How to use encryption to secure your data

BitLocker encrypts entire volumes, but you'll need a high-end version of Windows Vista or 7 to use it

There was a time when all you really worried about was your laptop being stolen. But what about its contents? It's likely to be loaded with sensitive work, personal files, banking info, precious photos and irreplaceable videos.

Suddenly the laptop ceases to be the worry; now losing your data is what keeps you awake at night. And then there's the humble thumb drive – capacious yet oh so easy to lose.

The good news is that there's a simple solution to the danger of data loss: encryption. This scrambles your data using a mathematical process (a cipher). The ciphers vary, but most systems derive or protect the encryption key from your password – if you don't know the password, you can't get to the data.

No encryption system is completely unbreakable, but even the simplest will defeat most hackers. Given the availability of encryption systems, you've no excuse not to lock up your data.

We'll start with a look at BitLocker. This is the encryption system built into the Enterprise and Ultimate versions of Windows Vista and 7. If you don't use these OSes, don't worry – we'll check out some free alternatives.

BitLocker protection

BitLocker is a system designed to encrypt the entire Windows operating system volume on your hard disk. That all sounds pretty good. The problem is that BitLocker is notoriously difficult to set up on a PC already running Vista.

BitLocker needs two NTFS partitions – one for the system volume and one for the operating system volume. The split is needed because BitLocker's pre-startup authentication and system integrity verification must happen outside the encrypted operating system volume.

The unencrypted system volume should be at least 1.5GB. This means that there will be enough space for boot files and Windows' set-up programs. So if you're already running Vista then unfortunately you'll need to do some hefty repartitioning work before you begin installing the encryption system.

Thankfully, Microsoft released the BitLocker Drive Preparation Tool to help with all this. The tool comes as part of Vista Service Pack 1. If you're a Vista user, then there's a good chance you'll have it already. If you're a Windows 7 user, then the tool is integrated.

How to set up BitLocker

Now we can turn our attention to the Trusted Platform Module (TPM). This is a chip built into some motherboards that holds encryption keys. When you type in your password, Windows sends it to the TPM for validation. If your key is validated, BitLocker will carry out your request.

If your motherboard doesn't have a TPM chip, you can use a USB key. If you choose to go with the USB, the first step is to enable support for your flash drive as an alternative form of validation. Press [Windows]+[R], type gpedit.msc and press [Enter] to launch the Group Policy Editor. Next, browse to 'Computer Configuration | Administrative Templates | Windows Components | BitLocker Drive Encryption'.

If you're running Windows 7, expand the Operating System Drives folder and double-click 'Require additional authentication at startup'; Vista users should simply double-click 'Control Panel Setup: Enable advanced startup option'. Finally, select 'Enabled', click 'OK' and then close the Group Policy Editor.

Now back to the hard disk setup. Assuming you're using Windows Vista and the BitLocker Drive Preparation Tool is present, creating the necessary two-partition hard disk layout is simple.

Click 'Start | All Programs' and select 'Accessories'. Click 'System Tools' followed by 'BitLocker' and then double-click the 'BitLocker Drive Preparation Tool'. When the tool has finished working its magic, restart the computer.

Finally, visit Control Panel and enable BitLocker.

Windows 7 users, whose version of the Drive Preparation Tool is built in, follow exactly the same steps, complete with the obligatory reboot. Then it's just a case of following a simple wizard from beginning to end.

The options you see will depend on whether or not you have a TPM installed. If necessary, insert a flash drive that you can save the required key to. You'll also be prompted to create a recovery key, which can be saved to a flash drive, as a file or printed out. You'll need this should BitLocker block access to the drive, so make a copy now (you can make additional copies through the Manage BitLocker utility later).

Once the drive is encrypted, you can encrypt more drives by right-clicking them and choosing 'Turn on BitLocker'.
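The same set-up can be driven from an elevated PowerShell prompt using manage-bde.exe, the command-line tool that ships with BitLocker on Vista and 7 (the Enable-BitLocker cmdlets only arrived with Windows 8). The script below is an added example written for this article, not a Microsoft tool: it checks for a usable TPM, confirms that the 'Require additional authentication at startup' policy has been enabled when there is no TPM, and then turns BitLocker on with a startup key where needed plus a recovery password and a recovery key file, so that the 'NEVER FORGET' copy exists before the drive is ever locked. The drive letters `C:` and `E:\` are assumed values for the example, and the `EnableBDEWithNoTPM` registry value is the one the Group Policy setting writes under `HKLM\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example (not from the original article or from Microsoft): check the
# BitLocker prerequisites described above and turn it on with recovery backups.
# Uses manage-bde.exe, which is present on Vista/7; run from an elevated prompt.
$OsDrive = 'C:'     # assumed: the operating system volume to encrypt
$UsbPath = 'E:\'    # assumed: removable drive for startup key and recovery key file

# 1. Is a TPM present and enabled? (WMI class available on Vista and 7)
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$useTpm = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
if ($useTpm) {
    Write-Host "TPM present and enabled: the key can be sealed in the TPM."
} else {
    Write-Host "No usable TPM: a USB startup key will be required at every boot."
}

# 2. Without a TPM, Group Policy must allow BitLocker to run with a startup key.
#    The 'Require additional authentication at startup' setting (with 'Allow
#    BitLocker without a compatible TPM' ticked) writes this registry value.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$noTpmAllowed = $false
if (Test-Path $fve) {
    $v = Get-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -ErrorAction SilentlyContinue
    if ($v -and $v.EnableBDEWithNoTPM -eq 1) { $noTpmAllowed = $true }
}
if (-not $useTpm -and -not $noTpmAllowed) {
    Write-Host "Enable 'Require additional authentication at startup' in gpedit.msc first."
    return
}

# 3. Current state: volume size, encryption percentage and protectors in use.
manage-bde -status $OsDrive

# 4. Turn BitLocker on. -RecoveryPassword adds the 48-digit recovery password
#    and -RecoveryKey writes a recovery key file to the USB drive; together they
#    are the copy you will need if BitLocker ever refuses to unlock the drive.
if ($useTpm) {
    # With a TPM, manage-bde adds the TPM protector itself.
    manage-bde -on $OsDrive -RecoveryPassword -RecoveryKey $UsbPath
} else {
    # -StartupKey stores the unlock key on the USB drive (insert it at each boot).
    manage-bde -on $OsDrive -StartupKey $UsbPath -RecoveryPassword -RecoveryKey $UsbPath
}

# 5. List the protectors now attached, including the recovery password, so it
#    can be printed or written down and stored away from the laptop.
manage-bde -protectors -get $OsDrive
```

Running `manage-bde -status` again after the reboot shows the encryption percentage climbing; the volume is protected only once it reads 100 per cent and 'Protection On'. Further copies of the recovery password can be added later with `manage-bde -protectors -add C: -RecoveryPassword`, which matches what the Manage BitLocker control panel does.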


NEVER FORGET: You'll need to enter your recovery key if BitLocker won't let you in