Sign in using a Microsoft account that has administrator rights on the device. That action removes the clear key, uploads a recovery key to the user's OneDrive account, and encrypts the data on the system drive. Note that this process happens automatically and works on any Windows 10 edition.
So, does the password set on Windows 10 protect files? Could someone circumvent the password by connecting the hard drive to a different computer or installing another copy of Windows? Is the situation different for Windows 7? Is the situation different for C:/(system) and D:/?
But what if we are using home edition? A password can prevent entry into the OS, but if one could still connect the hard drive to another computer so that the files in it could be read without knowing the password, then the data were not really securely protected.
You can use something like VeraCrypt or Device Encryption if you want to use native Windows functionality. Device Encryption has specific hardware requirements in order to use it. If you are unable to enable it then your device does NOT meet the requirements. Device Encryption is required by Microsoft to come enabled on ALL OEM hardware.
At the bottom of the System Information window, find Device Encryption Support. If the value says Meets prerequisites, then device encryption is available on your device. If it isn't available, you may be able to use standard BitLocker encryption instead.
I don't understand why Windows has hardware encryption requirements when Linux Mint can encrypt your home folder natively if you were to install that instead. All Windows versions should have a native on-the-fly software based encryption method like Linux distributions or VeraCrypt.
Windows 10 Home edition does not include BitLocker, but if you have access to a copy of Windows 10 Professional, you can encrypt a drive with it and then move the drive to the Windows 10 Home machine. Pain in the rear, but maybe worth the effort depending on your data.
Does Windows 11 Home now provide pre-boot authentication too, in addition to usage of TPM through the command line interface? Earlier, in Windows 10 Home, BitLocker was present with limited support. Pre-boot auth would be better instead of just relying on TPM.
I understand your point, but I think the lack of ease of use when you could just search for a generic key online is just not worth it. For example, changing your encryption password is probably going to be a pain in the ass.
and I tried to install this program to supposedly 'unlock' BitLocker on my Windows Home edition so I could encrypt my hard drive/operating system. I installed it, and it ran a DOS program for a split second, but it did not do anything after that, and neither did it even allow me to encrypt my drive.
@ajaaron: the test program outputs that BitLocker is disabled and so VeraCrypt should have displayed the same since they are both using the same code, but for some reason the behavior between the two is different. Something is definitely strange.
Concerning the program you installed, it looks suspicious to me especially after inspecting their website. In your place, I would be concerned about what this program did to the PC after installing it.
@enigma2illusion: the "EncryptionInProgress" is what is returned by the Windows API but it doesn't necessarily mean that there is an encryption and that's why I ignore it. Somehow, Windows sets this value to 2 (or 4 in the case of OP) instead of 0.
Okey dokey...thanks for all your help Mounir. I managed to go to encryption settings area in Windows and it gave me the option to 'decrypt' the drive, which I did...it took around 30min or so. It appears that dodgy program did something to make Windows think it was encrypted (not sure whether it really was encrypted or not, but I certainly didn't create an encryption password, nor did I need to enter a password at any time).
I received my new laptop, directly from Lenovo yesterday. I've verified that the version of Windows shipped is actually Windows 11 Home. And that BitLocker is encrypting all of the files on my new laptop (ThinkPad T-14 Gen3 AMD).
What may be new is that BitLocker encryption was the default. Everything I received was encrypted upon my first use. And anything I added (programs, text ...) was encrypted, without me having to jump through any hoops.
In my experience, encryption by default is a BAD idea. First, most people do not need it on their home computers. Second, I doubt if the typical user knows how important it is to back up the recovery key. Third, hard drives DO fail and most users do not back up their files regularly. Things are different in a business with a good IT team for support, but they are probably not running the home edition.
Encrypting everything presents a dramatically reduced attack surface. My guess is that MS is trying to reduce attack risk and simplify things for most users. If so, I think that is a worthy path to pursue.
Your assertion left me slightly confused. Are you referring to way back when a setup left you with a user account and an admin account? That has been a while. When we set her laptop up initially we did have to create a Microsoft account for her in the course of the process. It was something we had never done in the past as there was really no reason for her to have one. In the end she had a single login that was an admin account.
Hard disk encryption only provides protection from someone with physical access to the computer. It does nothing to protect from the much more common online threats. I recently had someone bring me a computer that was so infested with malware that it was basically unusable. It was VERY slow due to 100% CPU usage, constant lock-ups, and frequent unexpected reboots. I see this often so I proceeded as I usually do. Boot from a flash drive, back up user files, wipe the hard drive, then re-install the operating system / applications and restore the data files. In this case I discovered that the hard drive was encrypted with BitLocker. The owner had no idea what BitLocker was and certainly had not turned it on or backed up the recovery key. Fortunately I was able to get the computer to run stable enough to turn BitLocker off and proceed as usual. It was a long, slow process that was touch and go there for a while but was ultimately successful.
The standard install process on my new PC forced me to use, or create, a MS account. My recovery key was added to the account as part of the install process. Chalkie's experience seems to have been similar. I was not worried about a lost BitLocker recovery key. And for others using a similar process for a new computer, I don't think recovering a lost recovery key is a significant issue for them either.
My approach is really old school - I've been using it for about 15 years. Here's what I've been using for all of my passwords, verification codes, account numbers etc. It hasn't been updated in many years, but for my use, it doesn't need to be. BTW, it took me years to recognize the meaning of the chosen file name: "fSekrit.exe" = file Secret. I renamed my file with a name like mysecrets.exe.
Another advantage of using fSekrit is that your un-encrypted data is never stored on your hard disk. With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it. Unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you deleted the temporary file. This is not a viable attack against fSekrit, though, since it never stores your un-encrypted data on disk. (See security notes about swapping and hibernation, though!)
fSekrit uses very strong encryption to ensure that your data is never at risk. Rather than using hocus-pocus home-brewed algorithms, fSekrit uses the standard, military grade, peer-reviewed AES/Rijndael in CBC mode, with a 256-bit keysize.
Dan, I do the same but used folder names and file names that one would not think were PWs and secret data. But first they have to find the mini flash drive. It and its clone are not accessible without knowing where they are locked up away from the systems.
As you may know, BitLocker full disk encryption used to be available only on the Enterprise and Ultimate editions of Windows Vista, when it was introduced more than 12 years ago. Windows 7 continued that exclusive tradition. Windows 8 made it available to the Professional edition for the first time, which allowed a lot of home users that had purchased Pro to finally use it on their private devices. But what could you use if you had bought the Home edition of Windows and you wanted to keep away from 3rd party encryption software?
So, with that said, why would I try to go beyond device encryption? In other words: why would I even write this article? It is because Microsoft only allows device encryption on Windows 10 Home when two conditions are met:
So possibly Microsoft is trying to act in the best interest of home users who might, after all, not know what they are doing when they choose to enable disk encryption, and keeps them from using that feature so that they don't lock themselves out of their computer, possibly rendering their data inaccessible.
But what about you, the Home edition users, who do understand all of that? This method is for you. This method will give you the same protection and features as device encryption, but on any hardware.
Be aware that if you have set up Windows in a non-standard way (with legacy "MBR" partitioning, that is) and at the same time you use a TPM 2.0 module, you will not be able to use this method right away, so let's begin with two little tests: