Enabling full-disk encryption on Windows systems
This uses Microsoft's standard BitLocker software, which should be available by default on your Windows system.
The University has generic advice on enabling BitLocker; the following is specific to P&A.
When applying full disk encryption to your machine's hard drive it is important to make sure you create a recovery key (.bek file) and save it in a secure and safe place. Should anything go wrong with your machine that requires the disk drive to be removed in order to retrieve your files, the only way these can be read is by using the recovery key to unlock the disk encryption.
A USB memory stick will be required to save the recovery key file. You should label and store this in a secure and safe place (possibly with your group's secretary).
It is also strongly recommended that you make a second copy of your recovery key file (on a second, labelled USB stick used only for this purpose and stored safely, or in a secure location on your group's file server).
If your machine is connected to the internet when you run the script to initiate the BitLocker encryption process, a further copy of the recovery key will be emailed to a School IT support address set up specifically for the purpose of providing central secure storage of all recovery keys. If your machine is not connected to the internet when you run the script, you can still, if you want, manually email the key to phas-encrypt@glasgow.ac.uk.
Note that full disk encryption is not a substitute for using a strong password on your user account. Even in combination with a strong password, it only protects against unauthorised access to the files on your machine in the event that the machine is lost or stolen.
Applies to:
- Windows 7 Enterprise
- Windows 7 Ultimate
- Windows 10 Enterprise
- Windows 10 Pro
(but you really shouldn't be using Windows 7 any more).
Steps:
- Back up any data on your machine's disk to external storage.
- Browse to http://wiki.physics.gla.ac.uk/downloads/powershell and save the file Enable-Bitlocker.ps1 to a suitable location on your hard drive.
- Open an elevated (administrator) command prompt: in 'Accessories', right-click 'Command prompt' and select 'Run as Administrator'.
- Type the command:
  powershell set-executionpolicy unrestricted
  ...and respond "yes" to any prompts for confirmation.
- Type the command:
  powershell <disk-directory>\enable-bitlocker.ps1
  ...where <disk-directory> is the location you chose in step 2. Follow the script instructions.
Depending on the hardware specification of your machine, you may be required to enter a startup password. Note this password carefully in a safe place. You will be required to enter it whenever you start your machine to gain access to the disk.
During the encryption procedure (and prior to the encryption process starting) you will be requested to accept the reboot of your machine in order to validate the encryption recovery key. Upon startup the encryption process will commence, and may take some time.
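Once the script has finished and the machine has rebooted, it is worth confirming that the system drive really is protected and that a recovery key exists before relying on it. The following is an added example, not part of the P&A Enable-Bitlocker.ps1 script; it uses Windows' built-in BitLocker cmdlets from an elevated PowerShell prompt and assumes your labelled USB stick is mounted as E: (change $UsbDrive if not).

```powershell
# Added example (not the P&A script): check BitLocker status on the system
# drive and save the recovery key text to the labelled USB stick.
# Assumption: the USB stick is E:; run from an administrator PowerShell prompt.
param(
    [string]$UsbDrive = 'E:'
)

$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

# The three values IT support will ask for when checking a machine.
"{0}: status={1} protection={2} encrypted={3}%" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not yet on for $($vol.MountPoint); encryption may still be in progress."
}

# Only a RecoveryPassword protector can unlock the disk if it is moved to another machine.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    Write-Warning "No recovery password protector found on $($vol.MountPoint). This disk is not recoverable; contact IT support."
    return
}

if (-not (Test-Path -Path $UsbDrive)) {
    Write-Warning "USB drive $UsbDrive not found; insert the labelled stick and re-run."
    return
}

# One file per protector. The identifier is what the BitLocker recovery screen
# displays at boot, so putting it in the filename lets you match key to prompt.
foreach ($p in $recovery) {
    $id = $p.KeyProtectorId.Trim('{}')
    $file = Join-Path $UsbDrive ("BitLocker Recovery Key {0}.txt" -f $id)
    @(
        "BitLocker recovery key for $env:COMPUTERNAME, volume $($vol.MountPoint)"
        "Identifier: $($p.KeyProtectorId)"
        "Recovery Key: $($p.RecoveryPassword)"
    ) | Set-Content -Path $file -Encoding ASCII
    "Saved recovery key to $file"
}
```

The file written here holds the 48-digit recovery password in plain text, so treat the USB stick with the same care as the key file produced by the script and keep it away from the machine it protects.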