Encrypt a Flash Drive to Secure Its Contents (BitLocker)



Encrypting your removable drive is the best way to protect any data it contains. If you lose an unencrypted drive, anyone who finds the drive can easily access the data. The data on an encrypted drive cannot be accessed unless you know the encryption password. Any removable drive, such as a flash drive or external hard drive can be encrypted easily in Windows 10 using BitLocker.

Formatting the Drive you Want to Encrypt

The first step in encrypting your drive is to format it. This will completely erase the drive, so if you already have data on the drive, you must back it up to another location. After you format and encrypt the drive, you can copy the data back to the drive. Formatting the drive only takes a few minutes.

Connect your removable drive, wait for Windows to recognize the drive and assign it a drive letter, then go to Start → Computer, right-click the drive and choose Format..., as shown below.


Select the exFAT file system and check the Quick Format box. Then click Start, as shown below.


Encrypting the Drive

After formatting the drive, you can begin encrypting it. Right-click Start, then click Control Panel:


Click BitLocker Drive Encryption. BitLocker will list all the drives that can be encrypted.


Click Turn On BitLocker next to the removable drive you want to encrypt, as shown below.


Setting the Encryption Password

When choosing how to unlock the drive, check the box next to Use a password to unlock the drive. Enter the encryption password twice. Any time you connect the drive, you will need to provide this password to access its contents. Without the password, the data is inaccessible.


The password you use to unlock the drive is not tied to your login password, and it cannot be reset or changed by the helpdesk. If you are going to encrypt your drive, use a password you can remember and create a recovery key.

Storing the Recovery Key

Next, select how you want to store the recovery key. The recovery key lets you access the drive if you forget the password. You can save the recovery key to a file or print the key out. If you print the key, make sure to keep it in a safe place.

If you lose the password and the recovery key, the data will not be accessible by anyone, anywhere, at all, ever. If you chose to save the key to a file, keep this file somewhere safe, preferably on a different computer than the one used to encrypt the drive. Never store the recovery key on the same drive you’re encrypting.


Starting the Encryption

After saving or printing the recovery key, you can begin the encryption process. Depending on the capacity of the drive, this can take from several minutes to several hours, so let it proceed uninterrupted, preferably overnight if you’re encrypting a high-capacity drive. After the drive is encrypted, you can disconnect it from your computer or begin adding files to it.


Accessing the Encrypted Drive

When you connect the drive to a computer, you will be asked immediately for the password. You can also have Windows remember the password on the computer you’re using so you never have to supply it on that computer, but you will still need it on other computers. Any computer running Windows 10, 8 or 7 will be able to read the contents with the correct password, but the drive may not always be accessible on computers running Windows XP or Windows Vista.


BitLocker Drive Encryption Tools

BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.

Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.

Repair-bde is a special-circumstance tool provided for disaster recovery scenarios in which a BitLocker-protected drive cannot be unlocked normally or by using the recovery console.

Manage-bde

Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel.

Manage-bde has fewer default settings and requires more customization to configure BitLocker. For example, running only the manage-bde -on command on a data volume fully encrypts the volume without adding any authenticating protector. Even though the command completes successfully, a volume encrypted in this way still requires user interaction before BitLocker protection is turned on, because an authentication method must be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.

Using manage-bde with operating system volumes

Listed below are examples of basic valid commands for operating system volumes. In general, using only the manage-bde -on command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors, such as passwords or PINs, and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume.

A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:

manage-bde -status

This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:


The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.

manage-bde -protectors -add C: -startupkey E:
manage-bde -on C:

Note: After the encryption is completed, the USB startup key must be inserted before the operating system can be started.

An alternative to the startup key protector on non-TPM hardware is to use a password and an ADaccountorgroup protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:

manage-bde -protectors -add C: -pw -sid <user or group>

This command will require you to enter and then confirm the password before the protectors are added to the volume. With the protectors enabled on the volume, you can then turn BitLocker on.

On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:

manage-bde -on C:

This will encrypt the drive using the TPM as the default protector. If you are not sure whether a TPM protector is available, list the protectors available for a volume by running the following command:

manage-bde -protectors -get <volume>
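The same workflow using the BitLocker PowerShell cmdlets mentioned above, as an added example that is not part of the original article: it encrypts a removable data volume with a password protector plus a recovery password (the control-panel steps from the first half of this page), refuses to write the recovery key onto the drive being encrypted, and then audits every volume for the "encrypted but no protector" state that the manage-bde section warns about. It assumes an elevated PowerShell session on Windows 10, a hypothetical drive letter E: for the removable drive, and a hypothetical key file path under C:\Keys.

```powershell
# Added example, not the article's own code. Requires an elevated session
# and the BitLocker module shipped with Windows 10.

function Protect-RemovableVolume {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,          # e.g. 'E:' (hypothetical)
        [Parameter(Mandatory)] [SecureString] $Password,
        [Parameter(Mandatory)] [string] $RecoveryKeyPath,     # must NOT be on $MountPoint
        [string] $EncryptionMethod = 'XtsAes256'              # use 'Aes256' if Windows 7/8 must read it
    )
    # Refuse to store the recovery key on the drive it unlocks.
    if ((Split-Path -Qualifier $RecoveryKeyPath) -eq $MountPoint) {
        throw "Recovery key path must be on a different drive than $MountPoint"
    }
    # Password protector: what the user types each time the drive is connected.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $EncryptionMethod `
        -PasswordProtector -Password $Password | Out-Null
    # Recovery password protector: the 48-digit key used if the password is forgotten.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    # Save the recovery password together with its protector ID so it can be matched to the drive later.
    "Drive $MountPoint  ProtectorId $($rp.KeyProtectorId)  RecoveryPassword $($rp.RecoveryPassword)" |
        Set-Content -Path $RecoveryKeyPath
    return $vol
}

function Test-BitLockerProtectorCoverage {
    # Flags volumes that carry encryption but have no protector (ProtectionStatus Off)
    # or no recovery password protector; either state is one forgotten password from data loss.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            EncryptionPercent = $vol.EncryptionPercentage
            ProtectionStatus  = $vol.ProtectionStatus
            HasRecoveryPwd    = ($types -contains 'RecoveryPassword')
            NeedsAttention    = ($vol.EncryptionPercentage -gt 0 -and
                                 ($vol.ProtectionStatus -eq 'Off' -or $types -notcontains 'RecoveryPassword'))
        }
    }
}

# Usage (hypothetical paths):
# $pw = Read-Host -AsSecureString 'Password for E:'
# Protect-RemovableVolume -MountPoint 'E:' -Password $pw -RecoveryKeyPath 'C:\Keys\E-recovery.txt'
# Test-BitLockerProtectorCoverage | Format-Table
```

The audit output's NeedsAttention column is true for a volume encrypted with only manage-bde -on and no protector added afterwards, which is the case the manage-bde section describes.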

Repair-bde

You may experience a problem that damages an area of a hard disk on which BitLocker stores critical information. This kind of problem may be caused by a hard disk failure or if Windows exits unexpectedly.

The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key.

This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.

Tip: If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command manage-bde -KeyPackage to generate a key package for a volume.

The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true:

  • You have encrypted the drive by using BitLocker Drive Encryption.
  • Windows does not start, or you cannot start the BitLocker recovery console.
  • You do not have a copy of the data that is contained on the encrypted drive.

Note: Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.

The following limitations exist for Repair-bde:

  • The Repair-bde command-line tool cannot repair a drive that failed during the encryption or decryption process.
  • The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.