Complete BitLocker To Go tutorial: secure encryption on USB drives and external drives

Last update: 17/12/2025
Author: Isaac
  • BitLocker To Go encrypts USB drives and external hard drives, requiring a password or recovery key to access the data.
  • Its configuration can be centralized with group policies, enforcing algorithms, passwords, and key storage in Active Directory.
  • The TPM and PowerShell allow advanced BitLocker management, on both internal and removable drives.
  • BitLocker offers greater protection than EFS and can be complemented with tools like VeraCrypt depending on the scenario.

BitLocker To Go guide for USB drives

If you work with external hard drives, USB flash drives or SD cards, the likelihood of losing the device or of it falling into the wrong hands is higher than we'd like. That's where BitLocker To Go comes in, Microsoft's solution to ensure that even if you lose the device, no one can read a single byte without your password or recovery key.

Throughout this guide you will see, in much more detail than usual, what exactly BitLocker To Go is, how to configure it in Windows, how to manage it with group policies, what to do if you lose your password, and what alternatives you have if you want to take encryption a step further. We'll also cover standard BitLocker, the role of the TPM chip, its impact on performance, and advanced tricks with PowerShell so you can control the tool as if you were part of the IT department.

What is BitLocker and what does BitLocker To Go add?

BitLocker is the drive encryption function included in Windows in the Pro, Enterprise, and Education editions (from Windows Vista onwards). Its purpose is to protect all the contents of a disk (including the operating system) so that no one can read the data without the correct password, even if they boot the computer from another system or connect the disk to another computer.

On devices managed by companies, BitLocker encryption is usually centrally controlled by the IT department. Many organizations even require the encryption of certain disks, or of all portable disks, through group policies, without the user being able to decide.

From the Control Panel you can access the module of BitLocker Drive Encryption, where Windows shows you all the drives with assigned letters: the operating system drive, internal data drives, and removable drives, which are the ones we are interested in for BitLocker To Go.

BitLocker To Go is the BitLocker variant designed specifically for removable media: USB flash drives, SD cards, and external hard drives formatted with NTFS, FAT16, FAT32 or exFAT. Its purpose is simple: if someone finds or steals your USB drive, they will only see a locked drive and will not be able to read anything without the password, a smart card, or the recovery key.

Differences between BitLocker and BitLocker To Go

Although they share the same technological base, BitLocker and BitLocker To Go have slightly different approaches. BitLocker focuses on encrypting the system drive and other internal disks, while BitLocker To Go is geared towards removable drives that you frequently plug and unplug.

In system drive encryption, BitLocker can be combined with the TPM, a boot PIN, passwords and keys stored on a USB drive to secure computer startup. Immediately upon power-up, even before Windows loads, the system verifies integrity and requires the defined authentication; otherwise, the system will not boot.

When you encrypt an internal data partition or a non-boot disk, BitLocker will prompt you for the password when you double-click the drive. Without the key, the content remains encrypted, regardless of the NTFS permissions that the folders or Windows users have.

BitLocker To Go, meanwhile, focuses on the practical use of encrypted USB drives that you can carry with you. Connect the USB drive to a compatible Windows computer, enter the password or use your smart card, and the drive will mount decrypted. When you copy files to that USB drive, they are encrypted on the fly; when you copy them off, they are automatically decrypted.

On older systems like Windows XP or some editions of Vista, which don't natively support BitLocker To Go, Microsoft offers the BitLocker To Go reader, a small utility that allows you to open FAT drives protected by BitLocker in read-only mode, so that you can at least recover information.


Supported Windows versions and requirements

BitLocker and BitLocker To Go are available on the Windows Pro, Enterprise, and Education editions. You won't find them in the Home versions, where you'll have to use third-party tools like VeraCrypt if you want to encrypt entire disks.

On Windows 7, 8, 8.1, 10 and 11, the configuration options and available algorithms may vary slightly depending on the specific version. Starting with Windows 10 version 1511, the ability to choose different encryption methods for boot drives, internal data drives, and removable drives was introduced via Group Policy.

Many devices integrate a Trusted Platform Module (TPM) chip on the motherboard, which reinforces BitLocker security by generating and securely storing part of the keys in hardware. To check for it, you can open Device Manager and look for a TPM device under "Security devices", or run tpm.msc from Windows + R.

If your computer doesn't have a TPM, don't worry: BitLocker works without a TPM, using passwords or a USB drive holding the boot key, and you configure this through group policies. Simply enable the "Require additional authentication at startup" policy and check "Allow BitLocker without a compatible TPM."

In terms of performance, on most modern systems with AES-NI hardware encryption support, the impact is quite moderate. However, significant performance drops have been observed on some specific SSDs (for example, noticeable reductions in random reads on certain high-end drives) when BitLocker encrypts in software only instead of relying on the SSD's own hardware encryption. If you notice slow transfers on a USB drive, the same software-only encryption can be the cause.

How to access and activate BitLocker To Go on Windows

To manage BitLocker and BitLocker To Go from the graphical interface, the easiest way is to go to Control Panel > System and Security > BitLocker Drive Encryption. There you will see the drives grouped into: operating system drive, fixed data drives and removable data drives (BitLocker To Go).

Another quick way to get there is by using Windows Search. With an account that has administrator permissions, open the Start menu, type "BitLocker" and select "Manage BitLocker". This takes you to the same Control Panel applet, where all drives will appear with their encryption status.

On drives where it is not yet active, you will see the option "Turn on BitLocker". When you click it on a removable drive, the BitLocker To Go wizard opens, which will first ask you how you want to unlock the drive.

On USB drives and external hard drives, you can choose to unlock with a password or with a smart card. The password must be strong, combining uppercase and lowercase letters, numbers, and symbols; Windows will require a minimum length, and in corporate environments the policy may be stricter.

Before starting encryption, the wizard will ask you to choose how to save the recovery key, the lifeline you'll need if you forget your password. You have several options: Microsoft account (uploaded to OneDrive), an unencrypted USB flash drive, a text file, or a paper printout. Microsoft recommends, for home computers, linking it to your Microsoft account or, at least, saving it in a location that isn't encrypted with the drive itself.

Encryption options: space used, full disk, and algorithms

When you start encrypting a drive, BitLocker asks if you want to encrypt only the used space or the entire disk. Encrypting only what's used is much faster, ideal for new or recently formatted disks; but on disks with a history, deleted data may still be in free sectors and could be recovered if someone accesses them without encryption.

For drives that have already contained content, the safest option is encrypting the entire drive, although it may take longer. This way, even previously deleted information remains protected. On small drives (USB drives or moderate-capacity SSDs), this extra time is usually acceptable.

Regarding algorithms, Windows uses by default XTS-AES with a 128-bit key for internal drives and AES-CBC with a 128-bit key for external drives and USB flash drives. XTS-AES is more modern, considered more robust in certain scenarios, and usually offers superior performance.


If you want to raise the bar for security, through the Local Group Policy Editor (gpedit.msc) you can specify the use of 256-bit keys for both XTS-AES and AES-CBC. This theoretically increases resistance to brute-force attacks, at the cost of slightly higher resource consumption, although the impact is minimal on modern systems.

Microsoft provides several policies called "Choose drive encryption method and encryption strength for..." that allow you to define, separately, the algorithm and the key length for system drives, internal data drives and removable drives, adapting it to the operating system and its version.

Managing BitLocker To Go with group policies in companies

In corporate environments, it doesn't make sense for each user to decide whether or not to encrypt their USB drive, how to store the keys, or which algorithm to use. To avoid this chaos, encryption is implemented using group policies (GPO), from which the administrator enforces the BitLocker To Go configuration and automates the storage of recovery keys in Active Directory.

Specific policies for removable drives are located at: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. From there you can, for example, block writing to USB drives that are not encrypted with BitLocker.

The key policy in this regard is "Deny write access to removable drives not protected by BitLocker". If you enable it, any unencrypted USB drive will mount in read-only mode, and Windows will warn you that BitLocker needs to be enabled to save data.

The wizard that opens when starting encryption can be customized to show fewer options to the user. For example, you can predefine that only the used space or the entire disk is always encrypted, or choose a specific algorithm, through the GPOs "Enforce drive encryption type on removable data drives" and "Choose drive encryption method and encryption strength".

Regarding recovery key management, it is common to configure "Choose how BitLocker-protected removable drives can be recovered" and force the keys to be automatically stored in Active Directory. If "Omit recovery options from the BitLocker setup wizard" is also selected, users will not be able to save them to files or print them out on their own.

Organizational identity control and password enforcement

Another interesting aspect is the ability to mark the encrypted USB drives with the organization's identifier, through the policy "Provide the unique identifiers for your organization". Each encrypted drive is labeled with that ID, which can be a string of up to 260 characters.

Combining that identifier with the option "Do not allow write access to devices configured in another organization" (included within the same category of BitLocker To Go policies), you can prevent users from continuing to use USB drives that they encrypted on their own before the corporate policy was implemented, or that do not meet the internal standard.

The policy "Configure use of passwords for removable data drives" is used to adjust the minimum complexity of BitLocker To Go passwords: length, mix of character types, etc. Normally, these rules are coordinated with the domain's global password policy to maintain a uniform level of security.

If you also disable "Allow users to suspend and decrypt BitLocker protection on removable data drives", no one can remove the encryption from a corporate USB drive on their own; only administrators, from their console, would have that ability.

This entire centralized configuration ensures that the encryption of portable drives does not depend on the goodwill of each employee, but on a coherent and applicable security policy throughout the organization, greatly reducing the risk of information leaks from lost USB drives.
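One way to check, from an endpoint, whether the removable drive policies described in this section actually arrived is to read the values that Group Policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE. The following script is an added example, not part of the original article or of any Microsoft tooling; the registry value names (RDVDenyWriteAccess, RDVDenyCrossOrg, IdentificationField, IdentificationFieldString, EncryptionMethodWithXtsRdv) and the numeric codes for the encryption methods are quoted from memory of the BitLocker ADMX templates and should be confirmed against your own templates. The function names are mine.

```powershell
# Added example: audit the BitLocker To Go (removable data drive) policies on this
# machine by reading what Group Policy wrote to the FVE policy key.
# Run in an elevated PowerShell on a domain-joined computer after 'gpupdate /force'.

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Codes stored by the "Choose drive encryption method and encryption strength" policies.
# Assumed mapping taken from the ADMX; verify before relying on it.
$EncryptionMethodNames = @{
    3 = 'AES-CBC 128-bit'
    4 = 'AES-CBC 256-bit'
    6 = 'XTS-AES 128-bit'
    7 = 'XTS-AES 256-bit'
}

function Get-FvePolicyValue {
    # Returns the named policy value, or $null when the policy is "Not configured"
    param([string]$Name)
    if (-not (Test-Path $FvePolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $FvePolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemovableDrivePolicy {
    # One result object per policy check: Setting, Value, Compliant, Note
    $results = @()

    # "Deny write access to removable drives not protected by BitLocker"
    $denyWrite = Get-FvePolicyValue 'RDVDenyWriteAccess'
    $results += [pscustomobject]@{
        Setting   = 'Deny write to unencrypted removable drives'
        Value     = $denyWrite
        Compliant = ($denyWrite -eq 1)
        Note      = 'Unencrypted USB drives should mount read-only'
    }

    # "Do not allow write access to devices configured in another organization"
    $denyCrossOrg = Get-FvePolicyValue 'RDVDenyCrossOrg'
    $results += [pscustomobject]@{
        Setting   = 'Deny write to drives from another organization'
        Value     = $denyCrossOrg
        Compliant = ($denyCrossOrg -eq 1)
        Note      = 'Only meaningful together with the organization identifier'
    }

    # "Provide the unique identifiers for your organization" (max 260 characters)
    $idEnabled = Get-FvePolicyValue 'IdentificationField'
    $idString  = Get-FvePolicyValue 'IdentificationFieldString'
    $idOk = ($idEnabled -eq 1) -and (-not [string]::IsNullOrEmpty($idString)) -and ($idString.Length -le 260)
    $results += [pscustomobject]@{
        Setting   = 'Organization identifier'
        Value     = $idString
        Compliant = $idOk
        Note      = 'Identifier string is limited to 260 characters'
    }

    # "Choose drive encryption method and encryption strength" for removable drives.
    # The check below requires a 256-bit key, as the article recommends.
    $method = Get-FvePolicyValue 'EncryptionMethodWithXtsRdv'
    $methodName = $method
    if ($null -ne $method -and $EncryptionMethodNames.ContainsKey([int]$method)) {
        $methodName = $EncryptionMethodNames[[int]$method]
    }
    $results += [pscustomobject]@{
        Setting   = 'Removable drive encryption method'
        Value     = $methodName
        Compliant = ($method -in @(4, 7))
        Note      = 'Without a policy, removable drives default to AES-CBC 128-bit'
    }

    return $results
}

Test-RemovableDrivePolicy | Format-Table -AutoSize
```

A $null in the Value column means the policy is "Not configured" on that machine, which is the usual sign that the GPO link or security filtering is wrong rather than the setting itself.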


TPM, boot security, and using BitLocker without TPM

The TPM (Trusted Platform Module) is a small cryptographic chip integrated into many modern motherboards that significantly strengthens BitLocker's security, especially when the boot drive is encrypted. It generates and stores part of the encryption keys and verifies that the boot environment has not been tampered with.

Among its key functions are data encryption and protection against boot malware. The TPM creates a key pair (public and private), retains part of the private key, and checks during startup that the boot manager and other critical components have not been altered. If it detects anything suspicious, it can prevent normal startup.

The chip can also activate a quarantine mode when it detects a potential compromise, allowing the system to attempt a repair before booting normally. Furthermore, it serves as a secure repository for certificates, passwords, and encryption keys, much more robust than storing them in disk files.

It's not all advantages: using the TPM implies a certain hardware dependency. This means that a chip failure can render encrypted data inaccessible if backups and recovery keys haven't been prepared. Furthermore, not all systems and applications are fully compatible, and management can be complex for inexperienced users.

If your computer lacks a TPM and you still want to encrypt the system drive, you can use the workaround of enabling the "Require additional authentication at startup" policy and checking the box to allow BitLocker without a TPM. In that case, the boot process is secured using a USB drive with the boot key or a pre-boot password, which you will have to enter every time you turn on the computer.

Advanced BitLocker management with PowerShell

In addition to graphical tools, Windows provides you with a range of PowerShell cmdlets to manage BitLocker and BitLocker To Go with much more flexibility, ideal for automating tasks, writing scripts, or managing dozens of computers at once.

PowerShell is a very powerful console and scripting environment that replaces the old MS-DOS .bat files. From there you can check the status of the drives, enable encryption, add or remove protectors, lock or unlock disks, and disable BitLocker, all through well-defined commands.

To view the status of a specific drive, use the cmdlet Get-BitLockerVolume, which accepts the MountPoint parameter (for example, F:). If you add "| fl" (short for Format-List) at the end, you get a detailed list with the configured protectors, the encrypted percentage, the lock status, etc.

Protectors (passwords, recovery keys, boot keys) are managed with Add-BitLockerKeyProtector. You can add a password protector, a recovery key (which is saved as a file in a specified path), a 48-digit recovery password protector, or a startup key that goes on a USB drive.

Once you have configured the desired protectors, encryption is initiated with Enable-BitLocker, specifying the drive with MountPoint and the type of protector to use. The system will begin encrypting the disk and will display a progress window (or you can force one with fvenotify.exe).

When you want to lock, unlock, or configure the auto-unlock of an encrypted drive, you have Lock-BitLocker, Unlock-BitLocker, Enable-BitLockerAutoUnlock and Disable-BitLockerAutoUnlock. Unlock-BitLocker lets you choose which protector you want to use to open the drive: normal password, recovery password, or recovery key file.

Deactivating and decrypting a drive you no longer want to protect involves running Disable-BitLocker. When you run it, the drive is gradually decrypted until it becomes plain text, and again you can follow the progress through the notification box if you run fvenotify.exe.
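The cmdlets from this section combined into one end-to-end script: check the drive, add a recovery password protector, start encryption with a password protector, wait for it to finish, then lock and unlock it. This is an added example written for this guide, not code from the original article or from Microsoft; it assumes the removable drive is mounted as F:, that you are in an elevated PowerShell on an edition that ships the BitLocker module, and the function names Show-BitLockerStatus and Protect-RemovableDrive are mine.

```powershell
# Added example: BitLocker To Go on a removable drive, entirely from PowerShell.
# Assumes an elevated session and a removable drive mounted as F: (constructed value).

$MountPoint = 'F:'

function Show-BitLockerStatus {
    # Same information as "Get-BitLockerVolume F: | fl", trimmed to the useful fields
    param([string]$Drive)
    $vol = Get-BitLockerVolume -MountPoint $Drive
    $vol | Select-Object MountPoint, VolumeType, ProtectionStatus, LockStatus,
        EncryptionMethod, EncryptionPercentage, VolumeStatus | Format-List
    return $vol
}

function Protect-RemovableDrive {
    param(
        [string]$Drive,
        [securestring]$Password
    )
    $vol = Get-BitLockerVolume -MountPoint $Drive
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "$Drive is already protected by BitLocker."
        return $vol
    }

    # Recovery password protector first: the 48-digit code you keep off the drive
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

    # Start encryption with a password protector. XtsAes256 is stricter than the
    # AES-CBC 128-bit default for removable drives; pick Aes256 instead if the drive must
    # also open on Windows versions without XTS support. -UsedSpaceOnly suits a freshly
    # formatted drive; omit it for a drive that has held data before.
    Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $Password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

    $vol = Get-BitLockerVolume -MountPoint $Drive
    $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Host "Recovery password (store it somewhere other than this drive): $($recovery.RecoveryPassword)"

    # On a domain-joined machine this escrows the recovery password in Active Directory,
    # the same thing the GPOs above enforce automatically. Left commented for workgroup PCs.
    # Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $recovery.KeyProtectorId

    return $vol
}

# --- usage ---
$drivePassword = Read-Host -Prompt "BitLocker To Go password for $MountPoint" -AsSecureString
Protect-RemovableDrive -Drive $MountPoint -Password $drivePassword | Out-Null

# Poll until encryption completes (fvenotify.exe shows the same progress graphically)
do {
    Start-Sleep -Seconds 5
    $status = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host "Encrypted: $($status.EncryptionPercentage)%"
} while ($status.VolumeStatus -ne 'FullyEncrypted')

# Lock the drive (this dismounts it), then unlock it again with the password
Lock-BitLocker -MountPoint $MountPoint -ForceDismount
Unlock-BitLocker -MountPoint $MountPoint -Password $drivePassword | Out-Null

# Alternatives when the password is lost (placeholders, not real values):
#   Unlock-BitLocker -MountPoint F: -RecoveryPassword '<48-digit recovery password>'
#   Unlock-BitLocker -MountPoint F: -RecoveryKeyPath 'D:\<KeyProtectorId>.BEK'
# Auto-unlock on this computer only, and how to undo it:
#   Enable-BitLockerAutoUnlock -MountPoint F:
#   Disable-BitLockerAutoUnlock -MountPoint F:

Show-BitLockerStatus -Drive $MountPoint | Out-Null
```

Adding the recovery password protector before Enable-BitLocker means the 48-digit code exists from the first second of encryption, so a forgotten password never leaves the drive without a way in; Disable-BitLocker on the same mount point reverses the whole process when the drive is retired.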
