Microsoft’s operating systems include a feature called BitLocker. It’s an easy way to encrypt your data drives and keep your stuff secure. Activating BitLocker takes about two seconds, especially if your Windows computer has a Trusted Platform Module (TPM).
With a TPM, you flip a switch in your Control Panel, and bam – BitLocker is up and running. Nice and easy! But what if you don’t have one of those fancy TPM things? No worries, you can still use BitLocker. I’ll walk you through the simple steps to encrypt your data drives even without this extra hardware.
Getting BitLocker going might take a few minutes longer, but it’s still pretty straightforward. And then you’ll have that peace of mind that your files and personal information are protected behind serious encryption. No computer science degree is required!
So don’t sweat it if you’re missing a TPM – BitLocker works with or without one. Let me show you how to make it happen.
Using Group Policy – Enable BitLocker without TPM
If your computer doesn’t have a TPM module, or you’re working with virtual machines, you can still use BitLocker by adding extra authentication during startup. This means you’ll need to enter a password or use a file from a USB stick.
To enable BitLocker without TPM
Follow these steps:
1. Open the local group policy editor (gpedit.msc) and navigate to “Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.”
2. Activate the “Require additional authentication on startup” policy and check “Allow BitLocker without a compatible TPM.”
If you’re in an Active Directory domain, you can deploy these settings via group policy under “Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Operating System Drives.”
Once the setting is active, go to the Control Panel, open “System and Security,” and click on “Manage BitLocker.” Now, you can set up BitLocker without a TPM.
When you click “Turn on BitLocker,” you’ll be prompted to choose how the drive should be unlocked during OS startup:
- Connect USB stick: Identify yourself by inserting a USB stick. No additional password is needed, but be cautious about potential technical issues or losing the USB device.
- Enter password: This option requires entering a password each time the OS starts. It may be inconvenient, but it’s a secure choice. Note: Be careful with special characters or umlauts, because the keyboard layout may be set to English at the password prompt, before the OS starts.
In this guide, I’ll use the password option. After choosing, you’ll be asked to enter a new password.
Next, save the recovery key, a last resort to unlock the drive without the password or USB stick. Keep this key secure, both digitally and on paper. Remember, you can’t save the recovery key on the drive you are encrypting.
After completing these steps, restart your computer to finalize BitLocker activation. If you selected the “Enter password” option, you will be prompted for the BitLocker password before Windows starts.
BitLocker will be enabled, and the encryption process will begin running in the background. You can check the status through the “BitLocker drive encryption” taskbar icon (double-click).
The encryption duration depends on the disk size and data volume, so it might take some time. During encryption, you can safely use or shut down the system. The process will resume after a reboot.
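The same procedure as a script, added here as an example and not part of the original guide. It assumes an elevated PowerShell session with the BitLocker module available, and it checks the registry values `UseAdvancedStartup` and `EnableBDEWithNoTPM` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, which is where the group policy setting from step 2 is stored.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the "Enter password" path in this guide.

$MountPoint = $env:SystemDrive                       # OS drive, normally C:
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' # where the GPO setting is stored

# 1. Refuse to continue unless the startup-authentication policy from step 2 is applied.
$policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if ($policy.UseAdvancedStartup -ne 1 -or $policy.EnableBDEWithNoTPM -ne 1) {
    throw "Policy not applied: enable 'Allow BitLocker without a compatible TPM' and run gpupdate /force."
}

# 2. Do nothing if the volume is already encrypted or mid-encryption.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is in state '$($vol.VolumeStatus)'; not changing it."
}

# 3. Ask for the startup password interactively so it never lands in a script or history.
#    Stick to characters that sit on the same keys in the English layout.
$password = Read-Host -AsSecureString -Prompt 'BitLocker startup password'

# 4. Create the recovery password first, so a recovery path exists before encryption starts.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store it OFF this drive): $($recovery.RecoveryPassword)"

# 5. Turn on BitLocker with the password protector. Without -SkipHardwareTest,
#    encryption begins after the restart described in the guide.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password | Out-Null

# 6. Show status; re-run this line after the reboot to watch progress.
Get-BitLockerVolume -MountPoint $MountPoint |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```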