David Huerta

Senior Digital Security Trainer

Last updated

This piece is a part of a series of guides about encryption for media makers; take a look at the full collection. We recommend you review our introduction to encryption piece for pro-tips and a technical glossary before proceeding with the step-by-step instructions below.

Bitlocker To Go not the tool you're looking for? We have guides for VeraCrypt and Disk Utility, too.

Table of Contents

What is BitLocker To Go? How can I use it?

BitLocker To Go is part of the larger BitLocker suite of encryption tools, available in Windows 10 Pro, Enterprise, and Education as well as Windows 8 Pro and Enterprise. It is not available on Windows 10 home edition, which is unfortunately the version most Windows computers ship with. However, it is possible to pay for an upgrade to a version that does support it, like Windows 10 Pro. Although BitLocker itself can be used for encrypting your computer's entire hard drive, you can also use the BitLocker To Go feature to encrypt separate external drives with a strong passphrase, which we’ll cover in this guide.

So you want to protect the data on your external hard drive, and other storage devices…

Let’s imagine that we are starting work on a feature-length documentary film. We will be capturing footage for the next couple of years for the project. Some of this footage contains first person interviews with sensitive sources. We want to take extreme care to make multiple copies, or backups, of this integral footage. Likewise, we want to protect our source with added technical safeguards placed on the backup hard drives.

Your solution? Creating encrypted external storage for medium to long-term storage

During every stage of a film project, there remains unused footage, cuts, and other material that requires safekeeping. For some film teams, the risk of confiscation of storage devices is extremely likely while shooting in the field. When we encrypt storage media, we are protecting the data it will hold, erecting barriers that make it difficult and costly for unwanted third parties to access.

Note: BitLocker To Go does not feature the ability to create encrypted file containers for protecting files stored in cloud services. We recommend checking out our guide on VeraCrypt to learn how to do that.

Encrypting external storage devices with BitLocker To Go

Step-by-step workflow:

Encrypting an external drive with Bitlocker To Go requires a one-time process to convert a regular drive into an encrypted one. To begin that process:

Navigate to BitLocker Drive Encryption: Windows System > Control Panel > System and Security > BitLocker Drive Encryption or just search for “Manage Bitlocker” in Windows Settings.

Plug in a USB drive you’d like to use to store encrypted footage on. Similar to BitLocker’s full-disk encryption feature, BitLocker To Go will keep and automatically encrypt existing files on the drive without the need to start from a blank drive. In this example, we’ll be using a 32GB Micro Center USB drive, but other USB drives of all shapes and sizes will work too.

Note: If Windows is having trouble recognizing the drive you plugged in or doesn’t recognize the drive’s full capacity, it may not be formatted in a way that Windows can use. If that’s the case, format the drive with a file format Windows can read (such as NTFS) before continuing. Formatting a drive will permanently delete any files it contains, so make sure to copy out any file you want to keep, then copy those files back in once the drive is formatted.

Additional note: Even after being freshly formatted, Windows may still have trouble using your external drive, and may ask you to repair it first. If prompted, go ahead and run the repair process. Normally, this doesn’t delete existing files on the external drive, but just in case, it may be worth copying those files out, then copying them back in once the repair process finishes.

In the BitLocker Drive Encryption window you’ll find a “Removable Drives - BitLocker To Go” section which should list all connected external drives. Find the one you want to encrypt and click on it.

After clicking on the drive you want to encrypt, click “Turn on BitLocker.”

BitLocker offers different options for securing your encrypted drive. You can use a password, or you can use a supported smartcard, which will let you use a physical security key you plug in to your computer’s USB port (with an additional PIN you have to memorize) to unlock your external drive.

For this guide, we’ll be using a password for securing this external drive. As with any password, we recommend making it long, unique (not used for anything else) and random. Check our guide on choosing strong passwords or let a password manager do the heavy lifting for you.

Check “Use a password to unlock the drive,” type in the password you want to use, then click “Next.”

BitLocker To Go requires at least one recovery option in case you forget your password. This is a special decryption key that’s unique to the drive you're encrypting. Each option has its own unique caveats to consider:

  • Save to your Microsoft account: Only choose this if you are not worried about a court order or other legal mechanism compelling Microsoft to unlock your drive and access your footage. Barring this concern, this approach has the advantage of safeguarding your recovery key from being taken by anyone with physical access to your recovery file or paper recovery key printout.
  • Save to a file: Saving your recovery key gives you the ability to save the recovery key in a text file on your computer — if your computer is reasonably protected from malware and preferably also has its internal drive protected with full disk encryption, which can also be done with BitLocker. Keep in mind, however, not to save the file someplace a cloud service like Microsoft’s OneDrive or Dropbox would sync it to the cloud.
  • Print the recovery key: Printing your recovery key on paper simplifies the protection of your recovery key to protecting a piece of unhackable technology: paper. That being said, papers get lost and damaged, so consider investing in a safe to keep sensitive physical documents in. For this guide, we’ll be going with this option.

Click “Print the recovery key”, use the Print dialog to send it to your printer, then click Next.

Next, you’ll be prompted to choose whether to encrypt just currently used space on your drive, or opt to encrypt the entire drive. The latter is a much slower process, potentially taking a few hours depending on the size of the drive. However, we recommend it since unused space may still have bits of files that were previously on the drive which can be extracted out through forensics software in the event your external drive is lost or seized.

Select “Encrypt entire drive” then click Next.

BitLocker To Go offers two encryption modes: “New” or “Compatible.”

The new mode offers a somewhat more secure mode for encryption, however, it only works with Windows 10 computers that include the Windows update that enables the new mode. If your team can afford to have their computers upgraded to use the latest Windows 10, it’s a good option.

The compatible mode does not include some of the extra protection as the new mode, but will allow you to use your encrypted drive on older versions of Windows that support BitLocker To Go, such as Windows 8. This makes it easy to have encrypted drives shared across different computers with a mix of Windows versions, so we’ll be choosing this option in this guide.

Select “Compatible” then click “Next.”

We have one final step before encryption begins. We need to make sure we’re ready to start a process that could take anywhere from several minutes to a few hours. Because this process can be time- and power-intensive, we recommend anyone doing this on a laptop plug it into a power source before continuing.

Click “Start encrypting” to begin the process of encrypting your external drive.

While the drive is being encrypted, it’s safe to use your computer to do other things, like checking email and streaming movies, so long as the drive is still plugged in.

If you plan on stepping away from your computer and need to close its lid (if it’s a laptop), or remove the drive to continue the encryption process elsewhere, be sure to click “Pause” before doing so, then once you’re ready to continue, plug the drive back in, unlock it with the password you set, and let it continue.

Once the drive is done encrypting, you can click “Close.”

After that final step, your new encrypted drive is ready to go! Just as you would with any external drive, eject it in Windows before physically unplugging it.

Accessing files on your encrypted drive

Once your drive has been encrypted, it’s ready to be accessed with your password. After plugging it in, you may see a “Location is not available” error.

This is due to Windows, a product of Microsoft, trying to use an external drive as a regular, unencrypted drive instead of treating it as a drive encrypted by BitLocker To Go, a product of Microsoft.

At the same time this superfluous error is showing up at the center of the screen directly in front of you, a prompt to unlock the drive will quietly appear in a corner of your screen. Type in the password you set up earlier and you should now be able to access the drive’s files.

Note: If the unlock drive prompt disappears before you get a chance to type in your password, you can bring it back by opening a File Explorer window and clicking on the “USB Drive” entry with a locked drive icon.

What if I forget my encrypted drive’s password?

A password manager will help you make sure you can safely look up sensitive passwords, like the one for your encrypted drive, without having to remember them. However, if you don’t use a password manager or forgot your password, you’ll need to find the recovery key you made for the drive when you set it up. Where it is depends on how you stored it, but this guide assumes you printed it. First, find the piece of paper containing the recovery key.

Once you find it, select your encrypted drive in any Explorer window. The prompt to unlock it will appear.

Click “More options.”

Click “Enter recovery key.”

Before entering the 48-digit recovery key, check to make sure the 8-character “Key ID” in the prompt matches the one on your paper copy. Although it’s not explained in the prompt, the “Key ID” is the first 8 characters of the 32-character “Identifier” code in the printout. If these numbers do not match, this printout might have been for a different encrypted drive, and you may need to keep looking for the correct one.

Enter the key and click “Unlock” to access the drive.

Once the drive is unlocked, right-click on the drive in the navigation bar of an Explorer window, and click on “Change BitLocker password.”

Since we’re resetting a forgotten or lost password, we won’t set up a new password in this prompt, but instead will choose the “Reset a forgotten password” option.

Click “Reset a forgotten password.”

You can ignore Microsoft’s 90s-era advice on passwords — which makes no mention of length, uniqueness, or randomness — and instead opt for a password created and stored by a password manager, or a long, unique and random passphrase. Next time you connect your encrypted drive, you’ll be able to unlock your drive with your new passphrase.

Although passwords for BitLocker To Go entail a lot of management to securely create and store, it can be done with the right strategies — including some where smartcards obviate the need for passwords altogether! If this is something your newsroom would like guidance on, contact our training team to learn more about how we can help.

Donate to support press freedom

Your support is more important than ever.