Encrypting Windows computers

Encrypting a computer running Microsoft Windows.

Microsoft Windows comes in various versions. The most professional of these, "Enterprise", supports whole disk encryption.

Earlier versions of Windows (Windows 7 and Windows 8) support encryption in the professional versions but not in the "Home" editions.

Contact IS.Helpline to find out if your version is encryptable, or if you need help to encrypt it.

Some Windows editions, and some hardware, simply make it impossible, or far too difficult, to support encryption.

Note that using sensitive information on a laptop without encryption is a contravention of Section 4 of the University Information Security Policy.

BitLocker prevents

Offline Attack
BitLocker prevents the type of attack where a malicious user takes the hard drive from your computer and connects it to another computer so they can harvest your data.
LiveCD Attack
If a malicious user boots from an alternate operating system, either from a hard drive or from a removable device such as a LiveCD, the disk contents cannot be read.
End of Life Leakage
When you recycle or dispose of your computer, your data remains encrypted as long as you delete the encryption keys.

BitLocker does not protect ...

It is a misconception that your password unlocks BitLocker. Any valid user logging in to the computer decrypts the disk. To protect your computer, you have to make sure that all the users who may log in to it require passwords. Disable all guest login accounts on a BitLocker-encrypted computer, otherwise hard disk encryption is of no use.

BitLocker on Supported Desktops

It is University policy that all fully compatible, University-owned supported laptops are configured with BitLocker.

Modern desktops and laptops are also compatible with BitLocker.

If you have a Supported Desktop computer, and it is modern enough to be compatible with BitLocker, you can encrypt it by following these steps:

  • Close any open documents, as your computer will be restarted
  • Select [Start Menu]
  • Type "software center" into the search box
  • Select [Operating Systems] from the menu
  • Select [Encrypt Computer Hard Disk]
  • Click on [Install]

Not all computers are compatible with BitLocker. If you need help, ask your Computing Support Team. The link below will help guide them through the process.

Computer Officer's Reference pages for Supported Desktop Encryption

Manually configuring Windows BitLocker encryption

If you are using a self-managed PC, you can follow this guide to encrypt your hard disk yourself.

BitLocker only works well enough on the "Professional" and "Enterprise" editions of Windows 7 and the most professional of the Windows 8 operating systems. BitLocker also works best if your computer is equipped with the right kind of TPM hardware module inside. Most computers bought through the University will have a suitable TPM built in, but not all. If encryption is a definite requirement for you, ensure you choose a computer that is fully compatible with BitLocker.

The BitLocker support pages are currently on the University wiki intranet. This link will take you there but will only work if you have access to that site. If you are a computing officer without access, contact IS.Helpline to gain access.

Manual BitLocker encryption instructions

If you manage your own Windows computer (works on Windows 7 Professional editions and higher, and some versions of Windows 8), you can encrypt your hard disk by following the instructions shown.

Checking if your PC is already encrypted.

You can check the BitLocker status of a machine using the BitLocker Drive Encryption application, which is in Control Panel under System and Security. Details follow.

Checking BitLocker status
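
The status check described above, combined with the guest-account point from the section on what BitLocker does not protect, as an added PowerShell example (not part of the original page or the University's tooling). It assumes an elevated session on Windows 8 or later with PowerShell 5.1; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumes the BitLocker and LocalAccounts modules are present
# (Windows 8 or later for Get-BitLockerVolume, PowerShell 5.1 for Get-LocalUser).

function Get-EncryptionReport {
    # One row per volume BitLocker knows about. A volume only counts as
    # compliant when it is fully encrypted AND protection is switched on
    # (protection is Off when BitLocker is suspended or was never enabled).
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeStatus  = $_.VolumeStatus
            Protection    = $_.ProtectionStatus
            PercentDone   = $_.EncryptionPercentage
            KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
            Compliant     = ($_.VolumeStatus -eq 'FullyEncrypted' -and
                             $_.ProtectionStatus -eq 'On')
        }
    }
}

function Get-RiskyLocalAccount {
    # Enabled local accounts that are the built-in Guest (RID 501) or that
    # are allowed to have no password.
    Get-LocalUser | Where-Object {
        $_.Enabled -and
        ($_.SID.Value -like '*-501' -or -not $_.PasswordRequired)
    } | Select-Object Name, Enabled, PasswordRequired
}

$volumes = @(Get-EncryptionReport)
$risky   = @(Get-RiskyLocalAccount)

$volumes | Format-Table -AutoSize

if ($volumes.Compliant -contains $false) {
    Write-Warning 'At least one volume is not fully encrypted with protection on.'
}
if ($risky.Count -gt 0) {
    Write-Warning 'Enabled accounts without a required password (or Guest) found:'
    $risky | Format-Table -AutoSize
}
```

On Windows 7, where these cmdlets are not available, `manage-bde -status` run from an elevated command prompt reports the same per-volume encryption state.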

Recycling or disposing of your computer

When you need to dispose of or recycle your computer, it is important to remove all information from it. If your hard disk was encrypted with BitLocker, it is much quicker to delete the decryption key than it is to rewrite the whole hard disk. However, as you need some technical knowledge to do this, always involve your computer support people to ensure this is done for you.