BitLocker is a drive encryption system integrated with the Microsoft Windows operating system, starting with Windows Vista onwards. It allows you to encrypt hard drives, removable disks or partitions in order to protect them using a specific password, and making them in fact inaccessible to third parties. The protection can also be configured for removable drives or USB sticks.
Actually there are also third-party tools for encrypting disks and partitions, such as TrueCrypt or VeraCrypt (considered the best alternative to the first and its successor), which are also free but do not give that security in terms of standards and reliability over time that instead can give an integrated Windows tool. BitLocker protects the data on the computer even from theft, since access to the files on the disks will not be possible without knowing the password.
To activate BitLocker in Windows 10 there are different operating modes. One of these requires a motherboard with a chip called TPM (Trusted Platform Module) version 1.2. This chip is used to store security passwords. The fact that passwords are saved on a physical medium, different from the disk, guarantees considerable security. However it is possible to activate and use BitLocker even on computers without the TPM chip, as we will see later, although this solution may be less secure than the previous one.
How to enable BitLocker to protect data on a partition:
In our example we show how to activate BitLocker on a single disk partition (which can be useful for protecting specific files or programs). Here we use the free “Macrorit Partition Expert” software, but we can use any other freeware software to create partitions. Select a partition and with the right mouse button click on “Move / Resize”. Remove 100 GB from an existing partition:
Create the new partition by assigning a file system, a label and a Drive Letter:
By clicking on “Apply” in the toolbar, the software will create the new partition. If you create the new partition on the disk where the Operating System is installed, you must restart the machine.
At this point just right-click on the new unit and select “Activate Bitlocker”, a form will appear to choose the mode with which to protect the data. In our example we have chosen the “Password” mode:
After setting the password and clicking on “Next”, BitLocker asks you to choose the password recovery mode.
The recovery options include:
- Microsoft Account;
- USB flash drive;
In the current example we choose to save the Recovery key to file. For obvious security reasons, the file should be moved from the PC and stored on another device.
Then BitLocker lets you choose whether to encrypt the entire unit or just the data in it. We choose to protect the entire unit.
Select “New Encryption mode”, click on “Next” and then on “Start Encryption”. BitLocker will begin the drive encryption process.
By encrypting the entire disk, the process will be slower.
After the process, the disk drive icon will be marked with a yellow padlock, to indicate that the disk must be unlocked before being used.
To unlock it just click on it and enter the password that is requested.
Use BitLocker even on computers without a TPM chip
In order to use BitLocker protection even on computers without a TPM chip, it is necessary to act on system policies. With this mode, the protection is at the software level, therefore less effective than the chip hardware protection.
By activating the protection and checking the “Allow BitLocker without a compatible TPM” option, we will be able to set an access password or choose to save the credentials on a USB support. Access to the data will be guaranteed by entering the password each time or by inserting a USB stick at the PC boot.
Using BitLocker to encrypt a disk drive or partition is a highly recommended practice for protecting sensitive data, both from a GDPR perspective and simply to avoid credential theft.
Use BitLocker to protect Remote Desktop Connection Manager (RDCMan) data
Remote Desktop Connection Manager is a free utility developed by Microsoft, widely used by network administrators, which allows you to manage multiple Remote desktop connections in a single user interface.
RDCMan allows you to save groups and more server objects to connect to. It is also possible to save the login credentials to avoid typing them at every connection. However, the RDCMan archive files, also containing the credentials, are saved on the disk and, considering that Microsoft has not provided the utility of a “Master Password” feature, any attacker who has access to the computer can easily connect to remote machines simply by opening RDCMan. Using BitBlocker with the protection of a disk drive dedicated to saving Remote Desktop Connection Manager (RDCMan) files can be considered an obligatory method to protect connection data from unauthorized access. The following is the error of RDCMan when trying to access its files, protected inside an encrypted drive:
Use Iperius to back up folders and files from a BitLocker-protected disk:
Data protection with BitLocker also prevents access to backup software that intends to copy files from a protected disk. This obviously also applies to Iperius Backup. If you do not remove the protection from the drive, Iperius will show the following error in the backup logs.
Obviously, by unlocking the disk drive, the backup will run successfully, but this poses some problems when we need to perform automatic backups, since unblocking the disk requires explicit user intervention. One solution is to run a script with Iperius before the backup (we can configure it in the backup operation options, “Other processes” panel), where we can insert a command that unlocks the drive before backup, as in the following example:
manage-bde -unlock D: -RecoveryPassword LA-TUA-RECOVERY-KEY
Then, at the end of the backup, Iperius can execute another script that locks the drive again:
manage-bde -lock D:
However, it is pointless to add how unsafe it is to keep a script on a disk with a clear password to decrypt the BitLocker protected disk. A safer way to back up hard drives encrypted with BitLocker is to use the Drive Image backup mode.
Drive Image Backup with Iperius of a disk drive protected with BitLocker:
Different scenario we find in Iperius Drive Image Backup. The backup is performed successfully both in the case of a locked drive and in the case of an unlocked drive. Subsequently, when “.vhdx” image file is eventually restored, if the drive was locked at the origin it will be restored with the active lock, vice versa will be restored unlocked:
Iperius can therefore be considered an excellent software to clone a hard disk or SSD with BitLocker. Furthermore, Iperius allows you to restore a BitLocker encrypted disk, following the procedure shown in the following tutorial: https://www.iperiusbackup.net/bitlocker-recovery-restore-drive-image-backup-protetto-con-bitlocker-con-iperius/
The same thing will happen if you run a Windows Drive Image (the drive image compatible with Windows Backup that Iperius runs via the wbadmin interface). The thing actually attracted some criticism, given that the Windows backup system explicitly warns that the disk backup will not be encrypted in turn. However, security can be guaranteed by saving the backup, ie the VHDX image file, on a path which is itself encrypted or otherwise inaccessible except through authentication.