Glossary
What is BitLocker — Windows disk encryption that protects data on a lost or stolen device
BitLocker is disk encryption built into Windows. With it on, a stolen PC or a removed drive stays unreadable without your credentials or recovery key. How it works, how to enable it, and the easiest pitfall — keeping the recovery key safe — explained defensively.
"I lost my laptop" or "it got stolen": is the data safe? That is the question BitLocker exists to answer. Here is how it works, how to turn it on, and the pitfall people hit most.
What it protects — and what it doesn't
Encryption isn't a cure-all. It protects data at rest, so know exactly where it helps and where something else has to do the job.
| Situation | Does BitLocker help? |
|---|---|
| Laptop lost or stolen while powered off or hibernated | Yes: the disk holds only ciphertext, unreadable without your credentials or the recovery key |
| Drive pulled and connected to another PC | Yes: the TPM that releases the key stayed behind in the original machine, so the drive on its own is useless |
| Laptop taken while asleep or sitting at the lock screen | Only partly: with TPM-only unlock the key is already in memory, so the Windows sign-in is what stands between a thief and your files. Use a startup PIN, and shut down or hibernate rather than sleep |
| Someone uses or looks at your already signed-in PC | No. That is the job of a strong login and auto-lock |
| Malware infection or phishing | No. Running software reads the disk exactly as you do; that needs separate defenses |
How it works (briefly)
The volume is encrypted with a key that is sealed to the TPM, the PC's security chip. At each boot the TPM measures the firmware, boot loader and boot configuration, and it releases the key only if those measurements match the ones recorded when BitLocker was turned on. On a healthy machine that happens silently and Windows starts as usual; a disk moved to another machine, or a tampered boot chain, fails the check and falls back to asking for the recovery key. Because TPM-only mode unlocks the drive before anyone signs in, requiring a PIN at startup is the step up: the drive then stays locked until you prove it is you.
The biggest pitfall: keeping the recovery key
With BitLocker, the real trouble is rarely "it gets broken" — it's locking yourself out.
Lose the recovery key and your own data never opens again
Clearing or replacing the TPM, a motherboard swap, a firmware update, or a change to the boot configuration can all make BitLocker ask for the 48-digit recovery key at startup. If you didn't save it, you, the rightful owner, are locked out of your data with no way back in. The rule: store it OUTSIDE the encrypted PC (your Microsoft or work account, a printout, a password manager, a USB stick in a drawer). Saving it only on the same PC is worthless, because a lockout is exactly the moment you can't read that disk.
How to enable it
Check your edition
Enable it and save the recovery key OUTSIDE the PC
For more strength, require a PIN
Use BitLocker To Go for external/USB drives
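The steps above, and the recovery-key escrow that the lockout section insists on, as one elevated PowerShell session. This is an added example, not code from the original page: it assumes Windows Pro/Enterprise/Education with the built-in BitLocker and TrustedPlatformModule modules, a working TPM, and that `$backupDir` and `$usb` are removable media, i.e. storage outside the PC being encrypted. The drive letters, the backup path and the registry values used to allow a startup PIN are all assumptions stated in the comments.

```powershell
# Added example (not from the original page): the enable steps as an elevated PowerShell
# session. Assumes Windows Pro/Enterprise/Education with the built-in BitLocker and
# TrustedPlatformModule modules, a working TPM, and that $backupDir and $usb point at
# removable media, i.e. storage OUTSIDE the PC being encrypted (all three are assumptions).
#Requires -RunAsAdministrator
$osVolume  = 'C:'
$backupDir = 'E:\bitlocker-keys'   # assumed: a USB stick or share, never the encrypted disk itself
$usb       = 'F:'                  # assumed: a second stick to protect with BitLocker To Go

# 1. Check edition and TPM. Windows Home reports an edition ID starting with 'Core'.
$edition = (Get-ComputerInfo -Property WindowsEditionId).WindowsEditionId
$tpm     = Get-Tpm
"Edition: $edition   TPM present: $($tpm.TpmPresent)   TPM ready: $($tpm.TpmReady)"
if ($edition -like 'Core*') { throw 'Windows Home: use Settings > Privacy & security > Device encryption instead.' }
if (-not $tpm.TpmReady)     { throw 'TPM not ready: enable it in firmware (or run Initialize-Tpm) first.' }

# 2. Create the 48-digit recovery password BEFORE encryption starts, then turn on the
#    TPM protector that unlocks the volume at boot. Each cmdlet call adds one protector.
if ((Get-BitLockerVolume -MountPoint $osVolume).VolumeStatus -eq 'FullyDecrypted') {
    Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $osVolume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
}

# 3. Put the recovery key OUTSIDE the PC: a text file on removable media, plus Entra ID and
#    AD DS escrow where the device is joined (those calls fail on a stand-alone PC, hence try).
$rp = (Get-BitLockerVolume -MountPoint $osVolume).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$keyFile = Join-Path $backupDir ('{0}-{1}.txt' -f $env:COMPUTERNAME, $osVolume.TrimEnd(':'))
"Computer: $env:COMPUTERNAME`nVolume: $osVolume`nProtector ID: $($rp.KeyProtectorId)`nRecovery key: $($rp.RecoveryPassword)" |
    Set-Content -Path $keyFile
try { BackupToAAD-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $rp.KeyProtectorId | Out-Null }
catch { "Entra ID backup skipped: $($_.Exception.Message)" }
try { Backup-BitLockerKeyProtector -MountPoint $osVolume -KeyProtectorId $rp.KeyProtectorId | Out-Null }
catch { "AD DS backup skipped: $($_.Exception.Message)" }

# 4. Require a PIN at startup. The TPM+PIN protector is refused until the policy
#    "Require additional authentication at startup" allows it; the values below are that
#    policy's registry backing store (1 = policy enabled, 2 = TPM+PIN allowed). Adding the
#    TPM+PIN protector replaces the TPM-only one, since a volume keeps a single TPM-based protector.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord
$pin = Read-Host -AsSecureString 'Startup PIN (6+ digits)'
Add-BitLockerKeyProtector -MountPoint $osVolume -TpmAndPinProtector -Pin $pin | Out-Null

# 5. BitLocker To Go for a USB stick: a password to unlock it plus its own recovery password.
#    Back that recovery password up exactly as in step 3.
$pw = Read-Host -AsSecureString "Password for $usb"
Add-BitLockerKeyProtector -MountPoint $usb -RecoveryPasswordProtector | Out-Null
Enable-BitLocker -MountPoint $usb -PasswordProtector -Password $pw | Out-Null

# 6. Verify. Once encryption completes, C: should show Protection On with two protectors,
#    TpmPin and RecoveryPassword; the stick should show Password and RecoveryPassword.
foreach ($mp in $osVolume, $usb) {
    $v = Get-BitLockerVolume -MountPoint $mp
    "$mp  $($v.VolumeStatus)  $($v.EncryptionPercentage)%  Protection: $($v.ProtectionStatus)"
    $v.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table -AutoSize
}
```

Step 6 is the check worth repeating after any hardware or firmware change: if the TPM protector is missing or ProtectionStatus is Off, the next boot will not unlock on its own. Before a planned firmware update or board swap, `Suspend-BitLocker -MountPoint C: -RebootCount 1` tells BitLocker to skip the TPM check for one reboot and re-arm itself afterwards, which avoids the recovery prompt entirely; and confirm the recovery key is readable from somewhere other than that PC before you start.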
This site's view: the 'floor' for any device that leaves the building
Disk encryption is the floor, the obvious baseline, for any device you take outside. A laptop is full of "leak-and-it-cascades" material: saved passwords, SSH keys, browser sessions, work files. Without encryption, a theft means the drive is pulled and all of it read. Turn on BitLocker (or FileVault on a Mac) and keep the recovery key outside the PC; those two steps shrink a loss or theft to "you only lost the hardware." But encryption is a "powered-off" defense: a machine asleep at the lock screen has its key in memory, so always pair it with a strong login, auto-lock, and the habit of shutting down or hibernating before you travel.
Read next
- On the go: Securing a laptop you carry around
- Inventory: Security inventory (auditing the PC that holds your keys)
- Storage: How to choose a password manager
FAQ
Q: What does BitLocker protect against?
Data at rest: the PC is powered off, or the drive has been physically removed. Steal the laptop, or pull just the disk, and without your credentials or recovery key the contents stay encrypted and unreadable. It does not protect a PC that is already signed in and in use, and it gives only partial cover to one that is merely asleep (that is where a strong login, auto-lock and a startup PIN come in).
Q: What's the one thing to be careful about?
Storing the recovery key (a 48-digit number). BitLocker ties the disk key to the machine's boot state, so clearing or replacing the TPM, swapping the motherboard or updating firmware can prompt for the recovery key. Lose it and you, the legitimate owner, are locked out of your own data. Keep it OUTSIDE the encrypted PC: your Microsoft or work account, a printout, a password manager, or another safe place that does not depend on that disk.
Q: Does Windows Home have it?
BitLocker proper is for Windows Pro/Enterprise/Education. Windows Home has a lighter 'Device encryption' that turns on automatically on supported hardware when you sign in with a Microsoft account, and it saves the recovery key to that account; same idea (encrypting data at rest), fewer options (no startup PIN, no BitLocker To Go). The macOS equivalent is FileVault.