One of the extra features you get in Windows 10 Pro, compared to the Home version, is BitLocker. It allows you to encrypt all the data on your hard drive(s) so no-one can access it without your Windows login details.
If someone takes the drive out of your PC and tries to access it via another one, the contents will be unreadable. It sounds like a great idea, but there are drawbacks and requirements you should be aware of first:
- BitLocker has a performance hit, especially if you have to use software encryption
- If you ever forget or lose your password you may not be able to access your own files
- You ideally need a computer with a TPM chip
You should also be aware that there is an alternative to BitLocker: an SSD with full-disk encryption. With such a drive, the contents are encrypted automatically but this is transparent to Windows, so it treats it like any other drive.
Typically, this option is not enabled by default so you might have to download the manufacturer's software (such as Samsung's Magician) to switch on the encryption. You might find this involves formatting the drive, in which case you'll have to copy off any data you need first, and potentially re-install Windows if it's your boot drive.
Do I need a TPM chip for BitLocker?
No, but without a Trusted Platform Module chip, BitLocker has to use a software-based method which isn't as secure. It usually means reduced read and write performance too, and you have to insert a specific USB flash drive and enter a password in order to boot up your PC each time. That, in turn, means your motherboard's BIOS must allow booting from USB drives.
To check if your computer meets BitLocker's requirements - if you have Windows 10 version 1803 or later - open Windows Defender Security Centre from the Start menu and click on Device Security in the left-hand menu.
Another way to check is to open the Control Panel and click on System & Security > BitLocker Drive Encryption.
Pick a drive from the list - the one on which your sensitive data is stored - and click the Turn on BitLocker link.
An even quicker way is to open File Explorer, click on This PC and then right-click on any hard drive:
If all is ok, you can follow the on-screen instructions to set up BitLocker on your drive.
Note: If your drive is already quite full of data, the process will take a long while to complete. You can see the status by returning to the same page in the Control Panel, and this will either say BitLocker Encrypting or BitLocker On.
And once BitLocker is enabled, you will see a locked padlock icon over the drive in File Explorer.
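The checks above are all done through the Windows GUI. As an added example (not part of the original article), the following PowerShell script performs the same checks from an elevated prompt: it reports whether a TPM is present and ready, then lists each volume's BitLocker status, encryption method and key protectors. It relies only on the TrustedPlatformModule and BitLocker modules that ship with Windows 10 Pro; the function names are this example's own.

```powershell
# Added example: reports TPM readiness and BitLocker status per volume.
# Uses the built-in TrustedPlatformModule and BitLocker modules (Windows 10 Pro).
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Get-TpmSummary {
    # Get-Tpm needs admin rights; on a machine with no TPM it returns TpmPresent = False.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present = $tpm.TpmPresent
        Ready   = $tpm.TpmReady
        Enabled = $tpm.TpmEnabled
    }
}

function Get-BitLockerSummary {
    # One row per volume: protection on/off, encryption progress, the method in use
    # ('Hardware' means the drive's own engine; XtsAes128/Aes256 etc. mean software)
    # and which key protectors (TPM, password, startup key, recovery password) are present.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive            = $_.MountPoint
            VolumeType       = $_.VolumeType
            ProtectionStatus = $_.ProtectionStatus
            VolumeStatus     = $_.VolumeStatus        # FullyDecrypted, EncryptionInProgress, FullyEncrypted
            Method           = $_.EncryptionMethod
            PercentEncrypted = $_.EncryptionPercentage
            Protectors       = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        }
    }
}

$tpm = Get-TpmSummary
if (-not $tpm.Present) {
    Write-Warning 'No TPM detected: BitLocker will need the "Allow BitLocker without a compatible TPM" policy and a USB startup key or password.'
} elseif (-not $tpm.Ready) {
    Write-Warning 'TPM present but not ready: check that it is enabled in the BIOS/UEFI setup.'
}
Get-BitLockerSummary | Format-Table -AutoSize
```

VolumeStatus of EncryptionInProgress corresponds to the "BitLocker Encrypting" state shown in the Control Panel; FullyEncrypted with ProtectionStatus On corresponds to "BitLocker On" and the padlock icon in File Explorer.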
Is BitLocker hardware or software encryption?
BitLocker supports both methods. If it can use a hardware TPM and you choose to encrypt the entire drive then it should use hardware encryption.
If you opt to just encrypt a volume on a disk (i.e. one of several partitions) then it will use software encryption. You can also choose to use software encryption if your computer doesn't meet BitLocker's requirements.
What if my computer isn't compatible with BitLocker?
If, instead of the setup wizard, you see a message like the one below, there are a couple of things you can do.
The message doesn't necessarily mean your hardware is incompatible. It could be that the relevant options are not enabled in the BIOS.
Enter the BIOS or UEFI and look for a TPM setting and ensure it is switched on.
If you have an AMD-based system from 2013 onwards, you might find it has a PSP instead of a TPM. This stands for Platform Security Processor, and can mean the processor itself - such as a Ryzen chip - has a security module which can be used instead of a TPM.
Again, you may need to enable this in the BIOS (look for AMD fTPM), even if you see AMD PSP in Device Manager as shown below.
Note that it was discovered back in January 2018 that AMD PSP has a security flaw, and microcode updates (delivered via Windows security updates) disabled or partially disabled PSP to mitigate it. If that's the case on your PC, you may well not be able to use BitLocker in hardware mode.
If you're happy to run it in software mode, and take the associated performance hit, then you'll need to use the Local Group Policy Editor. Here's how:
Type gpedit in the Start menu search box and click on Edit group policy when it appears in the results.
Now, navigate using the left-hand pane to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.
On the right-hand side, double-click on Require additional authentication at startup. This brings up a new window where you need to check the 'Enabled' radio button.
Also, make sure Allow BitLocker without a compatible TPM is checked.
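The Local Group Policy Editor stores this setting in the registry under HKLM\SOFTWARE\Policies\Microsoft\FVE. As an added example (not from the original article), the script below reads those values to confirm the policy took effect, and includes a function that writes the same values gpedit writes, for machines where you would rather script the change. It assumes the standard BitLocker policy value names (UseAdvancedStartup, EnableBDEWithNoTPM and the UseTPM* family); the function names are this example's own.

```powershell
# Added example: confirms (and optionally applies) the "Require additional authentication
# at startup" policy with "Allow BitLocker without a compatible TPM" ticked, by working with
# the registry values the Local Group Policy Editor writes.
#Requires -RunAsAdministrator

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerNoTpmPolicy {
    # $true only when the policy is Enabled (UseAdvancedStartup = 1)
    # and the no-TPM box is ticked (EnableBDEWithNoTPM = 1).
    if (-not (Test-Path $FvePolicyKey)) { return $false }
    $p = Get-ItemProperty -Path $FvePolicyKey
    return (($p.UseAdvancedStartup -eq 1) -and ($p.EnableBDEWithNoTPM -eq 1))
}

function Set-BitLockerNoTpmPolicy {
    # Writes the values the GUI writes when the policy is enabled with default options.
    # UseTPM* values: 2 = allow, 1 = require, 0 = do not allow.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    $values = @{
        UseAdvancedStartup = 1   # policy state: Enabled
        EnableBDEWithNoTPM = 1   # 'Allow BitLocker without a compatible TPM' ticked
        UseTPM             = 2   # allow TPM-only startup where a TPM exists
        UseTPMPIN          = 2
        UseTPMKey          = 2
        UseTPMKeyPIN       = 2
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $FvePolicyKey -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

if (Test-BitLockerNoTpmPolicy) {
    Write-Output 'Policy already allows BitLocker without a TPM (USB startup key or password at boot).'
} else {
    Write-Output 'Policy not set. Run Set-BitLockerNoTpmPolicy from an elevated prompt, then re-open the BitLocker wizard.'
}
```

Because this is a local policy, no gpupdate is needed; re-opening the Turn on BitLocker wizard after the values are present should offer the USB startup key or password option instead of the compatibility error.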
If you're still stuck, check Microsoft's FAQ for BitLocker.