Windows BitLocker Encryption
ITS uses Windows native Bitlocker encryption with recovery key management through Sophos Central for Windows 10 Enterprise computers.
By encrypting the data on your computer, you are preventing someone from accessing your data without your password. Unencrypted computers can easily be accessed by removing the hard drive and attaching it to another computer. After the quick process of encrypting your hard drive through ITS, this is no longer a possiblity.
Index:
- Changes to your computer with Bitlocker
- Bitlocker Recovery
- Making a backup of your recovery key / Checking Bitlocker Status
Changes to your computer with Windows Bitlocker Encryption
Once Sophos Central has been installed and your computer has been encrypted with Bitlocker, you may notice a couple of minor visual changes.
New Sophos Central icon in your taskbar
New Hard Drive icon with lock in This PC/My Computer explorer window
BitLocker Recovery
If you power on your computer and you're presented with a screen similar to the one below, you need to follow the Bitlocker recovery process below.
Recovery via Bitlocker Recovery Key
If you're presented with a screen similar to the one above asking for a "recovery key". Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery key". A support technician will confirm your identity over the phone and provide you the Bitlocker recovery key so you can continue to log in to your computer.
Recovery via Bitlocker Challenge/Response
Some Windows computers support Bitlocker Challenge/Response so the recovery screen will instead ask for a USB drive to perform the recovery. To get to challenge response screen, restart the computer and during boot it will ask you to hit any key to enter Challenge/Response. You will then be shown a "Challenge" string of characters and a support technician can assist you providing a "Response" string of characters that will unlock your PC and allow you to log in normally.
Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery challenge/response". A technician will then contact you over the phone or schedule a visit to your computer. Follow the directions below right before you get in contact with a technician to access the Bitlocker Challenge/Response recovery screen.
Accessing Bitlocker Challenge/Response for Recovery
If your computer supports recovery via Bitlocker Challenge/Response then you will see some text on a black screen while your computer boots up.
"Press any key in 3 seconds to start C/R for Bitlocker Recovery.
"
If you are presented the blue screen above asking for a USB drive and Bitlocker recovery, then you need to restart and press any key during the presentation of the above message while your computer is starting to enter Bitlocker C/R. You will then be brought to the Bitlocker Challenge/Response recovery screen where you will read the "Challenge" code to a technician.
Making a Backup of your Recovery Key / Check the status of Bitlocker
If you are concerned about not having a backup of your recovery key you can make a copy for yourself. This process requires that you have the ability to be an admin on your computer. You will know if you are or not based on the options presented to you in the instructions below.
Security Warning: We recommend you store your recovery key in a password manager, do not leave it out in the open as it allows access to your data, and remember -- you should never give your recovery to anyone else (ITS will never ask for your recovery key).
Create Bitlocker Recovery Key Backup Process:
- Select the Windows start button
- Type "Manage Bitlocker"
- Select "Manage Bitlocker"
- Select "Back up your recovery key" from the Manage Bitlocker options (you won't see these options if you're not an admin)
- Select key export option:
- Save to USB flash drive: You can use this method temporarily but once you have your recovery key we recommend you transfer the key to a password manager. If you lose your key please contact ITS as we can cycle your encryption key.
- Save to a file: We do not recommend this option. You will not be able to save to the local encrypted system drive.
- Print the recovery key: With this method you can either print your recovery key to a printer or pdf to your local system hard drive. If you print to a physical printer do not leave your recovery key out in the open, be ready at the printer, transfer the key to a password manager, and securely shred your printed key. PDF - save key to desktop, transfer key to password manager, delete the pdf key, and empty your trash in Windows.
- If you ever go into Bitlocker Recovery and use this recovery key, the key will be swapped and you'll have to complete this process again for the new key. Once you login, after Bitlocker Recovery, you must suspend Bitlocker encryption from the same menu as above and restart once. This will assure your system will not lock up again in the immediate time period. If you have any questions, please contact help@ucsc.edu with subject "backup bitlocker recovery key".