Sunday, April 8, 2012

Encryption in Windows


Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right encryption key to unscramble it. For example, if you purchase something from a website, the information for the transaction (such as your address, phone number, and credit card number) is usually encrypted to help keep it safe. Use encryption when you want a strong level of protection for your information.
For more information, see What is Encrypting File System (EFS)?


What is Encrypting File System (EFS)?

Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format. Encryption is the strongest protection that Windows provides to help you keep your information secure.
Some key features of EFS:
  • Encrypting is simple; just select a check box in the file or folder's properties to turn it on.
  • You have control over who can read the files.
  • Files are encrypted when you close them, but are automatically ready to use when you open them.
  • If you change your mind about encrypting a file, clear the check box in the file's properties.

Note

  • EFS is not fully supported on Windows 7 Starter, Windows 7 Home Basic, and Windows 7 Home Premium. For those editions of Windows, if you have the encryption key or certificate, you can do the following:
    • Decrypt files by running Cipher.exe in the Command Prompt window (advanced users)
    • Modify an encrypted file
    • Copy an encrypted file as decrypted to a hard disk on your computer
    • Import EFS certificates and keys
    • Back up EFS certificates and keys by running Cipher.exe in the Command Prompt window (advanced users)
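The Cipher.exe tasks listed in the note, done in the order a careful user should do them (inventory, back up the certificate and key, then decrypt), as an added PowerShell example that is not part of the original help text; the backup name and folder path are constructed placeholders, and the current user is assumed to hold the EFS certificate and private key for the files.

```powershell
# Added example, not from the original help page: the Cipher.exe tasks available on
# Windows 7 Starter/Home editions, where the Explorer check box is not offered.
# Assumes the current user holds the EFS certificate and private key for the files.
param(
    [string]$BackupBase      = "$env:USERPROFILE\Documents\efs-backup",   # constructed; cipher appends .pfx
    [string]$FolderToDecrypt = "$env:USERPROFILE\Documents\Private"      # constructed path
)

# 1. Inventory: list every EFS-encrypted file on local drives (/u /n lists without rekeying).
Write-Host "Encrypted files on this computer:"
cipher.exe /u /n

# 2. For each encrypted file in the target folder, show who can decrypt it
#    (the user certificate thumbprint and any data recovery agents).
Get-ChildItem -Path $FolderToDecrypt -Recurse |
    Where-Object { -not $_.PSIsContainer -and ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
    ForEach-Object { cipher.exe /c $_.FullName }

# 3. Back up the EFS certificate and private key BEFORE touching the files.
#    Cipher prompts for a password that protects the .pfx; move the file off this machine.
cipher.exe /x $BackupBase
if (-not (Test-Path "$BackupBase.pfx")) {
    throw "EFS key backup was not written; not decrypting anything."
}

# 4. Decrypt the folder: /a = files as well as directories, /s = include subdirectories.
cipher.exe /d /a "/s:$FolderToDecrypt"

# 5. Verify: nothing under the folder should still carry the Encrypted attribute.
$stillEncrypted = Get-ChildItem -Path $FolderToDecrypt -Recurse |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }
if ($stillEncrypted) {
    Write-Warning "$(@($stillEncrypted).Count) item(s) still encrypted (files you hold no key for?)"
} else {
    Write-Host "Folder fully decrypted; keep the .pfx backup safe in case encrypted copies are restored."
}
```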


      Help protect your files using BitLocker Drive Encryption

      You can use BitLocker Drive Encryption to help protect all files stored on the drive Windows is installed on (operating system drive) and on fixed data drives (such as internal hard drives). You can use BitLocker To Go to help protect all files stored on removable data drives (such as external hard drives or USB flash drives).
      Unlike Encrypting File System (EFS), which enables you to encrypt individual files, BitLocker encrypts the entire drive. You can log on and work with your files normally, but BitLocker can help block hackers from accessing the system files they rely on to discover your password, or from accessing your drive by removing it from your computer and installing it in a different computer.
      When you add new files to a drive that is encrypted with BitLocker, BitLocker encrypts them automatically. Files remain encrypted only while they are stored in the encrypted drive. Files copied to another drive or computer are decrypted. If you share files with other users, such as through a network, these files are encrypted while stored on the encrypted drive, but they can be accessed normally by authorized users.
      If you encrypt the operating system drive, BitLocker checks the computer during startup for any conditions that could represent a security risk (for example, a change to the BIOS or changes to any startup files). If a potential security risk is detected, BitLocker will lock the operating system drive and require a special BitLocker recovery key to unlock it. Make sure that you create this recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files. If your computer has the Trusted Platform Module (TPM) chip, BitLocker uses it to seal the keys that are used to unlock the encrypted operating system drive. When you start your computer, BitLocker asks the TPM for the keys to the drive and unlocks it.
      If you encrypt data drives (fixed or removable), you can unlock an encrypted drive with a password or a smart card, or set the drive to automatically unlock when you log on to the computer.
      You can turn off BitLocker at any time, either temporarily by suspending it, or permanently by decrypting the drive.

      Note

      • The ability to encrypt drives using BitLocker Drive Encryption is not available in all editions of Windows.

      To turn on BitLocker

      1. Click Turn On BitLocker. This opens the BitLocker setup wizard. Follow the instructions in the wizard. Administrator permission required: if you are prompted for an administrator password or confirmation, type the password or provide confirmation.

      To turn off or temporarily suspend BitLocker

      1. Do one of the following:
        • To temporarily suspend BitLocker, click Suspend Protection, and then click Yes.
        • To turn off BitLocker and decrypt the drive, click Turn Off BitLocker, and then click Decrypt Drive.


          What's the difference between BitLocker Drive Encryption and Encrypting File System?

          There are several differences between BitLocker Drive Encryption and Encrypting File System (EFS). BitLocker is designed to help protect all of the personal and system files on the drive Windows is installed on (the operating system drive) if your computer is stolen, or if unauthorized users try to access the computer. You can also use BitLocker to encrypt all files on fixed data drives (such as internal hard drives) and use BitLocker To Go to encrypt files on removable data drives (such as external hard drives or USB flash drives). EFS is used to help protect individual files on any drive on a per-user basis. The table below shows the main differences between BitLocker and EFS.
          BitLocker: BitLocker encrypts all personal and system files on the operating system drive, fixed data drives, and removable data drives.
          EFS: EFS encrypts personal files and folders one-by-one and doesn't encrypt the entire contents of a drive.

          BitLocker: BitLocker does not depend on the individual user accounts associated with files. BitLocker is either on or off, for all users or groups.
          EFS: EFS encrypts files based on the user account associated with them. If a computer has multiple users or groups, each of them can encrypt their own files independently.

          BitLocker: BitLocker uses the Trusted Platform Module (TPM), a special microchip in many computers that supports advanced security features, to encrypt the operating system drive.
          EFS: EFS does not require or use any special hardware.

          BitLocker: You must be an administrator to turn BitLocker encryption on or off on the drive that Windows is installed on and on fixed data drives.
          EFS: You do not have to be an administrator to use EFS.
          You can use BitLocker Drive Encryption and EFS together to get the protection offered by both features. When using EFS, encryption keys are stored with the computer's operating system. Although the keys used with EFS are encrypted, their security still could be compromised if a hacker is able to access the operating system drive. Using BitLocker to encrypt the operating system drive can help protect these keys by preventing the operating system drive from booting or being accessed if it is installed in another computer.
          For more information about EFS, see What is Encrypting File System (EFS)?




          What is a BitLocker Drive Encryption startup key or PIN?

          When you use BitLocker Drive Encryption to encrypt the drive that Windows is installed on, you can use a startup key or personal identification number (PIN) to start your computer for added security. If you use a PIN, you will need to remember it and type it each time you start the computer. If you use a startup key, you will need to save it on a USB flash drive and insert the flash drive each time you start the computer. Having a startup key or PIN is optional, unless your computer is at a workplace and your system administrator requires it.
          You can create either a startup key or a PIN, but not both. The PIN can be any number that you choose from 4 to 20 digits in length (the minimum length of your PIN might be longer if your computer is part of a domain). The PIN is stored on your computer. You can create a startup key or PIN when you turn on BitLocker for the first time. After you create the startup key or PIN, you can use Manage BitLocker to change the PIN, but you cannot change the startup key. You can make additional copies of the startup key in case you lose the original.

          Notes

          • A startup key can also be used to store the encryption keys for the drive that Windows is installed on if your computer does not have the Trusted Platform Module (TPM) security hardware. BitLocker seals its encryption keys in the TPM hardware, which is a special microchip in many computers that supports advanced security features. You can only use a startup key instead of the TPM if your system administrator has set up your network to allow the use of startup keys. For more information about TPM, see What is the Trusted Platform Module security hardware?
          • If you create backup copies of your startup key, make sure you store them on separate removable media.
          • Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery key, and any BitLocker error messages.

          To copy your startup key or change your PIN

          1. Click Manage BitLocker, and then follow the instructions.



          What is a BitLocker recovery key?

          A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive.
          You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a folder on another drive on your computer that you are not encrypting. You cannot save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Store the recovery key separate from your computer. After you create a recovery key, you can use Manage BitLocker to make additional copies.

          Notes

          • If your computer is part of a domain, your system administrator might control which recovery key options are available.
          • Assistive technology software that runs on Windows, such as screen reading software, can't read BitLocker startup screens because they are displayed during basic input/output system (BIOS) startup before Windows starts. This includes screens used when you type a personal identification number (PIN) or recovery key, and any BitLocker error messages.

          To copy your BitLocker recovery key

          1. Click Manage BitLocker, and then follow the instructions.


            What's the difference between suspending BitLocker Drive Encryption and decrypting the drive?

            BitLocker can be turned off in two ways: by suspending BitLocker or by decrypting the drive. When you suspend BitLocker, your drive is still encrypted but your computer uses a plain text decryption key that is stored on the drive to read the information. When you decrypt the drive, everything on your drive is decrypted.
            Suspending BitLocker Drive Encryption is a temporary method for removing BitLocker protection without decrypting the drive Windows is installed on (the operating system drive). Suspend BitLocker if you need to update the computer’s basic input/output system (BIOS) or startup files; this will help prevent BitLocker from locking the drive and can help avoid a lengthy decryption process. When the update is complete and you have restarted the computer, you can click Resume Protection.
            You can only suspend BitLocker on operating system drives. If you want to turn off BitLocker on a fixed data drive (such as an internal hard drive) or a removable data drive (such as an external hard drive or a USB flash drive), you must decrypt the drive.
            Decrypting an operating system drive means that BitLocker protection is removed from the computer, which can be time-consuming.

            To temporarily suspend BitLocker or decrypt the drive

            1. Do one of the following:
              • To temporarily suspend BitLocker, click Suspend Protection, and then click Yes.
              • To turn off BitLocker and decrypt the drive, click Turn Off BitLocker, and then click Decrypt Drive.

            Note

            • If your computer is part of a domain, some BitLocker features and settings might be controlled by your system administrator. 
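The suspend-for-an-update procedure above, together with the recovery key advice from the earlier sections, as an added PowerShell example that is not part of the original help text; it uses manage-bde.exe (present on Windows 7 and later) and assumes C: is the BitLocker-protected operating system drive, E: is an unencrypted drive or USB flash drive, and an English Windows whose manage-bde output can be matched literally.

```powershell
# Added example, not from the original help page. Run with -Action Prepare before a BIOS or
# startup-file update (saves a recovery password, then suspends protection) and with
# -Action Resume after the restart. Uses manage-bde.exe, present on Windows 7 and later.
# Assumptions: C: is the BitLocker-protected OS drive, E: is an unencrypted drive or USB
# stick, and Windows is English (manage-bde output text is matched literally).
param([ValidateSet('Prepare','Resume')][string]$Action = 'Prepare')
$OsDrive = "C:"
$SaveTo  = "E:\BitLocker-Recovery-$env:COMPUTERNAME.txt"   # constructed destination

$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Changing BitLocker on the OS drive requires an administrator." }

if ($Action -eq 'Resume') {
    manage-bde.exe -protectors -enable $OsDrive   # the same thing as clicking Resume Protection
    manage-bde.exe -status $OsDrive
    return
}

# Refuse to write the recovery password onto a drive that BitLocker itself protects.
$targetDrive = Split-Path -Qualifier $SaveTo
if (-not ((manage-bde.exe -status $targetDrive) -match 'Fully Decrypted')) {
    throw "$targetDrive is not an unencrypted drive; choose another place for the key."
}

# Make sure C: has a Numerical Password protector (the 48-digit recovery password).
$protectors = manage-bde.exe -protectors -get $OsDrive
if (-not ($protectors -match 'Numerical Password')) {
    manage-bde.exe -protectors -add $OsDrive -RecoveryPassword | Out-Null
    $protectors = manage-bde.exe -protectors -get $OsDrive
}

# Extract the eight groups of six digits and save them with enough context to match
# the key to this computer and drive later.
$recovery = $protectors | Select-String -Pattern '(\d{6}-){7}\d{6}' |
    ForEach-Object { $_.Matches[0].Value }
if (-not $recovery) { throw "No recovery password found in manage-bde output." }
@("Computer: $env:COMPUTERNAME  Drive: $OsDrive  Saved: $(Get-Date -Format s)") + $recovery |
    Set-Content -Path $SaveTo
Write-Host "Recovery password saved to $SaveTo; keep that media away from the computer."

# Suspend protection: the drive stays encrypted, but a clear key on disk lets it boot past
# the TPM startup check while firmware or startup files change.
manage-bde.exe -protectors -disable $OsDrive
Write-Host "Protection suspended. Apply the update, restart, then run this script with -Action Resume."
```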


              Why BitLocker Drive Encryption might block your computer from starting

              If you use BitLocker Drive Encryption to encrypt the drive that Windows is installed on (operating system drive) and your computer has at least version 1.2 of the Trusted Platform Module (TPM) security hardware (a special microchip in many computers that supports advanced security features), the TPM checks the system during startup for conditions that could indicate a security risk. These conditions could include disk errors, changes to the basic input/output system (BIOS), changes to other startup components, or evidence that the hard disk is being started in a different computer.
              If the TPM detects such a condition, BitLocker will not unlock the operating system drive and will enter a recovery mode that requires the BitLocker recovery key to unlock it.

              Warning

              • It is very important that you create a recovery key when you turn on BitLocker for the first time; otherwise, you could permanently lose access to your files.
              If you use BitLocker to encrypt the system drive and your computer doesn’t have at least version 1.2 of the TPM, BitLocker will not check for changes to the startup environment. However, you will still need the recovery key in case your BitLocker startup key doesn’t unlock the system drive.

              Notes

              • If your computer is part of a domain, some BitLocker features and settings can be controlled by your system administrator.
              • Assistive technology software that runs on Windows, such as screen reading software, cannot read BitLocker startup screens because they are displayed during BIOS startup and before Windows runs. This includes screens used when you type a PIN or recovery key, and any BitLocker error messages.





