Microsoft has been evolving its BitLocker-based full disk encryption technologies since their debut in Windows Vista. In Windows 8, Microsoft offers its best-ever version of BitLocker to both consumers and businesses, and you can use a related feature, called BitLocker To Go, to protect portable storage devices like USB flash drives and hard drives.

Note: BitLocker and BitLocker To Go require Windows 8 Pro or Enterprise.

BitLocker and BitLocker To Go both provide full disk encryption functionality, unlike Microsoft’s older encryption feature, EFS (Encrypting File System), which can be applied at the file or folder level. (EFS is still included in Windows 8 Pro and higher if you need this level of granularity.) And though they use slightly different technologies under the hood, they’re managed from the same place, the BitLocker Drive Encryption control panel.

You can find the BitLocker Drive Encryption control panel most easily with Start Search (bitlocker).

Removable storage devices that are protected with BitLocker To Go will be locked and protected by default. For this reason, you are asked how you’d like to unlock the drive when you enable this feature. For most individuals, this will involve providing a password that will later be used to unlock the device for use.

The install wizard will also ask you to save a backup of the recovery key, which is essentially a way to recover the password if you should forget it. You can save this recovery key to a file or print it out. Given the length of the key, a file may be the better choice, but either way you should consider the security ramifications of how and where the key is stored.

Note: If you lose your recovery key, it’s over. There is literally no other recovery option available, and no back door, contrary to conspiracy theories. You’ll have to format the disk to use it again.

New to Windows 8, BitLocker To Go (and BitLocker) can optionally encrypt a disk much more quickly than before, by encrypting only the used space. Regardless, information added to the disk after it is protected by BitLocker To Go will be automatically encrypted on the fly.

Encryption speed will vary depending on the size of the disk and whether you chose to encrypt only the used space.
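
The wizard choices described above (password unlock, recovery key backup, used-space-only encryption) can also be scripted. This is an added example, not part of the original article: it assumes the BitLocker PowerShell cmdlets that ship with Windows 8 Pro and Enterprise and an elevated prompt. The helper name `Protect-RemovableDrive` is hypothetical, and `E:` and `C:\Secure\Recovery` are placeholder values.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Protect-RemovableDrive is a hypothetical helper; E: and C:\Secure\Recovery are placeholders.
function Protect-RemovableDrive {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,        # removable drive, e.g. 'E:'
        [Parameter(Mandatory)] [string] $RecoveryFolder,    # existing folder for the recovery file
        [Parameter(Mandatory)] [securestring] $Password     # password used to unlock the drive
    )
    $drive  = $MountPoint.TrimEnd('\')
    $folder = (Resolve-Path -Path $RecoveryFolder -ErrorAction Stop).Path

    # A recovery key stored on the drive it protects is useless once that drive is locked.
    if ($folder.StartsWith($drive, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Choose a recovery folder that is not on $drive."
    }
    # Only start from a plain, unencrypted volume.
    $vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$drive is already in state $($vol.VolumeStatus)."
    }

    # Password unlock plus used-space-only encryption (the faster Windows 8 option).
    Enable-BitLocker -MountPoint $drive -UsedSpaceOnly -PasswordProtector `
        -Password $Password -ErrorAction Stop | Out-Null

    # Add the recovery key (the cmdlets call it a recovery password) and
    # suppress the warning that would otherwise echo it to the console.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector `
        -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null

    # Save the recovery password to a file named after its protector ID.
    $rp = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        Select-Object -First 1
    $file = Join-Path $folder ("BitLocker-Recovery-{0}.txt" -f $rp.KeyProtectorId.Trim('{}'))
    @("Identifier: $($rp.KeyProtectorId)", "Recovery password: $($rp.RecoveryPassword)") |
        Set-Content -Path $file

    # Report encryption progress and protection state for the drive.
    Get-BitLockerVolume -MountPoint $drive |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
}

$pw = Read-Host -AsSecureString -Prompt 'Password to unlock the drive'
Protect-RemovableDrive -MountPoint 'E:' -RecoveryFolder 'C:\Secure\Recovery' -Password $pw
```

The recovery file is written in plain text, so the folder it lands in should itself be access-controlled or on an encrypted volume.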

When you plug in a BitLocker To Go-encrypted disk, you’ll be prompted to unlock it using a new Metro-style UI.

The More options link provides access to two important options: A way to enter that recovery key and a way to automatically unlock this disk on this PC. Doing the latter will not prevent BitLocker To Go from asking for a password on other PCs, however. So if the disk is lost or stolen, you’re still protected.

Note: BitLocker To Go-encrypted disks work identically on Windows 7, though with a legacy Explorer-based UI. On Windows XP, you will get a read-only Reader interface that lets you access the contents of the disk.

Disks protected with BitLocker To Go are visually differentiated in both File Explorer and the BitLocker Drive Encryption experiences. From that latter control panel, you can change a number of BitLocker To Go features, and of course remove the encryption if you’d like.

Secret: Windows RT and Windows Phone 8 both included a BitLocker-based full disk encryption technology that is always-on by default. This feature is not branded as BitLocker on these systems because it cannot be centrally managed via Active Directory and Group Policy as is BitLocker.