How to remotely protect your data using BitLocker
Before you start!
BitLocker is a volume encryption service available for certain versions of Windows only. In order to take advantage of this functionality in Prey, your device must be compatible with BitLocker, as per the requirements below. Prey does not encrypt your data; rather, it instructs BitLocker to do it.
With the Disk Encryption action, you can use BitLocker to remotely protect your Windows device’s data by ciphering its volumes. To do so, you can follow these steps:
Make sure your device is compatible with BitLocker
There are three requirements for a device to be compatible with BitLocker:
- Your device must be running Windows 10 Professional, Enterprise or Education. BitLocker is not included in any other version of Windows, and Prey can only work with BitLocker in Windows 10.
- Your device must have a physical Trusted Platform Module (TPM) installed and active. This will physically keep your encryption keys safe. If your device does not have a TPM installed, BitLocker will not be able to encrypt your data.
- The service required to run BitLocker must be up to date; if it is outdated, you can update it by executing the following command:
You can also review whether your device is compatible with BitLocker directly on your Prey panel. On the actions sidebar, you should see the “Disk encryption” option.
If a yellow alert appears below the action, your device is not compatible and you will not be able to encrypt your data. If the action is not supported, but you believe your device meets all the requirements, just click on the Disk encryption button and a pop-up should tell you exactly what is missing.
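The three requirements above can also be checked locally, before the action is sent from the panel. The following PowerShell function is an added example, not Prey's own code. It assumes an elevated session on the device, the TrustedPlatformModule (Get-Tpm) and BitLocker (Get-BitLockerVolume) modules, and that "the required service" refers to BDESVC, the BitLocker Drive Encryption Service; the page does not name the service, so that last point is an assumption.

```powershell
# Added example (not Prey's own code): local pre-check mirroring the three
# BitLocker requirements. Run in an elevated PowerShell session on the device.
function Test-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $problems = New-Object System.Collections.Generic.List[string]

    # 1. Windows edition: BitLocker ships with Pro, Enterprise and Education only.
    #    Matching on the caption string is a heuristic, not an authoritative check.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $editionOk = ($os.Caption -match 'Windows 10') -and
                 ($os.Caption -match 'Pro|Enterprise|Education')
    if (-not $editionOk) {
        $problems.Add("Unsupported edition: '$($os.Caption)' ($($os.Version))")
    }

    # 2. TPM: must be present and ready, otherwise BitLocker cannot seal the key.
    $tpmOk = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady
        if (-not $tpmOk) {
            $problems.Add("TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady) enabled=$($tpm.TpmEnabled)")
        }
    } catch {
        $problems.Add("TPM query failed: $($_.Exception.Message)")
    }

    # 3. BitLocker service and cmdlets. BDESVC is the BitLocker Drive Encryption
    #    Service (assumption about which service the page means); the cmdlet
    #    check confirms the BitLocker PowerShell module is installed.
    $svc = Get-Service -Name BDESVC -ErrorAction SilentlyContinue
    $serviceOk = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled')
    if (-not $serviceOk) {
        $problems.Add("BDESVC missing or disabled (status: $($svc.Status), start type: $($svc.StartType))")
    }
    $cmdletOk = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)
    if (-not $cmdletOk) {
        $problems.Add('BitLocker PowerShell module (Get-BitLockerVolume) not found')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        EditionOk    = $editionOk
        TpmOk        = $tpmOk
        ServiceOk    = $serviceOk -and $cmdletOk
        Ready        = $editionOk -and $tpmOk -and $serviceOk -and $cmdletOk
        Problems     = $problems.ToArray()
    }
}

# Usage: print the verdict, then each reason (the same kind of information
# the panel pop-up shows when the action is not supported).
$result = Test-BitLockerReadiness
$result | Format-List
if (-not $result.Ready) { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

The function returns an object rather than just printing, so the same check can be collected from a fleet (for example through a remoting session) and compared against what the panel reports for each device.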
Select the volumes you want to encrypt
If your device meets all the requirements for disk encryption, once you select the action you will see a pop-up telling you where to find the encryption keys once the action is executed (Spoiler alert: all encryption keys are available in the Hardware Information tab. More on that later), plus all available volumes on the device. It can take a couple of minutes to sync all the volumes on your device.
While this information will be updated automatically, you can also force an update by clicking the refresh button.
In this view, you will be able to see which volumes are encrypted or decrypted, and also the ones that are still in process. If a volume has a padlock next to its name, that means it has already been ciphered and locked by BitLocker. Just pick the volume (or volumes) you want to encrypt, and click the “Encrypt” button.
Choose the encryption method and security standard that best suit your needs
Once you select the volumes you want to encrypt, the next window will allow you to choose the type of encryption you want to use, along with the security standard you wish to cipher your volumes with.
The options for encryption method are:
- Full Disk: This option encrypts empty space along with already existing data. This is the best option for systems that are already in use.
- Used Space Only: This option encrypts only space that is currently being occupied by data.
For security standards, you can select between AES128 (best for fixed volumes) and XTS_AES128 (which is best for removable devices).
Once you click on “Start”, the action will be sent to the Prey client and executed.
If the client on your device is unavailable for whatever reason (such as the device being offline), the action will be queued until the client is available.
The encryption process can take a very long time, but you will be notified via e-mail once the process is done.
Reviewing your encryption information
If you need your encryption or recovery keys, they will be readily available for you in the Hardware Information tab on the left-hand side of your panel.
Since encryption and recovery keys are sensitive data, you will be required to enter your Prey password in order to view them. Once you enter your password, all the information will be displayed as per the image below.
Volumes locked by BitLocker, identified with a padlock next to the volume name, will only display their Recovery Key, as the data we can access from such volumes is much more limited.
If you wish to know the Encryption Key for a volume that has been locked by BitLocker, please unlock it first.
Decrypting your volumes
Decrypting volumes is super simple. All you have to do is select the volume (or volumes) you want to decrypt from the Disk Encryption action and click Decrypt. This action may take a very long time, and will be queued in case the device is offline.
When decrypting volumes that have been locked by BitLocker, Prey will attempt to unlock them. If the decryption keys are different, you will have to decrypt them directly with BitLocker.
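For readers who want to see what the Disk Encryption action, the Hardware Information tab and the Decrypt action correspond to on the device itself, the following PowerShell is an added example and not Prey's own code. It assumes an elevated session, the BitLocker module cmdlets Get-BitLockerVolume, Add-BitLockerKeyProtector, Enable-BitLocker, Unlock-BitLocker and Disable-BitLocker, and that the panel's "Full Disk / Used Space Only" and "AES128 / XTS_AES128" labels map to the absence or presence of the -UsedSpaceOnly switch and to the Aes128 / XtsAes128 encryption methods; that mapping is this example's assumption, not something the page states.

```powershell
# Added example (not Prey's own code): local equivalents of the panel actions.
# Run in an elevated PowerShell session on the device.

function Start-VolumeEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,                           # e.g. 'C:' or 'D:'
        [ValidateSet('FullDisk', 'UsedSpaceOnly')] [string] $Method = 'UsedSpaceOnly',
        [ValidateSet('AES128', 'XTS_AES128')] [string] $Standard = 'XTS_AES128'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is $($vol.VolumeStatus); nothing to do."
        return $vol
    }
    # Assumed mapping from the panel's labels to Enable-BitLocker's values.
    $cipher = @{ 'AES128' = 'Aes128'; 'XTS_AES128' = 'XtsAes128' }[$Standard]
    $common = @{ MountPoint = $MountPoint; EncryptionMethod = $cipher }
    if ($Method -eq 'UsedSpaceOnly') { $common['UsedSpaceOnly'] = $true }

    if (-not $PSCmdlet.ShouldProcess($MountPoint, "Enable BitLocker ($Method, $cipher)")) { return }

    if ($vol.VolumeType -eq 'OperatingSystem') {
        # OS volume: the TPM seals the key. Add a recovery password first so a
        # recovery key exists before the volume can ever end up locked.
        # -SkipHardwareTest avoids the reboot-and-test cycle in an unattended run.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker @common -TpmProtector -SkipHardwareTest
    } else {
        # Data volume: TPM protectors are not allowed here, so the recovery
        # password is the protector Enable-BitLocker creates.
        Enable-BitLocker @common -RecoveryPasswordProtector
    }
}

function Get-VolumeRecoveryInfo {
    # Counterpart of the Hardware Information tab: one row per volume.
    # Fields may be empty for a volume that is currently locked.
    foreach ($vol in Get-BitLockerVolume) {
        $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            Status           = $vol.VolumeStatus
            Percent          = $vol.EncryptionPercentage
            Method           = $vol.EncryptionMethod
            LockStatus       = $vol.LockStatus
            ProtectorIds     = ($rp.KeyProtectorId -join ', ')
            RecoveryPassword = ($rp.RecoveryPassword -join ', ')   # sensitive: escrow it, never log it
        }
    }
}

function Stop-VolumeEncryption {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [string] $RecoveryPassword   # 48-digit recovery key; needed only if the volume is locked
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    # Mirrors the page's note: a locked volume has to be unlocked before it can
    # be decrypted, and that needs the recovery key that matches the volume.
    if ($vol.LockStatus -eq 'Locked') {
        if (-not $RecoveryPassword) { throw "$MountPoint is locked; supply -RecoveryPassword to unlock it first." }
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Disable BitLocker (decrypt)')) {
        Disable-BitLocker -MountPoint $MountPoint
    }
}

# Usage: dry run first (-WhatIf), then review keys; decryption is commented out.
Start-VolumeEncryption -MountPoint 'D:' -Method UsedSpaceOnly -Standard XTS_AES128 -WhatIf
Get-VolumeRecoveryInfo | Format-Table -AutoSize
# Stop-VolumeEncryption -MountPoint 'D:' -RecoveryPassword '<48-digit recovery key>'
```

Both Start-VolumeEncryption and Stop-VolumeEncryption honour -WhatIf, so the mapping of options can be checked before anything is written to the volume. As with the panel, the recovery passwords returned by Get-VolumeRecoveryInfo are the only way back into a locked volume, so they belong in a protected store rather than in a console transcript or a ticket.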