How to encrypt your Windows laptop

Check for Encryption Software

Windows computers (laptops and desktops) are most commonly encrypted with BitLocker (the encryption software built into Windows), Check Point Endpoint Security (third-party encryption software from Check Point) or PGP Desktop (third-party encryption software from Symantec).

First, check which application is on your device by clicking on the Start Menu in the bottom-left corner of your screen, and searching for the application names.

Once you have located the application, follow the steps in the appropriate document (pdf) below to find out if your computer is encrypted:

Already encrypted? Skip to Step 5, Register your Device.
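The check above can also be done from a prompt. The following script is an added example and is not part of the UCLA guidance: it looks for Check Point Endpoint Security and PGP Desktop in the registry's uninstall entries and reads the BitLocker state of the Windows volume from manage-bde.exe. It assumes an elevated Windows PowerShell prompt on an English-language Windows 7/8/10 system, that the Windows volume is C:, and that manage-bde.exe (shipped with BitLocker-capable editions) is on the PATH; the product name patterns are the ones named on this page.

```powershell
# Added example, not part of the UCLA guidance. Run from an elevated
# Windows PowerShell prompt. Assumes an English-language Windows install
# (manage-bde output is parsed by its English field names) and that the
# Windows volume is C:.

function Get-InstalledEncryptionSoftware {
    # Uninstall entries for 64-bit and 32-bit applications.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Product names as listed on this page.
    $products = @('Check Point Endpoint Security', 'PGP Desktop')
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($products | Where-Object { $name -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Get-BitLockerProtectionState {
    param([string]$MountPoint = 'C:')
    if (-not (Get-Command manage-bde.exe -ErrorAction SilentlyContinue)) {
        # Home editions do not ship manage-bde: BitLocker is not available.
        return [pscustomobject]@{ MountPoint = $MountPoint; Available = $false; Encrypted = $false }
    }
    $output = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for ${MountPoint}: $output" }

    # Pull the interesting fields out of lines such as
    #   "    Protection Status:    Protection On"
    $state = [ordered]@{ MountPoint = $MountPoint; Available = $true }
    foreach ($field in 'Conversion Status', 'Percentage Encrypted', 'Encryption Method', 'Protection Status') {
        $key = $field -replace ' ', ''
        $state[$key] = if ($output -match "(?m)^\s*$field\s*:\s*(.+?)\s*$") { $Matches[1] } else { $null }
    }
    # Only "Protection On" counts: a volume can be fully encrypted yet have
    # protection suspended, in which case the key sits on the disk in the clear.
    $state['Encrypted'] = ($state['ProtectionStatus'] -eq 'Protection On')
    [pscustomobject]$state
}

$thirdParty = @(Get-InstalledEncryptionSoftware)
if ($thirdParty.Count -gt 0) {
    "Third-party encryption software found:"
    $thirdParty | Format-Table -AutoSize
} else {
    "No Check Point Endpoint Security or PGP Desktop installation found."
}

$bl = Get-BitLockerProtectionState -MountPoint 'C:'
$bl | Format-List
if ($bl.Encrypted) { "C: is protected by BitLocker." } else { "C: is NOT protected by BitLocker." }
```

If a third-party product is reported, its own console (not manage-bde) is the authority on whether the disk is encrypted; the BitLocker check only tells you what Windows itself is doing with the volume.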

IT Security Requirements

To use your personal device for University business, it must meet all requirements and standards of both the University and the UCLA Health Sciences. Devices must meet five major requirements to be acceptable for University business usage (not comprehensive).

Note: Please read all UCLA Health Sciences policies to ensure your device meets all the requirements.

Before Encryption

Before attempting to encrypt your computer, please read and follow these best practices to prepare for encryption.

Device Requirements

  1. Administrative rights
    • You must have administrative rights to your computer (using an administrative account) to initiate encryption.
  2. AC power adapter
    • Your computer must be on AC power (plugged into a wall outlet) during encryption.
  3. Active network connection
    • Your computer must have an active network (Internet) connection to store recovery keys.
  4. Supported Operating System and Hardware
    • Operating System: Windows 7 Enterprise/Ultimate, Windows 8/8.1 Professional/Enterprise, or Windows 10 Professional/Enterprise.
    • Hardware: The Trusted Platform Module (TPM) version 1.2 or higher must be installed and enabled (turned on).

Device Preparation

  1. Back up files
    • Back up your files before encrypting your computer. Files may be lost or damaged if encryption fails.
  2. Check hard drive
    • Check your disk for errors and repair any that are found, so that the drive is healthy enough for encryption.
  3. Update software/applications
  4. Clean up viruses and malware
    • Scan your computer with anti-virus/anti-malware software and clean up any threats. Sophos Anti-Virus is recommended.
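Most of the device requirements and one of the preparation steps can be verified in a single pass before you touch the BIOS. The script below is an added example and is not part of the UCLA guidance. It checks administrative rights, AC power, a usable network connection, the Windows version and edition, and TPM presence, version, enabled and activated state, and reads the file-system dirty bit as a quick stand-in for the chkdsk run the page asks for. It assumes Windows PowerShell (the Get-WmiObject cmdlets are not in PowerShell 7), an elevated prompt (the Win32_Tpm class is only readable by administrators), and that the Windows volume is C:.

```powershell
# Added example, not part of the UCLA guidance. Run elevated in Windows
# PowerShell on Windows 7/8/8.1/10. Assumes the Windows volume is C:.

function Test-BitLockerReadiness {
    param([string]$OsDrive = 'C:')
    $r = [ordered]@{}

    # 1. Administrative rights (also required for the TPM query below).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $r.Administrator = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. AC power. Desktops without a battery also report Online.
    Add-Type -AssemblyName System.Windows.Forms
    $r.OnACPower = [System.Windows.Forms.SystemInformation]::PowerStatus.PowerLineStatus -eq 'Online'

    # 3. Network: at least one IP-enabled adapter that has a default gateway.
    $r.NetworkConnected = [bool](Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
                                 Where-Object { $_.DefaultIPGateway })

    # 4a. OS: Windows 7 (NT 6.1) or later, in an edition that ships BitLocker
    #     ("Pro" also matches "Professional").
    $os = Get-WmiObject Win32_OperatingSystem
    $r.OSCaption   = $os.Caption
    $r.OSSupported = ([version]$os.Version -ge [version]'6.1') -and ($os.Caption -match 'Enterprise|Ultimate|Pro')

    # 4b. TPM present, version 1.2 or higher, enabled and activated.
    #     Win32_Tpm exists on Windows 7 through 10; no TPM (or no elevation) yields $null.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    $r.TpmPresent = [bool]$tpm
    if ($tpm) {
        $r.TpmSpecVersion = $tpm.SpecVersion                                # e.g. "1.2, 2, 3" or "2.0, 0, 1.16"
        $r.TpmVersionOk   = [double](($tpm.SpecVersion -split ',')[0]) -ge 1.2
        $r.TpmEnabled     = $tpm.IsEnabled().IsEnabled                      # BIOS "TPM Security: On"
        $r.TpmActivated   = $tpm.IsActivated().IsActivated                  # BIOS "TPM Activation: Activate"
    }

    # Preparation: the NTFS dirty bit is set when the volume needs a chkdsk.
    $dirty = & fsutil.exe dirty query $OsDrive | Out-String
    $r.DiskClean = [bool]($dirty -match 'is NOT Dirty')

    [pscustomobject]$r
}

$ready = Test-BitLockerReadiness -OsDrive 'C:'
$ready | Format-List

# Every boolean property that came back $false is something to fix first.
$failed = $ready.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($failed) { "Not ready for BitLocker. Fix: $($failed -join ', ')" }
else         { "All checks passed; back up your files, then proceed to encryption." }
```

A `TpmPresent` of `$false` with `Administrator` also `$false` usually means the query was denied rather than that the chip is missing; rerun from an elevated prompt before concluding the laptop has no TPM. The dirty-bit check is not a substitute for the full `chkdsk` the page asks for; it only tells you whether Windows already knows the volume needs one.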

Use BitLocker to encrypt the startup disk on your Windows laptop

BitLocker helps prevent unauthorized access to documents and other important data stored on your startup disk.

1. Ensure System has a TPM Chip

Enter the BIOS of the system to verify the presence of a Trusted Platform Module (TPM) chip. This is usually done by pressing F2 during the bootup logo screen (the specific key varies across manufacturers and models). For a list of BIOS hotkeys for most major laptop manufacturers, please see this list.

The TPM chip holds the key that unlocks the encrypted drive and releases it at startup only if the boot environment has not been tampered with. BitLocker can also be used on a system without a TPM chip (Group Policy must allow this), but the user must then unlock the drive manually at every startup: on Windows 7 this requires inserting a USB flash drive holding a startup key; Windows 8 and later can use a password instead.

Locating the section of the BIOS that shows and allows configuration of the TPM chip will vary by system. The following screen shot shows the BIOS location on a Dell Latitude D630 laptop. For other systems, TPM settings are generally found under the "Security" tab in the BIOS.

Instructions for computers without TPM Chip (pdf)

2. Activate the TPM Chip

Before telling the system to start encryption, the TPM chip must be activated. This is a two-step process. First, ensure the TPM Security setting is "On". If it is not, select the check box and click "Apply."

Changing this value will require a reboot. Save/Exit the BIOS setting screen, then re-enter the BIOS for the next step.

3. Activate the TPM Module

Next, go to the TPM Activation settings and activate the TPM Module.

Changing this value will require a reboot. Save/Exit the BIOS setting screen, then re-enter the BIOS for the next step.

4. Verify System Boot Order

Another important setting to verify is the boot order of the system. The optional recovery-key check offered later by BitLocker reboots the computer with the USB flash drive inserted; if the system is set to boot from a USB device before the internal hard drive, that check will fail and the encryption process will have to be restarted, which generates a new recovery key that will again need to be saved.

Once the BIOS settings are correct (this should not require another restart), allow Windows to start.

5. Start Bitlocker Encryption

Log on to Windows using an account with administrator privileges on the computer. Go to Start > Control Panel > System and Security > BitLocker Drive Encryption.

Click "Turn on BitLocker".

Windows will check your computer's configuration to make sure it is compatible with BitLocker (this will fail if the TPM was not previously activated). Then it will initialize the TPM module. Before beginning to encrypt the drive, you will be given the opportunity to save the recovery key. Three options are available for saving the key: saving to a USB flash drive, saving to a file, and printing the key (Windows 8.1 and 10 may additionally offer saving to a Microsoft account). Any or all of these options may be selected.

Before choosing whether you want to save a local copy of the key, or how to do it, consider how you intend to safeguard the key. If it is stored on the drive you are about to encrypt, you will not be able to use it to recover the drive unless it is copied elsewhere, since it will be inaccessible from that drive in a recovery scenario. If it is stored on a USB flash drive or printed, the key should be hidden away in a safe location. It should NOT be kept with the system that it recovers. Doing so would be like keeping a key inside the keyway of the lock: it would effectively invalidate the protection of the encrypted drive. Once you have secured a local copy of the key, click the Next button to proceed.

You will see the following screens as Windows begins the process.

If you saved the recovery key to a USB flash drive, the drive will contain files such as the following. You do not need the key for everyday use of your computer; the TPM unlocks the drive automatically. The key is needed only in a recovery situation, for example if the hard drive is moved to another system, the TPM is cleared or replaced, or the firmware or boot configuration (including the BIOS boot order) changes so that the TPM no longer releases the key.

Now you are ready to start the encryption process. As an added safeguard, you are given the option to verify the integrity of a recovery key if you stored one on a USB flash drive. Check the box on the "Are you ready to encrypt this drive?" screen if you would like to do this. If you did not verify that the internal hard drive boots before a USB-attached device, this check may fail and you will have to restart the process, including generating a new recovery key.

If you decided to verify the recovery key, you will need to reboot with the USB flash drive inserted in the computer. The verification does not take long.

After you reboot, you will see a message originating in the system tray area of the screen (typically the lower right) indicating encryption is in progress. You can verify this by going to the system tray and clicking on the icon. You will see a window like this.

Encryption takes place in the background and the system can be used while it is running. There will be a slight degradation in performance, which may not be noticeable depending on what you are doing.

The system may take several hours to encrypt (eight hours or more is not unusual). The time depends on the size of the hard disk, the speed of the CPU, and whether the system is in use while encryption is taking place. If the system is shut down, encryption will resume after it is restarted. Be sure to check the system tray to ensure encryption is running after a restart. Once the hard disk is encrypted, you can confirm this by going to Control Panel > System and Security > BitLocker Drive Encryption; this screen will indicate that BitLocker is turned on for the hard drive.

Once this process is completed, your hard drive is encrypted. The TPM unlocks the drive at startup only if the boot environment is unchanged, and your data is then accessible only after a valid Windows login, so if your computer is lost or stolen while powered off, your data remains protected. Note that a machine that is merely asleep still holds the encryption key in memory, so shut down (or hibernate) rather than sleep when the laptop leaves your control. Please note also that, although your hard drive is now encrypted, your system backups will not be encrypted. If you back up a system containing sensitive information, you must secure and protect your backup media to prevent exposure of your data.
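The checks the page describes for after the restart (is encryption still running, is the volume protected, is the recovery key somewhere it can actually be used) can be scripted against manage-bde.exe. The script below is an added example and is not part of the UCLA guidance. It reads the conversion status and percentage, resumes encryption if it stayed paused after a reboot, confirms that both a TPM protector and a numerical (recovery) password protector exist, and copies the recovery password to a file, refusing any destination on the encrypted volume itself for the reason given under "Start BitLocker Encryption". It assumes an elevated Windows PowerShell prompt on an English-language Windows 7/8/10 system, that the Windows volume is C:, and that the removable drive used for the copy is mounted as E: (an assumption; substitute your own drive letter).

```powershell
# Added example, not part of the UCLA guidance. Run elevated in Windows
# PowerShell. Assumes English manage-bde output, Windows volume C:, and a
# removable drive at E: for the recovery password copy.

function Get-BitLockerProgress {
    param([string]$MountPoint = 'C:')
    $out = & manage-bde.exe -status $MountPoint | Out-String
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -status failed for ${MountPoint}: $out" }
    # Extract one "Name:   value" field from the status output.
    $field = { param($name) if ($out -match "(?m)^\s*$name\s*:\s*(.+?)\s*$") { $Matches[1] } }
    [pscustomobject]@{
        ConversionStatus = & $field 'Conversion Status'   # "Encryption in Progress", "Encryption Paused", "Fully Encrypted", ...
        PercentEncrypted = [double]((& $field 'Percentage Encrypted') -replace '[^\d.]', '')
        ProtectionStatus = & $field 'Protection Status'   # "Protection On" / "Protection Off"
    }
}

function Get-BitLockerProtectors {
    param([string]$MountPoint = 'C:')
    $out = & manage-bde.exe -protectors -get $MountPoint | Out-String
    [pscustomobject]@{
        HasTpm            = [bool]($out -match '(?m)^\s*TPM:')
        # A recovery password is 48 digits printed as eight groups of six.
        RecoveryPasswords = @([regex]::Matches($out, '\b\d{6}(?:-\d{6}){7}\b') | ForEach-Object { $_.Value })
    }
}

function Export-BitLockerRecoveryPassword {
    param([string]$MountPoint = 'C:', [Parameter(Mandatory = $true)][string]$Path)
    $full = [IO.Path]::GetFullPath($Path)
    # Never store the recovery password on the volume it unlocks: it would be
    # unreadable in exactly the situation where it is needed.
    if ([IO.Path]::GetPathRoot($full).TrimEnd('\') -ieq $MountPoint.TrimEnd('\')) {
        throw "Refusing to write the recovery password to ${full}: it is on the encrypted volume ${MountPoint}."
    }
    $p = Get-BitLockerProtectors -MountPoint $MountPoint
    if ($p.RecoveryPasswords.Count -eq 0) {
        throw "No recovery password protector on ${MountPoint}. Add one with: manage-bde -protectors -add $MountPoint -RecoveryPassword"
    }
    Set-Content -Path $full -Value $p.RecoveryPasswords
    $full
}

$progress = Get-BitLockerProgress -MountPoint 'C:'
"C: is $($progress.ConversionStatus), $($progress.PercentEncrypted)% encrypted, $($progress.ProtectionStatus)"
if ($progress.ConversionStatus -eq 'Encryption Paused') {
    # Encryption sometimes stays paused after a restart; resume it instead of waiting.
    & manage-bde.exe -resume 'C:' | Out-Null
    "Encryption was paused; resumed."
}

$protectors = Get-BitLockerProtectors -MountPoint 'C:'
if (-not $protectors.HasTpm) {
    Write-Warning "No TPM protector on C:; the drive will not unlock automatically at boot."
}
if ($protectors.RecoveryPasswords.Count -eq 0) {
    Write-Warning "No recovery password protector on C:; the volume cannot be recovered if the TPM stops releasing the key."
}

# Copy the recovery password to the removable drive (assumed E:), then keep
# that drive away from the laptop as the page instructs.
$saved = Export-BitLockerRecoveryPassword -MountPoint 'C:' -Path 'E:\BitLocker-Recovery-C.txt'
"Recovery password written to $saved"
```

`Protection Status` is the field to trust: `Fully Encrypted` with `Protection Off` means BitLocker has been suspended and the volume key is stored in the clear on disk, which is the state Windows leaves the drive in around some firmware updates; it is not an encrypted laptop in the sense the registration process asks you to attest to.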

After your device has been encrypted, you must register it (see Register your Device below).

Register your Device

It is your responsibility to ensure your device is verifiably encrypted. To validate that your computer is encrypted, you must register your computer in the UCLA Health Sciences IT Organization inventory.

To register your device in the inventory, please click on the link below. Before registering your device, please read all disclaimers and instructions. You must have a UCLA Logon to register a device.