BitLocker without a startup PIN – I wouldn’t! (typo fixed)

[I am grateful to Paul B who noticed a typo – it’s fixed below (bold and underlined)]

Over recent times I have had a number of conversations about the use of MS BitLocker, and there seem to be some misconceptions, so I hope that I can make things clearer.

Whole drive encryption, if suitably implemented, is one of the steps to protect against a personal data breach, and may have a very significant impact on your approach and required actions if and when a breach occurs; it can make your life much simpler as well as protect your data subjects more thoroughly.

Various free and chargeable third-party solutions are available, and we have used most of them over the years. The most common free software is Veracrypt, an offshoot of Truecrypt. By the way, if you are using either of these, in most cases they are likely to be acceptable, so don’t think you necessarily need to change.

Certain versions of Microsoft Windows include BitLocker, which can encrypt fixed and removable disks, but here we are interested in its whole disk encryption capabilities when used on your device’s main disk.

If you just turn BitLocker on, without doing anything else, your whole disk will be encrypted with a unique key that is held within the TPM chip on the motherboard. If a device (such as a laptop) is stolen, the culprit cannot remove the hard disk, attach it to another computer and access the data.

That may seem fine, but because the TPM releases the key and unlocks the disk automatically at boot, before anyone has logged in, your device is still vulnerable if it is set to automatically connect to a network, and more importantly if anyone can break the Windows password.

BitLocker offers an additional facility, whereby you can specify a startup PIN (either digits or a passphrase such as ‘MaryHadAL1ttl3Lamb’). This provides an additional level of security (and of inconvenience, but that is always the trade-off). You will need to enter this passphrase each time you start the device or bring it back from hibernation, which will be familiar to Veracrypt/Truecrypt users.

Personally, I would not use BitLocker without the startup PIN (passphrase).

Setting the startup PIN requires editing group policy settings, and if you don’t know what they are, then please don’t try; but it’s quite straightforward for your IT support team.
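For the IT support team mentioned above, here is an added PowerShell example (not part of the original post) that shows the two things to check on a machine: whether each operating-system volume is protected by the TPM alone or by TPM plus a startup PIN, and whether the group policy that controls startup PINs has been set. It uses the built-in BitLocker module cmdlet Get-BitLockerVolume and reads the registry values that the “Require additional authentication at startup” policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. The function names Get-BitLockerStartupPosture and Get-BitLockerPinPolicy are my own; it must be run from an elevated prompt.

```powershell
# Added example, not from the original post. Function names are mine; the
# cmdlets and registry values are the standard ones shipped with Windows.
# Run from an elevated (Administrator) PowerShell session.

# Report how each operating-system volume is protected. A 'Tpm' protector on
# its own means the disk unlocks automatically at boot, so the security of the
# data comes down to the Windows logon; 'TpmPin' means a startup PIN is set.
function Get-BitLockerStartupPosture {
    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($vol in $osVolumes) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $posture = if ($vol.ProtectionStatus -ne 'On') {
            'Not protected'
        } elseif ($types -contains 'TpmPin' -or $types -contains 'TpmPinStartupKey') {
            'TPM + startup PIN'
        } elseif ($types -contains 'Tpm') {
            'TPM only (unlocks before Windows logon)'
        } else {
            'Other: ' + ($types -join ', ')
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ', ')
            HasRecoveryKey   = ($types -contains 'RecoveryPassword')   # needed before changing protectors
            Posture          = $posture
        }
    }
}

# Read the policy values behind "Require additional authentication at startup".
# UseTPMPIN: 0 = do not allow a PIN, 1 = require a PIN with the TPM, 2 = allow one.
# UseEnhancedPin = 1 allows a passphrase (letters, symbols) rather than digits only.
function Get-BitLockerPinPolicy {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

    if (-not (Test-Path $key)) {
        return [pscustomobject]@{
            PolicyPresent          = $false
            AdvancedStartupEnabled = $false
            StartupPin             = 'Not configured (TPM-only is the default)'
            EnhancedPin            = $false
        }
    }

    $p   = Get-ItemProperty -Path $key
    $pin = if ($null -ne $p.UseTPMPIN) { $names[[int]$p.UseTPMPIN] } else { 'Not configured' }

    [pscustomobject]@{
        PolicyPresent          = $true
        AdvancedStartupEnabled = ($p.UseAdvancedStartup -eq 1)
        StartupPin             = $pin
        EnhancedPin            = ($p.UseEnhancedPin -eq 1)
    }
}

# Usage
Get-BitLockerStartupPosture | Format-Table -AutoSize
Get-BitLockerPinPolicy      | Format-List
```

If the first report shows “TPM only” and the policy report shows the PIN setting as “Do not allow” or not configured, the policy has to be changed first (in a domain, through the group policy that applies to the machine), because BitLocker refuses to add a PIN protector that policy forbids; only then can a TPM-and-PIN protector be added with Add-BitLockerKeyProtector, and the recovery password should be confirmed as backed up before touching the protectors at all.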

As always, check with whoever provides your IT support before you make any changes, as they may have their own views and solutions which you ought to work with.