BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Here’s how to set it up.
BitLocker是Windows内置的工具,可用于加密整个硬盘驱动器以增强安全性。 设置方法如下。
When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to using BitLocker or Veracrypt. BitLocker has been around in Windows long enough to be considered mature, and is an encryption product generally well-regarded by security pros. In this article, we’re going to talk about how you can set it up on your PC.
当TrueCrypt有争议的关闭商店时,他们建议用户从TrueCrypt过渡到使用BitLocker或Veracrypt 。 BitLocker在Windows中已经存在足够长的时间了,可以认为它已经成熟,并且是安全专业人员普遍认可的加密产品。 在本文中,我们将讨论如何在PC上进行设置。
Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a “Device Encryption” feature (a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who can’t use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption won’t work.
注意:BitLocker驱动器加密和BitLocker To Go需要Windows 8或10的专业版或企业版,或Windows 7的旗舰版。但是,从Windows 8.1开始,Windows的Home和Pro版本包括“设备加密”功能。 (Windows 10中也包含的功能)的工作原理类似。 如果您的计算机支持设备加密,则建议使用设备加密;对于不能使用设备加密的Pro用户,请使用BitLocker;对于使用无法使用设备加密的Windows Home版本的用户,建议使用VeraCrypt 。
加密整个驱动器还是创建加密的容器? (Encrypt an Entire Drive or Create an Encrypted Container?)
Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or Veracrypt. It’s a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.
那里的许多指南都谈到创建BitLocker容器,该容器的工作方式与可以使用TrueCrypt或Veracrypt之类的产品创建的加密容器一样。 这有点用词不当,但是您可以实现类似的效果。 BitLocker通过加密整个驱动器来工作。 可能是系统驱动器,其他物理驱动器或文件形式存在并安装在Windows中的虚拟硬盘(VHD)。
The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If you’d like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.
区别主要是语义上的。 在其他加密产品中,通常创建一个加密的容器,然后在需要使用时将其作为驱动器安装在Windows中。 使用BitLocker,您可以创建一个虚拟硬盘驱动器,然后对其进行加密。 如果您想使用容器而不是对现有系统或存储驱动器进行加密,请查阅我们的指南,以使用BitLocker创建加密的容器文件。
For this article, we’re going to concentrate on enabling BitLocker for an existing physical drive.
对于本文,我们将集中精力为现有物理驱动器启用BitLocker。
如何使用BitLocker加密驱动器 (How to Encrypt a Drive with BitLocker)
To use BitLocker for a drive, all you really have to do is enable it, choose an unlock method—password, PIN, and so on—and then set a few other options. Before we get into that, however, you should know that using BitLocker’s full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PC’s motherboard. This chip generates and store the encryption keys that BitLocker uses. If your PC doesn’t have a TPM, you can use Group Policy to enable using BitLocker without a TPM. It’s a bit less secure, but still more secure than not using encryption at all.
要将BitLocker用于驱动器,您真正要做的就是启用它,选择一种解锁方法(密码,PIN等),然后设置其他一些选项。 但是,在进行此讨论之前,您应该知道,在系统驱动器上使用BitLocker的全盘加密通常需要一台计算机,该计算机在您的PC主板上具有可信平台模块(TPM)。 该芯片生成并存储BitLocker使用的加密密钥。 如果您的PC没有TPM,则可以使用组策略来启用不带TPM的BitLocker 。 它的安全性较差,但比根本不使用加密的安全性更高。
You can encrypt a non-system drive or removable drive without TPM and without having to enable the Group Policy setting.
您可以在没有TPM且无需启用组策略设置的情况下加密非系统驱动器或可移动驱动器。
On that note, you should also know that there are two types of BitLocker drive encryption you can enable:
关于这一点,您还应该知道可以启用两种类型的BitLocker驱动器加密:
BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that encrypts an entire drive. When your PC boots, the Windows boot loader loads from the System Reserved partition, and the boot loader prompts you for your unlock method—for example, a password. BitLocker then decrypts the drive and loads Windows. The encryption is otherwise transparent—your files appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives than just the system drive.
BitLocker驱动器加密:有时也称为BitLocker,这是对整个驱动器进行加密的“全盘加密”功能。 当您的PC引导时,Windows引导加载程序将从System Reserved分区加载,并且引导加载程序提示您输入解锁方法(例如,密码)。 然后,BitLocker解密驱动器并加载Windows。 否则,加密是透明的-您的文件看起来像在未加密的系统上通常一样,但是以加密形式存储在磁盘上。 您还可以加密除系统驱动器以外的其他驱动器。
BitLocker To Go: You can encrypt external drives—such as USB flash drives and external hard drives—with BitLocker To Go. You’ll be prompted for your unlock method—for example, a password—when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.
BitLocker To Go :您可以使用BitLocker To Go加密外部驱动器,例如USB闪存驱动器和外部硬盘驱动器。 将驱动器连接到计算机时,系统会提示您输入解锁方法(例如,密码)。 如果某人没有解锁方法,则他们将无法访问驱动器上的文件。
In Windows 7 through 10, you really don’t have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface you’ll use to enable BitLocker doesn’t look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you’ll see the BitLocker to Go branding, so we figured you should at least know about it.
在Windows 7到10中,您实际上不必担心自己进行选择。 Windows处理幕后事务,用于启用BitLocker的界面看起来没有什么不同。 如果最终在Windows XP或Vista上解锁了加密的驱动器,则会看到BitLocker to Go商标,因此我们认为您至少应该了解这一点。
So, with that out of the way, let’s go over how this actually works.
因此,顺便说一句,让我们回顾一下它的实际工作原理。
第一步:为驱动器启用BitLocker (Step One: Enable BitLocker for a Drive)
The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the “Turn on BitLocker” command. If you don’t see this option on your context menu, then you likely don’t have a Pro or Enterprise edition of Windows and you’ll need to seek another encryption solution.
为驱动器启用BitLocker的最简单方法是在“文件资源管理器”窗口中右键单击该驱动器,然后选择“打开BitLocker”命令。 如果您在上下文菜单中没有看到此选项,则可能没有Windows的Pro或Enterprise版本,您将需要寻求其他加密解决方案。
It’s just that simple. The wizard that pops up walks you through selecting several options, which we’ve broken down into the sections that follow.
就这么简单。 弹出的向导将引导您选择几个选项,我们将其细分为以下各节。
第二步:选择一种解锁方法 (Step Two: Choose an Unlock Method)
The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.
您将在“ BitLocker驱动器加密”向导中看到的第一个屏幕让您选择如何解锁驱动器。 您可以选择几种不同的方式来解锁驱动器。
If you’re encrypting your system drive on a computer that doesn’t have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).
如果要在没有TPM的计算机上加密系统驱动器,则可以使用密码或用作密钥的USB驱动器来解锁驱动器。 选择解锁方法,然后按照该方法的说明进行操作(输入密码或插入USB驱动器)。
If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.
如果您的计算机确实有TPM,则将看到用于解锁系统驱动器的其他选项。 例如,您可以配置启动时自动解锁(您的计算机从TPM获取加密密钥并自动解密驱动器)。 您也可以使用PIN代替密码,甚至可以选择指纹等生物识别选项。
If you’re encrypting a non-system drive or removable drive, you’ll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).
如果您要加密非系统驱动器或可移动驱动器,则只会看到两个选项(是否有TPM)。 您可以使用密码或智能卡(或同时使用两者)解锁驱动器。
第三步:备份恢复密钥 (Step Three: Back Up Your Recovery Key)
BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main key—for example, if you forget your password or if the PC with TPM dies and you have to access the drive from another system.
BitLocker为您提供了一个恢复密钥,如果您丢失了主密钥,则可以使用该密钥来访问加密的文件,例如,如果您忘记了密码或具有TPM的PC死了,并且必须从另一个系统访问驱动器。
You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether you’re encrypting a system or non-system drive.
您可以将密钥保存到您的Microsoft帐户,USB驱动器,文件,甚至进行打印。 无论您要加密系统驱动器还是非系统驱动器,这些选项都是相同的。
If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safe—if someone gains access to it, they could decrypt your drive and bypass encryption.
如果将恢复密钥备份到您的Microsoft帐户,则可以稍后在https://onedrive.live.com/recoverykey上访问该密钥。 如果您使用其他恢复方法,请确保妥善保存此密钥-如果有人可以访问它,则他们可以解密您的驱动器并绕过加密。
You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When you’re done saving your recovery keys, click “Next” to move on.
您还可以根据需要以多种方式备份恢复密钥。 只需依次单击要使用的每个选项,然后按照说明进行操作。 保存完恢复密钥后,请单击“下一步”继续。
Note: If you’re encrypting a USB or other removable drive, you won’t have the option of saving your recovery key to a USB drive. You can use any of the other three options.
注意:如果您要加密USB或其他可移动驱动器,则无法选择将恢复密钥保存到USB驱动器。 您可以使用其他三个选项中的任何一个。
第四步:加密和解锁驱动器 (Step Four: Encrypt and Unlock the Drive)
BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire drive—including the free space—or just encrypt the used disk files to speed up the process. These options are also the same whether you’re encrypting a system or non-system drive.
添加新文件时,BitLocker会自动对其进行加密,但是您必须选择驱动器上当前文件的处理方式。 您可以加密整个驱动器(包括可用空间),也可以仅加密使用的磁盘文件以加快处理速度。 无论您要加密系统驱动器还是非系统驱动器,这些选项都相同。
If you’re setting up BitLocker on a new PC, encrypt the used disk space only—it’s much faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.
如果要在新PC上设置BitLocker,则仅加密使用的磁盘空间-速度要快得多。 如果您在已经使用了一段时间的PC上设置BitLocker,则应加密整个驱动器,以确保没有人可以恢复已删除的文件。
When you’ve made your selection, click the “Next” button.
做出选择后,单击“下一步”按钮。
第五步:选择加密模式(仅Windows 10) (Step Five: Choose an Encryption Mode (Windows 10 Only))
If you’re using Windows 10, you’ll see an additional screen letting you choose an encryption method. If you’re using Windows 7 or 8, skip ahead to the next step.
如果您使用的是Windows 10,则会看到一个额外的屏幕,供您选择加密方法。 如果您使用的是Windows 7或8,请跳到下一步。
Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive you’re encrypting is only going to be used on Windows 10 PCs, go ahead and choose the “New encryption mode” option. If you think you might need to use the drive with an older version of Windows at some point (especially important if it’s a removable drive), choose the “Compatible mode” option.
Windows 10引入了一种名为XTS-AES的新加密方法。 与Windows 7和8中使用的AES相比,它提供了增强的完整性和性能。如果您知道要加密的驱动器仅在Windows 10 PC上使用,请继续并选择“新加密模式”选项。 如果您认为某个时候可能需要将该驱动器与旧版本的Windows一起使用(如果是可移动驱动器,则尤其重要),请选择“兼容模式”选项。
Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the “Next” button when you’re done, and on the next screen, click the “Start Encrypting” button.
无论选择哪个选项(同样,系统驱动器和非系统驱动器都是相同的),请继续并在完成后单击“下一步”按钮,然后在下一个屏幕上单击“开始加密”按钮。
第六步:完成 (Step Six: Finishing Up)
The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data you’re encrypting, and whether you chose to encrypt free space.
加密过程可能需要几秒钟到几分钟甚至更长的时间,具体取决于驱动器的大小,要加密的数据量以及是否选择加密可用空间。
If you’re encrypting your system drive, you’ll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the “Continue” button, and then restart your PC when asked. After the PC boots back up for the first time, Windows encrypts the drive.
如果要加密系统驱动器,系统将提示您运行BitLocker系统检查并重新启动系统。 确保选择了该选项,单击“继续”按钮,然后在出现提示时重新启动PC。 PC首次启动后,Windows会加密驱动器。
If you’re encrypting a non-system or removable drive, Windows does not need to restart and encryption begins immediately.
如果您要加密非系统驱动器或可移动驱动器,则Windows不需要重新启动,加密会立即开始。
Whatever type of drive you’re encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encrypted—it will just perform more slowly.
无论您要加密哪种类型的驱动器,都可以检查系统托盘中的BitLocker驱动器加密图标以查看其进度,并且可以在加密驱动器的同时继续使用计算机-它的运行速度会更慢。
解锁驱动器 (Unlocking Your Drive)
If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you won’t notice anything different—you’ll just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).
如果您的系统驱动器是加密的,则对其进行解锁取决于您选择的方法(以及您的PC是否具有TPM)。 如果您确实有TPM并选择了自动解锁驱动器,则不会发现任何不同-您将像往常一样直接启动进入Windows。 如果您选择了另一种解锁方法,Windows会提示您解锁驱动器(通过输入密码,连接USB驱动器或其他方法)。
And if you’ve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.
并且,如果您丢失(或忘记了)解锁方法,请在提示屏幕上按Escape输入恢复密钥。
If you’ve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if it’s a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.
如果您已经加密了非系统驱动器或可移动驱动器,则在启动Windows后首次访问该驱动器时(或者如果它是可移动驱动器,则将其连接到PC上),Windows会提示您解锁该驱动器。 输入密码或插入智能卡,驱动器将解锁,以便您可以使用它。
In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).
在“文件资源管理器”中,加密的驱动器在图标(左侧)上显示金锁。 当您解锁驱动器时(右侧),该锁定将变为灰色并显示为未锁定。
You can manage a locked drive—change the password, turn off BitLocker, back up your recovery key, or perform other actions—from the BitLocker control panel window. Right-click any encrypted drive, and then select “Manage BitLocker” to go directly to that page.
您可以从BitLocker控制面板窗口中管理锁定的驱动器-更改密码,关闭BitLocker,备份恢复密钥或执行其他操作。 右键单击任何加密的驱动器,然后选择“管理BitLocker”以直接转到该页面。
Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data—for example, a laptop full of business documents—the enhanced security is well worth the performance trade-off.
与所有加密一样,BitLocker确实会增加一些开销。 微软官方的BitLocker常见问题解答说:“通常,它会带来百分之几的性能开销。” 如果加密对您很重要,因为您拥有敏感数据(例如,装有业务文档的笔记本电脑),那么增强的安全性就值得在性能上进行权衡。
翻译自: https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/
