Hard disk encryption is a tool that can help you secure your data in case of a stolen or lost laptop. While it is important to protect your company’s information from thieves, it’s just as important to make sure that you don’t lose the data by being unable to access an encrypted drive. Today we’ll look at the pros and cons of BitLocker, Microsoft’s disk encryption solution, and help you understand what it takes to keep your data both safe and recoverable.

Disk Encryption 101

BitLocker is a technology for securing your disk with a cryptographic key. This differs from using your password or login credentials to access the hard disk, because the keys it generates are a stronger form of protection than a human-readable password: it’s sort of like a password that is 48 digits long. Without going into any of the details of the cryptographic process, suffice it to say that a 48-digit key is quite strong. For the disk to be read, your operating system needs to know what that key is before it can use any of the information on the disk.

What this does is prevent the disk from being accessed by anyone who doesn’t have the key. The main scenario where disk encryption protects you is a stolen laptop or workstation: without encryption, thieves could just take the unencrypted drive out of the computer, plug it into their own workstation, and get the files off of it (even if you have a password or fingerprint set up for your login). In other words, they don’t have to log in to your laptop to get the data from the hard disk.

Responsible Key Storage

While there are some structural vulnerabilities to disk encryption that are important to keep in mind—for example, it only protects data when it’s not being used—the main challenge with encrypting your drive is making sure you can access the key when you need it. You use BitLocker to generate the key for your disk and then (usually) store it in your Microsoft account. This way, you have access to the key any time you’re logged into Windows with your Microsoft account, and your workstation seamlessly decrypts and encrypts data as necessary.

There are other options for storing the key, like printing it out or keeping it on a USB drive, but those have their own implications too: if you lose access to the key, you lose all of the data on the drive. You might lose a physical copy of the key; but if you’ve stored it in the cloud, you have to 1) know which account you used to generate and store the key, and 2) maintain access to that account.

You can find any keys that are associated with your disks by visiting https://account.microsoft.com/ and going to Devices. Click on “View Details” for the device, and go to “Manage Recovery Keys.” Remember, storing this key insecurely is a risk on its own, since it might be exfiltrated as part of a different kind of attack. Likewise, taking a screenshot of the recovery key and keeping it on the encrypted drive means that you wouldn’t have access to the screenshot when you need it to unlock the drive.
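To make the key-storage advice above concrete, here is an added PowerShell script (it is not from the original post and not Microsoft’s code) that checks the BitLocker state of the system volume, makes sure a 48-digit recovery password protector exists, escrows it to the cloud account the device is joined to, and writes an offline copy only to a location that is not on the encrypted volume itself. The cmdlets used (Get-BitLockerVolume, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector) are from Windows’ built-in BitLocker module; the backup path E:\bitlocker-keys is a hypothetical removable-drive location you would replace with your own.

```powershell
# Added example, not from the original post: audit BitLocker on the OS volume and make
# sure the recovery password is backed up somewhere you can still reach while the drive
# is locked. Run from an elevated PowerShell prompt on Windows 10/11.
# Assumption: $BackupDir is a hypothetical path on a different, unencrypted location
# (for example a removable drive), never the volume being protected.
param(
    [string]$MountPoint = $env:SystemDrive,     # normally "C:"
    [string]$BackupDir  = "E:\bitlocker-keys"   # hypothetical removable-drive path
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
"Volume {0}: status={1} protection={2} method={3}" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

# The 48-digit recovery password lives in a key protector of type RecoveryPassword.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

if (-not $rp) {
    Write-Warning "No recovery password protector on $MountPoint; adding one."
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# Refuse to write the offline copy onto the encrypted volume itself: you could not read
# it while that volume is locked, which is exactly when you need it.
if ($BackupDir.ToUpper().StartsWith($MountPoint.ToUpper())) {
    throw "Backup path $BackupDir is on the volume being protected; choose another location."
}
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($p in $rp) {
    # Escrow the key to the Microsoft/Entra account the device is joined to, so that it
    # appears under account.microsoft.com > Devices > Manage recovery keys.
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint `
            -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
        "Recovery key $($p.KeyProtectorId) backed up to the cloud account."
    } catch {
        Write-Warning "Cloud backup failed ($($_.Exception.Message)); rely on the offline copy."
    }

    # Offline copy, named after the machine and protector ID so it can be matched later.
    $file = Join-Path $BackupDir ("{0}-{1}.txt" -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
    $p.RecoveryPassword | Set-Content -Path $file
    "Offline copy written to $file"
}
```

Run it once after enabling BitLocker and again whenever you re-image or re-join the machine to an account; the protector ID printed by the script is the same identifier shown in the Microsoft account portal, which is how you confirm that the key you see online really belongs to this disk.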

BitLocker Off/BitLocker On

As usual, having a password manager with a strong (but memorizable) master password can help you keep your account accessible. You should also have Multi-Factor Authentication enabled for your account. Maintaining access to the accounts that you set up Windows with is very important to making sure you don’t lose your data, because many people have reported that BitLocker turns itself on in certain scenarios. If that happens, you need to remember how to access the account and get the recovery key for the disk, because without it, your disk will become inaccessible.

-Written by Derek Jeppsen on Behalf of Sean Goss and Crown Computers Team