How to encrypt a disk or flash drive with secret data using BitLocker. A few final words


Lately I hear more and more often about ransomware viruses that encrypt the contents of your disk and extort money. Microsoft has built protection against ransomware viruses into Windows 10.

Protection works at the system level. “Controlled folder access” allows you to keep certain user folders under control.

The trick is that any action is blocked by default. This feature should prevent any suspicious application from changing the contents of your selected folders. When the user activates this function, the following folders are protected by default: “Images”, “Videos”, “Documents” and others. If you need to protect a specific folder, you need to add it yourself.

For this feature to work, Windows Defender must be turned on. Brief instructions are given below.

First, open Windows Defender Security Center: type - Windows Defender Center - into the Start menu search and open the application that appears. A window will appear in front of you with the following content:

If you open Windows Defender Settings by mistake, select - Windows Defender Security Center - from there.

Select the item - Virus & threat protection - in the left side menu, and then in the main window - Virus & threat protection settings -

Now in the interface that appears, we go down until we see the item - Controlled folder access - and enable the function by toggling the On/Off toggle switch. A window will appear asking “Do you want to allow this application to make changes to how your device operates?” We answer in the affirmative.

By doing this, we enabled the protection function for the main folders “Images”, “Desktop”, “Videos”, etc. Now let’s select those folders and directories that need to be protected in addition to the main ones. To do this, select the option - Protected Folders -

And then we add folders. After adding all the folders, go back and select the option - Allow an app through Controlled folder access - thereby allowing specific applications to change the contents of protected folders. If you work with cloud services through clients, you should add them too so that nothing interferes with synchronization.

Now you have completed setting up protection against ransomware viruses in Windows 10. To disable it, simply switch the toggle switch to Off mode in - Controlled Folder Access -.

Now, if an unknown virus tries to encrypt files in these folders, the user will see a notification in the right side panel. And all actions of the virus will be stopped.

This is a very useful feature: it protects the selected folders not only from ransomware viruses, but also from any unauthorized changes (image editors, text editors that were not included in the exclusion list).
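The same setup can be scripted. The following is an added example, not part of the original article: it turns the feature on in audit mode first (so blocked applications are logged rather than broken), adds extra protected folders and an allowed application, and then lists recent block and audit events. The folder and application paths are placeholders chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: Controlled folder access configured from PowerShell instead of the GUI.
# Folder and application paths are placeholders (assumptions), not values from the article.

$extraFolders = @('D:\Projects', 'D:\Accounting')
$allowedApps  = @('C:\Program Files\ExampleSync\sync.exe')   # e.g. a cloud sync client

# The feature depends on Windows Defender real-time protection being on.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw 'Windows Defender real-time protection is off; Controlled folder access will not work.'
}

# Audit mode records what would have been blocked without stopping the application.
Set-MpPreference -EnableControlledFolderAccess AuditMode

foreach ($folder in $extraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

foreach ($app in $allowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing executable: $app"
    }
}

# Read the resulting configuration back.
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $modeNames[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Event 1123 = change blocked, event 1124 = change audited (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Once the audit events show only expected applications, switch to enforcement:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Applications that appear in the audit events and are legitimate belong in the allowed list before enforcement is switched on.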

The disk encryption function, or BitLocker, appeared in Windows 7. With its help, you can encrypt SSD and HDD drives or removable media. However, this process comes with a number of difficulties, the main one being the lack of a TPM module, which can be removable or integrated into the motherboard. As a result, the user may encounter the message “...the device cannot use the TPM. The administrator must set the parameter. Allow BitLocker to be used without a compatible TPM.”

How to fix this error and enable BitLocker in Windows 10?


Enable BitLocker on Windows 10 without a compatible TPM

To enable disk encryption without a compatible TPM, you must make changes in the Windows 10 Local Group Policy Editor. To do this, perform the following steps:

  • Press “Win+R” and enter “msc”.

  • Go to the branch “Computer Configuration”, “Administrative Templates”, “Windows Components”, “This policy setting allows you to select BitLocker drive encryption”, “Operating system drives”. Find the option “This policy setting allows you to configure the requirement for additional authentication at startup.”

  • Double-click to open the parameter settings and set the following values.

  • After the system restarts, you can go to the “Control Panel” and select “BitLocker Drive Encryption”.

Note that before creating an encrypted device, you should back up your data.

SoftikBox.com

How to enable BitLocker on Windows 10

2. In the “Parameters” window, go to “System”

3. Next, go to the “About System” tab, go to the very bottom and click “BitLocker Settings”

4. Here we select the removable media that we want to protect and click “Enable BitLocker”

5. Wait for the action to complete.

6. Next we will need to select one of the blocking options:

7. I chose password protection! Check the box “Use a password to unlock the disk,” then enter the password we created twice and click “Next.”

8. In the next window, select a recovery option in case you forget your password, for example “Save to file”

9. Select the location to save the file and click “Save”

10. Click “Next”

11. Set the following parameters to suit your needs, for example, I chose “Encrypt the entire disk”, select the option and click “Next”

12. In the next window, click “Start encryption”

13. We are waiting for the end of encryption of the removable storage device you have chosen!

ns1club.ru

How to encrypt your Windows 10 computer using BitLocker

If you store confidential information on your computer, encrypting the system hard drive is an excellent way to keep your data safe. In this article we will tell you how to encrypt your computer's system drive using the most popular encryption tool from Microsoft, the BitLocker utility, which comes with all professional versions of Windows. Since the release of Windows Vista, Microsoft has offered a data protection feature called BitLocker Drive Encryption. Windows 7 introduced BitLocker To Go, encryption for portable storage devices such as flash drives and SD cards.

There is no need to download and install BitLocker: it is already built into the operating system and is only available in Windows 10 Pro and Enterprise. You can see which edition of Windows is installed on your computer in the Control Panel on the System tab. If you have Windows 10 Home installed, which does not support BitLocker, we recommend that you look at a program such as VeraCrypt.

Why Microsoft doesn't make this feature publicly available is an open question, given that data encryption is one of the most effective ways to keep data secure. Encryption is a way to enhance the security of your data by ensuring that its contents can only be read by the owner of the appropriate encryption key. Windows 10 includes various encryption technologies, for example EFS file system encryption and BitLocker Drive Encryption, which we will talk about in this article.

  • Encrypting your hard drive may take a long time. Before you begin, we recommend that you back up your data, as an unexpected power outage during the encryption process may damage it.
  • The Windows 10 November update includes a more secure encryption standard. Note that the new encryption standard will only be compatible with Windows 10 November Update systems.
  • If your computer does not have a Trusted Platform Module (TPM), a chip that gives the computer additional security features such as the ability to encrypt BitLocker drives, you may receive a TPM error message when you try to enable encryption: "This device cannot use the Trusted Platform Module (TPM)"

To resolve this issue, use the EnableNoTPM.reg.zip file. Download, unzip and run this file; this will make the necessary changes to the registry to allow encryption without TPM.

Enable BitLocker Drive Encryption in Windows 10. Click Start -> Explorer -> This PC. Then right-click the Windows system drive (usually drive C) and select “Enable BitLocker” from the drop-down menu.

Come up with a strong password to unlock the hard drive. Every time you turn on your computer, Windows will ask you for this password to decrypt your data.


Choose how you want to back up the recovery key. It can be saved to your Microsoft account, copied to a USB drive or printed.


Saved?! Now you need to specify which part of the disk you want to encrypt.

You will have two options:

  • If you are encrypting a new disk or a new PC, you only need to encrypt the part of the disk that is currently in use. BitLocker will then automatically encrypt data as it is added.
  • If you enable BitLocker on a PC or drive you're already using, we recommend encrypting the entire drive. This will ensure that all data is protected.

For us, the second option is preferable. Please note that encryption will take some time, especially if you have a large disk. Make sure your computer is connected to an uninterruptible power supply in case of power failures.

If you have installed the November Windows 10 update, then you have access to the more secure XTS-AES encryption mode. Choose this option whenever possible.

When you are ready to start encrypting, click the “Continue” button


Restart your computer when prompted.

Remember the password you created earlier? Now is the time to enter it.


After logging into Windows, you will notice that nothing global has changed.

To check the encryption status, click Start > File Explorer > This PC. Now you will see a drawn lock on the system disk. Right-click the drive and then select Manage BitLocker.

You will see the current state of the C:\ drive - BitLocker encryption (enabled). You can continue to use your computer, as encryption runs in the background. You will be notified when it is completed.


If you want to pause encryption, you can do so in the BitLocker Drive Encryption panel by clicking the "Pause Protection" link. After this point, newly created files and folders will not be encrypted. Here you can also completely disable BitLocker and decrypt all your data.
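The checks described in this walkthrough (TPM availability, encryption mode, recovery key, paused protection) can also be read from an elevated PowerShell session. This is an added example, not part of the original article; it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets and deliberately never prints the recovery password itself.

```powershell
#Requires -RunAsAdministrator
# Added example: report the BitLocker state of every volume and flag weak spots.

# TPM state; on a machine without a TPM the unlock method falls back to a
# password or a USB startup key.
try {
    $tpm = Get-Tpm
    "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"
} catch {
    "TPM state could not be read: $($_.Exception.Message)"
}

$report = foreach ($vol in Get-BitLockerVolume) {
    # Protector types only (Tpm, Password, RecoveryPassword, ExternalKey, ...).
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $findings = @()

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $findings += 'volume is not encrypted'
    } else {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is off (paused, or encryption not finished)'
        }
        if ("$($vol.EncryptionMethod)" -notlike 'Xts*') {
            $findings += "encryption mode is $($vol.EncryptionMethod), not XTS-AES"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector; a forgotten password means lost data'
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
            $findings += 'OS volume unlocks without a TPM (password or startup key only)'
        }
    }

    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Type       = $vol.VolumeType
        Status     = $vol.VolumeStatus
        Percent    = $vol.EncryptionPercentage
        Method     = $vol.EncryptionMethod
        Protectors = $types -join ', '
        Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
    }
}

$report | Format-Table -AutoSize -Wrap
```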


blog.secretvpn.net

Scenario 1: Enable BitLocker Drive Encryption on the operating system drive (Windows 7)

Click Start, click Control Panel, click System and Security, and then click BitLocker Drive Encryption.

Click Turn on BitLocker for your operating system drive. BitLocker will check whether your computer meets the system requirements. If the computer meets the requirements, BitLocker will display information about the further steps needed to enable BitLocker (disk preparation, TPM enablement and disk encryption).

If the operating system drive has a single partition, BitLocker will prepare the drive by shrinking it and creating a new system partition for the system files that are needed to start or restore the operating system and are not encrypted. This drive will not have a letter, to prevent files from being saved to it by accident. After preparing the disk, you must restart the computer.

If the TPM is not initialized, the BitLocker Setup Wizard will prompt you to remove all CD, DVD, and USB drives from the computer and restart the computer to begin enabling the TPM. You will be prompted to enable the TPM before the system boots, but in some cases you will need to go to the BIOS settings and enable the TPM manually. This depends on the computer's BIOS. Once you confirm that the TPM needs to be enabled, the operating system starts and the Security Hardware Initializing indicator for the TPM appears.

If the computer does not have a TPM, BitLocker can still be used, but only with the Startup Key Only authentication method. All the necessary encryption key information is stored on a USB flash drive, which the user must connect to the computer during system boot. The key stored on the USB flash drive is used to unlock the computer. Using a TPM is highly recommended, because it protects against attacks on the critical boot process of the computer. The Startup Key Only method provides only disk encryption; it does not provide early boot component verification or hardware spoofing protection. To use this method, the computer must be able to read USB devices before the operating system loads, and you must also enable this authentication method by selecting the Allow BitLocker without a compatible TPM check box in the Group Policy setting Require additional authentication at startup, located in the following area of the Local Group Policy Editor: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives.

After the TPM is initialized, the BitLocker Setup Wizard will prompt you to select a recovery key storage method. The following options are possible:

  • Save the recovery key to a USB flash drive. Saves the recovery key to a USB flash drive.
  • Save the recovery key to a file. Saves the recovery key to a network drive or another location.
  • Print the recovery key. Prints the recovery key.

Use one or more options for saving the recovery key. For each item, you must follow the wizard to specify the location to save or print the recovery key. When the recovery key is saved, click Next.

Important
The recovery key is required when moving an encrypted disk to another computer or when making changes to the system boot information. The recovery key is a very important component, so it is recommended that you make additional copies of it and store them in a safe place so that you can refer to them if you need to restore access to the disk. The recovery key is required to unlock encrypted data when BitLocker enters a locked state. The recovery key is unique for each disk. The key is not suitable for recovering encrypted data from another BitLocker-protected drive. For additional security, store recovery keys separately from your computer.
  • The BitLocker Setup Wizard asks you if you are ready to encrypt the drive. Make sure the Run BitLocker system scan check box is selected, and then click Continue.

    Confirm the restart by clicking the Restart now button. After this, your computer will restart and BitLocker will check that the computer is compatible with BitLocker and is ready for encryption. If your computer is not ready, you will receive an error message after you log in.

    When the computer is ready for encryption, the Encryption status bar is displayed, showing the encryption progress. To check the status of drive encryption, hover your mouse over the BitLocker Drive Encryption icon in the notification area at the right edge of the taskbar. Encrypting the disk will take some time. You can use your computer while encryption is running, but performance will be lower than usual. Once encryption is complete, a message indicating that the operation completed successfully is displayed.

    technet.microsoft.com

    How to encrypt a disk in Windows 10 so that no one steals your files?


    Windows 10 and earlier versions of Windows provide file encryption using BitLocker technology. You only need to configure it once, and you can be sure that no one will gain access to your files or be able to run your programs, even if they have physical access to the drive of your laptop or computer. How do you turn on BitLocker encryption? First of all, you need to activate the security policies:

    1. Press Win+R and run the command gpedit.msc.

    2. Go to Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    3. Double-click on “This policy setting allows you to configure the requirement for additional authentication at startup” and select the “Enabled” option.

    Now you can proceed directly to encryption:

    1. Open “Explorer” > “My Computer” and select the drive that you want to encrypt.

    2. Right-click the drive icon and select Enable BitLocker.

    3. A dialog box will open with options for accessing encrypted data. Follow its instructions and restart your computer. The disk will be encrypted.

    The encryption process can be lengthy; its duration depends on the volume of data being encrypted. During the encryption setup process, you will need to create a key or password to decrypt the data. The password must use mixed-case letters and numbers. When the drive is installed in your computer, data is encrypted and decrypted automatically, but if you remove the encrypted drive and connect it to another device, you will need a key to access the files.

    Data for key recovery can be stored on a flash drive, in a Microsoft account, in a text file or on a printed sheet of paper. Keep in mind that this is not the key itself, but only information that will help you recover it. The key can only be obtained after entering the login and password for the Microsoft account, which makes it difficult to break the encryption.

    If you have encrypted the system logical drive, then the password will have to be entered during a cold start of the device or after it reboots.

    Encryption isn't just about stopping the NSA - it's about protecting your sensitive data in case you ever lose your PC. Unlike all other modern consumer operating systems - macOS, Chrome OS, iOS and Android - Windows 10 still doesn't offer integrated encryption tools for everyone. You may have to pay for the Professional version of Windows 10 or use a third-party encryption solution.

    If your Windows supports encryption

    Many new PCs that ship with Windows 10 automatically enable “Device Encryption.” This feature was first introduced in Windows 8.1 and requires special hardware capabilities. Not every computer will have this feature.

    There is one more limitation: it actually encrypts your drive only if you sign into Windows with a Microsoft account. Your recovery key is then uploaded to Microsoft servers. This will help you recover your files if you are unable to log into your computer. (This is why the FBI probably isn't too worried about this feature, but we still recommend using encryption as a means of protecting your data from thieves.)

    Device encryption will also be enabled if you sign in to an organization's domain. For example, you might be logging into a domain that belongs to your employer or school. Your recovery key will then be uploaded to your organization's servers. However, this does not apply to a regular user's computer, only to computers connected to domains.

    To check whether device encryption is enabled, open the Settings app, go to System > About and find "Device Encryption" at the bottom of the About panel. If you don't see anything about device encryption here, your computer doesn't support device encryption or it's not enabled.

    If device encryption is turned on, or you can turn it on by signing in with a Microsoft account, you'll see a message telling you so.

    For Windows Pro users: BitLocker

    If device encryption is not enabled or you want a more powerful encryption solution that can also encrypt removable USB drives, you should consider BitLocker.

    Microsoft's BitLocker encryption tool has been part of Windows for several versions now. However, Microsoft still limits BitLocker to the professional, enterprise, and educational editions of Windows 10.

    BitLocker is most secure on a computer that has a hardware Trusted Platform Module (TPM), which is present on most modern PCs. If you built your own computer, you can add a TPM chip to it. Look for a TPM chip that is sold as an add-on module. You'll need one that supports the motherboard inside your PC.

    Windows usually says that BitLocker requires a TPM, but there is a hidden option that allows you to enable BitLocker without a TPM. If you enable this option, you will have to use a USB flash drive as a "startup key" that must be present at every boot.

    If you already have a professional version of Windows 10 installed on your computer, you can search for "BitLocker" in the Start menu and use the BitLocker Control Panel to enable it. If you upgraded from Windows 7 Professional or Windows 8.1 Professional for free, you should have Windows 10 Professional.

    If you don't have Windows 10 Professional, you can pay approximately $99 to upgrade from Windows 10 Home to Windows 10 Professional. Just open the Settings app, go to Update and Security > Activation and click the Go to the store button. You'll get access to BitLocker and other features that Windows 10 Professional includes.

    Security expert Bruce Schneier likes a proprietary full disk encryption tool for Windows called BestCrypt. It is fully functional on Windows 10 with modern hardware. However, the cost of this tool is comparable to upgrading to Windows 10 Professional, so it is better to use BitLocker.

    For everyone: VeraCrypt

    Spending another $99 to encrypt your hard drive for some extra security may be too wasteful when modern Windows PCs often cost just a few hundred dollars. Meanwhile, you don't have to pay extra money for encryption because BitLocker isn't the only option. BitLocker is the most integrated, well-supported option, but there are other encryption tools you can use.

    The venerable TrueCrypt, an open-source full disk encryption tool that is no longer in development, has some issues on Windows 10 PCs. It cannot encrypt GPT system partitions and boot them using UEFI, the configuration most Windows 10 PCs use. However, VeraCrypt, an open-source full disk encryption tool based on the TrueCrypt source code, supports EFI system partition encryption as of versions 1.18a and 1.19.

    In other words, VeraCrypt will allow you to encrypt the system partition of a Windows 10 PC for free.

    TrueCrypt developers have closed development and declared TrueCrypt vulnerable and insecure, but researchers still doubt the truth of these claims. Much of the discussion around this centers on whether the NSA and other security agencies have a way to break this open source encryption. If you are simply encrypting your hard drive to prevent thieves from accessing your personal files when they steal your laptop, you won't have to worry about it. TrueCrypt is quite secure.

    The VeraCrypt project has improved security and could potentially be more secure than TrueCrypt. Whether you're encrypting just a few files or an entire system partition, this is what we recommend.

    We'd like to see Microsoft give Windows 10 users more access to BitLocker or, at least, extend Device Encryption so that it can be enabled on other PCs. Modern Windows computers should have built-in encryption, just like all other modern operating systems. Windows 10 users should not have to pay more or look for third-party software to protect their important data if their laptops are ever lost or stolen.

    This fall, Windows 10 was updated to version 1709, codenamed Fall Creators Update or Redstone 3. Among the many changes, we were primarily interested in improved protection against unknown malware. Microsoft has taken a number of measures to counter ransomware Trojans and exploits. How successful were they?

    Old new defender

    Everything new is a well-rebranded old one. In the “autumn update for designers”, the built-in security components were combined in the “Windows Defender Security Center”. Even the software firewall began to be called “Windows Defender Firewall,” but these changes are purely cosmetic. The more significant ones concern the new features, which we will look at in more detail below.

    Another old-new component introduced in Redstone 3 is called Exploit Protection. Windows Defender Exploit Guard, or simply EG, is enabled through the Windows Defender Security Center in the Application and Browser Control section.

    Technically, Exploit Guard is the former Enhanced Mitigation Experience Toolkit with a slightly increased feature set and a new interface. EMET appeared back in the days of Windows Vista; it has now been discontinued and Exploit Guard has taken its place. It belongs to the Advanced Threat Protection tools, along with the pluggable device manager Device Guard and Application Guard. Evil tongues say that Microsoft initially wanted to introduce a common component, Advanced System Security Guard, but the abbreviation turned out to be completely dissonant.

    Exploit protection

    Exploit Guard is just a risk reduction tool; it does not eliminate the need to close vulnerabilities in software, but it makes them more difficult to use. In general, the operating principle of Exploit Guard is to prohibit those operations that are most often used by malware.

    The problem is that many legitimate programs use them too. Moreover, there are old programs (or rather, dynamic libraries) that will simply stop working if Windows applies the new memory control functions and other modern protections to them.

    Therefore, setting up Exploit Guard is the same ordeal that using EMET was previously. As I recall, many administrators spent months delving into the intricacies of the settings, and then simply stopped using the restrictive functions because of numerous user complaints.

    If safety comes first and you need to tighten the screws, then the most popular features of Exploit Guard were (since the days of EMET) and remain:

    • DEP (Data Execution Prevention) - prevents data execution. It does not allow execution of a code fragment that ends up in an area of memory not intended for this purpose (for example, as a result of a stack overflow error);
    • random memory reallocation - prevents attacks on known addresses;
    • disabling extension points - prevents the injection of DLLs into running processes (see about bypassing UAC, where this method was widely used);
    • the DisallowChildProcessCreation command - prohibits the specified application from creating child processes;
    • filtering import address tables (IAF) and export address tables (EAF) - prevents a (malicious) process from brute-forcing address tables and accessing the memory page of system libraries;
    • CallerCheck - checks for rights to call sensitive APIs;
    • SimExec - simulation of execution. Checks, before the code is actually executed, where sensitive API calls will return to.

    Commands can be passed via PowerShell. For example, a ban on creating child processes looks like this:

    Set-ProcessMitigation -Name executable.exe -Enable DisallowChildProcessCreation

    All x86 processors and chipsets of the last ten years support DEP at the hardware level, and for very old ones a software implementation of this function is available. However, for the sake of compatibility of new Windows versions with old software, Microsoft still recommends enabling DEP in the “only for system processes” mode. For the same reason, it was left possible to disable DEP for any process. All of this has been successfully used in DEP bypass techniques.

    Therefore, it makes sense to use Exploit Guard only if it is possible to use several protective functions at once without causing a failure at least in the operation of the main applications. In practice this is rarely possible. Here is an example of an EG profile converted from EMET, which generally causes Windows 10 to crash into BSoD. Once upon a time, Hacker had a “Western Construction” section, and Exploit Guard would have fit perfectly into it.
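Because restrictive mitigations tend to break applications, they are usually rolled out one application at a time with a way back. The sketch below is an added example, not code from the original article: it backs up the current per-application settings, enables the child-process restriction in audit mode first, reads the result back and shows the rollback. The name executable.exe is the same placeholder used in the command above; the backup path is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: stage Exploit Guard mitigations for a single application.

$app    = 'executable.exe'                                 # placeholder process name
$backup = Join-Path $env:TEMP 'mitigation-backup.xml'      # assumed backup location

# 1. Save the current per-application mitigation settings for rollback.
Get-ProcessMitigation -RegistryConfigFilePath $backup

# 2. Enable DEP and log (audit) child process creation without blocking it yet.
Set-ProcessMitigation -Name $app -Enable DEP, AuditChildProcess

# 3. Read the settings back; values are ON, OFF or NOTSET.
$m = Get-ProcessMitigation -Name $app
[pscustomobject]@{
    App                  = $app
    Dep                  = $m.Dep.Enable
    ChildProcessAudit    = $m.ChildProcess.Audit
    ChildProcessBlocked  = $m.ChildProcess.DisallowChildProcessCreation
} | Format-List

# 4. After exercising the application, review what the mitigations recorded.
foreach ($log in 'Microsoft-Windows-Security-Mitigations/KernelMode',
                 'Microsoft-Windows-Security-Mitigations/UserMode') {
    Get-WinEvent -LogName $log -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$app*" } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# 5. If the audit log is clean, enforce; otherwise roll back.
# Set-ProcessMitigation -Name $app -Enable DisallowChildProcessCreation
# Set-ProcessMitigation -Name $app -Remove          # drop all settings for this app
# Set-ProcessMitigation -PolicyFilePath $backup     # or restore the saved state
```

A process picks up mitigation changes only when it is started again, so restart the application before checking the logs.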


    If you store confidential information on your computer, encrypting the system hard drive is an excellent way to keep your data safe.

    In this article we will tell you how to encrypt your computer's system drive using the most popular encryption tool from Microsoft, the BitLocker utility, which comes with all professional versions of Windows.

    What is BitLocker and where to download it

    Since the release of Windows Vista, Microsoft has offered a data protection feature called BitLocker Drive Encryption. Windows 7 introduced BitLocker To Go, encryption for portable storage devices such as flash drives and SD cards.

    There is no need to download and install BitLocker: it is already built into the operating system and is only available in Windows 10 Pro and Enterprise. You can see which edition of Windows is installed on your computer in the Control Panel on the System tab. If you have Windows 10 Home installed, which does not support BitLocker, we recommend that you pay attention to a program such as.

    Why Microsoft doesn't make this feature publicly available is an open question, given that data encryption is one of the most effective ways to keep it secure.

    What is encryption

    Encryption is a way to enhance the security of your data by ensuring that its contents can only be read by the owner of the appropriate encryption key. Windows 10 includes various encryption technologies. For example, EFS file system encryption and BitLocker Drive Encryption, which we will talk about in this article.

    What you need to know and do before using BitLocker

    • Encrypting your hard drive may take a long time. Before you begin, we recommend that you back up your data, as an unexpected power outage during the encryption process may damage it.
    • The Windows 10 November update includes a more secure encryption standard. Please note that the new encryption standard will only be compatible with Windows 10 November Update systems.
    • If your computer does not have a Trusted Platform Module (TPM), a chip that gives your computer additional security features such as the ability to encrypt BitLocker drives, you may receive a TPM error message when you try to enable encryption: "This device cannot use the Trusted Platform Module (TPM)"

    To resolve this issue, use the EnableNoTPM.reg.zip file. Download, unzip and run this file, this will make the necessary changes to the registry to allow encryption without TPM.

    How to Encrypt a Drive Using BitLocker

    Enable BitLocker Drive Encryption in Windows 10. Click Start -> Explorer -> This computer. Then right-click the Windows system drive (usually drive C) and select from the drop-down menu .

    Create a strong password to unlock your hard drive. Every time you turn on your computer, Windows will ask you for this password to decrypt your data.

    Choose how you want to back up the recovery key. You can save it to your Microsoft account, copy it to a USB drive, or print it.

    Saved?! Now you need to specify which part of the disk you want to encrypt.

    You will have two options:

    • If you are encrypting a new drive or a new PC, you only need to encrypt the part of the drive that is currently in use. BitLocker will then automatically encrypt data as it is added.
    • If you enable BitLocker on a PC or drive you're already using, we recommend encrypting the entire drive. This will ensure that all data is protected.
    For us, the second option is more preferable. Please note that encryption will take some time, especially if you have a large drive. Make sure your computer is connected to an uninterruptible power supply in case of power outages.

    If you have the November Windows 10 updates installed, then you have access to the more secure XTS-AES encryption mode. Choose this option whenever possible.

    When you are ready to start encryption, click the "Continue" button.

    Restart your computer when prompted.




