- BitLocker allows you to encrypt entire external drives with passwords and recovery keys, protecting physical access to the data.
- The use of TPM, group policies and choice of algorithm (XTS-AES, AES-CBC) defines the level of security and the impact on performance.
- Proper management of backups and recovery keys is essential to avoid the permanent loss of encrypted information.
- When BitLocker is unavailable, tools like VeraCrypt offer a robust alternative for encrypting external drives.
If you work with external hard drives or USB flash drives full of sensitive information, configuring BitLocker on external drives is probably one of the best security decisions you can make in Windows. This Microsoft encryption feature lets you protect all the contents of a drive so that, without the password or recovery key, that data is completely inaccessible.
However, BitLocker and Windows device encryption have their nuances: it doesn't work the same on the system drive as it does on an external hard drive. There are differences between Windows versions, it matters whether you have a TPM chip or not, it can affect performance somewhat (especially on some SSDs), and there are also alternatives when your Windows edition doesn't include BitLocker. Let's look, step by step and in detail, at everything you need to know to encrypt external drives without messing things up and without losing data.
BitLocker and device encryption: what each one is and how they differ
In Windows, two concepts coexist that are very similar but not exactly the same: device encryption and BitLocker drive encryption. Understanding this difference helps you know what you can and can't do with your external hard drives.
Device encryption is a feature that certain Windows computers have enabled by default. When you start a new PC with a Microsoft account, whether personal, work or school, the system can automatically activate internal disk encryption. The recovery key is uploaded to that account without you having to do anything. With a local account, however, it usually doesn't activate automatically.
The big difference is that device encryption is designed for non-advanced users and computers that typically come with Windows Home, while the "classic" BitLocker (the full version with all options) is only available in Pro, Enterprise, and Education editions. In practical terms, BitLocker gives you much more control: you can encrypt external drives, USB flash drives, additional partitions, and the system drive using different methods and keys.
If you want to know why the device encryption option doesn't appear on your PC, you can open the "System Information" tool as administrator and look at the value of "Automatic Device Encryption Support". There you will see messages such as "Meets prerequisites", "TPM is not usable", "WinRE is not configured" or "PCR7 binding is not supported", which tell you what piece is missing for it to activate automatically.
How BitLocker works: passwords, keys, and drive behavior
BitLocker encrypts entire drives, whether internal or external. When you enable encryption, you'll need to define a password to unlock the drive, or use other protectors such as recovery keys, smart cards, or a USB drive. That password is critical: if you lose it and haven't properly saved the recovery key either, the data will most likely be unrecoverable.
Once an external drive is encrypted, the behavior is quite convenient: everything you copy to the drive is encrypted on the fly, and everything you read is automatically decrypted after you unlock it. You don't have to encrypt file by file or do anything unusual; Windows does it in the background.
If you encrypt the drive where the operating system is located, what changes is when you are prompted for your password or authentication: even before Windows starts. If you don't enter the correct BitLocker key, the system won't finish starting. Afterward, you can log in with your Windows username and password as usual; these are two separate processes.
When we talk about internal or external data disks (without an operating system), it is common that, when starting Windows, you will see the drive with a padlock icon. When you double-click on that drive, you will be prompted for your BitLocker password. Once unlocked, you can work with it normally until you lock it again or turn off the computer.
Algorithms, encryption strength, and their impact on performance
BitLocker can work with various encryption algorithms and key lengths. By default, modern internal hard drives use XTS-AES with a 128-bit key, while on removable drives and USB drives it usually uses AES-CBC, also at 128 bits, for compatibility with older versions of Windows.
XTS-AES is a newer and optimized mode: it provides greater security against certain block manipulations and is usually faster. AES-CBC is still secure if you use strong passwords, but it is slightly less efficient and has more cryptographic drawbacks, so it is considered transitional.
In professional editions of Windows, you can go a step further and, through local group policies, adjust both the algorithm (XTS-AES or AES-CBC) and the key length (128 or 256 bits). From a practical standpoint, 256 bits offers a greater theoretical security margin, and on modern systems the performance difference is minimal, especially if the processor supports AES-NI.
However, it's not all advantages. Some high-end NVMe SSDs have been found to have performance issues when BitLocker operates in fully software-based mode: random read/write speeds can drop significantly. For example, on a 4TB Samsung 990 Pro, drops of up to 45% have been observed in certain tests with BitLocker enabled.
In those extreme cases, the options are to disable BitLocker (sacrificing security), to configure the SSD to use hardware-based encryption (which usually involves reinstalling Windows and ensuring the drive is configured correctly from the start), or to assess measures such as enabling write caching on external drives to speed up transfers. For most users, however, the impact will be almost imperceptible.
What is a group policy and how to change the encryption method
Group policies in Windows are an advanced way of adjusting the operating system's behavior at both the computer and user level. In a home environment, we're talking about local group policies, which are edited with the gpedit.msc utility in the Pro, Enterprise, and similar editions.
To adjust the BitLocker encryption algorithm and strength, open the policy editor (Win + R, type gpedit.msc) and navigate to: Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption. There you will see several policies specific to your Windows version.
You'll find separate policies for older versions and for Windows 10 and later. In the most recent versions, you can choose a different algorithm for internal boot disks, internal data disks, and removable/USB drives. For each, you can select XTS-AES or AES-CBC, as well as 128 or 256 bits, and whether or not to apply an additional diffuser on older systems.
Please note that these changes only apply to drives that you encrypt from that moment on; drives that are already encrypted will retain their original configuration. Furthermore, these policies only take effect if they match the actual installed version of Windows.
Once you've made the necessary changes, it's advisable to force a policy update to avoid waiting for the standard interval (approximately 90 minutes). To do this, open Run (Win + R) and launch the command gpupdate /target:Computer /force. This applies the changes instantly, and you can then encrypt new drives with the chosen configuration.
How to activate BitLocker on internal and external drives from the graphical interface
Windows offers several graphical ways to enable BitLocker without using commands. In all of them, the important thing is that the drive is formatted and has a drive letter assigned; otherwise, it will not appear as encryptable.
The most direct route is through File Explorer: right-click the internal or external drive you want to protect and select "Turn on BitLocker." This opens the wizard where you'll choose your unlock password, how to save your recovery key, and the encryption type.
Another way is through the classic Control Panel. From the Start menu, open Control Panel > System and Security > BitLocker Drive Encryption. You'll see a grouped list of drives: system disk, data disks, and further down, removable devices, where BitLocker To Go for USB flash drives and external hard drives comes into play.
You can also access it from the Settings app (especially in Windows 10/11). Go to System > About and at the bottom, you should see a link to BitLocker settings, which takes you to the same administration panel.
When you start the wizard on a specific drive, the first step will be to define the unlock password. It should include uppercase, lowercase, numbers and symbols. Next, you'll need to decide how to save the recovery key (Microsoft account, file, USB, printout) and whether to encrypt only the used space or the entire disk, something especially relevant if the external drive previously held data that has since been deleted but could still be recovered.
External disk encryption and BitLocker To Go
For external drives (USB drives, flash drives, etc.) Windows uses a specific mode called BitLocker To Go. For practical purposes, the interface is almost identical, but internally the default algorithm is adjusted to maximize compatibility with other Windows computers that are not fully updated.
The procedure is very simple: connect the external drive, wait for it to appear in File Explorer, right-click on the drive, and choose "Turn on BitLocker." The wizard will then ask you to configure the unlock password, and then it will suggest you back up your recovery key.
When you later connect that drive to another compatible Windows PC, the system will detect that it is encrypted and display a box to enter the password. You can check the box so that it will be automatically unlocked on that specific computer in the future, which is very useful if it's a trusted PC.
In the advanced settings of the already encrypted drive, you will have options such as changing the password, removing it (provided you configure another authentication method), generating new copies of the recovery key, enabling automatic unlocking, or completely disabling BitLocker to decrypt the disk.
If you're still using very old systems like Windows XP or Vista, they don't natively recognize BitLocker To Go drives. In that case, Microsoft offered a tool called "BitLocker To Go Reader" that allowed at least read-only access to FAT-formatted encrypted USB drives, provided the correct key was entered.
TPM: The chip that strengthens BitLocker (and how to use it without TPM)
The TPM (Trusted Platform Module) is a small chip on the motherboard designed to store cryptographic keys and check boot integrity. When combined with BitLocker, part of the key material is held by the TPM and another part on the disk, so an attacker cannot simply move the disk to another computer and read it.
The TPM also helps detect suspicious changes in hardware or firmware. If, for example, you update the BIOS, replace critical components, or manipulate certain boot parameters, the TPM may consider the environment untrusted and require you to enter the BitLocker recovery key on the next boot.
It's not all advantages: as a physical component, if the TPM chip fails or you replace it without having your recovery keys backed up, you could lose access to your encrypted data. Furthermore, not all systems or programs take full advantage of TPM, and there's always the possibility of implementation flaws, bugs, or vulnerabilities.
To check if your computer has an active TPM, you can press Win + R and run tpm.msc. If you open the management console and see a status like "The TPM is ready for use," you're on the right track. If you see an error indicating that a compatible TPM cannot be found, it may be disabled in the BIOS/UEFI or your motherboard may not have one at all.
Even so, BitLocker does not require a TPM. It is possible to use BitLocker without a TPM by enabling, in gpedit.msc, the policy that requires additional authentication at startup and allows BitLocker without a compatible TPM. In these cases, the primary security measure can be a password or a key stored on a USB drive that you must have connected to boot.
Using BitLocker with and without TPM on the system drive
Encrypting the disk where the operating system is installed is a very powerful security measure, but it requires some extra considerations. BitLocker creates a small unencrypted boot partition where it stores the files necessary to start the system, and the main system partition remains encrypted until authentication is validated.
If you have a TPM, the ideal approach is to combine it with an additional PIN or password in "TPM + PIN" mode to strengthen the boot process. This way, even if your entire computer is stolen, they will need both the hardware and the password that you know. Windows manages this combination relatively transparently.
When there is no TPM or you don't want to use it, you should use the "Require additional authentication at startup" policy for operating system drives in the group policy editor, enabling the option to allow BitLocker without a compatible TPM. The wizard will then let you use a password at startup or a USB drive containing a file with the unlock key.
In this scenario, the wizard will ask you to insert a USB flash drive to save the startup key, or to set a complex password. This USB drive cannot be removed during the encryption process or during the initial restarts. It's also a good idea to adjust the boot order in the BIOS so the computer doesn't try to boot from the USB drive containing the key.
Once the encryption is complete and you have verified that the system boots correctly, it is advisable to save copies of that boot key (and the recovery key) in a very secure place: another encrypted device, a password manager, or, if you use it, your Microsoft/OneDrive account.
BitLocker and networks: behavior of encrypted external drives
One detail that often raises doubts is how an external hard drive encrypted with BitLocker behaves when shared over a network. It is important to understand that BitLocker protects against direct physical access to the device; it does not act as an authentication system on the network.
This means you can't, for example, enter your BitLocker password from another remote computer to unlock the drive. The first thing to do is unlock the drive on the computer to which it is physically connected. After that, you can share folders or the entire volume using Windows file sharing options.
Once shared, network users will access the data using their usual Windows credentials (network username/password, NTFS and sharing permissions, etc.), but BitLocker encryption is handled by the computer with the connected drive. If that computer shuts down or locks the drive, the resource becomes unavailable.
Recovery keys and backups: your safety net
Each time you encrypt a drive with BitLocker, the wizard generates a 48-digit recovery key. It's your lifeline when you forget your usual password or when, due to hardware or firmware changes, the system decides it needs to ask for that extra key at startup.
Windows offers several ways to save that key: in your Microsoft account (it's stored in your OneDrive profile), on an unencrypted USB drive, in a text file, or directly printed on paper. Ideally, at least two methods should be combined, and you should never leave the only copy of the key on the disk you are encrypting.
If you encrypt multiple drives, each recovery key file has a unique identifier in its name (a GUID) that matches the one displayed when the system prompts you for the key. Maintaining this relationship is crucial to know which file corresponds to which drive in case of an emergency.
Beyond BitLocker, the only solid strategy against hardware failures, corruption, or lapses in security is to maintain full backups on separate devices. If these copies are also stored on another encrypted disk or in a cloud service that also encrypts the data, you will have a very high level of protection against loss or theft.
Remember that if an encrypted drive suffers physical damage, even if you manage to recover isolated sectors using forensic techniques, without the correct keys that data will remain encrypted and won't be readable. That's why the combination of encryption and redundant backup is so important.
PowerShell and cmdlets for advanced BitLocker management
In addition to the graphical interface and the manage-bde console utility, Windows includes BitLocker-specific PowerShell cmdlets, very useful when you want to automate tasks or manage many drives at once.
The basic command to view the status of the drives is Get-BitLockerVolume, which accepts the -MountPoint parameter to specify a specific drive. Adding "| fl" at the end gives you detailed output with all configured protectors, encryption status, percentage completed, etc.
To add different types of protectors (password, recovery key, recovery password, or startup key), you use Add-BitLockerKeyProtector with the appropriate parameters for each case (for example, -PasswordProtector, -RecoveryKeyPath, -StartupKeyProtector…). This way you can prepare a drive with all its unlocking methods before activating encryption.
The cmdlet that actually starts the encryption is Enable-BitLocker. You pass it the drive letter (-MountPoint) and the protectors you want to apply at that moment. To stop or resume encryption, or to manually lock or unlock a volume, you have commands such as Lock-BitLocker, Unlock-BitLocker, Enable-BitLockerAutoUnlock, or Disable-BitLockerAutoUnlock.
Finally, if at any point you decide to fully decrypt a disk and remove BitLocker, you will use Disable-BitLocker. The process may take a while depending on the size of the drive and the speed of the hardware, but when it finishes, the volume will be back to plain text and without any associated protectors.
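Putting these cmdlets together, as an added example that is not the article's own code: the script below prepares an external data drive with a recovery password and an unlock password, starts BitLocker To Go encryption, and files the 48-digit recovery key under its protector GUID so the file name can be matched to the identifier shown at the unlock prompt (the relationship described in the recovery-keys section). The drive letter E: and the backup folder D:\BitLockerKeys are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Encrypts an external data
# drive with BitLocker To Go and saves the recovery key under the protector's
# GUID. Assumptions (placeholders): the external drive is E: and recovery keys
# are kept in D:\BitLockerKeys, which must be on a different disk.

$MountPoint = 'E:'
$BackupDir  = 'D:\BitLockerKeys'

# 1. Inspect the volume first; only a fully decrypted drive should be processed.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    throw "$MountPoint is $($vol.VolumeStatus) (protection $($vol.ProtectionStatus)); stopping."
}

# 2. Ask for the unlock password as a SecureString rather than hard-coding it.
$Password = Read-Host -Prompt "Unlock password for $MountPoint" -AsSecureString

# 3. Add the recovery password protector before encrypting. This is the
#    48-digit key the wizard would generate: the lifeline if the password
#    is forgotten.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

# 4. Start encryption with a password protector. Algorithm and key length come
#    from the group policy described above (AES-CBC 128 by default on removable
#    drives). -UsedSpaceOnly is deliberately omitted: a drive that previously
#    held data should be encrypted in full so deleted remnants are covered too.
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password | Out-Null

# 5. Export the recovery key. Windows names these files
#    "BitLocker Recovery Key <GUID>.txt"; keeping the GUID lets you match the
#    file to the identifier the unlock prompt displays.
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$keyId   = $rp.KeyProtectorId.Trim('{', '}')
$keyFile = Join-Path $BackupDir "BitLocker Recovery Key $keyId.txt"
@"
BitLocker Drive Encryption recovery key
Volume:        $MountPoint
Identifier:    $($rp.KeyProtectorId)
Recovery key:  $($rp.RecoveryPassword)
"@ | Set-Content -Path $keyFile -Encoding UTF8

# 6. Watch progress; the drive stays usable while encryption runs in the background.
do {
    Start-Sleep -Seconds 15
    $pct = (Get-BitLockerVolume -MountPoint $MountPoint).EncryptionPercentage
    Write-Progress -Activity "Encrypting $MountPoint" -Status "$pct %" -PercentComplete $pct
} while ($pct -lt 100)

# 7. Verify the end state: both protectors present and protection switched on.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
Write-Host "Recovery key saved to $keyFile; store a second copy elsewhere as well."
```

Run it in an elevated PowerShell on a Pro/Enterprise/Education edition; the same Get-BitLockerVolume query in step 7 is what you would use afterwards to confirm that protection stays on after the drive is moved between computers.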
Common BitLocker problems and how to solve them
Although it's a fairly stable technology, BitLocker isn't without its occasional glitches. One of the most common is that, after a BIOS update, a hardware change, or any alteration to the boot configuration, the system starts asking for the recovery key at each startup.
The usual way to fix it is to boot once by entering the recovery key, and then temporarily disable the protectors using `manage-bde` (for example, `manage-bde -protectors -disable C:`), make the necessary changes and then re-enable them with `manage-bde -protectors -enable C:`. This "resets" the TPM's trust regarding the current state of the machine.
It's also common to see a yellow triangle over the drive in Explorer or Device Manager, indicating that BitLocker is suspended or that changes are pending after an update. In these cases, it's usually enough to go to the BitLocker settings of the affected drive and resume protection, or use `manage-bde -resume C:` in a console with administrator privileges.
If the error messages point to problems with the TPM (from tpm.msc or Device Manager), it's advisable to check in BIOS/UEFI that TPM/Intel PTT/AMD fTPM is enabled, update the firmware and, if necessary, clear the TPM from its management console (which will regenerate the associated keys and require reconfiguring BitLocker).
Beyond these typical cases, the key is not to activate encryption lightly: it's always advisable to ensure you have up-to-date backups and multiple copies of recovery keys before making deep changes to hardware or firmware.
Alternatives to BitLocker for encrypting external drives
Not all computers have a BitLocker-compatible edition of Windows, and it's not always worth upgrading just for that feature. In those situations, you can resort to other encryption tools to protect external hard drives and USB flash drives.
One of the most popular is VeraCrypt, a free and open-source project that allows you to encrypt entire disks, individual partitions, or containers (files that act as encrypted virtual disks). It supports algorithms such as AES, Serpent, or Twofish and modern modes such as XTS, making it very flexible and cross-platform.
Another option is programs focused on encrypting specific folders, such as Anvi Folder Locker or Hook Folder Locker. Their approach is different: instead of encrypting the entire drive, you select specific directories, assign them a master password, and the program handles locking or unlocking access as needed.
If you prefer to remain within the Windows ecosystem without BitLocker, there's also EFS (Encrypting File System), which lets you encrypt files and folders associated with a specific user. It's fast and relatively convenient, but it is not as robust or as independent of the system as BitLocker: the key is stored in the operating system itself, there may be remnants of information in caches or temporary sectors, and if someone accesses your Windows session, they see the data in plain text.
Therefore, when you have the option, the best way to encrypt external drives is to stick with BitLocker or, failing that, VeraCrypt. EFS and folder utilities are fine as a temporary measure, but they don't replace full drive encryption when you want to protect an entire disk.
Overall, having a good encryption scheme on your external drives, combining it with regular backups, and having a good understanding of how recovery keys work allows you to handle sensitive information with much more peace of mind both in your daily life and when you physically take those devices out of your home or office.
