☑ Turn on BitLocker encryption for all data drives
☑ Back up your encryption keys
☑ Back up data files to the cloud
☑ Back up critical data files to local storage
Replacing a stolen laptop is inconvenient and expensive. Dealing with lost or stolen data is a nightmare. Physical security has its own challenges, but when it comes to keeping your data secure, you have two key goals:
- Encrypt your data files. If your computer or storage device is stolen, the thief can't access your files that are protected with robust encryption and a strong password.
- Back up your data files. With a good backup plan, you can restore files that are lost or damaged (even if the cause is hardware failure) and get back to work with a minimum of downtime.
Those precautions are especially important for files containing sensitive personal or financial information for customers or clients. If you work in a regulated industry or you're subject to data breach laws, the impact is even worse.
On a Windows 11 device, the single most important configuration change you can make is to enable BitLocker encryption on the system drive and on every fixed data drive, and BitLocker To Go on removable drives such as USB flash drives. (BitLocker is the brand name Microsoft uses for the full-disk encryption built into Windows. The complete set of management tools is available only in business editions; Windows Home gets a simplified subset called Device Encryption. BitLocker features are essentially identical on Windows 10 and Windows 11.)
With BitLocker enabled, the contents of the drive are encrypted at rest using the XTS-AES algorithm (AES-CBC remains available for removable drives that must be readable on older versions of Windows). On a system drive, BitLocker uses the Trusted Platform Module (TPM) chip to protect the key that unlocks the drive: the TPM releases that key at boot only if the firmware and boot configuration match the measurements recorded when BitLocker was turned on, so a thief who pulls the disk or boots from other media gets only ciphertext.
The steps to turn on BitLocker Device Encryption are different depending on which edition of Windows 11 is installed:
- Windows 11 Home: This edition supports Device Encryption, which turns on BitLocker for the system drive automatically on supported hardware, but only if you sign in with a Microsoft account (where the recovery key is backed up). It does not include the BitLocker management tools, so you can't choose which drives to encrypt, change the encryption method, or add protectors.
- Windows 11 Pro, Enterprise, or Education: These business editions provide full access to BitLocker management tools, including the Manage BitLocker control panel, the manage-bde command, and the BitLocker PowerShell module. For centralized management and recovery-key escrow, set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory (now Microsoft Entra ID) account. On an unmanaged device running a business edition of Windows 11, you can set up BitLocker using a local account or a Microsoft account, but you'll need to use the BitLocker management tools to enable encryption on the available drives yourself.
It is crucial that you back up the recovery key for a BitLocker-encrypted drive. If you ever reinstall Windows, move the drive to another PC, lose access to your account, or change the firmware or boot configuration in a way that the TPM does not recognize, BitLocker will refuse to unlock the drive automatically and you'll need that 48-digit number to access the data. Without it, the data is gone for good, which is exactly what the encryption is designed to ensure.
If you sign in with a Microsoft account, the BitLocker recovery key is saved in OneDrive by default. You can access it by signing in at onedrive.com/recoverykey. I recommend that you print a copy of that key and file it in a safe place, just in case.
On a managed PC using a domain or AAD account, the recovery key is saved in a location that is available to the domain or AAD administrator. On a personal device, you can use the Manage BitLocker app to save or print a copy of that recovery key.
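The sequence described above for a business edition of Windows 11, as an added example written for this page rather than taken from the original article or from Microsoft's documentation: check the TPM, inspect the drive, add a recovery password protector before turning encryption on, enable BitLocker with a TPM protector, and then back the recovery key up. It uses only cmdlets from the built-in BitLocker and TrustedPlatformModule modules; the drive letters and the file path for the printed key are assumptions, and the two escrow commands for domain and Azure AD joined PCs are shown commented out because they apply only to managed devices.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell
# session on Windows 11 Pro/Enterprise/Education. Drive letters and the backup
# path are assumptions; adjust them for your machine.
#Requires -RunAsAdministrator

$OsDrive = $env:SystemDrive   # normally "C:"

# 1. The default BitLocker protector needs a TPM that is present and initialized.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready. Enable it in UEFI setup before turning on BitLocker."
}

# 2. Look before you leap: a Microsoft account may already have enabled Device Encryption.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
"{0}: status={1} protection={2} method={3}" -f $OsDrive, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionMethod

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 3. Create the 48-digit recovery password FIRST, so a fallback exists before any
    #    sector is encrypted. Then add the TPM protector that unlocks the drive at boot.
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null

    # XTS-AES-256 for a fixed drive; -UsedSpaceOnly is fine on a new install and much faster.
    # Without -SkipHardwareTest, Windows performs a TPM/boot check on the next restart and
    # encryption begins after that reboot succeeds, which is the safer default.
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
}

# 4. Retrieve the recovery password protector so it can be recorded and escrowed.
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'

# The KeyProtectorId is what the pre-boot recovery screen displays; keep it with the key so
# you can tell which key belongs to which drive.
$rp | Select-Object KeyProtectorId, RecoveryPassword | Format-List

# Print a copy to removable media that is NOT the encrypted drive itself (path is an assumption).
$KeyFile = "E:\BitLocker-$($env:COMPUTERNAME)-$($OsDrive.TrimEnd(':')).txt"
"Computer: $env:COMPUTERNAME`nDrive: $OsDrive`nProtector ID: $($rp.KeyProtectorId)`nRecovery key: $($rp.RecoveryPassword)" |
    Out-File -FilePath $KeyFile -Encoding utf8

# Managed devices: escrow the same protector centrally instead of (or in addition to) the file.
# Domain-joined (needs the BitLocker recovery Group Policy and AD schema support):
#   Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
# Azure AD / Entra-joined:
#   BackupToAAD-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
```

Two points are worth checking afterwards. Run `Get-BitLockerVolume` again after the reboot and confirm that `ProtectionStatus` reports `On` and `VolumeStatus` reaches `FullyEncrypted`; a drive that sits at `EncryptionInProgress` with protection `Off` is not yet protected. And never store the printed key file on the drive it unlocks, since that defeats the purpose.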
Don't forget to encrypt portable storage devices. USB flash drives, MicroSD cards used as expansion storage, and portable hard drives are easily lost, but the data can be protected from prying eyes with BitLocker To Go, which unlocks the drive's contents with a password (or a smart card) rather than a TPM, so the drive can be opened on any Windows PC. For details, see "Protect removable storage devices with BitLocker encryption."
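BitLocker To Go from the command line, as an added example that is not part of the original article: it confirms the target really is a removable drive, encrypts it with a password protector plus a recovery password, then locks and unlocks it to prove the password flow works. The drive letter E: is an assumption.

```powershell
# Added example, not from the original article. Requires an elevated session and the
# BitLocker PowerShell module (Windows 11 Pro/Enterprise/Education). Drive letter is an assumption.
#Requires -RunAsAdministrator

$Removable = 'E:'

# Guard: refuse to run against a fixed disk by mistake.
$volInfo = Get-Volume -DriveLetter $Removable.TrimEnd(':')
if ($volInfo.DriveType -ne 'Removable') {
    throw "$Removable is a $($volInfo.DriveType) drive, not removable. Use the fixed-drive procedure instead."
}

# Prompt for the password without echoing it; Enable-BitLocker wants a SecureString.
$pw = Read-Host -AsSecureString -Prompt "Choose a strong password for $Removable"

# Aes256 (AES-CBC) rather than XtsAes256: XTS mode can't be read by Windows 7/8.1, and a
# removable drive is exactly the kind of thing that ends up plugged into an older machine.
Enable-BitLocker -MountPoint $Removable -EncryptionMethod Aes256 -UsedSpaceOnly `
                 -PasswordProtector -Password $pw

# A recovery password is the only way back in if the password is forgotten. Record it elsewhere.
$rp = Add-BitLockerKeyProtector -MountPoint $Removable -RecoveryPasswordProtector
($rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# Prove the unlock path works before trusting the drive with real data:
Lock-BitLocker   -MountPoint $Removable -ForceDismount
Unlock-BitLocker -MountPoint $Removable -Password $pw
(Get-BitLockerVolume -MountPoint $Removable) | Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus
```

Encryption continues in the background after `Enable-BitLocker` returns; wait for `VolumeStatus` to show `FullyEncrypted` before unplugging the drive, or the job resumes the next time it is inserted.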
Finally, make sure that crucial data files are backed up both to the cloud and to local storage (on an encrypted drive, naturally). This precaution can be invaluable if you suffer a disk crash, and it's also excellent protection against ransomware attacks, with one caveat: a sync folder that mirrors every change will faithfully upload the encrypted versions of your files after an attack, so rely on the service's version history, and keep at least one local copy that isn't permanently connected to the PC.
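A small local backup routine that enforces the "on an encrypted drive, naturally" rule, as an added example rather than anything from the original article: it refuses to copy unless the destination volume is BitLocker-protected and unlocked, and it writes each run into a new dated folder so a ransomware-scrambled run does not overwrite yesterday's good copy. The source and destination paths are assumptions.

```powershell
# Added example, not from the original article. Source and destination are assumptions.
# Uses robocopy, which ships with Windows, and the BitLocker module to vet the target.
#Requires -RunAsAdministrator

$Source      = Join-Path $env:USERPROFILE 'Documents'
$BackupRoot  = 'D:\Backups'           # assumed to be a BitLocker-encrypted data drive

function Test-EncryptedDestination {
    param([Parameter(Mandatory)][string]$Path)
    $drive = (Get-Item $Path -ErrorAction Stop).PSDrive.Root.TrimEnd('\')  # e.g. "D:"
    $vol   = Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop
    # "ProtectionStatus = On" means encryption is complete and protectors are active;
    # a drive still encrypting, or one that was suspended, reports Off and is rejected.
    return ($vol.ProtectionStatus -eq 'On' -and $vol.LockStatus -eq 'Unlocked')
}

if (-not (Test-Path $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }

if (-not (Test-EncryptedDestination -Path $BackupRoot)) {
    throw "Destination $BackupRoot is not on a fully protected, unlocked BitLocker volume. Refusing to back up plaintext."
}

# A fresh folder per run: previous snapshots survive even if today's source files are corrupt.
$Dest = Join-Path $BackupRoot ("Documents-{0:yyyy-MM-dd_HHmm}" -f (Get-Date))

# /E copies subfolders (including empty ones); /DCOPY:DAT keeps folder timestamps;
# /R:1 /W:1 avoid long stalls on locked files; /XJ skips junctions that would loop.
# Deliberately NOT /MIR: mirroring would delete backup files that vanished at the source.
robocopy $Source $Dest /E /DCOPY:DAT /R:1 /W:1 /XJ /NP /LOG+:"$BackupRoot\backup.log"

# robocopy exit codes below 8 mean success (possibly with extra or mismatched files); 8+ is failure.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported errors (exit code $LASTEXITCODE); see $BackupRoot\backup.log" }
"Backup written to $Dest"
```

Pair this with `Lock-BitLocker` on the destination drive, or simply unplug an external drive, once the copy finishes; a backup that stays mounted and writable is reachable by the same ransomware that hits the live files.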
If you're concerned about putting sensitive files in the cloud, encrypt the files using third-party software such as Boxcryptor, or consider a zero-knowledge service that has no access to your encryption keys, such as SpiderOak CrossClave.