What does BitLocker actually encrypt and when?

I need full disk encryption for business laptop computers running a current version of Windows 10 Pro. The computers have an NVMe SSD drive from Samsung and an Intel Core i5-8000 CPU.



From some web research today, there are currently only two options available: Microsoft BitLocker and VeraCrypt. I am fully aware of the state of open and closed source and the security implications that come with that.



After reading some information about BitLocker, which I had never used before, I have the impression that starting with Windows 10 BitLocker only encrypts newly written data on the disk but not everything that already exists, for performance reasons. (That documentation says I have a choice, but I don't. They didn't ask me what I want after activating it.) I have used TrueCrypt system encryption in the past and know that existing data encryption is a visible task that takes a few hours. I cannot observe such behaviour with BitLocker. No noticeable background CPU or disk activity.



Activating BitLocker is really easy. Click a button, save the recovery key somewhere safe, done. The same process with VeraCrypt made me abandon the idea. I needed to actually create a fully working recovery device, even for testing purposes on a throw-away system.



I've also read that VeraCrypt currently has a design flaw that makes some NVMe SSDs extremely slow with system encryption. I can't verify it because the setup is too complicated. At least after activating BitLocker, I can't see a significant change in disk performance. Also the VeraCrypt team has insufficient resources to fix that "complicated bug". Additionally, Windows 10 upgrades can't operate with VeraCrypt in place, which makes frequent full-disk de- and encryptions necessary. I hope BitLocker works better here.



So I'm almost settled on using BitLocker. But I need to understand what it does. Unfortunately, there is almost no information about it online. Most consists of blog posts that give an overview but no concise in-depth information. So I'm asking here.



After activating BitLocker on a single-drive system, what happens to existing data? What happens to new data? What does it mean to "suspend BitLocker"? (Not the same as permanently deactivating it and thereby decrypting all data on disk.) How can I check the encryption status or force the encryption of all existing data? (I don't mean unused space, I don't care about that, and it's required for SSDs, see TRIM.) Is there some more detailed data and actions about BitLocker other than "suspend" and "decrypt"?



And maybe on a side note, how does BitLocker relate to EFS (encrypted file system)? If only newly written files are encrypted, EFS seems to have a very similar effect. But I know how to operate EFS, it's much more understandable.
      windows-10 ssd encryption bitlocker
      asked 1 hour ago
      ygoe
1 Answer
          Activating BitLocker will start a background process which encrypts all existing data. (On HDDs this traditionally is a long process as it needs to read and rewrite every partition sector – on self-encrypting disks it can be instant.) So when it is said that only newly written data is encrypted, that refers to the state immediately after BitLocker activation and is no longer true once the background encryption task finishes. The status of this process can be seen in the same BitLocker control panel window, and paused if necessary.



          The Microsoft article needs to be read carefully: it actually talks about encrypting only used areas of the disk. They merely advertise this as having the biggest impact on fresh systems, where you don't have any data yet besides the base OS (and therefore all data will be "newly written"). That is, Windows 10 will encrypt all your existing files after activation – it simply won't waste time encrypting disk sectors which don't contain anything yet. (You can opt out of this optimization via Group Policy.)



          (The article also points out a downside: areas which previously held deleted files will also be skipped as "unused". So if encrypting a well-used system, do a free-space wipe using a tool, and then let Windows run TRIM if you have an SSD, all before activating BitLocker. Or use the Group Policy to disable this behavior.)



In the same article, too, there is a mention of recent Windows versions supporting self-encrypting SSDs using the OPAL standard. So the reason why you don't see any background I/O may be because the SSD was internally encrypted from day one, and BitLocker recognized this and only took over the SSD-level key management instead of duplicating the encryption effort at OS level. That is, the SSD no longer unlocks itself on power-on but requires Windows to do so. This can be disabled via Group Policy, if you prefer the OS to handle encryption regardless.



          Suspending BitLocker causes a plaintext copy of the 'master' key to be written directly to disk. (Usually this master key is first encrypted with your password or with a TPM.) While suspended, this allows the disk to be unlocked on its own – clearly an insecure state, but it allows Windows Update to reprogram the TPM to match the upgraded OS, for example. Resuming BitLocker simply wipes this plain key from disk.



          BitLocker is not related to EFS – the latter works at file level, associating keys to Windows user accounts (allowing fine-grained configuration but making it impossible to encrypt the OS's own files), while the former works at whole-disk level. They can be used together, although BitLocker mostly makes EFS redundant.
                edited 21 mins ago
                answered 53 mins ago
                grawity
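As an added example (not part of the answer above), a PowerShell session that checks the states the answer describes on the OS volume: background encryption progress, whether the SSD is doing hardware (OPAL) encryption, whether protectors are suspended, and how to force encryption of free space that a used-space-only pass skipped. It assumes an elevated PowerShell on the Windows 10 machine with the built-in BitLocker module; the registry value names under the FVE policy key are the ones the Group Policy templates write and are quoted from memory, so treat them as assumptions.

```powershell
# Example added here, not code from the original post. Run elevated on the
# Windows 10 Pro laptop itself; nothing below changes the volume except the
# two explicitly named functions at the bottom, which are not called.
$osDrive = $env:SystemDrive   # normally "C:"; assumption: single-drive system

function Get-BitLockerReport {
    param([string]$MountPoint = $osDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # VolumeStatus shows the background pass the answer describes:
    #   EncryptionInProgress / EncryptionPaused while it runs,
    #   FullyEncrypted once it has finished.
    # EncryptionMethod is "Hardware" when BitLocker only manages the key of a
    # self-encrypting (OPAL/eDrive) SSD instead of encrypting in software.
    # ProtectionStatus is Off while BitLocker is suspended: the volume master
    # key then sits on disk in the clear, even though the data stays encrypted.
    [pscustomobject]@{
        Drive                = $vol.MountPoint
        VolumeStatus         = $vol.VolumeStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        WipePercentage       = $vol.WipePercentage      # progress of a free-space wipe
        EncryptionMethod     = $vol.EncryptionMethod
        ProtectionStatus     = $vol.ProtectionStatus
        KeyProtectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
        Suspended            = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                $vol.ProtectionStatus -eq 'Off')
    }
}

function Get-BitLockerPolicy {
    # Reads the two Group Policy settings the answer mentions, if configured:
    #   "Enforce drive encryption type on operating system drives"
    #       -> OSEncryptionType (1 = full encryption, 2 = used space only)
    #   "Configure use of hardware-based encryption for operating system drives"
    #       -> OSHardwareEncryption (0 = force software encryption)
    # Value names are assumptions taken from the BitLocker ADMX template.
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        OSEncryptionType     = $p.OSEncryptionType       # $null = not configured
        OSHardwareEncryption = $p.OSHardwareEncryption   # $null = not configured
    }
}

# 1. Report. A FullyEncrypted volume with ProtectionStatus Off means
#    "suspended", which is what Windows Update uses to survive a TPM reseal.
$report = Get-BitLockerReport
$report | Format-List
if ($report.Suspended) {
    Write-Warning "$osDrive is encrypted but protection is suspended; resume it once the update or firmware change is complete."
}
Get-BitLockerPolicy | Format-List

# 2. manage-bde adds the line the module does not expose directly:
#    "Conversion Status: Used Space Only Encrypted" vs "Fully Encrypted".
manage-bde -status $osDrive

# 3. Forcing encryption of what a used-space-only pass skipped. This wipes and
#    thereby encrypts the free space, so sectors that still hold remnants of
#    deleted plaintext files are covered; progress shows up in WipePercentage.
#    Not called here, because it is a long, disk-intensive operation.
function Invoke-FreeSpaceEncryption { manage-bde -WipeFreeSpace $osDrive }

# 4. Suspend/resume as a controlled pair. RebootCount 1 makes Windows resume
#    protection automatically after the next boot, limiting the window in
#    which the clear master key is on disk. Not called here.
function Invoke-TemporarySuspend {
    Suspend-BitLocker -MountPoint $osDrive -RebootCount 1
    # ... perform the firmware/TPM-affecting change, then:
    Resume-BitLocker -MountPoint $osDrive
}
```

On an SSD that BitLocker took over as hardware-encrypted, `EncryptionMethod` reports `Hardware` and there is no used-space distinction to wipe, which matches the "no background I/O" observation in the question.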