Overview
Encryption is used to secure data that others shouldn't be able to read; for example, social security numbers (SSN) or financial data. These are suggested methods for using encryption in Windows, but they should always be used with discretion and caution. (You don't want to lock yourself out of the information either.) It is also highly advisable to make a backup of your information before implementing them.
As a best practice, whenever using encryption, create the backups, recovery keys, certificate exports, etc. needed to ensure you have a way to restore or recover your data.
BitLocker for Windows 11 Disk Encryption
Windows 11 Pro, Education, and Enterprise provide disk encryption through BitLocker Drive Encryption. Microsoft describes BitLocker as "A data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline."
Contact site licensing at https://www.hawaii.edu/sitelic/ to ensure you purchase the correct version of Windows 11 to use BitLocker Drive Encryption.
If you enable BitLocker Drive Encryption, it is imperative that you back up the recovery key during setup. If you do not back up your recovery key, your data will not be recoverable.
BitLocker Overview
Internal Drive - Full Disk Encryption
- Type "BitLocker" in the Windows search bar, then press Enter. Select Turn on BitLocker.

- BitLocker provides three recovery key backup options: "Save to your Microsoft Account", "Save to a file", or "Print the recovery key". Choose the option that works best for you.
IMPORTANT: Be sure to record and keep this BitLocker recovery key in a safe place. You cannot access the data without this recovery key.
- Select how much of the disk to encrypt: Choose Encrypt Entire Drive.
- Select Encryption Mode: Select the encryption mode that matches your situation. We recommend New Encryption Mode.
- BitLocker System Check: It is recommended to select Run BitLocker System Check before encrypting your drive to ensure BitLocker can read your recovery key. Click Continue and wait for the scan to complete.
- Click Start Encrypting to begin the BitLocker process of encrypting your internal drive.
External Drive - Full Disk Encryption
- Plug in your external drive to an available USB slot.
- Type "BitLocker" in the Windows search bar, then press Enter. Under "Removable data drives - BitLocker To Go", select Turn on BitLocker.
- Choose how you want to unlock this drive: Select Use a password to unlock the drive.
- Create a strong password that will be used to unlock the drive.
- BitLocker provides three recovery key backup options: "Save to your Microsoft Account", "Save to a file", or "Print the recovery key". Choose the option that works best for you.
IMPORTANT: Be sure to record and keep this BitLocker recovery key in a safe place. You cannot access the data without this recovery key.
- Select how much of the disk to encrypt: Choose Encrypt Entire Drive.
- Select Encryption Mode: If you plan on using the external drive on any Windows operating system older than Windows 11, select Compatible Mode. Otherwise, select New Encryption Mode.
- Click Start Encrypting to begin the BitLocker process of encrypting your external drive.
IMPORTANT: Do not move files, make changes to files, or unplug the external drive during the encryption process.
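To confirm the result of either procedure above, the following PowerShell function is an added example (not part of the original article). It uses the built-in `Get-BitLockerVolume` cmdlet from an elevated session; the function name and the drive letters in the usage lines are assumptions. It reports only the recovery key ID, which you can match against the identifier on your saved or printed recovery key, and never prints the key itself.

```powershell
# Added example: read-only check after turning on BitLocker.
# Run in an elevated PowerShell window. Function name is hypothetical.
function Test-BitLockerSetup {
    param(
        [Parameter(Mandatory)][string]$MountPoint,  # e.g. 'C:' (assumed drive letter)
        [switch]$Removable                          # set for a BitLocker To Go drive
    )
    $vol      = Get-BitLockerVolume -MountPoint $MountPoint
    $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $method   = "$($vol.EncryptionMethod)"
    $findings = @()

    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings += "Encryption not finished: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%"
    }
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings += 'Protection is off (suspended, or encryption still running)'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: there is no recovery key to back up'
    }
    if ($Removable -and ($types -notcontains 'Password')) {
        $findings += 'Removable drive has no password protector'
    }

    # New Encryption Mode uses XTS-AES; Compatible Mode uses AES-CBC.
    $mode = switch -Wildcard ($method) {
        'Xts*'  { 'New Encryption Mode (XTS-AES)' }
        'None'  { 'Not encrypted' }
        default { 'Compatible Mode (AES-CBC)' }
    }

    [pscustomobject]@{
        MountPoint     = $vol.MountPoint
        EncryptionMode = "$mode [$method]"
        KeyProtectors  = $types -join ', '
        # ID only; compare it with the identifier on your saved recovery key.
        RecoveryKeyIds = @($vol.KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
            ForEach-Object { $_.KeyProtectorId }) -join ', '
        Findings       = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# Usage (drive letters are assumptions):
Test-BitLockerSetup -MountPoint 'C:'
Test-BitLockerSetup -MountPoint 'E:' -Removable
```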
File and Folder Encryption
Microsoft also offers the ability to encrypt specific files and folders. This can be done through BitLocker Drive Encryption.
- Locate your files in File Explorer: Type "File Explorer" in the Windows search bar, then press Enter.
- Navigate to the file or folder that you would like to encrypt and right-click on it. Click Properties.
- On the "General" tab, click on Advanced. In the "Advanced Attributes" window, select Encrypt contents to secure data, then click OK.

- Click OK in the properties window to close it.
- You will be prompted to choose what will be encrypted. Select one:
  - If you want to encrypt only the folder, click Apply changes to this folder only, and then click OK.
  - If you want to encrypt the contents in the folder along with the folder, click Apply changes to this folder, subfolders and files, and then click OK.
  - If you want to encrypt only the file, click Encrypt the file only, and then click OK.
Note: While it is possible to encrypt both files and folders, Microsoft's Best Practices suggest encrypting folders not individual files. This prevents applications from unintentionally removing the encryption from a file.
- Windows will now proceed to encrypt your data. How long it takes depends on the number and size of the files you choose to encrypt. When it is complete, the folder will be encrypted. However, this does not mean that others cannot view the contents of the folder; encrypting the files prevents them from opening items in the encrypted folder.
After Encrypting Your Data - Certificate Backup
Once you have encrypted your files or folders, it is important to back up your certificate so that you do not lose access should you forget your password. If you do not back up your certificate and subsequently forget your password, there will be no way to recover your data. Back up your certificate and store it in a secure location. Follow the instructions below to back up your certificate.
- Type "Manage User Certificates" in the Windows search bar, then press Enter.
- In the left pane, click on Personal to expand the folder, then click the Certificates folder.
- In the main panel, find the certificate with your Username under the "Issued to" column, and Encrypting File System under "Intended purposes".
- Right-click the certificate, select All Tasks, then click Export.
- The Certificate Export Wizard window will now open. When prompted "Do you want to export the private key?", select Yes, export the private key. Click Next.
- Under the "Export File Format" menu, ensure that Personal Information Exchange - PKCS #12 (.PFX) is selected.
- Check the following two boxes:
  - Include all certificates in certification path if possible
  - Enable certificate privacy
- Click Next. On the "Security" menu, select Password.
- Under "Encryption", select AES256-SHA256. Enter and confirm a strong password, then click Next. This password is used to protect the exported certificate.
- Specify the location where you want to save the certificate. You can back up to another location on your hard drive or to a USB drive. You can also back up the certificate to multiple locations.
- Click Save, then click Next. Then, click Finish. A dialog box should confirm: "The export was successful". Click OK.
- You can now close the Certificates window and Certificate Manager window.
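Before relying on the exported certificate, it is worth confirming that the backup file opens with its password and holds the same Encrypting File System certificate that is in your Personal store. The PowerShell function below is an added example (not part of the original article). The function name and both paths are assumptions. It only reads, and imports nothing into the certificate store.

```powershell
# Added example: read-only check of an encrypted folder and its .pfx backup.
# Function name and paths are hypothetical; run as the user who encrypted the files.
function Test-EfsBackup {
    param(
        [Parameter(Mandatory)][string]$Folder,   # folder you encrypted (assumed path)
        [Parameter(Mandatory)][string]$PfxPath   # exported .pfx backup (assumed path)
    )
    $efsOid = '1.3.6.1.4.1.311.10.3.4'           # EKU: Encrypting File System

    # Files under the folder that do not carry the Encrypted attribute.
    $plain = @(Get-ChildItem -LiteralPath $Folder -Recurse -File -Force |
        Where-Object { -not $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) })

    # EFS certificates in the Personal store that still have a private key.
    $efsCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid)
    })

    # Open the backup with the export password. Get-PfxData parses the file
    # without importing it; a wrong password or damaged file throws here.
    $pw       = Read-Host -AsSecureString -Prompt 'Password for the .pfx backup'
    $pfx      = Get-PfxData -FilePath $PfxPath -Password $pw
    $backedUp = @($pfx.EndEntityCertificates | ForEach-Object { $_.Thumbprint })

    # EFS certificates in the store that are absent from the backup file.
    $missing = @($efsCerts | Where-Object { $backedUp -notcontains $_.Thumbprint })

    [pscustomobject]@{
        UnencryptedFiles   = $plain.FullName
        EfsCertsInStore    = $efsCerts.Thumbprint
        CertsInBackup      = $backedUp
        MissingFromBackup  = $missing.Thumbprint
        BackupCoversAllEfs = ($efsCerts.Count -gt 0) -and ($missing.Count -eq 0)
    }
}

# Usage (both paths are assumptions):
Test-EfsBackup -Folder "$env:USERPROFILE\Documents\Sensitive" -PfxPath 'E:\efs-backup.pfx'
```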
Decrypting Files and Folders
Decryption is very similar to the encryption process, but in reverse order.
- Right-click on the folder or file you want to decrypt, then click Properties.
- Click Advanced, then uncheck Encrypt contents to secure data. Make sure the box is left unchecked, then click OK.

- Click OK to close the Properties window.
- If it is a folder, and it has files in it, the 'Confirm Attribute Changes' dialog box appears. You can choose to decrypt only the folder, but this won’t decrypt any of the files in the folder.
- If you want to decrypt all the contents of the folder, click Apply changes to this folder, subfolders, and files, and then click OK.