Security :: BitLocker Encryption for Windows 7/Windows 8/Windows Server 2012


BitLocker is included with Windows 7/Windows 8/Windows Server 2012 and provides Full Volume Encryption. By encrypting the entire hard drive, the operating system can provide a much higher level of security against offline attacks. BitLocker uses HSU's Active Directory to store keys and help manage data protection.

Data, whether encrypted or not, can unexpectedly become unrecoverable. For this reason, it is important NOT to encrypt the only copy of protected data. Backups are important insurance for all computers in order to avert a disaster.

Mobile Data Protection 

Mobile devices and their stored data are inherently more vulnerable to damage, loss or theft. Encryption and backups can play an important role in insuring against data loss. Windows 7 and Windows 8 have BitLocker and BitLocker To Go (for USB flash drives and hard drives) built in. If the device is lost or stolen, you're still protected. Please work with your ITS Liaison to create a data security plan that includes backup, encryption, and recovery in the event of a catastrophic failure.


To use BitLocker, your computer must have:

  • Windows 7, Windows 8, or Windows Server 2012
  • Two system volumes (one for unencrypted boot files and another for encrypted OS and data)
  • The BIOS set to start up first from the hard drive, not USB or CD drives.

If you use BitLocker with the Trusted Platform Module (TPM) for authentication, you'll also need:

  • TPM chip version 1.2 or higher
  • A BIOS compatible with TPM that supports USB devices during startup
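
The volume and TPM requirements listed above can be checked before turning BitLocker on. The PowerShell below is an added example, not part of the original page: the function name Test-BitLockerReadiness and its output property names are hypothetical, and it only reads state through WMI classes that ship with Windows 7 and later.

```powershell
# Added example (not from the original page): read-only BitLocker readiness check.
# Run from an elevated prompt. Uses WMI classes present on Windows 7 and later.
function Test-BitLockerReadiness {
    $r = New-Object PSObject -Property @{
        SeparateBootFileVolume = $false; OsVolumeIsNtfs = $false
        TpmPresent = $false; TpmEnabled = $false; TpmSpec12OrHigher = $false
        ProtectionStatus = 'Unknown'; RecoveryPasswordCount = 0
    }

    # Win32_Volume.SystemVolume marks the volume holding the boot files;
    # Win32_Volume.BootVolume marks the volume holding the running OS.
    $vols = @(Get-WmiObject -Class Win32_Volume)
    $bootFiles = @($vols | Where-Object { $_.SystemVolume })
    $os = @($vols | Where-Object { $_.BootVolume })
    if ($bootFiles.Count -gt 0 -and $os.Count -gt 0) {
        $r.SeparateBootFileVolume = ($bootFiles[0].DeviceID -ne $os[0].DeviceID)
        $r.OsVolumeIsNtfs = ($os[0].FileSystem -eq 'NTFS')
    }

    # TPM requirement: spec version 1.2 or higher, and enabled in the BIOS.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        $r.TpmPresent = $true
        $r.TpmEnabled = [bool]$tpm.IsEnabled_InitialValue
        # SpecVersion is a string such as "1.2, 2, 3"; the first field is the spec version.
        $spec = ($tpm.SpecVersion -split ',')[0].Trim()
        try { $r.TpmSpec12OrHigher = ([version]$spec -ge [version]'1.2') } catch { }
    }

    # Current BitLocker state of the OS volume, if it is encryptable.
    if ($os.Count -gt 0 -and $os[0].DriveLetter) {
        $ev = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
            -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
            Where-Object { $_.DriveLetter -eq $os[0].DriveLetter }
        if ($ev) {
            $r.ProtectionStatus = @('Off', 'On', 'Unknown')[$ev.GetProtectionStatus().ProtectionStatus]
            # Key protector type 3 is the numerical recovery password.
            $ids = $ev.GetKeyProtectors(3).VolumeKeyProtectorID
            $r.RecoveryPasswordCount = @($ids | Where-Object { $_ }).Count
        }
    }
    $r
}

Test-BitLockerReadiness | Format-List
```

The BIOS boot order and USB support during startup are not visible to this check and still have to be confirmed in firmware setup. RecoveryPasswordCount shows only that a recovery password protector exists on the volume, not that it has been stored in Active Directory.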


There is no single recommended method to install BitLocker in an enterprise environment, and the steps will vary depending on your department’s deployment tools and methods.

The two NTFS drive partitions, one for the system boot volume and one for the operating system volume, can be created prior to installing the OS by using disk partition tools from a bootable CD or DVD; Microsoft also provides an automated tool for prepping the hard drive on systems where the OS has already been installed. You may find it simpler to download and install the BitLocker Drive Preparation Tool to create the necessary drive volumes.

Once the system partitions have been created, go to Control Panel -> BitLocker Drive Encryption and select Turn On BitLocker. The BitLocker applet will prompt for an authentication method and recovery key backup, and will run a system check to ensure the computer can support USB devices during boot. After the computer has passed the system check, BitLocker will begin to encrypt the drive. Encryption can take several hours, but the computer can be used normally during the process.