BitLocker Drive Encryption
From a technological standpoint, device encryption and BitLocker are identical: device encryption is BitLocker turned on automatically with a fixed, consumer-oriented configuration. Both default to 128-bit Advanced Encryption Standard (AES) (XTS-AES 128 on Windows 10 version 1511 and later), but BitLocker can be configured to use AES-256.
The most important advantages of BitLocker in enterprise scenarios involve control and manageability. BitLocker comes with a long list of features appropriate for enterprise-class data protection, including the capability to require a TPM plus a PIN for pre-boot authentication (the PIN protects the key that unlocks the volume; the cipher itself is the same) and to escrow recovery keys in Active Directory Domain Services. The Network Unlock feature eases management of BitLocker-enabled devices in a domain environment by automatically unlocking operating-system volumes at system reboot when the device is connected to a trusted wired corporate network, so that PIN-protected machines can still be patched and rebooted remotely.
How BitLocker works
Normally, BitLocker uses software-based encryption to protect the contents of Windows operating-system and data volumes. On devices without hardware encryption, BitLocker in Windows 10 encrypts data more quickly than in Windows 7 and earlier versions. With BitLocker in Windows 10, you can choose to encrypt only the used space on a disk instead of the entire disk. In this configuration, free space is encrypted when it is first used. This results in a faster, less disruptive encryption process, so enterprises can provision BitLocker quickly without an extended time commitment. The trade-off is that Used Disk Space Only encryption leaves whatever already sits in the "free" sectors untouched, so on a drive that previously held data, remnants of deleted files remain readable until those sectors are overwritten; use Full encryption for drives that are not freshly provisioned.
An administrator can use Group Policy settings to require that either Used Disk Space Only or Full Encryption is used when BitLocker Drive Encryption is enabled. The following Group Policy settings are located under the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption path of the Local Group Policy Editor:
- Fixed Data Drives\Enforce drive encryption type on fixed data drives
- Operating System Drives\Enforce drive encryption type on operating system drives
- Removable Data Drives\Enforce drive encryption type on removable data drives
Each of these policies can be set to Full encryption or Used Space Only encryption for its drive type; when a policy is Not Configured, the user or administrator enabling BitLocker chooses. In addition, the user experience is improved by allowing a standard user, one without administrative privileges, to change the BitLocker PIN or password on the operating-system drive unless the Operating System Drives\Disallow standard users from changing the PIN or password policy is enabled.
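The following PowerShell session is an added example, not part of the original article, showing how an administrator provisions an operating-system volume with the enterprise settings discussed above: XTS-AES 256 rather than the 128-bit default, Used Disk Space Only, TPM plus PIN pre-boot authentication, and a recovery password escrowed to AD DS. It uses only the built-in BitLocker cmdlets and manage-bde; the drive letter, the interactive PIN prompt and the assumption of a domain-joined machine with a ready TPM are the example's own.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell
# prompt on a domain-joined machine whose TPM is initialized.
$MountPoint = "C:"   # assumption: the operating-system volume is C:

# Read the pre-boot PIN as a SecureString so it never appears in the script or history.
# PINs are numeric unless the "Allow enhanced PINs for startup" policy is enabled.
$Pin = Read-Host -AsSecureString -Prompt "Pre-boot PIN"

# Turn on BitLocker with the settings the enterprise guidance above recommends.
#   -EncryptionMethod XtsAes256 : AES-256 instead of the 128-bit default
#   -UsedSpaceOnly              : fast provisioning; free space is encrypted on first use
#   -TpmAndPinProtector -Pin    : TPM + PIN pre-boot authentication
#   -SkipHardwareTest           : start encrypting now instead of after a test reboot
Enable-BitLocker -MountPoint $MountPoint `
    -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly `
    -TpmAndPinProtector -Pin $Pin `
    -SkipHardwareTest

# Add a 48-digit recovery password so the volume can still be unlocked if the TPM
# is cleared or the PIN is forgotten. The cmdlet returns the updated volume object.
$Volume   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$Recovery = $Volume.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"

# Escrow that recovery password to Active Directory Domain Services. The policy
# "Choose how BitLocker-protected operating system drives can be recovered" must
# allow the computer to write to its own AD object for this to succeed.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $Recovery.KeyProtectorId

# Verify the result: cipher, progress, protection state and the protector types present.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus,
        @{ Name = "Protectors"; Expression = { $_.KeyProtector.KeyProtectorType -join ", " } }

# manage-bde reports the encryption type explicitly: "Conversion Status: Used Space Only Encrypted"
# once the volume is done, which is how you confirm the Enforce drive encryption type policy took effect.
manage-bde -status $MountPoint
```

Until `ProtectionStatus` reports `On`, the volume is not actually protected even if `VolumeStatus` already says `FullyEncrypted`; the TPM+PIN and recovery protectors only take effect once BitLocker finishes and the clear key is removed.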
In Windows 8 and later versions, BitLocker supports a new type of storage device, the Encrypted Hard Drive, which includes a storage controller that uses hardware to perform encryption operations more efficiently. Encrypted Hard Drives offer Full Disk Encryption (FDE), which means encryption occurs on each block of the physical drive rather than data being encrypted on a per-volume basis.
Windows 10 is able to identify an Encrypted Hard Drive device, and its disk-management tools can activate, create, and map volumes as needed. API support in Windows 8.1 and later versions allows applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption. The BitLocker Control Panel allows users to manage Encrypted Hard Drives using the same tools as on a standard hard drive, and `manage-bde -status` reports "Hardware Encryption" as the encryption method for such a volume. Note that, following Microsoft Security Advisory ADV180028 on weaknesses in several drives' built-in encryption, Windows 10 version 1903 and later default to BitLocker software encryption for newly encrypted volumes even on Encrypted Hard Drives; hardware encryption is used only if the "Configure use of hardware-based encryption" Group Policy for the relevant drive type is enabled.
On any device that supports the InstantGo (formerly Connected Standby) standard and is running Windows 8.1 or Windows 10, data is encrypted by default. On a device that clears those two hurdles, even one intended for casual use by consumers, encryption is automatically enabled for the operating-system volume during setup.
This encryption initially uses a clear key, which allows unrestricted access to the volume until a local administrator signs in with a Microsoft account and, by doing so, automatically turns on protection. Until that happens the data is encrypted but not protected: the key is stored in the clear on the volume, and BitLocker reports the protection status as Off. The recovery key is automatically stored in the user's OneDrive storage in case an administrator needs to recover the encrypted data later (if a password is lost, for example, or an employee leaves the company and management needs to access encrypted files on a company-owned device); on a device joined to Azure Active Directory, the recovery key is escrowed to Azure AD instead. If you need to reinstall the operating system or move the drive to a new PC, you can unlock the drive with the recovery key (stored at http://onedrive.com/recoverykey) and reseal the drive with a key from the new machine.
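The following audit script is an added example, not part of the original article. It enumerates every BitLocker volume on a machine and flags the state just described: a volume that is encrypted yet shows `ProtectionStatus` Off is still sitting on a clear key, and a volume without a RecoveryPassword protector has nothing to escrow. It then escrows any recovery passwords to Azure AD with the built-in `BackupToAAD-BitLockerKeyProtector` cmdlet, and reads the registry values behind the "Enforce drive encryption type" policies listed earlier. The function name and the report layout are the example's own; the cmdlets, property names and the `HKLM\SOFTWARE\Policies\Microsoft\FVE` value names are those Windows uses.

```powershell
# Added example (not from the original article). Run from an elevated prompt.

function Get-BitLockerAuditReport {
    # One row per volume; ClearKeyOnly is the dangerous "encrypted but unprotected" state.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ", ")
            # Encrypted (fully or partially) but protection Off => clear key still present.
            ClearKeyOnly     = ($vol.VolumeStatus -ne "FullyDecrypted" -and $vol.ProtectionStatus -eq "Off")
            HasRecoveryPwd   = ($types -contains "RecoveryPassword")
        }
    }
}

function Get-BitLockerEncryptionTypePolicy {
    # Registry values written by the three "Enforce drive encryption type" policies.
    # 0 (or absent) = user chooses, 1 = Full encryption, 2 = Used Space Only encryption.
    $key   = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
    $names = @{ OSEncryptionType = "Operating system drives"
                FDVEncryptionType = "Fixed data drives"
                RDVEncryptionType = "Removable data drives" }
    $map   = @{ 0 = "Not enforced (user chooses)"; 1 = "Full encryption"; 2 = "Used Space Only" }
    foreach ($name in $names.Keys) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { $value = 0 }
        [pscustomobject]@{ DriveType = $names[$name]; Policy = $map[[int]$value] }
    }
}

$report = Get-BitLockerAuditReport
$report | Format-Table -AutoSize

# Anything flagged here should be treated as an unencrypted device in an inventory.
$report | Where-Object ClearKeyOnly | ForEach-Object {
    Write-Warning "$($_.MountPoint) is encrypted but protected only by a clear key"
}
$report | Where-Object { $_.ProtectionStatus -eq "On" -and -not $_.HasRecoveryPwd } | ForEach-Object {
    Write-Warning "$($_.MountPoint) has no recovery password protector to escrow"
}

# Escrow every recovery password to Azure AD (the right location for an Azure AD-joined
# device; the OneDrive location described above applies to a personal Microsoft account).
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq "On" }) {
    foreach ($kp in $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword") {
        BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Get-BitLockerEncryptionTypePolicy | Format-Table -AutoSize
```

On a device that is not joined to Azure AD, replace `BackupToAAD-BitLockerKeyProtector` with `Backup-BitLockerKeyProtector` to escrow to AD DS; on a stand-alone consumer device the escrow happens through the Microsoft account sign-in described above and there is nothing for the script to do beyond reporting.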