
Encryption for your Windows device

Introduction

Without disk encryption, anyone who has physical access to a computer can read all the data stored on that computer's fixed (HDD or SSD) disks, including documents and the emails stored in the local copy of the user's mailbox. This is particularly relevant for portable computers, which may be lost or stolen.

Windows 10 and later operating systems have a full disk encryption technology called BitLocker built into the operating system. This document presents the configuration steps to enable BitLocker to encrypt the fixed disks in your Windows computer. Before deciding whether to encrypt the disk or not, please note the following side effects of disk encryption.

BitLocker at CERN

It is essential to save the recovery key and to store it in a secure place. It is also essential to back up your data properly.

If you are using a CMF Managed Windows PC, your data (My Documents, Desktop, etc.) is normally synchronized with CERNBox. Any document saved in another local folder should be backed up before proceeding.

  • BitLocker is ENABLED by default on all CMF Centrally Managed devices, except OpenStack virtual machines.
  • For CMF Locally Managed devices, a package is available in CMF and should be deployed by the Local Administrators.
  • Enabling BitLocker on a computer with multiple operating systems (dual-boot) is not recommended, as it might corrupt the bootloader.
  • The grace period for retrieving a BitLocker key after a computer object has been altered (deleted/moved/recreated) in the domain Active Directory is 330 days.

Maximising the protection provided by BitLocker on Windows

BitLocker provides the strongest protection when:

  • A PIN is required on computer start-up and

  • When not used, your computer is shut down or hibernated rather than put to sleep.

Once the operating system is running, the encryption key is loaded in memory, and the computer can then be exposed to other types of attack.

By default, BitLocker encrypts only your system drive, and no PIN is required at start-up.

Side effects of disk encryption

Disk encryption makes it impossible to access the data on the disk without first decrypting it. This has the following side effects:

  • Neither you nor the Service Desk personnel will be able to access the data on your disk without the recovery key in case:

    • You forget your PIN

    • Your computer hardware is damaged

    • Your BIOS is updated

    • You want to access your disk from a different computer

  • In case of physical damage to the disk, it may be impossible to recover the data even with the recovery key.

  • An unsuccessful attempt to encrypt the disk could result in data loss.

Conversely, anyone who holds the recovery key can decrypt the disk.

Additional settings

If you want to add a startup PIN, please follow these configuration steps:

  • Right click on Command Prompt and choose “Run as administrator”.
  • Then type in:
    manage-bde -protectors -add c: -TPMAndPIN
  • Type your PIN when asked and validate by pressing “Enter”.
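The manage-bde command above adds the PIN but does not tell you whether a recovery key exists or whether it has been stored in Active Directory, which is what the side effects listed earlier depend on. The following PowerShell script is an added example, not part of the original page or of the CMF package: it inspects the BitLocker state of the system drive, makes sure a recovery password protector exists and has been escrowed to the computer's Active Directory object, checks that the TPM is ready, and only then adds the TPM+PIN protector (the same change the manage-bde command makes). It assumes an elevated PowerShell session on a domain-joined, TPM-equipped Windows 10/11 PC, that the system drive is C:, and that Group Policy permits a TPM+PIN protector (otherwise Add-BitLockerKeyProtector refuses the request, exactly as manage-bde does).

```powershell
# Added example (not the page's own code): verify recovery key escrow before
# adding a BitLocker startup PIN on the system drive.
# Assumptions: elevated session, domain-joined PC with a ready TPM, system
# drive C:, Group Policy allowing TPM+PIN.

$MountPoint = 'C:'

# 1. Current status: volume state, protection state, progress and protectors in place.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: VolumeStatus={1} ProtectionStatus={2} Encrypted={3}%" -f
    $MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 2. A recovery password must exist: without it, a forgotten PIN, a hardware
#    change or a BIOS update means the data on the disk is lost for good.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    Write-Host 'No recovery password protector found; creating one.'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 3. Escrow every recovery password to the computer object in Active Directory,
#    so it can be retrieved by the Service Desk while the object still exists
#    (remember the 330-day grace period after the object is altered).
foreach ($rp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

# 4. TPM+PIN needs a usable TPM; stop here rather than leave a half-configured drive.
if (-not (Get-Tpm).TpmReady) {
    throw 'TPM is not ready; cannot add a TPM+PIN protector.'
}

# 5. Add the TPM+PIN protector (equivalent to "manage-bde -protectors -add c: -TPMAndPIN").
#    Read-Host -AsSecureString keeps the PIN out of the console history and any transcript.
$existingPin = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'TpmPin'
if ($existingPin) {
    Write-Host 'A TPM+PIN protector is already present; nothing to do.'
} else {
    $pin = Read-Host -Prompt 'Enter the new startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
    Write-Host 'TPM+PIN protector added; the PIN will be requested at the next start-up.'
}

# 6. Final check: the drive should now list RecoveryPassword and TpmPin protectors.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

Run it once from an elevated PowerShell window after BitLocker has been enabled by CMF. If step 5 reports that the policy does not permit a TPM+PIN protector, the computer is not allowed to require a PIN and the manage-bde command in the steps above will fail for the same reason.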

Post-installation information

Once BitLocker is enabled, your hard drive contains a new partition which is not visible in Windows Explorer.

If you reinstall your operating system, you first need to clean the complete disk: click on Disk 0 in the left pane, then on “Clean Complete Disk”, before installing Windows again.

If you need the recovery key, you can find it on this page