School of Physics and Astronomy – computing

Enabling full-disk encryption on Windows systems

This uses Microsoft's standard ‘BitLocker’ software, which should be available by default in your Windows system.

The University has generic advice on enabling BitLocker; the following is specific to P&A.

In applying full disk encryption to your machine's hard drive it is important to make sure you create a recovery key (.bek file) and save this in a secure and safe place. Should anything go wrong with your machine which requires the removal of the disk drive in order to retrieve your files, the only way these can be read is by using the recovery key to unlock the disk encryption.

A USB memory stick will be required to save the recovery key file. You should label and store this in a secure and safe place (possibly with your group's secretary).

It is also strongly recommended that you make a second copy of your recovery key file (on a second, labelled, USB stick used only for this purpose and stored safely, or in a secure location on your group's file server).

If your machine is connected to the internet when you run the script to initiate the BitLocker encryption process, then a further copy of the recovery key will be emailed to a School IT support address set up specifically for the purpose of providing central secure storage of all recovery keys. If your machine is not connected to the internet when you run the script, you can still, if you want, manually email the key to phas-encrypt@glasgow.ac.uk.

Note that full disk encryption is not a substitute for using a strong password on your user account. In combination with a strong password it only protects against unauthorised access to the files on your machine in the event that your machine is lost or stolen.

Applies to:

(but you really shouldn't be using Windows 7 any more).

Steps:

  1. Back up any data on your machine's disk to external storage.

  2. Browse to http://wiki.physics.gla.ac.uk/downloads/powershell and save the file Enable-Bitlocker.ps1 to a suitable location on your hard drive.

  3. Open an elevated command prompt. In ‘Accessories’ right-click ‘Command prompt’ and select ‘Run as Administrator’.

  4. Type the command:

    powershell set-executionpolicy unrestricted

    ...and respond "yes" to any prompts for confirmation.

  5. Type the command:

    powershell <disk-directory>\enable-bitlocker.ps1

    ...where <disk-directory> is the location you chose in step 2.

    Follow the script instructions.

Depending on the hardware specification of your machine, you may be required to enter a startup password. Note this password carefully in a safe place. You will be required to enter it whenever you start your machine to gain access to the disk.

During the encryption procedure (and prior to the encryption process starting) you will be requested to accept the reboot of your machine in order to validate the encryption recovery key. Upon startup the encryption process will commence, and may take some time.
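
A check to run once the machine has rebooted and encryption has started. This is an added example, not part of the School's Enable-Bitlocker.ps1. It assumes the BitLocker PowerShell module (Windows 8 and later; on Windows 7 use manage-bde -status instead), and the function name and drive letters are illustrative.

```powershell
# Added example: not the School's Enable-Bitlocker.ps1. Run from an elevated
# PowerShell prompt once the machine has rebooted and encryption has started.
function Test-DiskEncryption {            # hypothetical helper name
    param(
        [string]   $MountPoint = $env:SystemDrive,
        [string[]] $KeyMedia   = @()      # roots of the USB sticks holding .bek copies
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $ok  = $true

    # VolumeStatus stays EncryptionInProgress until the percentage reaches 100.
    Write-Host ('{0} {1}, {2}% encrypted, protection {3}' -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning 'Encryption has not started on this volume.'
        $ok = $false
    }

    # A recovery key saved as a .bek file is listed as an ExternalKey protector.
    $external = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'ExternalKey' })
    if ($external.Count -eq 0) {
        Write-Warning 'No ExternalKey (.bek) protector is present on this volume.'
        $ok = $false
    }

    # Confirm each labelled stick really holds a matching key file before it is stored away.
    foreach ($root in $KeyMedia) {
        $hits = @($external | Where-Object {
            Test-Path -LiteralPath ([System.IO.Path]::Combine($root, $_.KeyFileName)) })
        if ($hits.Count -eq 0) {
            Write-Warning "No key file for this volume was found on $root"
            $ok = $false
        }
    }

    # Step 4 changed the machine-wide policy; flag it if it was left that way.
    if ((Get-ExecutionPolicy -Scope LocalMachine) -eq 'Unrestricted') {
        Write-Warning 'LocalMachine execution policy is still Unrestricted.'
    }
    return $ok
}

# Constructed drive letters for the two recovery-key sticks.
Test-DiskEncryption -KeyMedia 'E:\', 'F:\'
```

If the last warning appears, Set-ExecutionPolicy Restricted returns the machine to the Windows client default; use your previous setting if it was different.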