Encrypting a disk prevents offline access to files when a Windows PC, SSD, HDD, or removable drive is lost, stolen, or inspected by attaching the storage to another computer. Full-disk encryption keeps the raw contents unreadable until the drive is properly unlocked.

BitLocker encrypts an entire volume and unlocks it using key protectors such as a TPM, a PIN, a password, or a startup key on a USB drive. A recovery key is generated during setup as a break-glass unlock method, and removable media uses BitLocker To Go so protected drives stay encrypted when moved between systems.

BitLocker is typically available on Windows 10 and Windows 11 editions such as Pro, Enterprise, and Education, while many Windows Home systems use Device encryption instead. Enabling encryption requires administrative rights, a safe place to store the recovery key separate from the encrypted drive, and reliable power during the initial encryption pass to reduce interruptions and recovery prompts.

Related: How to encrypt a disk in Windows using device encryption
Related: How to create a full system image backup in Windows

Steps to encrypt a drive using BitLocker:

  1. Press Windows + R to open Run.
  2. Enter control in Run and press Enter.

    Control Panel provides the most consistent BitLocker workflow across Windows 10 and Windows 11.

  3. Select System and Security.
  4. Select BitLocker Drive Encryption.

    If BitLocker Drive Encryption is missing, the Windows edition may not include BitLocker.

  5. Click Turn on BitLocker for the drive to encrypt.
  6. Choose an unlock method for the drive.

    Options vary by drive type and policy: OS drives commonly use TPM or TPM + PIN, fixed data drives commonly use a password, and removable drives use BitLocker To Go with a password.

  7. Save the BitLocker recovery key to a secure location.

    Store the recovery key outside the encrypted drive (for example, a Microsoft account, a file on another drive, or a printed copy), because losing it can permanently block access to the encrypted data.

  8. Select how much of the drive to encrypt.

    Encrypt used disk space only is faster for new or mostly-empty drives, while Encrypt entire drive is safer for drives with existing data or previously deleted files.

  9. Select the encryption mode.

    New encryption mode is intended for fixed internal drives on modern Windows, while Compatible mode is preferred for removable drives that must be readable on older Windows versions.

  10. Click Start encrypting.

    Keep the device connected to AC power during initial encryption, and avoid forced shutdowns while the percentage increases.

  11. Restart the computer if prompted.

    OS drive encryption may require a restart to begin, and saving open work before reboot prevents data loss from application closure.

  12. Wait until the drive status shows BitLocker on.
  13. Open an elevated Command Prompt.
  14. Run manage-bde -status to verify encryption and protection status. 
    C:\> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 10.0.22621
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [OS]
[OS Volume]
    Size:                 237.87 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

    Conversion Status and Percentage Encrypted show progress, while Protection Status confirms BitLocker is actively enforcing encryption.