How to encrypt a disk in Windows using BitLocker

Disk encryption is an essential security measure for safeguarding data on Windows systems. BitLocker is a built-in feature that provides robust full-disk encryption, making the contents unreadable without the correct decryption key. By relying on advanced cryptographic methods, it helps maintain data confidentiality in situations where the physical device might be lost, stolen, or accessed by unauthorized users.

Systems equipped with a Trusted Platform Module (TPM) can use it to securely store cryptographic keys, enabling seamless drive unlocking during startup. However, BitLocker also supports password-based or USB-based methods for devices without a TPM chip, ensuring broad compatibility. In both cases, the encryption process is transparent to legitimate users and helps prevent unauthorized access.

BitLocker To Go extends these encryption capabilities to portable drives, such as external hard disks and USB flash drives. These removable media maintain protection when used on other Windows machines, safeguarding sensitive information during file transfers or collaboration. Built on AES encryption with options like XTS-AES, BitLocker offers strong disk-level protection for both fixed and removable storage.

Steps to encrypt a drive using BitLocker:

Open Control Panel and navigate to System and Security.

You can quickly access Control Panel by pressing Windows + R, typing control, and hitting Enter.
Select BitLocker Drive Encryption.
Click Turn on BitLocker next to the drive you want to encrypt.
Choose your unlock method.
1. TPM: The drive will automatically unlock when the computer starts if TPM is available.
2. Password: You will need to create a strong password to unlock the drive.
3. USB key: Use a USB flash drive that stores the decryption key to unlock the drive.
Save the recovery key to a secure location.
1. Microsoft account
2. A file on another drive
3. Print it and store it safely
Select whether to encrypt the entire drive or just the used space.
Choose New encryption mode for internal drives or Compatible mode for external drives.
Click Start Encrypting to begin the process.

Encryption may take time depending on the size of the drive. It is recommended not to turn off or restart your computer until encryption is complete.

Wait for the encryption to complete. The drive will now be protected by BitLocker.

C:\> manage-bde -status  
BitLocker Drive Encryption: Configuration Tool version 10.0.19041  
Copyright (C) 2013 Microsoft Corporation. All rights reserved.  

Volume C: [OS]  
[OS Volume]  
    Size:                 237.87 GB  
    Conversion Status:    Fully Encrypted  
    Percentage Encrypted: 100.0%  
    Encryption Method:    XTS-AES 128  
    Protection Status:    Protection On  
    Lock Status:          Unlocked  
    Identification Field: Unknown  
    Key Protectors:  
        TPM  
        Numerical Password

Use manage-bde -status to check encryption status and key protectors.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.

Discuss the article:

Comment anonymously. Login not required.