The very next second, someone comes out of nowhere and steals your laptop while you are standing there, just about to buy that Starbucks cappuccino. You fall to your knees and cry like you have never cried before, because all your naked bath photos of you playing with your rubber duck are stored on that stolen laptop.
So what should you have done?
You should have enabled full-disk encryption on your laptop. In this guide I’ll show you how to enable Windows 10 encryption, so it is written especially for Windows 10 users.
Why you should enable Full-Disk Encryption
Encryption is not only about fending off the NSA or the FBI from spying on us; it is also about protecting your sensitive data. If something were to happen to your PC, encryption helps keep your data safe.
Do these before you proceed
1. Make sure you backup your computer before doing any of these methods
2. Check if your computer supports Windows Device Encryption
Most PCs made after Windows 8.1 (but not all) will already have Device Encryption enabled, and almost all new PCs that came with Windows 10 will have it, but you should check just to make sure before going through with the full disk encryption.
To an extent, this kind of device encryption only encrypts your drive if you sign into Windows with a Microsoft account.
After you do so, your recovery key is then uploaded to Microsoft’s servers which will then help recover your files if you ever forget or can’t log into your PC.
If you’re in this to stop the NSA, then it is certainly not going to be very effective as the NSA can easily take advantage of your information through Microsoft’s servers. However, you can stop laptop thieves from stealing your information.
To find out whether your computer has Device Encryption enabled, follow these steps
Step 1: Open the Settings app
Step 2: Navigate to System and then About
Step 3: Look for a Device encryption setting at the bottom of the About pane.
If you don’t see anything about Device Encryption here, your PC doesn’t support Device Encryption and it’s not enabled. However, if Device Encryption is enabled, or if you can enable it by signing in with your Microsoft account, you’ll see a message saying so here.
How to Enable Windows 10 Encryption : 3 Simple Ways
1. Use BitLocker
Note: You need to be on Windows 10 Professional to do this (BitLocker is only available on Windows 10 Professional) and signed in with your Microsoft account.
These are the six simple things you need to check before you go through with BitLocker encryption:
Your computer should be equipped with a Trusted Platform Module (TPM) chip.
You can use BitLocker without a TPM chip by using software-based encryption, but it requires some extra steps for additional authentication.
Your computer’s BIOS must support TPM or USB devices during startup. Otherwise you will have to check your PC manufacturer’s support website for the latest firmware update for your BIOS before trying to set up BitLocker.
Your PC’s hard drive must contain two partitions: a system partition, which contains the necessary files to start Windows, and the partition with the operating system. Both must be formatted with the NTFS file system.
You need time, loads of time. The process of encrypting an entire hard drive isn’t difficult, but it is time-consuming.
You need power, so make sure to keep your computer connected to an uninterrupted power supply throughout the entire process.
How to check if your computer has TPM hardware
Before you go through with the BitLocker encryption check first if your computer contains TPM hardware. TPM is a special microchip that enables your device to support advanced security features and provides a tamper-resistant way to store encryption keys on a computer.
You can check if you have TPM hardware in your computer by following these steps
Step 1: Press Windows+R to open a run dialog window
Step 2: Type tpm.msc into it
Step 3: Press Enter to launch the tool
Alternatively, you can check in Device Manager:
Step 1: Use the Windows key + X keyboard shortcut to open the Power User menu. Then select Device Manager.
Step 2: Expand Security devices. If you have a TPM chip, you should see it listed there as Trusted Platform Module together with the version number.
Note: Your computer must have a TPM chip version 1.2 or later to support BitLocker.
Oh, and another thing (I know it’s kind of a pain in the ass since there are a lot of prerequisites for this method): if the tpm.msc window shows information about the TPM in your computer, with a message at the bottom right corner of the window saying which TPM version your chip supports, then your PC does have a TPM.
If you see a Compatible TPM cannot be found message instead, your computer does not have a TPM.
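The prerequisites above can also be checked in one pass from PowerShell. This is an added example, not part of the original guide; it assumes an elevated prompt, and the registry value names are those written by the "Require additional authentication at startup" policy covered in the no-TPM section of this guide.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell window.
$checks = [ordered]@{}

# TPM present and ready (the same information tpm.msc shows).
$tpm = Get-Tpm
$checks['TPM present'] = $tpm.TpmPresent
$checks['TPM ready']   = $tpm.TpmReady

if ($tpm.TpmPresent) {
    # SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM version.
    $wmiTpm  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    $first   = ($wmiTpm.SpecVersion -split ',')[0].Trim()
    $checks['TPM version 1.2 or later'] = ([version]$first) -ge ([version]'1.2')
} else {
    # Without a TPM, BitLocker needs the policy "Allow BitLocker without a
    # compatible TPM" to be enabled; it is stored under this registry key.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $checks['No-TPM policy enabled'] = ($policy.UseAdvancedStartup -eq 1) -and ($policy.EnableBDEWithNoTPM -eq 1)
}

# The operating system drive must be NTFS.
$letter = $env:SystemDrive.Substring(0, 1)
$checks['OS drive is NTFS'] = (Get-Volume -DriveLetter $letter).FileSystem -eq 'NTFS'

# A separate system partition (startup files) must exist next to the OS partition.
$systemPart = Get-Partition | Where-Object { $_.IsSystem -and -not $_.IsBoot }
$checks['Separate system partition'] = [bool]$systemPart

# Encryption takes a long time, so do not start it on battery.
Add-Type -AssemblyName System.Windows.Forms
$power = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus
$checks['On AC power'] = $power -eq 'Online'

# The BitLocker cmdlets exist only on editions that include BitLocker.
$checks['BitLocker available'] = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)

# Print one line per prerequisite.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```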
How to enable BitLocker
Once you know that you have TPM hardware on your computer, you can finally follow these steps to enable BitLocker.
Step 1: Use the Windows key + X keyboard shortcut to open the Power User menu and select Control Panel (Or you can just go to the Start button and then select Control Panel)
Step 2: Click System and Security.
Step 3: Click BitLocker Drive Encryption.
Step 4: Under BitLocker Drive Encryption, click Turn on BitLocker
Step 5: Here you can choose how you want to unlock your drive during startup: you can Insert a USB flash drive or Enter a password. For now I’ll choose the easier method, so select Enter a password to continue.
Step 6: Now enter a password that you’ll use every time you boot Windows 10 to unlock the drive (something you can remember). Make sure to create a strong password mixing uppercase, lowercase, numbers, and symbols. After that, click Next to continue.
Step 7: Don’t worry about forgetting your password: you will be given several options to save a recovery key, which lets you regain access to your files if you ever forget it.
Here are the options you can choose
Save to your Microsoft account
Save to a USB flash drive
Save to a file
Print the recovery key
Make sure you select the option that is most convenient for you, and save the recovery key in a safe place.
Decided your preferred option?
Great! Now all you have left are just a few little steps and then you can go grab a Nutella.
Step 8: Click Next to continue.
Step 9: Now select the encryption option that best suits your needs.
Here are the encryption options that you can choose from:
Encrypt used disk space only (faster and best for new PCs and drives)
Encrypt entire drive (slower but best for PCs and drives that are already in use)
Step 10: After that, choose between these two encryption modes:
New encryption mode (best for fixed drives on this device)
Compatible mode (best for drives that can be moved from this device)
Step 11: Click Next to continue.
Step 12: Now make sure that you check the Run BitLocker system check option. Then, click Continue.
Step 13: You’re done! All you have to do now is restart your computer to begin the encryption process (this also lets you test it all out).
Step 14: Once your computer reboots, BitLocker will prompt you to enter your encryption password to unlock the drive. Type the password and press Enter.
Things you need to know
After you reboot, you’ll notice that your computer will quickly boot to the Windows 10 desktop.
However, if you go to Control Panel > System and Security > BitLocker Drive Encryption, you’ll see that BitLocker is still encrypting your drive.
What should you do?
Absolutely nothing. You can now go grab that Nutella that I was talking about earlier. 😛
It can take some time. Well, a long time, depending on the option you chose earlier and the size of your drive. And yes, you can continue to use your computer while the finishing touches are done in the background.
Once the encryption process is complete, the drive should read BitLocker on.
You can verify that BitLocker is turned on by the lock icon on the drive when you open This PC on File Explorer.
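The same check can be scripted instead of watching Control Panel. This is an added example, not part of the original guide; it assumes an elevated prompt on the edition with BitLocker, and it reports only the types of key protectors, never the recovery key itself.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell window.
$drive = $env:SystemDrive

# Poll once a minute until the background encryption finishes.
do {
    $vol = Get-BitLockerVolume -MountPoint $drive
    '{0} {1}: {2}, {3}% encrypted' -f (Get-Date -Format 'HH:mm'), $drive,
        $vol.VolumeStatus, $vol.EncryptionPercentage
    $busy = $vol.VolumeStatus -eq 'EncryptionInProgress'
    if ($busy) { Start-Sleep -Seconds 60 }
} while ($busy)

# Map the cipher back to the wizard's "encryption mode" choice.
$mode = switch -Wildcard ([string]$vol.EncryptionMethod) {
    'XtsAes*' { 'New encryption mode (XTS-AES)' }
    'Aes*'    { 'Compatible mode (AES-CBC)' }
    default   { "Other ($_)" }
}

# Which unlock methods are registered (for example Password, RecoveryPassword, Tpm).
$protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

# Collect anything that means the drive is not actually protected yet.
$problems = @()
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $problems += "Volume status is $($vol.VolumeStatus), not FullyEncrypted"
}
if ($vol.ProtectionStatus -ne 'On') {
    $problems += 'Protection is off (suspended or not yet activated)'
}
if ($protectors -notcontains 'RecoveryPassword') {
    $problems += 'No RecoveryPassword protector: a forgotten password means lost data'
}

"Mode:       $mode"
"Protectors: $($protectors -join ', ')"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'BitLocker is on and recoverable.' }
```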
How to turn on BitLocker (if you don’t have TPM)
Here’s how you can turn on BitLocker if you don’t have TPM on your computer
Step 1: Use the Windows key + R keyboard shortcut to open the Run command, type gpedit.msc, and click OK.
Step 2: Under Computer Configuration, expand Administrative Templates.
Step 3: After that, expand Windows Components.
Step 4: Now expand BitLocker Drive Encryption and then select Operating System Drives.
Step 5: On the right side, double-click on Require additional authentication at startup.
Step 6: Select Enabled.
Step 7: Now make sure that you check the ‘Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)’ option.
Step 8: That’s it. Now Click OK to complete this process.
2. Use VeraCrypt
If you do not want to spend another $99 to get Windows 10 Professional just for BitLocker, then you might as well go for a free option like VeraCrypt (a successor to the once acclaimed TrueCrypt).
BitLocker is the most complete and well-supported option, but that doesn’t mean you should write off VeraCrypt, as it is just as good as BitLocker.
Step 2: Just double-click on the .exe file and follow the instructions in the wizard. Then select the Install option.
How to Create an Encrypted Volume
Here’s how you can follow up with your installation by creating an encrypted volume in just a few simple steps
Step 1: Once the installation has finished, navigate to the Start menu and then launch VeraCrypt.
Step 2: The very first thing that you’ll need to do now is create a volume. So to do that, click on the Create Volume button. This will launch the Volume Creation Wizard and then you will be asked to choose one of the following volume types:
Note: Volumes can be as simple as a file container you place on a drive or disk or as complex as a whole-disk encryption for your operating system. I have made this guide simple for you to munch into, so we will be focusing on getting you set up with an easy-to-use local container.
Step 3: Select Create an encrypted file container.
Step 4: Next, the Volume Creation Wizard will ask you if you want to create a Standard or a Hidden volume. Again, for the sake of simplicity, I am going to skip messing around with Hidden Volumes at this point.
Step 5: After that, you’ll need to pick a name and location for your volume. The only important parameter here that you need to know is whether the host drive has enough space for the volume which you want to create.
Step 6: Done? Now it’s time to pick your encryption scheme. You really can’t go wrong much here.
Step 7: The next step needs you to select the volume size. You can set it in KB, MB, or GB increments. I created a 5GB test volume for this example.
Step 8: Now you have to generate your own password. However there is one important thing that you should keep in mind here and that’s: Short passwords are a bad idea. You should create a password at least 20 characters long.
Step 9: You’re nearly there! Before you create the actual volume, the Volume Creation Wizard will ask if you ever intend to store large files. If you do intend to store files larger than 4GB within the volume, tell it so.
Step 10: Now you have reached the fun part! On the Volume Format screen, you’ll need to move your mouse around to generate some random data. Once you’ve generated enough random goodness, hit the Format button.
Step 11: Finally, once the format process is complete, you’ll be returned to the original VeraCrypt interface. You will find that your volume you created is now a single file wherever you parked it and ready to be mounted by VeraCrypt.
How to Mount an Encrypted Volume
Step 1: Start off by clicking on Select File in VeraCrypt’s main window and then navigate to the place where you stored your VeraCrypt container (see the previous step).
Step 2: Once you have selected the file you have created, pick from one of the available drives in the box above.
Step 3: Click Mount.
Step 4: Now enter your password that you created before and then click OK.
Step 5: Voila! That was quite a few steps you went through; give yourself a pat on the back. 😀
Now you can go take a look at My Computer and see if your encrypted volume was successfully mounted as a drive.
Whenever you need to stash your secret files, you can do that by opening the volume you’ve just created.
Things you need to know
Even if you have followed the above methods to get Windows 10 encryption, you don’t want to leave a trail of breadcrumbs to your protected information, do you? That would just lead a potential threat right to it.
So make sure you don’t forget to securely wipe all the files once you’ve copied them into your new encrypted volume.
The regular file system storage that you normally use is insecure and traces of the files you just encrypted will remain behind on the unencrypted disk unless you properly wipe the space.
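One way to do that clean-up safely, as an added example that is not part of the original guide: verify each copy inside the mounted volume by hash, delete the original only when it matches, then overwrite the freed space with the built-in cipher tool. The folder C:\Temp\to-encrypt and the drive letter V: are hypothetical placeholders.

```powershell
# Added example, not from the original guide.
# Assumptions (hypothetical paths): the originals live in C:\Temp\to-encrypt and
# the VeraCrypt volume is mounted as V: with the same folder layout copied into it.
$source = 'C:\Temp\to-encrypt'
$dest   = 'V:\'

$sourceRoot = (Resolve-Path -LiteralPath $source).Path.TrimEnd('\')

foreach ($file in Get-ChildItem -LiteralPath $sourceRoot -File -Recurse) {
    # Path of this file relative to the source folder, re-rooted in the volume.
    $relative = $file.FullName.Substring($sourceRoot.Length).TrimStart('\')
    $copy     = Join-Path $dest $relative

    if (-not (Test-Path -LiteralPath $copy -PathType Leaf)) {
        Write-Warning "Not in the encrypted volume, keeping original: $relative"
        continue
    }

    # Delete the plaintext original only if the encrypted copy is identical.
    $original  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $encrypted = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
    if ($original -eq $encrypted) {
        Remove-Item -LiteralPath $file.FullName -Force   # bypasses the Recycle Bin
    } else {
        Write-Warning "Copy differs, keeping original: $relative"
    }
}

# Overwrite all unallocated space on the drive that held the originals.
# This touches the whole drive's free space and can take a long time.
cipher.exe "/w:$sourceRoot"
```

On SSDs, wear levelling means overwriting free space cannot guarantee that every old block is gone, so it is safest to create sensitive files inside the encrypted volume from the start.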
Another thing that you shouldn’t forget to do is to pull up the VeraCrypt interface and Dismount the encrypted volume you created when you aren’t actively using it.
3. Other Alternative Ways
If you do not want to use VeraCrypt, these are the other Windows 10 encryption options you can opt for instead 🙂
Symantec Drive Encryption