
Microsoft BitLocker: Full disk encryption software overview

Expert Karen Scarfone examines the features of BitLocker, Microsoft's native full disk encryption software for Windows laptops, desktops and servers.

This is part of a series on the top full disk encryption products and tools in the market. For more, check out our FDE product roundup.

Microsoft BitLocker is full disk encryption software that ships with particular editions of Windows and Windows Server. Full disk encryption (FDE) refers to the automatic encryption of the entire hard drive of a desktop, laptop or server, so that when the system is off, an attacker who obtains the drive cannot read the sensitive data on it. When the system is powered on, the user has to authenticate successfully before the drive can be decrypted.

Platform support

Microsoft BitLocker is supported by the following versions of Windows: Windows 10 Enterprise and Pro, Windows 8 and 8.1 Professional and Enterprise, Windows 7 Ultimate and Enterprise, Windows Vista Ultimate and Enterprise, and Windows Server 2008 and later.

Encryption and authentication support

Microsoft BitLocker uses the Advanced Encryption Standard (AES) encryption algorithm with either 128-bit or 256-bit keys. It is generally recommended to use 256-bit keys because of their superior strength.

Organizations that rely on 128-bit keys may need to migrate those systems to 256-bit keys in the future, which requires re-encrypting the entire hard drive and inconveniences users; that is a further reason to choose 256-bit keys with BitLocker from the outset.

Although BitLocker itself has not been Federal Information Processing Standard (FIPS) 140-2-certified, the cryptographic modules it uses have been. This is common practice, and it is the certification of the modules, not of BitLocker, that really matters.

FIPS 140-2 certification means the cryptographic modules were tested to confirm that they meet specified cryptographic requirements. This does not mean the modules are free of vulnerabilities, only that no common vulnerabilities were detected during testing.

Authentication options are rather limited when using BitLocker. The feature is intended to be used with a Trusted Platform Module (TPM), and authentication can be achieved through specifying a PIN or storing a key on a flash drive, which the user would then need to insert in order to boot the system. If a TPM is not available, BitLocker can still be used, but the use of a flash drive for authentication becomes mandatory.

A common practice when using BitLocker is to additionally deploy a third-party FDE product -- such as Dell Data Protection | Encryption, McAfee Complete Data Protection or Sophos SafeGuard Enterprise Encryption -- that can manage the BitLocker configuration. These third-party products add a variety of authentication options, which can improve both the security and the usability of BitLocker authentication.


BitLocker is primarily intended for local management. Some aspects of the FDE feature can be configured and controlled through Group Policy, but overall the product is geared toward managing each system on its own.

An example is the key recovery option for users. There is a recovery password, but it is 48 digits long and it is only available locally, for instance saved to a file or printed out. If the user fails to record this recovery password, or loses the record of it, there may be no way to recover access to the user's system.
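As an added example (not Microsoft's code and not part of the original article), the following Python function checks whether a stored copy of a 48-digit recovery password is structurally intact, using the publicly documented format rules from open-source parsers of the BitLocker format: eight groups of six decimal digits, each a multiple of 11 whose quotient fits in 16 bits. The sample password is constructed for the demonstration and is not a real key.

```python
import re
from typing import List

# Constructed sample recovery password (not a real key): every 6-digit block
# is a multiple of 11 whose quotient fits in 16 bits.
VALID_SAMPLE = "123453-055000-720885-000011-135795-380237-550000-475310"

BLOCK_COUNT = 8
BLOCK_DIGITS = 6
MAX_BLOCK = 65535 * 11  # 720885: block / 11 must fit in 16 bits


def check_recovery_password(text: str) -> List[str]:
    """Return a list of problems with a 48-digit BitLocker-style recovery
    password; an empty list means the record is structurally intact.

    Rules: 8 groups of 6 decimal digits, each group divisible by 11 (the last
    digit effectively acts as a check digit) and no larger than 720885.
    """
    problems: List[str] = []
    # Tolerate the hyphens and spaces that appear on a printout or saved file.
    digits = re.sub(r"[\s-]", "", text)
    if not digits.isdigit():
        return ["recovery password contains non-digit characters"]
    if len(digits) != BLOCK_COUNT * BLOCK_DIGITS:
        return [f"expected 48 digits, found {len(digits)}"]
    for i in range(BLOCK_COUNT):
        block = digits[i * BLOCK_DIGITS:(i + 1) * BLOCK_DIGITS]
        value = int(block)
        if value % 11 != 0:
            problems.append(f"block {i + 1} ({block}) fails the mod-11 check digit")
        elif value > MAX_BLOCK:
            problems.append(f"block {i + 1} ({block}) exceeds the maximum {MAX_BLOCK}")
    return problems


def is_valid_recovery_password(text: str) -> bool:
    """True when the stored recovery password passes every structural check."""
    return not check_recovery_password(text)


if __name__ == "__main__":
    # A single mistyped digit in the first block is caught by the mod-11 check.
    for sample in (VALID_SAMPLE, VALID_SAMPLE.replace("123453", "123454")):
        print(sample, "->", check_recovery_password(sample) or "OK")
```

Running this over escrowed recovery records catches transcription errors while there is still time to regenerate the password, rather than when a locked-out user needs it.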

As mentioned above, there are third-party commercial products available that can add centralized management capabilities, authentication options and other features onto a Microsoft BitLocker deployment. These products typically support BitLocker and Apple FileVault 2 management, meaning systems using either FDE solution can be managed from a single console.

Microsoft BitLocker for small business

BitLocker is conveniently built into various versions of Windows, but it is primarily intended for local management. That makes BitLocker a viable option for individuals and small enterprises that do not rely on centralized management.

There are significant usability concerns with requiring users to carry a flash drive and securely store a 48-digit recovery password, however. Most organizations will find that BitLocker is a much better technology when paired with a third-party commercial product that offers BitLocker management features, such as centralized management and key recovery, not to mention a range of single-factor and multifactor authentication options.


This was last published in April 2015

Does your organization use BitLocker to protect enterprise data? Why or why not?
In an enterprise that runs Windows using BitLocker for software-based full disk encryption has its advantages. The challenge is finding the right management solution. Ideally one that is easy to implement and maintain, and is designed for specifically that job, not an afterthought to some other encryption solution's management.
Truly like Bitlocker! The main issue I have with it is that it is just accessible in the endeavor variant of Windows 7. Windows 8 and up then again, it's accessible with star. Simple to empower, particularly with a TPM. You can even design Bitlocker to store recuperation keys into Active Directory! It's really smooth.
I'm seeing more and more of my clients using it. It's much-improved since Windows 8 and, especially, the MBAM system you can use to centrally manage it.

I'm not convinced it's ready for large enterprise deployments - that's where solutions like WinMagic and Symantec Endpoint Protection/PGP come into play.
@Kevin, I'm curious to understand how you see BitLocker not scaling into enterprise deployments? Am I right to assume you're referring to MBAM management of BitLocker encryption? In which case, I tend to agree. Either of the 3rd party encryption+some BitLocker functionality added solutions you mention or a dedicated BitLocker management solution like BitTruster will offer a more robust experience.
FDE now stands for Full DRIVE Encryption, since both HDD and SSD are accommodated. The standard FDE option of using Self-Encrypting Drives (SED) is not mentioned in this FDE series. SEDs are standardized by the Trusted Computing Group and built by every major drive manufacturer, and are superior to software-based encryption in every measure.

BitLocker supports eDrive, which means that a hardware-based SED provides the encryption component for BitLocker.
We’ve looked at using Bitlocker to encrypt the drives on our Windows machines. Although it does support both HDD and SSD, we found that running Bitlocker on machines with a standard HDD could either cause issues during the encryption process, which resulted in aborting the encryption, or simply took too long to complete. In the end, we recommended that the user take their laptop to the service desk if they had an HDD.
As an aside, be sure to safely store your recovery key ID somewhere where you can find it when you need it. Otherwise, you’ll have one heck of a time getting into your data.