In the next very second, someone out of nowhere comes and steals your laptop away from you whilst you are standing there holding onto that cappuccino you’ve just bought over the counter.
You fall down onto your knees and cry like you never cried before as you have all your naked bath photos playing with your rubber duck stored on that stolen laptop.
So what should you have done?
You should have enabled full-disk encryption on your laptop.
In this guide, I’ll show you how to enable Windows 10 encryption (full-disk encryption) so that you can protect all of your important files from being hacked or stolen.
Why You Should Enable Full-Disk Encryption
Encryption is not only about fending off the NSA or the FBI from spying on us; it is also about protecting your sensitive data, so that if something were to happen to your PC, your data stays safe.
Do these before you proceed
1. Make sure you back up your computer before trying any of these methods
2. Check if your computer supports Windows Device Encryption
Most PCs after Windows 8.1 (but not all) will already have Device Encryption enabled, and almost all new PCs that came with Windows 10 will have it, but you should check just to make sure before going through with full-disk encryption.
To an extent, this kind of device encryption only encrypts your drive if you sign in to Windows with a Microsoft account. After you do so, your recovery key is then uploaded to Microsoft’s servers which will then help recover your files if you ever forget or can’t log into your PC.
If you’re in this to stop the NSA, then it is certainly not going to be very effective as the NSA can easily take advantage of your information through Microsoft’s servers. However, you can stop laptop thieves from stealing your information.
To find out whether your computer has Device Encryption enabled, follow these steps
- Open the Settings app
- Navigate to System and then About
- Look for a Device encryption setting at the bottom of the About page.
If you don’t see anything about Device Encryption here, your PC doesn’t support Device Encryption and it’s not enabled. If Device Encryption is enabled, or if you can enable it by signing in with your Microsoft account, you’ll see a message here saying so.
Let’s dive right into enabling Windows 10 encryption on your machine.
How to Enable Windows 10 Encryption : 3 Simple Ways
1. Use BitLocker.
You need to be on Windows 10 Professional to do this (BitLocker is only available on Windows 10 Professional) and signed in with your Microsoft account.
These are the six simple things you need to check before you go through with BitLocker encryption.
- your computer should be equipped with a Trusted Platform Module (TPM) chip.
- you can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication
- your computer’s BIOS must support TPM or USB devices during the startup. Otherwise you would have to check your PC manufacturer’s support website to get the latest firmware update for your BIOS before trying to set up BitLocker.
- your PC’s hard drive must contain two partitions: a system partition, which contains the necessary files to start Windows, and the partition with the operating system. Both must be formatted with the NTFS file system.
- you need time, loads of time, as the process to encrypt an entire hard drive isn’t difficult, but it’s time-consuming.
- you need power so make sure to keep your computer connected to an uninterrupted power supply throughout the entire process.
How to Check If Your Computer has TPM Hardware?
Before you go through with the BitLocker encryption check first if your computer contains TPM hardware. TPM is a special microchip that enables your device to support advanced security features and provides a tamper-resistant way to store encryption keys on a computer.
You can check if you have TPM hardware in your computer by following these steps
- Press Windows+R to open a run dialog window
- Type tpm.msc into it
- Press Enter to launch the tool
- Use the Windows + X keys to open the Power User menu. Then select Device Manager.
- Expand Security devices. If you have a TPM chip, you should see it listed there as Trusted Platform Module, together with the version number.
Note: Your computer must have a TPM chip version 1.2 or later to support BitLocker.
Oh, and another thing (I know it’s kind of a pain in the ass, since this method has a lot of prerequisites): if the window shows information about the TPM in your computer, with a message at the bottom right corner saying which TPM version your chip supports, then your PC does have a TPM.
If you see a Compatible TPM cannot be found message instead, your computer does not have a TPM.
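The checks above (Windows edition, TPM present and version 1.2 or later, NTFS on the operating system drive) can also be run from an elevated PowerShell prompt. This is an added example, not part of the original guide; the function name Test-BitLockerPrerequisite is made up for illustration, and it relies on the built-in Get-Tpm, Get-Volume and Get-CimInstance cmdlets.

```powershell
# Added example: report the BitLocker prerequisites this guide lists.
# Run in an elevated (Administrator) PowerShell session.
function Test-BitLockerPrerequisite {
    [CmdletBinding()]
    param(
        # Drive letter of the operating system volume, without the colon.
        [string]$DriveLetter = $env:SystemDrive.TrimEnd(':')
    )

    # Windows edition; the guide requires Windows 10 Professional.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # TPM presence and readiness.
    $tpm = Get-Tpm

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is
    # the specification version that the "1.2 or later" note refers to.
    $specVersion = $null
    if ($tpm.TpmPresent) {
        $wmiTpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                  -ClassName Win32_Tpm
        $first  = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        $parsed = $null
        if ([version]::TryParse($first, [ref]$parsed)) { $specVersion = $parsed }
    }

    # File system of the operating system volume; it must be NTFS.
    $volume = Get-Volume -DriveLetter $DriveLetter

    [pscustomobject]@{
        Edition        = $os.Caption
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady
        TpmSpecVersion = $specVersion
        TpmVersionOk   = ($null -ne $specVersion -and $specVersion -ge [version]'1.2')
        OsVolume       = "${DriveLetter}:"
        FileSystem     = $volume.FileSystem
        NtfsOk         = ($volume.FileSystem -eq 'NTFS')
    }
}

Test-BitLockerPrerequisite | Format-List
```

If TpmPresent is False, this is the same situation as the Compatible TPM cannot be found message.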
How to Enable BitLocker
- Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel (Or you can just go to the Start button and then search and select the Control Panel)
- Click System and Security.
- Click BitLocker Drive Encryption.
- Under BitLocker Drive Encryption, click Turn on BitLocker
- Here you can choose how you want to unlock your drive during startup: Insert a USB flash drive or Enter a password. For now I’ll choose the easier method: select Enter a password to continue.
- Now you’ll have to enter a password that you’ll use every time you boot Windows 10 to unlock the drive (and something you can remember). After that, click Next to continue. (Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols.)
- Don’t worry about forgetting your password: you will be given several options to save a recovery key, which lets you regain access to your files if you ever forget your password in the future. Select the option that is most convenient for you and save the recovery key in a safe place. Here are the options you can choose:
  - Save to your Microsoft account
  - Save to a USB flash drive
  - Save to a file
  - Print the recovery key
- Click Next to continue.
- Now you have to select the encryption option that best suits your needs. Here are the encryption options that you can choose from:
  - Encrypt used disk space only (faster and best for new PCs and drives)
  - Encrypt entire drive (slower but best for PCs and drives that are already in use)
- After that, choose between these two encryption options:
  - New encryption mode (best for fixed drives on this device)
  - Compatible mode (best for drives that can be moved from this device)
- Click Next to continue.
- Now make sure that you check the Run BitLocker system check option. Then, click Continue.
- You’re done! All you have to do now is restart your computer to begin the encryption process (so that you can test this all out).
- Once your computer reboots, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.
Things you need to know
After you reboot, you’ll notice that your computer will quickly boot to the Windows 10 desktop.
However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you’ll see that BitLocker is still encrypting your drive.
What should you do now? Absolutely nothing. It can take some time to finish, depending on the option you chose earlier and the size of your drive. And yes, you can continue to use your computer while the finishing touches are done in the background.
Once the encryption process is complete, the status next to the drive should read BitLocker on.
You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC in File Explorer.
How to Turn On BitLocker (If you Don’t Have TPM)
- Use the Windows key + R keyboard shortcut to open the Run command, type gpedit.msc, and click OK.
- Under Computer Configuration, expand Administrative Templates.
- After that, expand Windows Components.
- Now expand BitLocker Drive Encryption and then select Operating System Drives.
- On the right side, double-click on Require additional authentication at startup.
- Select Enabled.
- Now make sure that you check the ‘Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)’ option.
- That’s it. Now click OK to complete this process.
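The status described under "Things you need to know", and the no-TPM policy set above, can both be confirmed from an elevated PowerShell prompt. This is an added example, not part of the original guide; the function name Get-BitLockerSummary is made up for illustration, and it assumes the policy is stored in the UseAdvancedStartup and EnableBDEWithNoTPM values under HKLM:\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example: summarise BitLocker state for one drive.
# Run in an elevated (Administrator) PowerShell session.
function Get-BitLockerSummary {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Key protector types on the volume, e.g. Tpm, Password, ExternalKey,
    # RecoveryPassword. RecoveryPassword is the recovery key you saved.
    $protectors = @($vol.KeyProtector |
        ForEach-Object { $_.KeyProtectorType.ToString() })

    # The "Require additional authentication at startup" policy.
    # The key is absent when the policy was never configured.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -ErrorAction SilentlyContinue
    $noTpmAllowed = ($null -ne $fve -and
                     $fve.UseAdvancedStartup -eq 1 -and
                     $fve.EnableBDEWithNoTPM -eq 1)

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        # EncryptionInProgress while the background pass runs,
        # FullyEncrypted once it has finished.
        VolumeStatus        = $vol.VolumeStatus
        EncryptionPercent   = $vol.EncryptionPercentage
        ProtectionStatus    = $vol.ProtectionStatus      # On or Off
        EncryptionMethod    = $vol.EncryptionMethod
        KeyProtectors       = $protectors -join ', '
        HasRecoveryPassword = $protectors -contains 'RecoveryPassword'
        NoTpmPolicyAllowed  = $noTpmAllowed
        Finished            = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                               $vol.ProtectionStatus -eq 'On')
    }
}

Get-BitLockerSummary | Format-List
```

A drive that shows Finished as True but HasRecoveryPassword as False has no recovery key to fall back on if the startup password is forgotten.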
2. Use VeraCrypt.
If you do not want to spend another $99 on Windows 10 Professional just for BitLocker, then you might as well go for a free option like VeraCrypt (a successor to the once acclaimed TrueCrypt).
BitLocker is the most complete and well-supported option, but that doesn’t mean you should write off VeraCrypt, as it is just as good as BitLocker.
How to Install VeraCrypt
- Download and install VeraCrypt.
- Just double-click on the .exe file and follow the instructions in the wizard. Then select the Install option.
How to Create an Encrypted Volume
- Once the installation has finished, navigate to the Start menu and launch VeraCrypt.
- The very first thing you’ll need to do is create a volume. To do that, click on the Create Volume button. This will launch the Volume Creation Wizard, and you will be asked to choose one of several volume types. Choose the appropriate one. Volumes can be as simple as a file container you place on a drive or disk, or as complex as whole-disk encryption for your operating system. I have kept this guide simple, so we will be focusing on getting you set up with an easy-to-use local container.
- Select Create an encrypted file container.
- Next, the Volume Creation Wizard will ask you if you want to create a Standard or a Hidden volume. Again, for the sake of simplicity, I am going to skip messing around with Hidden Volumes at this point.
- After that, you’ll need to pick a name and location for your volume. The only important parameter here that you need to know is whether the host drive has enough space for the volume which you want to create.
- Done? Now it’s time to pick your encryption scheme. You really can’t go wrong much here.
- The next step needs you to select the volume size. You can set it in KB, MB, or GB increments. I created a 5GB test volume for this example.
- Now you have to generate your own password. However, there is one important thing that you should keep in mind here and that’s: Short passwords are a bad idea. You should create a password at least 20 characters long.
- You’re nearly there! Before you create the actual volume, the Volume Creation Wizard will ask if you ever intend to store large files. If you do intend to store files larger than 4GB within the volume, tell it so.
- Now you have reached the fun part! On the Volume Format screen, you’ll need to move your mouse around to generate some random data. Once you’ve generated enough random goodness, hit the Format button.
- Finally, once the format process is complete, you’ll be returned to the original VeraCrypt interface. You will find that the volume you created is now a single file wherever you parked it and ready to be mounted by VeraCrypt.
How to Mount an Encrypted Volume
- Start off by clicking on Select File in VeraCrypt’s main window and then navigate to the place where you stored your VeraCrypt container (see the previous step).
- Once you have selected the file you created, pick one of the available drives in the box above.
- Click Mount.
- Now enter the password that you’ve created before and then click OK.
- Voila! That was quite a few steps you went through; give yourself a pat on the back. 😀 Now you can go take a look at My Computer and see if your encrypted volume was successfully mounted as a drive.
Now, whenever you need to pack away your secret files, you can do that by opening the volume you’ve just created.
Things you need to know
Even if you have followed the above methods to get Windows 10 encryption, you don’t want to leave a trail of breadcrumbs to your protected information, do you? That would just lead a potential threat right to it.
So make sure you don’t forget to securely wipe all the files once you’ve copied them into your new encrypted volume.
The regular file system storage that you normally use is insecure and traces of the files you just encrypted will remain behind on the unencrypted disk unless you properly wipe the space.
Another thing that you shouldn’t forget to do is to pull up the VeraCrypt interface and Dismount the encrypted volume you created when you aren’t actively using it.
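One way to do the copy-then-wipe step described above, as an added example that is not part of the original guide. The function name Move-ToEncryptedVolume and both parameters are made up for illustration; the mounted VeraCrypt drive letter is whatever you picked when mounting. It uses the built-in Get-FileHash cmdlet and the cipher.exe /w option, which overwrites the unused space on the volume containing the given folder.

```powershell
# Added example: copy files into a mounted encrypted volume, verify each
# copy by SHA-256, and only then remove the plaintext originals.
function Move-ToEncryptedVolume {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceDir,      # folder with plaintext files
        [Parameter(Mandatory)][string]$MountedVolume,  # e.g. 'V:\' (assumed drive letter)
        [switch]$WipeOriginals                         # without this, nothing is deleted
    )

    $results = foreach ($file in Get-ChildItem -LiteralPath $SourceDir -File) {
        $dest = Join-Path $MountedVolume $file.Name
        Copy-Item -LiteralPath $file.FullName -Destination $dest

        # The copy counts as verified only when both hashes match.
        $srcHash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $dstHash  = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        $verified = ($srcHash -eq $dstHash)

        if ($verified -and $WipeOriginals) {
            Remove-Item -LiteralPath $file.FullName
        } elseif (-not $verified) {
            Write-Warning "Hash mismatch, original kept: $($file.FullName)"
        }

        [pscustomobject]@{ File = $file.Name; Verified = $verified }
    }

    # Deleting a file only removes its directory entry; the data stays in
    # free space. cipher /w overwrites the free space of that volume.
    # This takes a long time, and on SSDs wear levelling means overwriting
    # is less dependable than on spinning disks.
    if ($WipeOriginals) {
        cipher.exe "/w:$SourceDir"
    }

    $results
}

# Dry run first: copies and verifies, deletes nothing.
# Move-ToEncryptedVolume -SourceDir 'C:\Users\me\Private' -MountedVolume 'V:\'
```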
3. Other Alternative Ways for Windows 10 Encryption.
If you do not want to use VeraCrypt, these are the other Windows 10 encryption options you can opt for instead 🙂
- Symantec Drive Encryption
We hope that this guide has helped by providing some security tips and tricks to enable Windows 10 encryption on your machine. If you have questions, please feel free to leave a comment below, and we would love to help you out. ❤