To protect sensitive and personal information, you may encrypt files with data encryption software. BitLocker is disk encryption software that comes with the Pro and Enterprise editions of Windows 10/11. By default it uses the AES encryption algorithm in cipher block chaining (CBC) mode with a 256-bit key. 256-bit AES encryption is a strong encryption standard adopted by the US government.

Warning: It is important to note that once information is encrypted by any encryption software, it can only be opened with the CORRECT password. Losing the password means losing the information for good.

The following are the procedures for using BitLocker to protect sensitive data on an office PC or on a USB thumb drive:

  • Create a Virtual Hard Disk (VHD) file as a container
  • How to dismount a Virtual Hard Disk
  • How to mount a Virtual Hard Disk
  • Protecting sensitive data on a USB thumb drive using "BitLocker To Go"

  • Create a Virtual Hard Disk (VHD) file as a container

    BitLocker is a disk-based encryption tool, so it is recommended that you create a Virtual Hard Disk as a container for data protection.

    1. Create a new Virtual Hard Disk (VHD) file. Right-click the Start menu button and select Computer Management.
    2. Select Disk Management.
    3. Select Action -> Create VHD from the menu bar.
    4. Provide the file location and size for the VHDX file in the "Create and Attach Virtual Hard Disk" window, choose the option "Fixed size" and click "OK". (Note: The maximum size of a VHD file is 2,040 GB. If you are using Windows 10 or 11, you can choose VHDX, which supports up to 64 terabytes (TB) in size.)
    5. Initialize the new virtual drive. Click the new disk icon using the right mouse button and select Initialize Disk.
    6. Make sure the "GPT" partition style is selected. Then press "OK". When done, the disk status will become "online".
    7. Then create a partition on the virtual drive. Right-click the Unallocated space and select "New Simple Volume".
      • Press Next on the welcome screen.
      • Press Next for the Volume Size (it will use all available space by default).
      • Give the disk a volume label, use the default settings for the partition format and press Next.
      • Press Finish to start formatting the virtual disk.
    8. Now we need to encrypt the new virtual drive using BitLocker. Right-click the drive in Explorer and select "Turn on BitLocker...". (Warning: Please be careful to choose the Virtual Hard Disk for encryption rather than the physical disk.)
    9. Tick the option "Use a password to unlock the drive" and enter your password. Then press "Next".
    10. Choose a way to store the recovery key. Then press "Next".
      (Warning: It is important to note that once information is encrypted, it can only be opened with the CORRECT password. Losing the password and the recovery key means losing the information for good.)
    11. Check "Encrypt used disk space only (faster and best for new PCs and drives)".
    12. Check "New encryption mode (best for fixed drives on this device)".
    13. Press "Start Encrypting".
    14. Press "Close" when completed.
    15. Then you can store data on the new virtual drive encrypted by BitLocker.
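
The same container can be built from an elevated PowerShell prompt. The script below is an added example, not part of the original procedure; the container path, the 1 GB size and the volume label are assumed values, and it requests XTS-AES 256 explicitly and checks that the target is the virtual disk before encrypting.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed values (not from the page): path, size, volume label.
$vhdPath = 'C:\Secure\MyEncryptedDisk.vhdx'
$sizeMB  = 1024
$label   = 'Encrypted'

# Create a fixed-size VHDX with diskpart (works without the Hyper-V module).
New-Item -ItemType Directory -Force -Path (Split-Path $vhdPath) | Out-Null
$dpScript = Join-Path $env:TEMP 'create-vhdx.txt'
"create vdisk file=`"$vhdPath`" maximum=$sizeMB type=fixed" |
    Set-Content -Path $dpScript -Encoding ASCII
diskpart /s $dpScript | Out-Null
Remove-Item $dpScript
if (-not (Test-Path $vhdPath)) { throw "VHDX was not created: $vhdPath" }

# Attach the container, initialize it as GPT, create and format one partition.
$disk = Mount-DiskImage -ImagePath $vhdPath -PassThru | Get-DiskImage | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS `
    -NewFileSystemLabel $label | Out-Null
$mount = "$($part.DriveLetter):"

# Guard for the warning in the encryption step: refuse anything that is not
# the file-backed virtual disk, so a physical disk is never encrypted by mistake.
$target = Get-Partition -DriveLetter $part.DriveLetter | Get-Disk
if ($target.BusType -ne 'File Backed Virtual') {
    throw "Drive $mount is not on a virtual disk; aborting."
}

# Password protector, used space only. XTS-AES is the "new encryption mode";
# the 256-bit key length is requested explicitly here.
$pw = Read-Host -AsSecureString -Prompt 'BitLocker password'
Enable-BitLocker -MountPoint $mount -PasswordProtector -Password $pw `
    -UsedSpaceOnly -EncryptionMethod XtsAes256 | Out-Null

# Add a recovery password and display it once so it can be stored off the drive.
$vol = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword

# Verify: expect the requested method, a Password and a RecoveryPassword protector.
Get-BitLockerVolume -MountPoint $mount |
    Format-List MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus, KeyProtector

# Eject the container; to use it again, mount it and unlock the volume:
Dismount-DiskImage -ImagePath $vhdPath | Out-Null
# Mount-DiskImage -ImagePath $vhdPath; Unlock-BitLocker -MountPoint $mount -Password $pw
```

Record the recovery password somewhere other than the PC that holds the container, and compare the `EncryptionMethod` value in the output with what you requested.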


    How to dismount a Virtual Hard Disk

    For Windows 10/11:

    • To dismount the drive, right-click on the drive and choose "Eject".


    How to mount a Virtual Hard Disk

    For Windows 10/11:

    • To mount the drive again, right-click your VHD file and choose "Mount" from the menu bar.
    • Enter your password when prompted.
    • Click Open folder to view files.

    Note: Do NOT delete the VHD volume (i.e. the file "My Encrypted Disk" in this example). Otherwise, all the files stored in the container will also be deleted.



    Protecting sensitive data on a USB thumb drive using "BitLocker To Go"

    Basically, "BitLocker To Go" allows you to encrypt a USB drive and restrict access with a password. When you connect the USB drive to a Windows 7 computer, you are prompted for the password, and upon entering it you can read and write to the drive as you normally would.


    Setting up a USB drive:

    1. Once you insert a USB drive, right-click on it and select "Turn on BitLocker".
    2. "BitLocker To Go" will begin initializing your USB drive. (When BitLocker To Go initializes your USB drive, you don't have to worry about any data that is already on the drive.)
    3. Once the initialization process is complete, BitLocker To Go will prompt you to set up a password that you will use to unlock the drive.
    4. After you set up a password, BitLocker To Go will prompt you to store a recovery key. (You can use the recovery key to unlock your drive in the event that you forget the password.)
    5. To ensure that you don't lock yourself out of your drive, BitLocker To Go will create a recovery key.
    6. When the encryption is complete, you'll notice that the drive icon shows a lock on the drive.

    To access the USB thumb drive using another PC:

    Using a BitLocker To Go encrypted drive:
    1. When you insert the BitLocker To Go encrypted drive into a Windows 10/11 system, you will be prompted to enter the password. (If you wish, you can click the "Eye" button so that you can see the letters.)
    2. Then press "Unlock".