On Windows Vista, Windows 7 and Windows 8 Pro versions and above, the developers have created a special technology for encrypting the contents of logical partitions on all types of external drives and USB flash drives - BitLocker.
What is it for? If you turn on BitLocker, all files on the disk will be encrypted. Encryption is transparent, that is, you do not need to enter a password every time you save a file: the system does everything automatically and quietly. However, once you turn off this drive, the next time you turn it on you will need a special key (a special smart card, flash drive or password) to access it. That is, if you accidentally lose your laptop, the contents of the encrypted disk on it cannot be read, even if the hard drive is taken out of this laptop and read on another computer. The encryption key is so long that trying all possible combinations to find the correct one would take even the most powerful computers decades. Of course, the password can be found out through torture or stolen in advance, but if the flash drive was lost by accident, or was stolen by someone who did not know it was encrypted, it will be impossible to read it.

Setting up BitLocker encryption using Windows 8 as an example: encrypting the system drive and encrypting flash drives and external USB drives.
Encrypting the system disk
A requirement for using BitLocker to encrypt the logical drive on which the Windows operating system is installed is the presence of an unencrypted boot partition: the system must still start from somewhere. If you install Windows 8/7 correctly, two partitions are created during installation: an invisible partition for the boot sector and initialization files, and the main partition on which all files are stored. The first is precisely the partition that does not need to be encrypted. The second partition, in which all files are located, is the one that is encrypted.

To check whether you have these partitions, open Computer Management and go to the section Storage - Disk Management.


In the screenshot, the partition created to boot the system is marked as SYSTEM RESERVED. If it is, then you can safely use the BitLocker system to encrypt the logical drive on which Windows is installed.
To do this, log into Windows with administrator rights, open Control Panel, go to the System and Security section and open BitLocker Drive Encryption.
It lists all the drives that can be encrypted. Click on the link Enable BitLocker.


Setting up security policy templates
At this point, you may receive a message stating that disk encryption is not possible until security policy templates are configured.


The fact is that in order to run BitLocker, the system needs to allow this operation. This can only be done by an administrator, and only manually. It is much easier to do than it seems after reading incomprehensible messages.

Open Explorer and press Win+R: an input line will open.


Enter and execute:

gpedit.msc

The Local Group Policy Editor will open. Go to the section

Administrative Templates
- Windows Components
-- BitLocker Drive Encryption
--- Operating System Drives
---- Require additional authentication at startup



Set the parameter value to Enabled.


After this, save all values and return to Control Panel: you can now run BitLocker drive encryption.

Creating a key and saving it

The system will offer you two key options to choose from: password and flash drive.


When using a flash drive, you can use the hard drive only if this flash drive is inserted; the key will be written to it in encrypted form. If you use a password, you will need to enter it every time you access the encrypted partition on this disk. In the case of a computer's system logical drive, the password will be needed during a cold boot (from scratch) or a full restart, or when trying to read the contents of the logical drive on another computer. To avoid any pitfalls, create a password using English letters and numbers.

After creating the key, you will be asked to save information for restoring access if the key is lost: you can save a special code in a text file, save it to a flash drive, save it to your Microsoft account, or print it.


Please note that it is not the key itself that is saved, but a special code required for the access restoration procedure.


Encryption of USB drives and flash drives
You can also encrypt external USB drives and flash drives - this feature first appeared in Windows 7 under the name BitLocker To Go. The procedure is the same: you create a password and save the recovery code.


When you mount a USB drive (connect it to a computer) or try to unlock it, the system will ask you for a password.


If you do not want to enter a password every time, because you are confident in the security when working on this computer, then you can indicate in the additional parameters when unlocking that you trust this computer - in this case, the password will always be entered automatically until you unconfigure the trust. Please note that on another computer the system will ask you to enter a password, since the trust setting on each computer works independently.


Once you have finished working with the USB drive, unmount it, either by simply unplugging it or through the safe removal menu, and the encrypted disk will be protected from unauthorized access.

Two encryption methods

When encrypting, BitLocker offers two methods that give the same result but take different amounts of time: you can encrypt only the space occupied by information, skipping the empty space, or go through the entire disk, encrypting the whole logical partition, including unoccupied space. The first is faster, but it remains possible to recover information from the empty space. The point is that with the help of special programs you can restore information even if it was deleted from the Recycle Bin, and even if the disk was formatted. Of course, this is difficult to do in practice, but the theoretical possibility remains if you do not use special deletion utilities that erase information permanently. When the entire logical drive is encrypted, the space marked as empty is encrypted too, and it will no longer be possible to recover information from it even with special utilities. This method is absolutely reliable, but slower.

When encrypting a disk, it is advisable not to turn off the computer. It took me about 40 minutes to encrypt 300 gigabytes. What happens if the power suddenly goes out? I don’t know, I haven’t checked, but on the Internet they write that nothing bad will happen - you just need to start encryption again.

Conclusion

Thus, if you constantly use a flash drive on which you store important information, then with the help of BitLocker you can protect yourself from important information falling into the wrong hands. You can also protect information on the computer's hard drives, including system ones: it is enough to completely turn off the computer, and the information on the disks will become inaccessible to outsiders. Using BitLocker after setting up security policy templates does not cause any difficulties even for untrained users; I did not notice any slowdown when working with encrypted drives.

We bring to your attention an overview of the most popular hardware and software to encrypt data on an external hard drive.

Let's start with the simplest. Mac OS X has a built-in Disk Utility that allows you to create an encrypted disk image. You can also use third-party software to encrypt files or folders, such as Espionage, FileWard, StuffIt Deluxe. In addition, some backup applications offer encryption of backups out of the box.

These methods are good. But sometimes using software encryption is not the best option. For example, when you need to encrypt Time Machine backups. To protect such backups, you will have to do some tricky manipulations, because Time Machine does not support encryption. Conventional software will not help when you need to create an encrypted copy of the boot disk so that it remains bootable. Encrypted disks also have another limitation: they cannot be used on other computers (Mac or PC) without special software.

PGP Whole Disk Encryption for the Mac is one of those applications that allows you to encrypt the contents of a disk, which remains bootable and usable on Mac and PC. This is a great application, but to access information, PGP must be installed on each computer to which such a drive is connected. Also, if the disk is damaged, encryption may prevent data recovery.

If you need a universal solution that does not impose restrictions on disk usage, it is worth purchasing an HDD with built-in encryption. The disk encrypts and decrypts data by itself, so there is no need to install additional software. In this case, the disk can be used as a boot volume or for Time Machine. One caveat: if the drive's controller or other electronics fail, you will not be able to transfer data from the device (even with fully working mechanics) until the HDD is fully restored.

Encryption-enabled hard drives come in several types, depending on the decryption mechanism:

Hardware keys

Some manufacturers offer encrypting HDD boxes that are locked using a physical device. As long as the key is present (connected or near the disk), the disk can be read.

HDDs of this type: RadTech's Encrypted Impact Enclosures ($95), RocStor Rocbit FXKT drives and several devices from SecureDISK ($50+). All boxes have two or three compatible keys, which are connected to a special port on the device. SecureDISK offers RFID Security External Enclosure with an infrared key (the media must be nearby to use the drive).

Fingerprint scanners

If you are worried about losing physical media, then you can look towards HDD boxes with a fingerprint scanner. A few examples: MXI Security Outbacker MXI Bio ($419-$599) and LaCie SAFE hard drives ($400 for a 2GB model). (Some older models of LaCie boxes, 2.5″ format, do not encrypt data, but use less reliable locking in the firmware). These drives are easy to use and can store fingerprints of up to five people. It is worth noting that there are several techniques for deceiving the finger scanner (without the presence of the original finger).

Keyboard

($230-480) – encrypting disk boxes that do not require physical keys or biometric readers. Instead, the keyboard is used to enter a password (up to 18 characters). Using a keyboard instead of a physical key is convenient when the disk often passes between hands. The drives support a “self-destruct” feature that deletes all stored information after several unsuccessful password attempts.

An external hard drive is a popular modern device that allows you to expand your computer's memory without opening the system unit. Modern external hard disks fit into any handbag, which means you can always have large amounts of information at hand. If you store confidential information on your hard drive, then the best way to protect it is to set a password.
A password is a universal means of protecting information, which is a key that can consist of any number of letters, numbers and symbols. If the user enters the password incorrectly, then access to the data stored on the external hard drive cannot be obtained.

How to set a password on an external hard drive?

We have already covered this on our website before. Moreover, the question of the correct one was also considered. Below we will talk about how to apply a password for this device.

Setting a password using built-in Windows tools

Setting a password this way works both for regular USB drives and for external hard disks that have large amounts of disk space. The main advantage of this method is that you will not be required to download and install third-party programs.

Connect your external hard drive to your computer, and then open Windows Explorer. Specifically, we are interested in the “This Computer” section, which displays all drives connected to the computer. Right-click the external hard drive and, in the context menu that appears, select "Enable BitLocker".

The utility will start. After a moment, a window will appear in which you need to check the box “Use a password to unlock the disk” and enter the new password twice in the lines below. Click the "Next" button.

Next, you will be asked to choose how to save a special recovery key. You have three options to choose from: save it to your Microsoft account, save it to a file on your computer, or immediately print the key on a printer. In our opinion, the second option is preferable, since you can upload this file, for example, to the cloud, and open it at any time if the password for the external hard drive is forgotten.

The next setting item asks you to configure data encryption. You can either select to encrypt only the occupied space on the disk, or encrypt the entire disk.

Please note that if you choose to encrypt the entire disk, you need to be prepared for the encryption process to take many hours. Therefore, if you do not have a lot of time, and the hard drive is going to be opened on modern computers, we recommend choosing the first encryption option.

The final setup step is to select one of two available encryption modes: new encryption mode and compatibility mode. Considering that we are working with an external hard drive, check the option "Compatibility Mode", and then move on.

Actually, this completes the BitLocker setup process. To start applying the password, all you have to do is click the "Start encryption" button and wait for the process to complete.


If, after encryption is complete, we open Windows Explorer in the “This PC” section, our external hard drive will be listed with a lock icon. An open lock icon indicates that access to the data has been obtained, and a closed lock icon, as shown in the screenshot below, indicates that a password is required.

When you double-click the disk, a small window will appear on the screen asking you to enter the password for the connected external hard drive.
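
The same wizard steps can be carried out from an elevated PowerShell session. This is an added example, not part of the original article; the drive letter E: and the folder C:\Keys are assumptions and must be changed to match your system.

```powershell
#Requires -RunAsAdministrator
# Added example: password-protect an external drive with BitLocker To Go.
# Assumptions: E: is the external drive; C:\Keys is on a different drive.
$mount     = 'E:'
$keyFolder = 'C:\Keys'

$volume = Get-BitLockerVolume -MountPoint $mount
if ("$($volume.VolumeStatus)" -ne 'FullyDecrypted') {
    throw "$mount is not in the FullyDecrypted state ($($volume.VolumeStatus))."
}
if ((Split-Path -Path $keyFolder -Qualifier) -eq $mount) {
    throw 'Keep the recovery key on a different drive than the one being encrypted.'
}

# "Use a password to unlock the disk": typed interactively, never stored in the script
$password = Read-Host -AsSecureString -Prompt "New password for $mount"

# Encrypt only the occupied space, in compatibility mode (AES-CBC 128-bit).
# Remove -UsedSpaceOnly to encrypt the entire disk, free space included.
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $password `
    -UsedSpaceOnly -EncryptionMethod Aes128 | Out-Null

# Recovery key: add a recovery password protector and save it to a file
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
    Select-Object -First 1
if (-not $recovery) { throw 'No recovery password protector was created.' }

New-Item -ItemType Directory -Path $keyFolder -Force | Out-Null
$name = 'BitLocker-recovery-{0}.txt' -f $recovery.KeyProtectorId.Trim('{', '}')
$file = Join-Path $keyFolder $name
@(
    "Drive:             $mount"
    "Protector ID:      $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Set-Content -Path $file
Write-Host "Recovery password saved to $file"

# Report progress until encryption finishes
do {
    Start-Sleep -Seconds 30
    $volume = Get-BitLockerVolume -MountPoint $mount
    Write-Host ('{0}: {1}% encrypted' -f $volume.VolumeStatus, $volume.EncryptionPercentage)
} while ("$($volume.VolumeStatus)" -eq 'EncryptionInProgress')
```

The recovery file unlocks the drive on its own, so it needs the same care as the password.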

Setting a password using archiving

Many users do not trust the data encryption process because it closes off access to the entire drive. Therefore, we will approach this in a slightly different way: we will place the information saved on the external hard drive in an archive without compression, i.e. the external hard drive, if necessary, can be used without a password, but to access the information stored in the archive, you will need to enter a security key.

To set a password using archiving, you will need almost any archiver program. In our case, we will use the popular tool WinRAR, which you can download from the link given at the end of the article.

As soon as the archiver program is installed on your computer, open the contents of the external hard drive and select everything with the keyboard shortcut Ctrl + A, or select certain folders and files if you do not need to hide all the information on the external hard drive under a password. After that, right-click on the selection and select "Add to archive" in the context menu that appears.

A window will appear on the screen in which, in the "Compression method" block, you need to select the option "Without compression", and then click the "Set password" button.

In the window that appears, you will need to enter a password of any length twice. Below, if necessary, you can activate encryption of the data contained in the archive (without activating this item, the names of folders and files will be visible, but access to them will be limited).

When the creation of the archive is completed, the root folder of the hard drive, in addition to the files, will also contain the archive you created. Now files on the disk, except the archive, can be deleted.

When you try to open the archive, a window will appear on the screen asking you to enter a password. Until the archive password is entered, access to the information will be restricted.

What's the result?

The most effective method of storing confidential information is to use the standard BitLocker tool. This is a wonderful utility; you will probably not find alternatives that are superior in quality. The second method, which involves using an archiver, can be considered the most preferable, since it does not restrict access to the external hard drive, but only to the information that you want to password-protect.

Of course, there are still a lot of information encrypting programs, but we did not focus on them, since the two methods described in the article are the most optimal for most users.

Read on to learn how to protect your hard drive or external drive from unauthorized access by encrypting it, and how to set up and use the built-in Windows feature, BitLocker encryption. The operating system allows you to encrypt local disks and removable devices using the built-in BitLocker encryption tool. When the TrueCrypt team unexpectedly shut down the project, they recommended that their users switch to BitLocker.



How to enable Bitlocker

BitLocker Drive Encryption and BitLocker To Go require the Professional or Enterprise edition of Windows 8, 8.1 or 10, or the Ultimate edition of Windows 7. But the “core” version of Windows 8.1 includes the “Device Encryption” feature for accessing encrypted devices.

To enable BitLocker, open Control Panel and go to System and Security - Drive Encryption with BitLocker. You can also open Windows Explorer, right-click on the drive and select Enable BitLocker. If this option is not in the menu, then you have an unsupported version of Windows.


Click on the option Enable BitLocker on the system drive, any logical partition or removable device to enable encryption. Dynamic disks cannot be encrypted using BitLocker.

There are two types of BitLocker encryption to enable:

  • For logical partition. Allows you to encrypt any built-in disks, both system and not. When you turn on the computer, the bootloader starts Windows from the System Reserved partition and offers an unlocking method - for example, a password. BitLocker will then decrypt the drive and start Windows. The encryption/decryption process will happen on the fly, and you will operate the system in the same way as before enabling encryption. You can also encrypt other drives on your computer, not just the operating system drive. An access password will need to be entered the first time you access such a disk.
  • For external devices. External storage devices such as USB flash drives and external hard drives can be encrypted with BitLocker To Go. You will be prompted to enter an unlock password when you connect the drive to your computer. Users who do not have the password will not be able to access files on the disk.

Using BitLocker without TPM

If your computer does not have a Trusted Platform Module (TPM), then when you enable BitLocker you will see a message:

“This device cannot use the Trusted Platform Module (TPM). The administrator must set the "Allow BitLocker without a compatible TPM" setting in the policy - Require additional startup authentication for OS volumes.”


By default, BitLocker drive encryption requires a TPM on the computer to secure the operating system drive. This is a microchip embedded in the computer's motherboard. BitLocker can store the encrypted key in the TPM, as this is much more secure than storing it on the computer's hard drive. The TPM chip will only provide the encryption key after checking the computer's state. An attacker can't simply steal your computer's hard drive or create an image of an encrypted drive and then decrypt it on another computer.

To enable disk encryption without a TPM, you must have administrator rights. You must open the Local Group Policy Editor and change the required setting.

Press Windows key+R to open the Run dialog, type gpedit.msc and press Enter. Go to "Local Computer Policy" - "Computer Configuration" - "Administrative Templates" - "Windows Components" - "BitLocker Drive Encryption" - "Operating System Drives". Double-click "Require additional authentication at startup". Change the value to Enabled and make sure the Allow BitLocker without a compatible TPM checkbox is checked, then click OK to save.
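
Whether this policy has actually taken effect can be checked without opening gpedit.msc. This is an added example, not part of the original article: it reads the values that the startup authentication policy (the same one set in "Setting up security policy templates" above) writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. Get-BitLockerStartupPolicy is a hypothetical helper name.

```powershell
# Added example: read-only check of the startup authentication policy
# that allows BitLocker on a computer without a TPM.
# Get-BitLockerStartupPolicy is a hypothetical helper name.
function Get-BitLockerStartupPolicy {
    param(
        # Registry key where the BitLocker (FVE) group policy values are stored
        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    # Meaning of the per-protector DWORD values in this policy
    $meaning = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

    $values = if (Test-Path -Path $Path) { Get-ItemProperty -Path $Path } else { $null }

    # Translate one setting; an absent value means the policy was never configured
    $describe = {
        param($name)
        $raw = if ($values) { $values.$name } else { $null }
        if ($null -eq $raw) { 'Not configured' } else { $meaning[[int]$raw] }
    }

    [pscustomobject]@{
        PolicyEnabled       = [bool]($values -and $values.UseAdvancedStartup -eq 1)
        AllowWithoutTpm     = [bool]($values -and $values.EnableBDEWithNoTPM -eq 1)
        TpmOnly             = & $describe 'UseTPM'
        TpmAndPin           = & $describe 'UseTPMPIN'
        TpmAndStartupKey    = & $describe 'UseTPMKey'
        TpmPinAndStartupKey = & $describe 'UseTPMKeyPIN'
    }
}

$policy = Get-BitLockerStartupPolicy
$policy | Format-List

# Get-Tpm needs an elevated session; a failure is treated as "unknown"
$tpmPresent = try { (Get-Tpm -ErrorAction Stop).TpmPresent } catch { $null }

if ($tpmPresent -eq $false -and -not $policy.AllowWithoutTpm) {
    Write-Warning ('No TPM found and "Allow BitLocker without a compatible TPM" ' +
        'is not set: the OS drive cannot be encrypted until the policy is changed.')
}
elseif ($tpmPresent -eq $false) {
    Write-Host 'No TPM found; the policy allows a password or USB startup key instead.'
}
```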


Select unlock method

Next, you need to specify how the disk will be unlocked at startup. You can choose different paths to unlock the drive. If your computer does not have a TPM, you can unlock the drive by entering a password or by inserting a special USB flash drive, which works like a key.

If your computer is equipped with a TPM, you will have additional options. For example, you can set up automatic unlocking upon boot. The computer will contact the TPM module for the password and will automatically decrypt the disk. To increase the level of security, you can configure the use of a PIN code at boot. The PIN code will be used to securely encrypt the key that opens the disk, which is stored in the TPM.

Select your preferred unlock method and follow the instructions for further setup.


Save the recovery key in a safe place

BitLocker will provide you with a recovery key before encrypting the drive. This key will unlock the encrypted drive if your main unlock method fails. For example, you may lose your password or the USB flash drive used as a key, or the TPM module may stop functioning, etc.

You can save the key to a file, print it and store it with important documents, save it to a USB flash drive, or upload it to your Microsoft online account. If you save the recovery key to your Microsoft account, you can access it later at https://onedrive.live.com/recoverykey. Make sure that this key is stored securely, because if someone gains access to it, they will be able to decrypt the drive and gain access to your files. It makes sense to keep multiple copies of this key in different places, because if you don't have the key and something happens to your main unlock method, your encrypted files will be lost forever.

Decryption and unlocking of the disk

Once enabled, BitLocker will automatically encrypt new files as they are added or changed, but you can choose what to do with files that are already on your drive. You can encrypt only the currently occupied space or the entire disk. Encrypting the entire disk takes longer, but will protect against the possibility of recovering the contents of deleted files. If you're setting up BitLocker on a new computer, encrypt only used disk space: it's faster. If you're setting up BitLocker on a computer you've previously used, you must use full-drive encryption.


You will be prompted to run a BitLocker system scan and restart your computer. When you boot your computer for the first time, the disk will be encrypted. The BitLocker icon will be available in the system tray; click on it to see the progress. You can use your computer while the disk is being encrypted, but the process will be slower.

After you restart your computer, you will see a prompt to enter your BitLocker password, PIN code, or a prompt to insert a USB key.

Press Escape if you are unable to unlock. You will be prompted to enter your recovery key.

If you choose to encrypt your removable drive with BitLocker To Go, you'll see a similar wizard, but your drive will be encrypted without requiring a system reboot. Do not disconnect the removable device during the encryption process.

When you connect an encrypted flash drive or external drive to your computer, you will be required to enter a password to unlock it. BitLocker-protected drives have a special icon in Windows Explorer.

You can manage protected drives in the BitLocker control panel window: change the password, turn off BitLocker, make a backup copy of the recovery key, and perform other actions. Right-click on the encrypted drive and select Enable BitLocker to go to Control Panel.
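
The state shown in the BitLocker control panel can also be reviewed for all drives at once. This is an added example, not part of the original article: Test-BitLockerVolume is a hypothetical helper that takes the objects returned by Get-BitLockerVolume and lists the points this article raises (recovery key present, PIN at boot, auto-unlock). The two sample volumes are constructed so the logic can be tried without an encrypted drive.

```powershell
# Added example: review BitLocker volumes for the points discussed in this article.
# Test-BitLockerVolume is a hypothetical helper; it only reads properties.
function Test-BitLockerVolume {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $findings = @()
        $types    = @()
        if ("$($Volume.LockStatus)" -eq 'Locked') {
            # A locked drive hides its details until it is unlocked
            $findings += 'locked: unlock the drive to inspect it'
        }
        else {
            $types = @($Volume.KeyProtector | Where-Object { $_ } |
                ForEach-Object { "$($_.KeyProtectorType)" })

            if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
                $findings += "not fully encrypted ($($Volume.VolumeStatus), " +
                    "$($Volume.EncryptionPercentage)%)"
            }
            if ("$($Volume.ProtectionStatus)" -ne 'On') {
                $findings += 'protection is off'
            }
            if ($types -notcontains 'RecoveryPassword') {
                $findings += 'no recovery password: a lost password or failed TPM means lost data'
            }
            if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and
                $types -contains 'Tpm' -and $types -notcontains 'TpmPin') {
                $findings += 'TPM-only unlock: no PIN is asked for at boot'
            }
            if ($Volume.AutoUnlockEnabled) {
                $findings += 'auto-unlock is on: this computer opens the drive without a password'
            }
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ', '
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample data shaped like Get-BitLockerVolume output
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeType = 'OperatingSystem'; LockStatus = 'Unlocked'
        VolumeStatus = 'FullyEncrypted'; EncryptionPercentage = 100
        ProtectionStatus = 'On'; AutoUnlockEnabled = $null
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' }
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeType = 'Data'; LockStatus = 'Unlocked'
        VolumeStatus = 'EncryptionInProgress'; EncryptionPercentage = 42
        ProtectionStatus = 'Off'; AutoUnlockEnabled = $true
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' })
    }
)
$sample | Test-BitLockerVolume | Format-List

# On a real system, from an elevated session:
# Get-BitLockerVolume | Test-BitLockerVolume | Format-List
```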


Like any encryption, BitLocker places additional load on system resources. Microsoft's official help for BitLocker says the following. If you work with important documents and need encryption, this will be a reasonable compromise with performance.