Encryption is a conversion of data into a form that can’t be easily understood by unauthorized users. Last week, I mentioned Bitlocker in the post on what to do before you sell your Surface tablet. That prompted a few questions about Microsoft’s Bitlocker technology.
If you don’t know, BitLocker (or Device Encryption) is a technology that encrypts your hard drive but allows transparent (you don’t need to do anything to use it) access to authorized users.
Doing so can help block a nefarious person from accessing certain files in an attempt to discover your password, personal files, or anything else you have stored. It can also prevent someone from accessing your files even if they physically remove the hard drive from your Surface and put it in another PC.
However, Bitlocker WILL NOT prevent someone who knows your password from accessing the files by logging in as you. If you are trying to create an encrypted and password protected file to store private data, take a look at something like TrueCrypt.
Bitlocker/Device Encryption is one of those cases where Windows RT machines like the Surface RT or Surface 2 have an advantage over the Surface Pro line.
This is because the Windows RT version of Bitlocker is turned on by default and automatically saves a copy of your key to your Microsoft account as soon as someone with a Microsoft account and admin rights signs in to the machine.
So, this article really only applies to folks who have a Surface Pro/Pro 2 because the RT/2 users are already taken care of.
So, with that in mind, let’s get started…
Bitlocker on Surface: Enabling Bitlocker on Surface Pro/Pro 2 tablets
To enable Bitlocker on your Surface Pro/Pro 2 just follow these instructions. Make sure you have your Surface plugged in while you’re doing this, since it can take up to 30 minutes for the process to complete. I guarantee you don’t want your Surface to go to sleep or run out of power when the drive is only half encrypted.
For these instructions, we’ll be locking the C:\ Drive but, if you’ve installed a Micro SD card or USB drive, these same instructions will work to encrypt it as well.
- From the Desktop, open Windows Explorer
- Browse to the C:\ Drive under Devices and Drives then tap and hold it until the right-click menu appears. If you have a mouse, it’s a little easier to just right-click on it
- Select Turn on Bitlocker
- The Starting Bitlocker window will appear. After it finishes starting, you’ll be asked where you want to save your recovery key. Select Save to your Microsoft account
- After you’ve selected where to save your recovery key, you’ll be asked how much of your drive you want to encrypt. I recommend choosing Encrypt Entire Drive unless you’ve just started using your Surface
- Next, you’ll be asked if you’re ready to encrypt the drive. Before you continue, check the Run Bitlocker system check box before tapping the Start Encrypting button
- Your machine may need to restart at this time. After it comes back up, you’ll get a popup balloon telling you your drive is being encrypted. If you click on it, you’ll get a progress window
It will take a while to complete but you can continue to use your Surface while it’s encrypting your drive. When it’s done, you may notice that the icon for the C:\ Drive in Windows explorer now looks like the picture to the right. Before the drive was encrypted, the icon was lacking the padlock.
Congratulations! Your hard drive is now better protected from nefarious people who might want to access it.
Bitlocker on Surface: Where is my Recovery Key?
Now that Bitlocker is on, you might be wondering where the recovery key is kept. After all, you don’t want to get locked out of your own Surface because you can’t find the key if you need it, right?
If you selected “Save to your Microsoft account” when asked where to store your encryption key as instructed than your key is safely stored as part of your account on Microsoft’s servers.
If you want to see your key, just go the the following link and log in with your Microsoft account information: Microsoft Recovery Key Page
Bitlocker on Surface: Is there a performance hit?
If you’re a little tech savvy, it may have occurred to you that enabling Bitlocker on Surface tablets might impact their performance. I know the thought crossed my mind.
I did some testing and confirmed what I intuitively knew: there is a small performance downgrade however, it’s not really noticeable unless I’m looking at benchmarks.
I used PC Benchmark from with Windows Store to run a series of 20 (10 with Bitlocker on and 10 with Bitlocker off) benchmark tests. The only place where there was any significant (more than 3%) variation in the results was during the Disk Test.
The values below represents the average of the 20 passes.
As you can see, with Bitlocker turned OFF, there are some significant gains during the 4k test for both read and write along with a big gain during the linear read test.
I was surprised with the results for the 512k read test indicating that having Bitlocker ON yields better results as it seems counter-intuitive but it was persistent over the complete series of tests.
At any rate, as I indicated before, there is technically a performance hit but you will probably never notice it during day-to-day usage.
Bitlocker on Surface: Removable drives?
You can use Bitlocker to encrypt removable drives like USB keys or SD Cards. In fact, because of their removable nature, it’s probably more important to encrypt them than your C:\drive.
The procedure is pretty much the same as above with the exception that you will be asked how you want to unlock your device as one of the first steps. The screen for that looks like this:
I usually pick Use a Password to unlock the device since I don’t have a smart card.
After you enable Bitlocker on a removable drive, you will need to enter the password to access it when it is plugged into your machine.
I hope this post helps you setup Bitlocker if you are so inclined. As usual, if you have any questions, please let us know.