Your Hard Drive May Be Encrypted…

AND YOU MIGHT NOT EVEN KNOW IT.

No, this isn’t a warning about the latest virus, ransomware, or hacker-related misery (unless you’re one of those Mac or Linux fanatics who views Microsoft as pure evil). It’s about a feature built into your computer and Windows that you probably didn’t know about, want or ask for, and was provided to help protect you from those very things, but has the potential to cause data loss itself.

I’m writing this while waiting for a client’s ailing hard drive to decrypt so that I can make a full image backup of it and use that to move the system onto a new solid state drive. I hope the drive doesn’t fail in the process, and I’ve already backed up the data files separately in case it does. But how did this happen? The client was unaware that their drive was encrypted, and their computer runs Windows 10 Home. Most people assume Windows 10 Home doesn’t support drive encryption thanks to Microsoft’s minimal and misleading information on the subject, which mostly contains reminders that BitLocker is not supported on Windows 10 Home! So, how did this situation come about?

I’ll try to keep this post from getting too long and complicated by simply saying that all flavors of Windows have supported drive encryption – generally referred to as “device encryption” – since Windows 7. However, until recently, computers didn’t have the hardware support to make it easy to implement and enable at the operating system level. That has changed over the last few years, and now nearly all mass-produced personal computers sold in the United States implement technologies such as Unified Extensible Firmware Interface (UEFI), Secure Boot and some form of Trusted Platform Module (TPM). When Windows 8.1 or later is installed on a computer that has those features present and turned on, it automatically installs with device encryption enabled, but not fully activated. The problem is that the installation does not tell you at any point that it is doing this, nor does it tell you how – or even that it is necessary – to take action in order to obtain your encryption key. What I find outrageous about this is that if you don’t take action to obtain your encryption key, Windows encrypts your drive *anyway*, just with a generic key. Look in any Windows support forum, and you’ll find plenty of requests for help from people who had no idea that their hard drives were encrypted until something went wrong, and you’ll find plenty of solutions suggested. Sometimes, one of those solutions helps someone get his computer back into Windows, but in all too many cases, none work, Windows must be reinstalled from scratch, and the data is lost.

I’m not saying that any of these technologies – UEFI, Secure Boot, drive encryption, or Windows 10 – are bad. Quite the contrary, actually. It’s good to have hardware support for drive encryption, especially in laptops, which are often targeted by thieves while their users are traveling. It’s not hard at all to get data off of a computer, even if you don’t know the user’s password, but hardware-supported drive encryption prevents that. However, I am saying that Microsoft’s decision to turn this feature on by default, without informing the user and making sure he either turns it off or takes action to obtain and secure his encryption key, is irresponsible. It leads to users getting locked out of their computers when manufacturers’ driver updates or Windows updates fail to install properly, and, in cases like the laptop that prompted me to write this, the potential to increase repair costs or even lose data when a hard drive starts to malfunction.

Here is what you need to do to ensure that drive encryption doesn’t bite you:

1. First, find out if it’s turned on. If your computer runs Windows 7 or 8.0, you can stop right here, because unless you explicitly purchased and installed a drive encryption system, your hard drive is not encrypted. If your computer runs Windows 8.1, its hard drive is still probably not encrypted. If you have Windows 10, click your Start button, then click on Settings, and then click on Update & Security. Look at the list on the left side. If you don’t see “Device encryption” listed, then you’re done. If you do see it listed, click on it, and the left pane will then tell you if device encryption is disabled, enabled or if you need to take action to finish setting it up.

2. If Device Encryption is turned off, and you want to simply leave it that way, then you’re done. Similarly, if the screen reports simply that Device Encryption is turned on, then you can simply leave it that way, although you may want to log into your Microsoft Account to make sure you know how to get to your recovery key.

3. If the Device Encryption screen reports that “You need a Microsoft account to finish encrypting this device”, then you need to decide whether you want to turn encryption off or finish activating it. Clicking the “Turn off” button will decrypt your drive. Clicking the “Sign in with a Microsoft account instead” link will take you to a screen where you can switch from logging in with a local account to logging in with a Microsoft account, after which you should return to the Device Encryption screen and finish setting up Device Encryption.

If you choose to use Device Encryption, then I strongly advise storing your encryption recovery key in your Microsoft Account, rather than relying on keeping it on a printout or a USB flash drive (the other two options). Anything kept on paper or flash drives is subject to being lost, damaged beyond recovery or stolen. You can misplace the credentials for your Microsoft Account, but you’re more likely to recover from that than you are to get back a recovery key that was stored on a lost, stolen or damaged flash drive or piece of paper.
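The same checks as steps 1 to 3, plus the recovery-key backup just discussed, carried out from the command line instead of the Settings app. This is an added example and not part of the original post; it assumes an elevated PowerShell prompt, that the system drive is C:, and (for the key export) a removable drive mounted as E:. The manage-bde.exe tool it relies on ships with Windows 10 Home as well as Pro, so it works even when the Settings page doesn’t show “Device encryption”.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt: Start -> type "powershell" -> right-click -> Run as administrator.
# Assumptions: the system drive is C:; E: is a removable drive used for the
# key export; manage-bde.exe is present (it ships with Windows 10 Home and Pro).

$Drive = 'C:'

# 1. The hardware prerequisites the post describes: a TPM and Secure Boot.
#    Confirm-SecureBootUEFI throws on machines that boot in legacy BIOS mode,
#    so it is wrapped in try/catch.
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot: not available (legacy BIOS boot or unsupported firmware)" }

# 2. Encryption state of the system drive. This is the command-line
#    equivalent of Settings > Update & Security > Device encryption.
$status = & manage-bde.exe -status $Drive
$status

# Pull out the two lines that matter. "Fully Encrypted" together with
# "Protection Off" is the state the post warns about: the drive is already
# encrypted, but with a clear key and no recovery key you could have saved.
$conversion = ($status | Select-String 'Conversion Status:').Line.Trim()
$protection = ($status | Select-String 'Protection Status:').Line.Trim()
"Summary: $conversion / $protection"

# 3. Which key protectors exist. A "Numerical Password" entry is the 48-digit
#    recovery key; if only a TPM protector is listed, no recovery key exists yet.
& manage-bde.exe -protectors -get $Drive

# To take the "Turn off" route from step 3 instead (decrypts the drive; this
# takes a long time and should not be interrupted), you would run:
#   manage-bde.exe -off C:

# 4. Keep a copy of the recovery password somewhere other than the encrypted
#    drive itself. Writing it to a removable drive is the "USB flash drive"
#    option from the post; the Microsoft account option is only offered
#    through the Settings page. The E: path is an assumption.
if ($protection -match 'Protection On') {
    $keyFile = 'E:\BitLocker-RecoveryKey-' + $env:COMPUTERNAME + '.txt'
    & manage-bde.exe -protectors -get $Drive -type RecoveryPassword | Out-File $keyFile
    "Recovery password written to $keyFile"
} else {
    "Protection is off: no recovery password to save yet. Finish setup in Settings first."
}
```

The script only reads state and writes a text file; it never changes the encryption status. If the summary line reports “Fully Encrypted” with “Protection Off”, that is exactly the silent-encryption situation the post describes, and it is the moment to choose between turning encryption off and finishing the setup so that a recovery key actually exists.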

Another consequence of using Windows 10 Device Encryption (or BitLocker, if you have Windows 10 Pro) is that it complicates data recovery efforts if Windows becomes completely unbootable or the encrypted drive starts to fail. Data recovery tools won’t work on an encrypted drive, and the drive can’t be decrypted if you can’t at least get into the Windows Recovery Environment. I’m always advising people to make regular backups anyway, but it’s absolutely critical to do so if your drive is encrypted.

As always, Lebowitz IT Services is available to assist you in protecting your precious data.