BitLocker Overview

BitLocker is a Windows Vista security feature that encrypts an entire hard disk (technically, a volume) to protect your data if someone steals your computer. Unfortunately, in the event of disk corruption, it can make your computer more difficult to fix and might prevent you from recovering your data, so it’s really important to do nightly backups if you enable BitLocker. Because of this, it’s not right for most people; you only need it if the privacy of your data is really important.

Only the following editions of Windows Vista support BitLocker:

  • Enterprise Edition
  • Ultimate Edition

If you have a Home or Starter edition, you can’t use it (but you probably don’t want it).

When you start your computer, BitLocker needs to verify your computer’s integrity (to make sure the hard disk hasn’t been removed and put into a different computer) and, optionally, your identity (to make sure someone hasn’t stolen your computer). You have the following startup security options:

  • TPM Only. Verifies that the hard disk is in your computer and that your system files are intact. This requires that your computer has a TPM chip, which is primarily offered on newer computers.
  • PIN. At startup, BitLocker prompts you to enter a PIN to identify yourself before Windows starts. This also requires that your computer has a TPM chip.
  • USB key. At startup, BitLocker prompts you to insert a USB flash drive that you have stored a secret key on. Windows won’t start unless you insert the USB key, so if someone steals your computer but not your USB key, they can’t get to your files. Of course, if you lose your USB key, you’re out of luck, too, so you’d better keep a backup. Try keeping the USB key on your keychain so you won’t lose it and a thief isn’t likely to steal both your computer and the USB key. This is the only option available if your computer doesn’t have a TPM.

Follow these steps to get started with BitLocker:

1. Click Start, and then click Control Panel.

2. Click Security.

3. Then, under BitLocker Drive Encryption, click Protect your computer by encrypting data on your disk.

This opens the BitLocker Drive Encryption window. Odds are, you’ll see a couple of different warnings saying you’re not ready to use BitLocker. Don’t freak, we can work around these.

If you see “The drive configuration is unsuitable for BitLocker Drive Encryption. To use BitLocker, please re-partition your hard drive according to the BitLocker requirements.”, it means you need two partitions (a partition is a smaller section of your hard disk). BitLocker needs a small, 1.5GB “active” partition to store the Windows Boot Manager, which basically decrypts your BitLocker-protected partition so Windows can start. If this isn’t making sense, don’t sweat it: it’s not too late to configure your disk partitions for BitLocker.

If you see “A TPM was not found. A TPM is required to turn on BitLocker. If your computer has a TPM, then contact the computer manufacturer for BitLocker-compatible BIOS”, it means that either your computer doesn’t have a TPM or it’s not set up. First, check your computer manufacturer’s website for a BIOS update (that’s a good thing anyway). Then, restart your computer and enter the BIOS setup: TPMs are often disabled by default, and you might need to turn it on (I did for my Dell D820). If you don’t see anything about a TPM in your BIOS, you probably don’t have one. Good news: the message lies, a TPM is not required to turn on BitLocker. Read these instructions to enable BitLocker without a TPM.

If you see “Turn on BitLocker”, your computer is set up properly. Click that to get started, and initialize your TPM if needed. Then, follow these steps:

1. On the Set BitLocker Startup Preferences dialog, select your authentication choice.

2. If you chose to use a USB key, the Save Your Startup Key dialog appears. Select the startup key and then click Save.

3. On the Save The Recovery Password page, choose the destination to save your recovery password. BitLocker saves it as a small text file containing brief instructions, a drive label and password ID, and the 48-digit recovery password. The choices are a USB drive, a local or remote folder, or to print the password. You can repeat this step to save to multiple locations. Keep the recovery passwords safe: anyone with access to the recovery password can bypass BitLocker security. Click Next.

4. On the Encrypt The Volume page, select the Run BitLocker System Check checkbox, and then click Continue. Click Restart Now; after the restart, BitLocker checks that the computer is fully compatible and ready to be encrypted.

5. BitLocker displays a special screen confirming that the key material was loaded. Now that this has been confirmed, BitLocker will begin encrypting the C: drive after Windows Vista starts and BitLocker will be enabled. You can use your computer while BitLocker encrypts your drive.
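The recovery password saved in step 3 has a fixed structure: 48 digits in eight groups of six, each group a 16-bit value multiplied by 11. The following added example (not code from the original post) pulls the password out of a saved recovery file and checks that it is well-formed, so a typo in a printed or hand-copied backup is caught before the day you actually need it; the file text, drive label and password ID are constructed samples.

```python
import re
from typing import List

# A BitLocker recovery password is 48 digits in 8 groups of 6. Each group is a
# 16-bit value multiplied by 11, so it must be divisible by 11 and below 65536 * 11.
GROUP_LIMIT = 65536 * 11  # 720896
PASSWORD_RE = re.compile(r"\b\d{6}(?:-\d{6}){7}\b")


def find_recovery_password(file_text: str) -> str:
    """Pull the dashed 48-digit password out of a saved recovery text file."""
    match = PASSWORD_RE.search(file_text)
    return match.group(0) if match else ""


def check_recovery_password(password: str) -> List[str]:
    """Return a list of problems; an empty list means the password is well-formed."""
    digits = re.sub(r"[\s-]", "", password)  # tolerate dashes/spaces from the saved file
    if not digits.isdigit() or len(digits) != 48:
        return ["expected 48 digits, got %d characters after removing separators" % len(digits)]
    problems = []
    for index in range(8):
        group = digits[index * 6:(index + 1) * 6]
        value = int(group)
        if value % 11 != 0:
            problems.append("group %d (%s) fails the mod-11 check" % (index + 1, group))
        elif value >= GROUP_LIMIT:
            problems.append("group %d (%s) is too large to encode a 16-bit value" % (index + 1, group))
    return problems


# Constructed sample of a saved recovery file (not real key material): the groups
# were built as 16-bit values times 11, so the check passes.
SAMPLE_FILE = """BitLocker Drive Encryption Recovery Password
Drive label: MYPC C: 01/01/2007
Password ID: <placeholder-id>
Recovery Password:
000011-135795-720885-000000-008547-000462-045056-109989
"""

if __name__ == "__main__":
    password = find_recovery_password(SAMPLE_FILE)
    print("found:", password, "problems:", check_recovery_password(password))
    # A single mistyped digit breaks divisibility by 11, so it is reported:
    print(check_recovery_password(password.replace("135795", "135796")))
```

Because 10^k is congruent to +1 or -1 modulo 11, any single mistyped digit changes a group by a value that is not a multiple of 11, so the mod-11 check catches every one-digit transcription error.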

5 Responses to “BitLocker Overview”

  1. jim says:

    hey dumbass… business edition does NOT contain bitlocker. only enterprise and ultimate

  2. Tony says:

    My bad. I removed the reference to Business Edition.

  3. fer says:

    LOL…. freaking hilarious