Full Disk Encryption (FDE) on Windows: BitLocker and Alternatives

Full disk encryption is great for preventing access if your device is stolen. Let's check out native BitLocker for Windows and its alternatives.

You know what's scary about a stolen laptop from West Virginia's Coplin Health Systems containing the data of 43,000 patients?

Or what's wrong with a contractor in Japan losing a USB drive containing the personal information of 460,000 residents?

The data was not encrypted.

Without encryption, whoever holds the device can read the personal data and sell it on the dark web.

They learned their lesson the hard way. It shouldn't have come to that, given how easy it is to encrypt data.

The following sections discuss disk encryption, how to do it with BitLocker, and several alternatives to BitLocker.

Full disk encryption

Full Disk Encryption (FDE) means encrypting the drives on your system in their entirety. It prevents data from being read off a lost or stolen device and, when applied to system drives, can also provide boot-time integrity verification for additional security.

Professional, Enterprise, and Education editions of Windows come with BitLocker Drive Encryption built in.

Using BitLocker, you can password protect a drive; once unlocked, it works like any other drive. There is also a recovery key that lets you regain access if the password is lost, and without either the contents of the disk cannot be read.

The protection is also not tied to the operating system. For example, a drive encrypted on Windows remains unreadable when attached to a Linux machine without the key.

Notably, this will not protect you once the system is unlocked. Disk encryption is useless against, say, spyware you may have unknowingly installed that steals your personal information. It therefore does not replace anti-virus or anti-spyware tools.

To get started, type BitLocker in the taskbar search and open Manage BitLocker.

Now select the desired drive and click "Turn on BitLocker".

The subsequent process is different for the operating system drive and non-system partitions, including portable drives.

BitLocker on system drives

By default, the TPM security chip (version 1.2 or later) is used for authentication, and the machine boots as soon as the TPM returns the key.

The Trusted Platform Module (TPM) is a separate chip that ships with modern PCs and verifies the overall integrity of the device at boot. If Windows does not detect a TPM that your machine actually has, you may need to activate it first.

With TPM-only protection, no pre-boot authentication is performed: the machine boots straight to the Windows login screen, so anyone with your computer only needs to guess your Windows login password.

For maximum security, however, you can enable a pre-boot PIN in the Local Group Policy Editor. BitLocker will then require the PIN (and, as a fallback, the recovery key) before allowing the machine to boot.

The difference is that the TPM has built-in protection against brute force: after a few wrong attempts it locks out further guesses, so an attacker cannot keep trying PINs indefinitely.

Just remember to set this up before running encryption.

The process is quite simple. First, open Windows Run by pressing ⊞ + R, type gpedit.msc and press Enter.

Then go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

BitLocker encryption will now require a PIN or a pre-configured USB drive as physical pre-boot authentication.

You then move on to encrypting the entire disk or only the disk space in use.

Encrypting everything is generally the better choice for older computers, since previously deleted data may still be recoverable from empty sectors using Windows data recovery tools.

Next, you decide between the new encryption mode and compatible mode. Choose the new encryption mode for an operating system drive; compatible mode exists so that the drive can also be unlocked by older versions of Windows, which is what matters for portable storage.

Finally, it's a good idea to run a BitLocker System Check on the next window to make sure everything is working properly.

BitLocker on fixed data drives

Encrypting these partitions and drives is simpler: BitLocker first asks you to set a password for the drive.

Once you get past that, the process is similar to operating system drive encryption, minus the BitLocker system checks.
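To show the same setup from the command line, here is an added PowerShell example (not from the original article) that applies the steps above for both an operating system drive and a fixed data drive. It assumes an elevated prompt, drive letters C: and D:, and an already-unlocked removable drive E: for the recovery password file; the registry values mirror what the Group Policy setting writes.

```powershell
# Added example, not from the article: BitLocker setup from an elevated PowerShell
# prompt. Drive letters C:, D: and E: are assumptions; adjust for your machine.

# 1. Confirm the TPM is present and ready; without it TPM-based protectors cannot be used.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM missing or not initialised; enable it in firmware before continuing."
}

# 2. Policy equivalent of enabling the pre-boot PIN in gpedit.msc
#    (1 = require, 2 = allow, 0 = do not allow). A domain GPO would override this.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPM             -Value 2 -Type DWord

# 3. Operating system drive: create the recovery password first and save it off the
#    machine (assumed file on E:), so it exists before encryption starts.
$rp = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword |
    Out-File 'E:\bitlocker-recovery-C.txt'

# 4. TPM + PIN protector, XTS-AES 256 ("new encryption mode"), whole drive rather
#    than used space only (omit -UsedSpaceOnly). The BitLocker system check runs
#    on the next restart because -SkipHardwareTest is not passed.
$pin = Read-Host -AsSecureString -Prompt 'Pre-boot PIN'
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
                 -TpmAndPinProtector -Pin $pin

# 5. Fixed data drive: password protector, compatible mode (AES-CBC) so older
#    Windows versions can unlock it, plus its own recovery password.
$dpw = Read-Host -AsSecureString -Prompt 'Password for D:'
Add-BitLockerKeyProtector -MountPoint 'D:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 `
                 -PasswordProtector -Password $dpw

# 6. Verify: every volume should list its protectors and encryption progress.
Get-BitLockerVolume | Format-Table MountPoint, VolumeStatus, EncryptionPercentage,
    ProtectionStatus, @{n='Protectors'; e={ $_.KeyProtector.KeyProtectorType -join ',' }}
```

Protection on C: only becomes active after the restart that runs the hardware test, so check `ProtectionStatus` again afterwards.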

While BitLocker is convenient, it's not available to people using the Windows Home variants. The second best free option is Windows Device Encryption if your device supports it.

It differs from BitLocker in that it requires a TPM and offers no pre-boot authentication.

You can check availability in System Information. Open Windows Run, type msinfo32 and press Enter. Scroll down to the Device Encryption Support entry and check whether it reads "Meets prerequisites".

If it does not, your device most likely does not support device encryption. The manufacturer's support team may still be able to offer a solution.

Beyond the built-in options, there are several full disk encryption tools, both free and paid, that you can use.

VeraCrypt

VeraCrypt is free and open source encryption software for Windows, Mac and Linux. Similar to BitLocker, you can encrypt system drives, fixed data drives, and portable drives.

It is more flexible and offers a choice of encryption algorithms. It also encrypts on the fly: create an encrypted container, and files moved into it are encrypted transparently.

VeraCrypt can also create hidden encrypted volumes and, like BitLocker, supports pre-boot authentication.

The user interface can be overwhelming, but there is nothing a YouTube tutorial can't walk you through.

BestCrypt

You can think of BestCrypt as a convenient, paid counterpart to VeraCrypt.

It gives you access to various algorithms and many options for full disk encryption, including encrypted containers and system drive encryption.

Alternatively, you can deploy the download with a password.

BestCrypt is a multi-platform encryption tool that comes with a 21-day free trial.

Commercial alternatives to BitLocker

These are ready-to-use enterprise solutions sold under volume licensing.

ESET

ESET Full Disk Encryption is built for remote management and can be run from either an on-premises or a cloud console.

It secures hard drives, portable drives, email, and more with standard AES 256-bit encryption.

It also allows you to encrypt individual files using File Level Encryption (FLE).

You can test it out with an interactive demo or a 30-day free trial for a full hands-on experience.

Symantec

Symantec by Broadcom is another leading provider of enterprise-grade encryption. Its full disk encryption supports the TPM, protecting institutional devices against unauthorized access.

You also get pre-boot checks, as well as email and removable drive encryption.

Symantec helps set up single sign-on and can also secure cloud applications. It supports smart cards and offers various recovery methods if a user forgets the password.

In addition, Symantec comes with file-level encryption, a sensitive file monitor, and various other features, making it an indispensable end-to-end encryption solution.

ZENworks

ZENworks by Micro Focus is an easy way for any organization to roll out AES-256 encryption.

It supports optional pre-boot authentication with a username and password or a smart card with PIN, and its centralized key management helps users who get stuck logging in.

You can create encryption policies for devices and enforce them over a standard HTTP web connection.

Finally, you can take advantage of the free trial without a credit card to see it firsthand.

FDE vs. FLE

Sometimes encrypting the entire drive is not the right fit. In such cases, it makes sense to protect specific files with file-level encryption (FLE), also called file-based encryption (FBE).

FLE is more common and we often use it without noticing its presence.

For example, WhatsApp conversations are fully encrypted. Likewise, emails sent through Proton Mail are encrypted automatically, and only the recipient can access the content.

You can also secure individual files with FLE tools such as AxCrypt or FolderLock.

The distinct advantage of FBE over FDE is that all files can have different encryption keys. Hence, if one is compromised, the rest will remain safe.

The price is the added complexity of managing all of those keys.

Summary

Full disk encryption is critical if you ever lose a device containing sensitive information.

Even though every user has important data on board, businesses need disk encryption more than anyone else.

In my view, BitLocker is the best encryption tool for Windows users. VeraCrypt is another option for those who can tolerate its dated interface.

Organizations should not rely on someone else's verdict but should test the candidates and choose what fits their use case. The one thing a business owner should avoid is vendor lock-in.
