BitLocker is that often-forgotten full-disk encryption (FDE) tool from Microsoft.
It basically gives you the ability to encrypt your entire hard drive (or any external device), and roam safely around the globe without fear.
The default setting is AES with a 128-bit key and Diffuser.
Most configuration is done using Local Group Policies. Some of those changes must be made BEFORE encrypting your disk…
So check out the options before encrypting everything!
To quickly check your current status (and which encryption type you’re using):
PS C:\Windows\system32> manage-bde -status
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OS Volume]

    Size:                 237,96 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100,0%
    Encryption Method:    AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
Sidenote on this subject
AES 256 isn’t safer than AES with a 128-bit key length.
Choose the encryption strength
BitLocker supports two levels of cipher strength for BitLocker: 128-bit and 256-bit. Both use the Advanced Encryption Standard (AES) to perform encryption. Longer encryption keys provide an enhanced level of security and are less likely to be successfully attacked by the use of brute-force methods. However, longer keys can cause slower encryption and decryption of data. On some computers, using longer keys might result in noticeable performance degradation. You can use Group Policy to change the length of the encryption key used by BitLocker.
In addition, BitLocker supports a Diffuser algorithm to help protect against ciphertext manipulation attacks, a class of attacks in which changes are made to the encrypted data in an attempt to discover patterns or weaknesses. By default, BitLocker uses AES encryption with 128-bit encryption keys and Diffuser. You can also select encryption without Diffuser by using Group Policy if your organization is Federal Information Processing Standard (FIPS) compliant.
It is recommended that most organizations use AES 128-bit with Diffuser. For organizations that are required to use 256-bit encryption, the AES 256-bit with Diffuser option can be enabled by using Group Policy. => howto
Sidenote on recovery key
Keep that key somewhere quickly accessible, especially with Windows 8…
On your phone, a hardcopy in your wallet, a tattoo on your arm…
When Windows 8 detects that something has gone wrong while booting, it will try to recover.
But it can’t recover without the partition unlocked. So you’ll need to enter the key.
When you cannot unlock it, and reboot again, it’s just going to try to recover again.
And you’re looping forever…
Damn Windows 8!
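The status check and the recovery-key advice above can be combined into one audit; this is an added example, not code from the original post. It uses Get-BitLockerVolume from the BitLocker module that ships with Windows 8 / Server 2012 and later; the function name Get-BitLockerFinding, the $ExpectedMethod parameter and the sample objects are hypothetical and constructed for illustration.

```powershell
# Added example: flag volumes that are unprotected, use an unexpected cipher,
# or have no recovery password to type in when Windows drops into recovery.
function Get-BitLockerFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Volume,
        # Assumption: the cipher your Group Policy is supposed to enforce.
        [string] $ExpectedMethod = 'Aes128'
    )
    process {
        $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $issues = @()
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off or suspended'
        }
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "volume status is $($Volume.VolumeStatus)"
        }
        if ("$($Volume.EncryptionMethod)" -ne $ExpectedMethod) {
            # The method is fixed when the volume is encrypted; changing it
            # means decrypting and re-encrypting under the new policy.
            $issues += "method is $($Volume.EncryptionMethod), expected $ExpectedMethod"
        }
        if ($protectors -notcontains 'RecoveryPassword') {
            # 'Numerical Password' in manage-bde output is this protector type.
            $issues += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Protectors = $protectors -join ', '
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample objects (not real machines) so this runs offline.
# C: mirrors the manage-bde output shown earlier; E: is a deliberately bad case.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        VolumeStatus = 'FullyEncrypted'; EncryptionMethod = 'Aes128'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'
        VolumeStatus = 'EncryptionInProgress'; EncryptionMethod = 'Aes256'
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Password' }) }
)
$sample | Get-BitLockerFinding | Format-List

# Live check (elevated prompt): Get-BitLockerVolume | Get-BitLockerFinding | Format-List
```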