slowdown (generally not noticeable).
      • If a Windows Update changes BIOS or TPM settings/firmware, you may get a recovery screen and cannot boot until you enter a recovery key.
      • Certain types of backup and recovery are harder and take longer.

There is also the reverse Pros and Cons list.

  • Pros of NOT having Bitlocker
      • Slightly better performance.
      • A Windows Update won’t cause issues and lock you out until you put in a recovery key.
  • Cons of NOT having Bitlocker
      • Someone with knowledge and a USB drive can get into your computer and get anything out of it, or put in a virus, and you won’t know unless they want you to.
      • Keeping HIPAA information about other people on it could be a violation.

What does Bitlocker do?
(This is mostly accurate while being simplified for non-geeks):
Data written to your drive (including Windows itself, programs, your Desktop, Documents, browser, etc.) is all encrypted so that without the decryption key it is not viewable. Your computer usually has a special chip called a TPM, which is basically a vault for the decryption keys. Bitlocker normally has a backup recovery key, which gets saved to the Microsoft account of the first person to set up that laptop.

How does Bitlocker work:
When your computer starts, it asks the TPM to decrypt the drive. The TPM checks everything it can see to make sure nothing is amiss (the drive is in the right computer, no signs of hacks/viruses, etc.). If no issues are found, it allows the drive to unlock and Windows to boot up. This happens so fast you don’t notice it.

You could think of it as your programs saving data in English, and Bitlocker translating it to German before saving it. When any program reads data back, Bitlocker translates it back to English, so the program doesn’t know that it wasn’t saved in English. The TPM is then like the translation dictionary, as is the recovery key.

How does Bitlocker usually fail:
If a Windows Update messes with firmware, or a setting changes in a way the TPM doesn’t like, then the next time you reboot the computer won’t start, because the TPM refuses to let the drive unlock. Instead you get a blue recovery screen asking you to enter the recovery key.

How do I get my Bitlocker Recovery Key:
You can open this link, sign into your Microsoft account, and see all Bitlocker recovery keys saved to your account. If you don’t see the key you need, log out and log in to a different Microsoft account.
https://go.microsoft.com/fwlink/p/?LinkId=237614

If you can’t find your Bitlocker Recovery Key:
If you can’t find your key, note the sentence above: “Bitlocker normally has a backup recovery key which gets saved to the Microsoft account of the first person to set up that laptop.” If someone else set up your computer, ask them to check their Microsoft account for it.

How private do I need to keep my Bitlocker key:
Your key is only useful to someone who has your drive or laptop, since the key allows them to unlock your drive. If they don’t have your drive, the key does nothing by itself. Don’t post it to Facebook, since someone who stole your laptop and saw the key there could get in, but you don’t need to keep it very secret either. Print a few copies and keep them at home, and take a picture of it with your phone.

How can Tech208 help:
We save a copy of every Bitlocker recovery key on any computer that we work on. If you are a customer and have a Bitlocker recovery screen, we can text you your key so you can get booted back into Windows!

If you have it and don’t want Bitlocker:
We can turn Bitlocker off for you if you don’t want to use it. The command to disable it is quick, although the actual decryption can take a while depending on the size and speed of your drive (anywhere from 20 minutes to 24 hours).

If you want it and don’t have it:
We can turn Bitlocker on for you, if your device supports it. If your computer has the Pro version of Windows, it supports it. Some Home versions support it, but not all. If you have Home and need Bitlocker, we will need to upgrade it to Pro first (which Microsoft charges $99 to do). Please note that if you don’t have a TPM chip, you will be prompted for a PIN or password at bootup before Windows starts to load.
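For readers comfortable with a command prompt, the checks behind the last few sections (is there a TPM, is the drive encrypted, what is my recovery key, how is Bitlocker turned off or on) can all be done from PowerShell. The script below is an added example written for this page, not Tech208’s own procedure; it assumes Windows 10 or 11 with the built-in BitLocker and TrustedPlatformModule modules, run from a PowerShell window opened as Administrator. The drive path E:\ for the backup copy is a placeholder you would change to your own USB stick.

```powershell
# Added example (not Tech208's own procedure). Reads the TPM and Bitlocker state of this PC
# and shows the recovery key, so you have it saved BEFORE a firmware or Windows Update can
# put you on the blue recovery screen. Run as Administrator on Windows 10/11.

# 1. Is there a TPM, and is it ready? Without one, Bitlocker falls back to a startup PIN/password.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"

# 2. Bitlocker status for every volume: encrypted or not, protection on or off, how far along.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage, EncryptionMethod |
    Format-Table -AutoSize

# 3. The recovery key for the Windows drive (normally C:). The short "Key ID" printed on the
#    recovery screen is the first block of KeyProtectorId, which is how you tell which of
#    several keys saved to a Microsoft account is the one for this drive.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$os.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object {
        "Key ID:            $($_.KeyProtectorId)"
        "Recovery password: $($_.RecoveryPassword)"   # the 48-digit number to print and keep at home
    }

# 4. Optional: save a text copy of the key to a USB stick. E:\ is a placeholder for your drive.
#    Keep this file OFF the encrypted drive itself, or it is unreadable exactly when you need it.
# manage-bde -protectors -get $env:SystemDrive > "E:\bitlocker-recovery-key.txt"

# 5. Turning Bitlocker off or on. Left commented out on purpose: decrypting a large drive can
#    take hours, and encryption should only be started after the recovery key above is saved.
# Disable-BitLocker -MountPoint $env:SystemDrive                 # starts background decryption
# Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
# Enable-BitLocker  -MountPoint $env:SystemDrive -TpmProtector   # needs a ready TPM; otherwise use a PIN/password protector
```

Steps 1 to 3 only read information and change nothing. Steps 4 and 5 are the commands that write or change state, which is why they are commented out; remove the leading # on one line at a time only when you mean it.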

Should I Use it?
Probably not. If you have data on your computer that you need to keep private, even against theft or someone in your house, or if it is a laptop that you could leave somewhere, then Bitlocker may be the best solution. Most of my customers don’t need or want it. I use it on all of my computers that may ever have customer data or information on them, just as an extra layer of security. I have been using drive encryption since Windows XP (I used TrueCrypt back then), since in my line of work, I am often assisting customers and need to be extra careful.

More details on working with Bitlocker can be found here:
https://helpfultechnotes.com/guide/24