BitLocker and BitLocker To Go
EFS is good for what it is, but it has a few limitations. First, it’s ponderous to encrypt an entire hard disk with this technology, since it works only with individual folders and files; set‑it‑and‑forget‑it whole‑disk encryption makes more sense. Second, EFS provides only software‑based encryption services. A technology that integrates with on‑PC security chipsets would be far more difficult, impossible really, to crack. Finally, EFS encryption sticks with files as they travel around. It would be nice if the encryption were automatically removed when a file was copied or moved from an EFS‑protected folder.
Enter BitLocker and its baby brother, BitLocker To Go. They’re both managed from the same control panel, but use slightly different technologies under the hood. From a usability perspective, BitLocker is used with fixed disks (those mounted inside your computer), while BitLocker To Go serves the needs of external, removable disks.
Like EFS, BitLocker enables you to encrypt data on your hard drive to protect it in the event of physical theft. But BitLocker offers a few unique twists:
• BitLocker is full‑disk encryption, not per‑file or folder encryption. If you enable BitLocker on a disk, it encrypts the entire hard disk, and all future files that are added to that drive are silently encrypted as well.
• BitLocker can also provide full‑disk encryption services to both system and non‑system partitions, so in addition to encrypting the entire hard disk on which Windows 8 is installed, you can encrypt any other partitions, too.
• BitLocker protects vital Windows system files during boot‑up: If BitLocker discovers a security risk, such as a change to any startup files (which might indicate that the hard drive was stolen and placed in a different machine), it will lock the system until you enter your BitLocker recovery key or password (discussed shortly).
• BitLocker works in conjunction with Trusted Platform Module (TPM) security hardware in some PCs to provide a more secure solution than is possible with a software‑only encryption routine. No hacker will defeat a BitLocker‑protected hard disk.
• Files copied or moved from a BitLocker‑protected disk are automatically decrypted as part of the copy or move procedure.
There isn’t a heck of a lot to configure for BitLocker. It’s either on or it’s not, and you either have TPM hardware or you don’t: If your system does have TPM hardware, BitLocker will use it.
To unlock a BitLocker‑protected disk, you must use a recovery key. This key can take different forms, including a password or smartcard PIN. BitLocker‑protected disks can be configured to auto‑unlock when you sign in to Windows, which is the recommended approach for day‑to‑day use.
BitLocker is generally a seamless experience, with one exception: Some software installs are blocked when BitLocker is enabled on your disk. For this reason, you can temporarily suspend BitLocker, install the software, and then re‑enable BitLocker.
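The suspend, install, re‑enable sequence described above can be scripted with the BitLocker PowerShell cmdlets included in Windows 8, so that protection is always resumed even if the installer fails. This is an added example, not part of the original text; the function names and the installer path are hypothetical, and it assumes an elevated PowerShell prompt.

```powershell
# Added example. Run from an elevated PowerShell prompt.

function Get-BitLockerSummary {
    # One row per volume: encryption state, whether protection is active,
    # and which key protectors (Tpm, Password, RecoveryPassword, ...) can unlock it.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            VolumeType    = $_.VolumeType
            VolumeStatus  = $_.VolumeStatus
            Protection    = $_.ProtectionStatus
            AutoUnlock    = $_.AutoUnlockEnabled
            KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Invoke-WithBitLockerSuspended {
    # Hypothetical helper: suspend protection, run $Action, always resume.
    param(
        [Parameter(Mandatory)] [string]      $MountPoint,
        [Parameter(Mandatory)] [scriptblock] $Action
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint is not On; nothing to suspend."
    }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is called.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
    try {
        & $Action
    }
    finally {
        # Runs on success and on failure, so the disk is never left unprotected.
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $after = Get-BitLockerVolume -MountPoint $MountPoint
        if ($after.ProtectionStatus -ne 'On') {
            Write-Warning "BitLocker protection on $MountPoint is still $($after.ProtectionStatus)."
        }
    }
}

# Does this PC have TPM hardware that BitLocker can use?
Get-Tpm | Select-Object TpmPresent, TpmReady
Get-BitLockerSummary | Format-Table -AutoSize

Invoke-WithBitLockerSuspended -MountPoint 'C:' -Action {
    Start-Process -FilePath 'C:\Temp\setup.exe' -Wait   # hypothetical installer path
}
```

Suspending does not decrypt the disk; it leaves the data encrypted but makes the volume key available without the usual protectors, which is why the `finally` block re‑checks the protection status.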
Date added: 2015-05-13