Bitlocker is an encrypting file system that was designed in part to protect the boot process in Windows. Bitlocker also protects personal files. If a machine is reset, personal files are not recoverable, but the machine can be put back into use as a new machine.
Bitlocker shipped with Windows Vista Business and Ultimate. More recent versions of Windows have made some changes to deal with security issues discovered since Vista was released. For example, Windows 10 changed the encryption to support new FIPS requirements; the new format is not backwards compatible.
Generally Bitlocker is used on the main Windows disk. Bitlocker can also be used on additional internal disks if present.
Bitlocker can also be used with removable devices like USB sticks. Encrypted USB sticks need key management, which works best on Windows 10 and above with a Microsoft account. For example, a key can be emailed separately, and when the storage unit arrives it can be considered secure even if it was copied en route.
TRUSTED PLATFORM MODULE
Bitlocker works best if the machine has a Trusted Platform Module (TPM) built in. Bitlocker requires TPM 1.2 or above. Bitlocker can also use your Microsoft account with Windows 10 and above.
Windows 10 also introduces the use of a PIN to log on to Windows with your Microsoft account credentials. This PIN can integrate with Bitlocker and the TPM to make it easier to secure a system. TPM+PIN makes the boot process very secure.
Our old Lenovo T500 has TPM 1.2 hardware and our HP Stream 7 has TPM 2.0 hardware. Some gaming motherboards have headers to which a TPM can be added; however, some modern motherboards now have one built in.
TO USE BITLOCKER
Before using Bitlocker, be sure to clear the TPM in the BIOS before enabling it. This way ownership of the TPM can be taken afresh. With Windows 10 and above your Microsoft account handles the recovery key safely.
To enable Bitlocker, simply open My Computer, right click on the hard disk and select Turn on Bitlocker. Windows will reboot to begin the process.
To disable Bitlocker, simply open My Computer, right click on the hard disk and select Turn off Bitlocker. Windows will decrypt the disk.
To use manage-bde, open an elevated command prompt. The -status switch shows whether an encryption or decryption task has completed:
- manage-bde -status
See: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde for more information about manage-bde options.
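As an added example (not part of the original article, and not Microsoft's own tooling beyond the built-in cmdlets it calls), the PowerShell script below audits the TPM and Bitlocker state the sections above describe: it checks that a TPM is present and meets the 1.2 minimum, lists each volume's protection status and key protectors, and warns if the OS volume lacks a TPM+PIN protector or a recovery password. It assumes an elevated session on Windows 8/Server 2012 or later with the built-in BitLocker and TrustedPlatformModule modules; the function and variable names are this example's own choices.

```powershell
# Added example: audit TPM and Bitlocker state on the local machine.
# Requires an elevated PowerShell session and the built-in BitLocker and
# TrustedPlatformModule modules. Function and variable names are this
# example's own choices, not names from the original article.

#Requires -RunAsAdministrator
Import-Module BitLocker, TrustedPlatformModule

function Get-TpmSummary {
    # Get-Tpm reports presence and readiness; the Win32_Tpm WMI class exposes
    # the spec version string (e.g. "2.0, 0, 1.16" or "1.2, 2, 3"), which lets
    # us check the TPM 1.2 minimum that Bitlocker requires.
    $tpm = Get-Tpm
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $version = if ($wmi) { ($wmi.SpecVersion -split ',')[0].Trim() } else { 'unknown' }
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        SpecVersion  = $version
        MeetsMinimum = ($version -ne 'unknown') -and ([version]$version -ge [version]'1.2')
    }
}

function Get-BitLockerSummary {
    # One row per volume: protection state, encryption progress, cipher, and
    # which key protectors exist (Tpm, TpmPin, RecoveryPassword, ...).
    foreach ($vol in Get-BitLockerVolume) {
        $types = $vol.KeyProtector.KeyProtectorType
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            VolumeStatus     = $vol.VolumeStatus
            PercentEncrypted = $vol.EncryptionPercentage
            EncryptionMethod = $vol.EncryptionMethod
            Protectors       = ($types -join ', ')
            HasTpmPin        = ($types -contains 'TpmPin')
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

$tpmSummary = Get-TpmSummary
$tpmSummary | Format-List

$volumes = Get-BitLockerSummary
$volumes | Format-Table -AutoSize

# Flag the OS volume if it is not protected, lacks TPM+PIN, or has no
# recovery password protector to back up (e.g. to a Microsoft account).
$osDrive = $env:SystemDrive
$os = $volumes | Where-Object MountPoint -eq $osDrive
if (-not $tpmSummary.MeetsMinimum) {
    Write-Warning "No TPM 1.2+ detected; Bitlocker will fall back to weaker protectors"
}
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    Write-Warning "Bitlocker protection is not on for $osDrive"
} elseif (-not $os.HasTpmPin) {
    Write-Warning "$osDrive is protected without a TPM+PIN protector"
} elseif (-not $os.HasRecoveryPwd) {
    Write-Warning "$osDrive has no recovery password protector; add and back one up before relying on it"
}

# The same information from the legacy command-line tool, for comparison:
manage-bde -status
manage-bde -protectors -get $osDrive
```

Run it from an elevated PowerShell window; the two manage-bde calls at the end print the same per-volume view the article's `manage-bde -status` command gives, so the cmdlet output can be compared against it.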
Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE), to law enforcement in June 2008 and it’s now being used by over 2,000 agencies around the world.
COFEE cannot break Bitlocker, which is designed to resist penetration even by well-funded government agencies. UEFI machines with Secure Boot capability are more resistant still.