Enable Disk Encryption

On a desktop or laptop computer, you typically type in a username and password to protect your data. That stops someone from logging in, but there is another risk of which you might not be aware.

The Problem:

Imagine you left your laptop in your vehicle, and it was stolen while you were at lunch. If it’s a dumb criminal, they will realize they can’t log in and either A) sell it at a pawn shop as-is or B) maybe try to re-install Windows or macOS and put it on eBay.

However, if they are not a dumb criminal, or if the person who ultimately receives your laptop knows a few things about computers, you may have a data leak. The issue is that if you have not encrypted your hard drive, it is readable outside of your computer: the login password only guards the operating system, not the bytes on the disk. Put another way, the bad actor can take the disk drive out of your laptop, connect it to another computer where they are already logged in, and see the contents of your C: drive, or the system drive in macOS.

The Solution (for Windows):

The solution in Windows is to enable “BitLocker”. BitLocker encrypts the fixed drives in your computer and, on current hardware, keeps the key sealed in the Trusted Platform Module (TPM), so the drive only unlocks on the machine it was encrypted on. On older computers without a TPM, BitLocker can be configured to use a password to unlock the drive.

To get started, go into Windows Explorer (WindowsKey+E) and click on This PC in the left navigation. Select your “Local Disk (C:)” drive, right-click on it, and choose “Turn on BitLocker”:

This will bring up a short wizard. On this next page, I typically choose to “Print the recovery key”, and then discard that sheet. For me personally, I have backups of my data, so having the recovery key lying around poses more of a risk than losing my disk. However, make a choice that makes sense for your device:

Next, if this is a newer computer (a new disk drive that has never held data), you can choose to encrypt the used space only. The catch is that only the space currently in use is encrypted: if someone stole your laptop and looked at the raw contents of the drive, they might be able to recover old data left in the free space from a previous formatting.

Conversely, if you choose to encrypt the entire drive, it will take longer, but the free space (and any old data sitting in it) is encrypted as well. This is only necessary if it’s an older or re-used disk drive.

Next, unless you have a specific reason not to, choose the latest encryption mode:

Lastly, you should check the checkbox to run a system check first, before attempting to encrypt the disk:

You will be prompted to reboot:

When you come back from a reboot, you will see a new (temporary) icon in the system tray:

If you click on it, it brings up a status window of the encryption process:

After minutes to perhaps an hour, this process will complete:

The disk is now encrypted. To view or manage the encryption, right-click on the “Local Disk (C:)” in Windows Explorer. On Windows 11, you’ll need to click “Show more options” first:

On Windows 10, this will be visible right away:

Choose “Manage BitLocker”. That brings up a screen like this:
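The same steps can be scripted with the BitLocker and TrustedPlatformModule cmdlets that ship with Windows, which is handy for checking a machine's status or for turning BitLocker on without clicking through the wizard. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session, that the system drive is `C:` (the `$Drive` variable), and that you want the wizard's "used space only" choice (the `$UsedSpaceOnly` switch, which you would set to `$false` for a re-used disk).

```powershell
#Requires -RunAsAdministrator
# Added example: the "Turn on BitLocker" wizard, scripted. Assumptions: the
# system drive is C: and "encrypt used space only" is wanted (new drive).
$Drive = "C:"
$UsedSpaceOnly = $true   # set to $false for an older or re-used disk

# 1. Is there a usable TPM? (The post's "older computers without a TPM" case
#    would need a password or startup-key protector and the
#    "Allow BitLocker without a compatible TPM" policy instead.)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "No ready TPM on this machine; BitLocker cannot use a TPM protector here."
    return
}

# 2. What is the drive's current state? This is the same information the
#    "Manage BitLocker" screen shows.
$vol = Get-BitLockerVolume -MountPoint $Drive
"{0} VolumeStatus={1} ProtectionStatus={2} Method={3} Encrypted={4}%" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus,
    $vol.EncryptionMethod, $vol.EncryptionPercentage

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 3. Add the recovery password first. This is the 48-digit key the wizard
    #    offers to print or save; decide where (or whether) to keep it, as the
    #    post discusses, but record it before the drive is locked to the TPM.
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
    "Recovery password (store it off this disk, or discard it deliberately): $recovery"

    # 4. Turn encryption on. XtsAes256 is the wizard's latest encryption mode,
    #    and -TpmProtector seals the key to this machine's TPM. Without
    #    -SkipHardwareTest the cmdlet behaves like the wizard's "run a system
    #    check" box: it reboots once and only then begins encrypting.
    $params = @{
        MountPoint       = $Drive
        EncryptionMethod = 'XtsAes256'
        TpmProtector     = $true
    }
    if ($UsedSpaceOnly) { $params['UsedSpaceOnly'] = $true }
    Enable-BitLocker @params
    "BitLocker enabled on $Drive; reboot to run the system check and start encrypting."
} else {
    "BitLocker is already configured on $Drive; nothing to do."
}

# 5. After the reboot, re-run this line (or watch the tray icon) until
#    EncryptionPercentage reaches 100 and ProtectionStatus is On.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The order matters: the recovery password protector is added before `Enable-BitLocker` so that a copy of the key exists from the moment the volume is locked to the TPM. `ProtectionStatus` stays `Off` until encryption finishes and the TPM protector is active, so step 5 is the check that the drive is actually protected rather than merely being encrypted.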

Now, going back to the original problem: if your laptop has BitLocker turned on and is stolen, the bad actor can still try to guess your password at the login screen. But if they give up, take out the drive, and put it into another computer (one with a different TPM), the disk will not be readable, because the key that unlocks it never leaves your laptop's TPM.

The Solution (for macOS):