By Guest on Thursday, 03 May 2018
Category: Social Networking

Drive Encryption For Windows - Free Practical Security For GDPR

As you are probably aware, new laws under the general data protection regulation (or GDPR) are now in full force. In our previous blog we covered two-factor authentication (2FA), which is a great way to keep your online accounts safe from hacker, but what about your offline data? Probably the best way to prevent this is by using a sort of secure encryption for your device. Most mobile phones are now encrypted by default, so why not encrypt your laptop too?! This blog will show you the simplest way to configure Bitlocker for Windows 10 Pro devices.

In What Scenario Is Encryption Useful?

Imagine if you were working on your laptop in a public place, such as a cafe, and it gets stolen. Many people might not worry too much as they have a password to log into their device, and so the thief can't get in, right? Well this may be true in deterring some thieves, but hackers will easily be able to remove your login password. Even those with little IT skill could very well take your hard drive out and plug it into their device, essentially bypassing your password. If you were working with customer data and personal information, then this is a big breach of GDPR. The best way to prevent this is to make your hard disk unreadable, i.e. encrypted. By doing so, it would take years for even specialised computers to decrypt and make the data usable again. This will prevent thieves from accessing your and your customer's private and sensitive data.

How To Enable Bitlocker

Bitlocker itself is part of Window's 10, but it is not obvious how to set it up to work properly. To correctly secure your device you will need to allow Bitlocker to ask for a password or PIN on the start-up of your device. We cannot stress how important it is that once you set the PIN or password, that you remember it.

If you lose or forget the PIN or password, then your data will be encrypted and unusable. Remember those news stories a few years ago about the FBI requesting a back-end to the encryption of iPhones? That's the level of security Bitlocker will place on your device. To the point that even the FBI won't be able to decrypt it. This is obviously ideal if you are working with sensitive customer data.

There is only one other thing besides the PIN/password that you set that will unlock your device. That's the recovery key. We will have a step on how to print out or save the recovery key. It is also very important that you not only keep the key safe, but you also securely lock it away from the reach of hackers.

Setup

Nb: This blog is aimed at older machines that won't have a built in "TPM". If you have a brand new machine you can probably just turn Bitlocker on (search for it on the computer, enable it) without all the fuss!

1. First we will need to allow Bitlocker to ask for additional authentication on start-up. This means we can setup a PIN or a password later. To do this go the search bar at the bottom-left of your screen and type in "gpedit" and open up "Edit group policy".

2. Once you are on the "Local group policy editor" open the following folders: Computer configuration -> administrative templates -> Windows components ->bitlocker drive encryption -> operating system drives. Then open the item called Require additional authentication at start-up.

This may seem complicated, but it is well worth it. You should have a screen that looks like the screenshot below: 

 

3. In this new window we want to set "Require additional authentication on start-up" to "Enabled" and then make sure all the settings below are set to "Allow..." as well as ticking the "Allow Bitlocker without a compatible TPM". This will allow Bitlocker to ask for a password before decrypting your device. You should have something similar to below. Once you do, click "Apply", then "OK" and close the window.

4. Once that has been done, we can start to look at Bitlocker. Type in "Bitlocker" into the search bar and open "Manage Bitlocker (control panel)". Once you have opened that you should see a window with the option to "Turn Bitlocker on", click on this and another window will open after a quick system check. You should see "Bitlocker Drive Encryption setup" with some information on what Bitlocker will do. Click on "Next". 

5. Some machines may get more stages than others. Just click on "Next" a few times until you get the "How to unlock your device at start-up" page. Then you will be able to either select "Enter a PIN" or "Enter a password". Do not worry which one you get (it differs depending on hardware) they both do the same thing. 

For users making PINs, PINs will have to be 6 to 20 characters long and can only include numbers. For others that setup passwords, passwords will have to meet a certain length and we would recommend using upper and lower case characters as well as numbers and symbols. 

6. Once you have entered your password/PIN twice click on next. You will then be shown a "How do you want to back up your recovery key?" screen. This recovery key is important as it is the only other way for you to unlock your device besides your PIN/password. Also, you should keep this key safe as hackers can use it to unlock your device in the same way that you can. If you or an admin has a preferred method of saving your key, then do that. If not, we recommend printing out your recovery key. Select the "Print the recovery key" option and then choose your printer to print it out. Once you have made sure that it has been printed or saved, click next. 

7. You will then be given a series of options for the final few steps for Bitlocker. If you have been told which options to choose by your IT team, then go with those. If not then we recommend, “Encrypt used disk space only”, “Use new encryption mode” and ticking the box to Run a system check. Once the system check has been completed you will be prompted that a restart is needed. After you restart your device, you should be greeted by a blue screen with "Bitlocker" and a bar at the top left. Enter in your PIN/password that you setup earlier and then you will continue as normal into your device.

And there you go; your drive will be encrypted every time you shut your device down and then decrypted every time you enter in your PIN or password. This is the quickest and easiest way to secure your device!

Enjoy the blog post? Then you would love our newsletter! Sign up here Signup and get a free Office 365 pitfall PDF guide

Call us on: 01865 988 217

Follow us here LinkedIn or here Twitter