6.4 Enabling BitLocker on removable data drives
Encrypting removable data drives protects the data stored on
the volume. Any removable data drive formatted with FAT, FAT32,
exFAT, NTFS, or ReFS can be encrypted with BitLocker. The length of
time it takes to encrypt a drive depends on the size of the drive,
the processing power of the computer, and the level of activity on
the computer.
Before you enable BitLocker, you should configure the
appropriate Removable Data Drives policies and settings in Group
Policy and then wait for Group Policy to be refreshed. If you don’t
do this and you enable BitLocker, you might need to turn BitLocker
off and then turn BitLocker back on because certain state and management
flags are set when you turn on BitLocker.
To be sure that you can recover an encrypted volume, you
should allow data-recovery agents and store recovery information in
Active Directory. If you need to use a flash drive with earlier versions of
Windows, enable the Allow Access To BitLocker-Protected
Removable Data Drives From Earlier Versions Of Windows
policy so that the drive can be opened with the BitLocker To Go Reader on
those operating systems and computers. This applies only to
FAT-formatted drives, and a drive unlocked with the reader is
read-only on those earlier versions of Windows.
You can enable BitLocker encryption on a removable data drive
by following these steps:
-
After you connect the removable data drive, open the
BitLocker Drive Encryption console. In Control Panel, tap or
click System And Security, and then tap or click BitLocker Drive
Encryption.
-
In the BitLocker Drive Encryption console, available
drives are listed by category. Under the Removable Data Drives
heading, tap or click Turn On BitLocker for the removable data
drive you want to encrypt. BitLocker verifies that your computer
meets its requirements and then initializes the drive. If
BitLocker is already enabled on the drive, you have management
options instead.
-
On the Choose How You Want To Unlock This Drive page,
choose one or more of the following options and then tap or
click Next:
-
Use A Password To Unlock This
Drive Select this option if you want the user to be
prompted for a password to unlock the drive. Passwords allow
a drive to be unlocked in any location and to be shared with
other people.
-
Use My Smart Card To Unlock The
Drive Select this option if you want the user to
use a smart card and enter the smart card PIN to unlock the
drive. Because this feature requires a smart card reader, it
is normally used to unlock a drive in the workplace and not
for drives that might be used outside the workplace.
-
On the How Do You Want To Back Up Your Recovery Key? page,
tap or click Save The Recovery Key To A File.
-
In the Save BitLocker Recovery Key As dialog box, choose a
save location and then tap or click Save.
-
You can now print the recovery key if you want to. When
you finish, tap or click Next.
-
If it is allowed in Group Policy, you can elect to encrypt
used disk space only or the entire drive and then tap or click
Next. Encrypting the used disk space only is faster than
encrypting an entire volume and is the recommended option for
new or freshly formatted drives. It does not touch free space,
so any data that was written to the drive and later deleted stays
recoverable in the clear until it is overwritten; for drives that
have already held sensitive data, and in high-security
environments generally, encrypt the entire drive.
-
On the Are You Ready To Encrypt This Drive? page, tap or
click Start Encrypting. Be sure to pause encryption before
removing the drive and then resume the process to complete the
encryption. Do not otherwise remove the USB flash drive until
the encryption process is complete. How long the encryption
process takes depends on the amount of data to encrypt and other
factors.
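The same procedure carried out from an elevated PowerShell session, as an added example that is not part of the original text: it refuses to run on anything but an unencrypted removable data volume, adds a password protector and a 48-digit recovery password, tries to escrow the recovery password in AD DS before falling back to a file, and then polls encryption progress. The drive letter E:, the Aes128 choice, and the fallback file path are illustrative assumptions; the cmdlets are from the BitLocker module that ships with Windows 8 / Windows Server 2012 and later.

```powershell
# Added example, not from the original text. Assumes an elevated session,
# the BitLocker PowerShell module, and a removable data drive mounted as E:.
$Drive = "E:"

# Refuse to continue unless this is an unencrypted data volume.
$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.VolumeType -ne "Data") {
    throw "$Drive is not a data volume (type: $($vol.VolumeType))."
}
if ($vol.VolumeStatus -ne "FullyDecrypted") {
    throw "$Drive is already BitLocker-managed (status: $($vol.VolumeStatus))."
}

# Equivalent of "Use A Password To Unlock This Drive". Reading the password as a
# SecureString keeps it out of the console history and any transcript.
$pw = Read-Host -Prompt "Password to unlock $Drive" -AsSecureString

# Equivalent of the used-space-only choice. Aes128 (CBC) is an assumption made so
# the drive stays readable on Windows versions that predate XTS mode; use
# XtsAes256 for drives that will only ever be used on Windows 10 or later.
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw `
    -UsedSpaceOnly -EncryptionMethod Aes128 | Out-Null

# Equivalent of backing up the recovery key: add a recovery password protector
# and capture its 48-digit value.
$vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"

# Prefer escrow in AD DS (needs the BitLocker schema extensions and the
# removable-drive recovery policy); fall back to a file as the wizard does.
try {
    Backup-BitLockerKeyProtector -MountPoint $Drive -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop
    Write-Host "Recovery password escrowed to AD DS (protector $($rp.KeyProtectorId))."
} catch {
    $file = Join-Path $env:USERPROFILE "BitLocker Recovery Key $($rp.KeyProtectorId).txt"
    "Identifier: $($rp.KeyProtectorId)`r`nRecovery Key: $($rp.RecoveryPassword)" |
        Set-Content -Path $file
    Write-Warning "AD DS backup failed ($($_.Exception.Message)); recovery key written in plain text to $file. Protect that file."
}

# Report progress. Do not remove the drive until this reaches 100%; if you must,
# pause first with 'manage-bde -pause E:' and resume later with 'manage-bde -resume E:'.
do {
    $vol = Get-BitLockerVolume -MountPoint $Drive
    Write-Host ("{0}: {1} ({2}% encrypted)" -f $Drive, $vol.VolumeStatus, $vol.EncryptionPercentage)
    Start-Sleep -Seconds 10
} while ($vol.VolumeStatus -eq "EncryptionInProgress")
```

The volume-type and status checks are the part worth keeping even if you trim the rest: Enable-BitLocker will happily target a fixed drive or the wrong letter, and the wizard's own "verifies that your computer meets its requirements" step is the only thing standing between you and encrypting the wrong disk.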
The encryption process does the following:
-
On FAT-formatted drives, when the earlier-versions policy allows it, it adds an
Autorun.inf file, the BitLocker To Go Reader, and a Read Me.txt file to
the removable data drive so that earlier versions of Windows can open it.
-
It creates a virtual volume with the encrypted contents of
the drive.
-
It encrypts the virtual volume to protect it. Removable
data drive encryption takes approximately 6 to 10 minutes per
gigabyte to complete, depending on the drive and the computer. The
encryption process can be paused and resumed; pause it before you
remove the drive, and resume it after you reconnect the drive.
When you connect an encrypted drive, Windows displays a
notification on the secure desktop, as shown in Figure 19. If the notification
disappears before you can tap or click it, simply remove and
then reinsert the encrypted drive.
-
Tap or click the notification to display the BitLocker
dialog box. This dialog box also is displayed on the secure
desktop.
-
When you are prompted, enter the password. Optionally, tap
or click More Options to expand the dialog box so that you can
select Automatically Unlock On This Computer, which stores an
unlock key for the drive on this computer's operating system
volume. This option is available only if the operating system
drive is itself protected by BitLocker, and anyone who can sign
in to this computer can then open the drive without the password.
Finally, tap or click Unlock to unlock the drive so that you can
use it.
-
If you forget or lose the password for the drive but have
the recovery key, tap or click More Options and then tap or
click Enter Recovery Key. Enter the 48-digit recovery key and
then tap or click Unlock. The recovery key file you saved earlier
contains this key as plain text, so anyone who can read that file
can unlock the drive; store it where only authorized people have
access.
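The unlock steps above from PowerShell, as an added example that is not part of the original text: it tries the password first, falls back to the 48-digit recovery password after validating its shape, and enables auto-unlock only when the computer's operating system drive is itself BitLocker-protected. The drive letter E: is an assumption; the cmdlets are from the BitLocker module.

```powershell
# Added example, not from the original text. Assumes the BitLocker PowerShell
# module and a BitLocker-protected removable drive mounted as E:.
$Drive = "E:"

$vol = Get-BitLockerVolume -MountPoint $Drive
if ($vol.LockStatus -eq "Unlocked") {
    Write-Host "$Drive is already unlocked."
    return
}

# Normal path: the password chosen when the drive was encrypted.
$pw = Read-Host -Prompt "Password for $Drive" -AsSecureString
try {
    Unlock-BitLocker -MountPoint $Drive -Password $pw -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Password rejected: $($_.Exception.Message)"
    # Recovery path: the 48-digit recovery password (8 groups of 6 digits)
    # from the saved key file or from the computer object in AD DS.
    $rp = Read-Host -Prompt "48-digit recovery password for $Drive"
    if ($rp -notmatch '^\d{6}(-\d{6}){7}$') {
        throw "A recovery password is 8 groups of 6 digits separated by hyphens."
    }
    Unlock-BitLocker -MountPoint $Drive -RecoveryPassword $rp -ErrorAction Stop | Out-Null
}
Write-Host "$Drive unlocked."

# Optional auto-unlock. The unlock key is stored on this computer's operating
# system volume, so that volume must be BitLocker-protected first.
$os = Get-BitLockerVolume | Where-Object VolumeType -eq "OperatingSystem"
if ($os -and $os.ProtectionStatus -eq "On") {
    Enable-BitLockerAutoUnlock -MountPoint $Drive | Out-Null
    Write-Host "Auto-unlock enabled for $Drive on this computer."
} else {
    Write-Host "Operating system drive is not BitLocker-protected; auto-unlock is unavailable."
}

# When you are finished, relock the drive instead of just ejecting it so the
# unlocked state is not left behind; -ForceDismount closes open handles.
# Lock-BitLocker -MountPoint $Drive -ForceDismount
```

The format check on the recovery password is deliberate: a mistyped key is by far the most common reason the recovery path fails, and rejecting a malformed string locally is cheaper than another round trip to the drive.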