Bitlocker on Surface Tablets


Can I Encrypt Files on my Surface?

Encryption is a conversion of data into a form that can’t be easily understood by unauthorized users. Last week, I mentioned Bitlocker in the post on what to do before you sell your Surface tablet. That prompted a few questions about Microsoft’s Bitlocker technology.

If you don’t know, BitLocker (or Device Encryption) is a technology that encrypts your hard drive but allows transparent (you don’t need to do anything to use it) access to authorized users.

Doing so can help block a nefarious person from accessing certain files in an attempt to discover your password, personal files, or anything else you have stored. It can also prevent someone from accessing your files even if they physically remove the hard drive from your Surface and put it in another PC.

However, Bitlocker WILL NOT prevent someone who knows your password from accessing the files by logging in as you. If you are trying to create an encrypted and password protected file to store private data, take a look at something like TrueCrypt.

Bitlocker/Device Encryption is one of those cases where Windows RT machines like the Surface RT or Surface 2 have an advantage over the Surface Pro line.

This is because the Windows RT version of Bitlocker is turned on by default and automatically saves a copy of your key to your Microsoft account as soon as someone with a Microsoft account and admin rights signs in to the machine.

Nice, huh?

So, this article really only applies to folks who have a Surface Pro/Pro 2 because the RT/2 users are already taken care of.

So, with that in mind, let’s get started…

Bitlocker on Surface: Enabling Bitlocker on Surface Pro/Pro 2 tablets

To enable Bitlocker on your Surface Pro/Pro 2 just follow these instructions. Make sure you have your Surface plugged in while you’re doing this, since it can take up to 30 minutes for the process to complete. I guarantee you don’t want your Surface to go to sleep or run out of power when the drive is only half encrypted.

For these instructions, we’ll be encrypting the C:\ drive, but if you’ve installed a Micro SD card or USB drive, these same instructions will work to encrypt it as well.

  • From the Desktop, open Windows Explorer
  • Browse to the C:\ Drive under Devices and Drives then tap and hold it until the right-click menu appears. If you have a mouse, it’s a little easier to just right-click on it
  • Select Turn on Bitlocker

Bitlocker on Surface: Turning it on

  • The Starting Bitlocker window will appear. After it finishes starting, you’ll be asked where you want to save your recovery key. Select Save to your Microsoft account


  • After you’ve selected where to save your recovery key, you’ll be asked how much of your drive you want to encrypt. I recommend choosing Encrypt Entire Drive unless you’ve just started using your Surface


  • Next, you’ll be asked if you’re ready to encrypt the drive. Before you continue, check the Run Bitlocker system check box before tapping the Start Encrypting button


  • Your machine may need to restart at this time. After it comes back up, you’ll get a popup balloon telling you your drive is being encrypted. If you click on it, you’ll get a progress window

It will take a while to complete, but you can continue to use your Surface while it’s encrypting your drive. When it’s done, you may notice that the icon for the C:\ drive in Windows Explorer now looks like the picture to the right. Before the drive was encrypted, the icon was lacking the padlock.

Congratulations! Your hard drive is now better protected from nefarious people who might want to access it.

Bitlocker on Surface: Where is my Recovery Key?

Now that Bitlocker is on, you might be wondering where the recovery key is kept. After all, you don’t want to get locked out of your own Surface because you can’t find the key if you need it, right?

If you selected “Save to your Microsoft account” when asked where to store your recovery key, as instructed, then your key is safely stored as part of your account on Microsoft’s servers.

If you want to see your key, just go to the following link and log in with your Microsoft account information: Microsoft Recovery Key Page

Bitlocker on Surface: Is there a performance hit?

If you’re a little tech savvy, it may have occurred to you that enabling Bitlocker on Surface tablets might impact their performance. I know the thought crossed my mind.

I did some testing and confirmed what I intuitively knew: there is a small performance downgrade; however, it’s not really noticeable unless I’m looking at benchmarks.

I used PC Benchmark from the Windows Store to run a series of 20 benchmark tests (10 with Bitlocker on and 10 with Bitlocker off). The only place where there was any significant (more than 3%) variation in the results was during the Disk Test.

The values below represent the average of the 20 passes.

Bitlocker on Surface: Benchmark

As you can see, with Bitlocker turned OFF, there are some significant gains during the 4k test for both read and write along with a big gain during the linear read test.

I was surprised by the results for the 512k read test, which indicate that having Bitlocker ON yields better results. That seems counter-intuitive, but it was consistent over the complete series of tests.

At any rate, as I indicated before, there is technically a performance hit but you will probably never notice it during day-to-day usage.

Bitlocker on Surface: Removable drives?

You can use Bitlocker to encrypt removable drives like USB keys or SD cards. In fact, because of their removable nature, it’s probably more important to encrypt them than your C:\ drive.

The procedure is pretty much the same as above with the exception that you will be asked how you want to unlock your device as one of the first steps. The screen for that looks like this:

Bitlocker on removable drives

I usually pick Use a Password to unlock the device since I don’t have a smart card.

After you enable Bitlocker on a removable drive, you will need to enter the password to access it when it is plugged into your machine.

Bitlocker on removable drives - enter password
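The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original post: it covers the C:\ drive steps above, shows where the recovery key comes from, and finishes with the removable-drive case. It assumes the BitLocker and TrustedPlatformModule cmdlets that ship with Windows 8.1 Pro and later, and E: is a constructed drive letter standing in for your USB key or SD card.

```powershell
# Added example (not from the original post). Run as Administrator on a
# Surface Pro; E: is a constructed drive letter for a removable drive.
#Requires -RunAsAdministrator

# Step 0: the Surface Pro unlocks with its TPM, so confirm the TPM is usable.
# The "TPM not activated in UEFI" case from the comments shows up here as
# TpmReady = False, which is the time to fix it, not after encryption starts.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not ready; enable it in the UEFI settings before turning on Bitlocker.'
}

# Step 1: add a recovery password protector BEFORE encrypting so a recovery
# key exists from the first minute. This is the 48-digit key the article has
# you save to your Microsoft account; here it is shown so you can store it.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
(Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Step 2: turn Bitlocker on with the TPM as the unlock protector (no PIN, the
# same transparent unlock the article describes). Leaving out -UsedSpaceOnly
# matches "Encrypt Entire Drive"; leaving out -SkipHardwareTest keeps the
# "Run Bitlocker system check", which is why a restart follows.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod Aes256

# Step 3: the PowerShell view of the progress window. EncryptionPercentage
# climbs while you keep working; ProtectionStatus reads On once it is done.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# Removable drive (last section of the article): a password protector instead
# of the TPM, plus a recovery password so a forgotten password is not fatal.
$pw = Read-Host -AsSecureString 'Password to unlock the removable drive'
Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint 'E:' -PasswordProtector -Password $pw -UsedSpaceOnly
```

Re-running the Get-BitLockerVolume line is the quickest way to confirm the drive ended up fully encrypted before you rely on it.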

I hope this post helps you set up Bitlocker if you are so inclined. As usual, if you have any questions, please let us know.

Tim


Tim is a professional geek with over 23 years of experience working in Information Technology and dealing with everything from large-scale storage to remote systems management and automation for organizations such as Texas Instruments, Mobil Oil, and the University of Michigan (where he was an Academic IT Director). He co-founded JTRTech along with Joanna to realize his long-time dream of working for himself.

26 COMMENTS

  1. Hello Tim,

    What about encryption on your SD card on Surface RT/2? I think that most people write their data to an SD card on their Surface. Is this also possible?

    Reinier Roelofs

    • Sorry for the delay in getting back to you.

      It is possible to do this with Bitlocker. It will just behave a little differently. Basically, when you turn Bitlocker on you’ll be asked to enter a password or designate a smart card, which will be required to access the device when you insert it into a device.

      Hope this helps,
      Tim

  2. Thanks Tim. Even after reading about Bitlocker in the past, I never felt comfortable doing it. With the Surface Pro 2, and using my Microsoft Account as my log-in (doing that on other non-AD Win8.1 devices now also), and reading your detailed steps, I am comfortable doing it. With the large SSD, and extreme portability, Having a drive level encryption is even more important than ever. Thanks again for helping the Surface family!

  3. Hi Tim,

    What is the unlocking process like for the Surface Pro when Bitlocker is turned on for the OS drive? Do I need to have a keyboard attached to unlock it?

    I am looking to turn bitlocker on with my Surface pro 2 but don’t want to get locked out! 🙂

    Cheers

    • Just to clarify, I enabled Bitlocker on my SPro2 on my OS drive (without specifying a key), and it works fine without any extra key entries. Took approx. 45 minutes for a 256 GB HDD (encrypted the whole drive).

      I am aware not having a key entry on startup is not as secure, however it is a balance so if it gets stolen, my data is not (as) readily available.

      FYI – no noticeable performance difference.

      • Russ,

        Sorry for the delay in getting back to you. We were out of town.

        I’m glad that it looks like you came up with the answer to your question on your own and that you’re happy with it.

        Thanks for sharing your experiences,
        Tim

  4. Daniel,

    Your Surface Pro has a TPM module and should not require any sort of PIN to log in because of Bitlocker. It could be disabled or messed up somehow, I guess?

    When does it ask for a PIN? Is it right at start up or after the Surface logo and “dot loop de loop” appears?

    Tim

  5. Sorry for confusion.
    When I activate OS hard disk encryption, the check-up before encryption starts fails since I cannot enter a PIN on the Bitlocker startup screen.

    • OK Daniel,

      I think you’re going to want to get into the UEFI settings and make sure the TPM module is on.

      Just power down your Surface with a keyboard cover attached and hold the shift key down as you boot it. You should get into the recovery options. From there choose Troubleshoot then UEFI Firmware Settings. Tell it to restart from there.

      When the machine restarts, you should see a black screen with text on it. The top option will refer to the Trusted Platform Module. Make sure it’s activated.

      Once it’s activated, you should be good to go. If it won’t activate, you might need to contact Microsoft.

      Also, where are you? It’s possible you’re in a location where Microsoft doesn’t support certain features (like Bitlocker).

      Thanks,
      Tim

  6. I had already checked this issue. In the UEFI settings the TPM module is active. Since Bitlocker is forced to use TPM only according to my group policy settings, I expect that I couldn’t start Bitlocker encryption at all if my UEFI settings were different.

    Since

    – TPM is active
    – Bitlocker starts with the system check

    it seems to me that there is actually no problem with Bitlocker itself. — But my keyboard is not detected in the pre-boot environment, hence I cannot enter the Bitlocker PIN at the startup screen.

    Yes, bitlocker is available in my country (Germany).

  7. I’ve just ordered a new Pro 2 and I’m planning on encrypting the entire drive (better safe than sorry). I wanted to know if you need the keyboard attached to enter the PIN on startup? I don’t have a keyboard as of yet and I don’t want to be locked out for a month until I get one.

    My biggest question: is BitLocker already installed on the Pro 2 (128GB)? Do I need to pay extra for it? I use TrueCrypt on my home PC and I found that it works great. Is it similar to TC? How much does it affect initial startup time? Thanks so much!

    • TheJosh,

      Nope you don’t have to pay for Bitlocker. It’s included and free on your Surface (since it has Windows 8.1 Pro). It simply isn’t turned on by default like it is with the Windows RT devices.

      It’s similar in concept to using Truecrypt whole disk encryption but, is a little more transparent (i.e. you don’t need to enter a password at boot).

      Lastly, it doesn’t really affect boot time at all. At worst, it adds a second or two.

      Hope this helps,
      Tim

  8. Additionally, I saw somewhere else that you don’t need to enable a PIN. The drive can be tied to your account. Does this mean that I only have to log in at the log-on screen with my Microsoft Account? Is this still as safe? I want it so that my tablet is as useless to thieves as possible. Thanks again!

    • That’s true. You can attach your key to your MS account and it’s functionally the same as saving it to a file or printing it out (and it’s more convenient).

      It will make it much more difficult for someone who gains physical access to your Surface to use it (unless they have your password).

      In the interest of full disclosure, nothing is perfect and Bitlocker can be cracked but, in general, only advanced computer folks would be likely to do it.

      Hope this helps,
      Tim

  9. Hello again,
    I saw on another tech website (not sure if true or not) that you can bypass encryption on most computers by booting from a removable device and then formatting the computer. They also mentioned you can disable booting from removable devices, but did not state how. I searched for it, but I couldn’t find any other information on this.
    Is this true for Bitlocker? Is there any way to prevent it?
    Thank you!

    • Without going into too much detail, Bitlocker and the Trusted Platform Module built into the Surface hardware prevent most attempts to do what you’re describing.

      That said, if someone with a lot of tech knowledge has physical access to your machine, it’s possible they could eventually crack the encryption and get to the data. It will take them a long time and, unless you’re transporting state secrets, no one is going to bother.

      Frankly, if they wanted your data, they would be better off going with the XKCD method and hitting you with a $5 wrench until you gave them the password.

      😉

      Now, keep in mind I’m just talking about your data since you said bypass encryption (which I took as getting into your files). If the person just stole your Surface and doesn’t care about your files, it’s a lot easier. All you have to do (again without going into a lot of detail) is wipe the drive partitions with a bootable Linux CD and start over.

  10. Hi Tim

    If I encrypt my microsd (surface 3), would it keep on asking me to input the password after my Surface goes to sleep or after I turn it off and then on?

    Or would it only ask me if I ejected it and put it back in?

    Thanks
    Ran

    • It should only ask if you eject it and put it back in. Be aware, though, that if the Surface loses connection with it for any reason (it comes loose, for example) it will ask for the password.

  11. I’m so glad I found this article. I need to do some tweaking in System Configuration (msconfig), but when I click Apply I get a warning about BitLocker. Is there any way to disable it temporarily until I do the tweaks? I have a Surface 3. (64 RAM, 128GB) Thanks.
