Implementing Whole Disk Encryption with BitLocker and FileVault

Due in part to ethical issues raised by the rise of social networks and several high-profile data breaches, how businesses handle customer personally-identifiable information (PII) is a topic of intense discussion in government and in the community. Every state in the U.S. has laws regulating the handling of customer PII. Many of these laws require businesses to notify state regulators and their customers in the event that the company suffers a loss or theft of user PII. As an early-stage startup, the reputational damage (not to mention the financial impact) of having your PII lost or stolen can easily cause your business to fail.

While most businesses leverage cloud services for tools that handle PII, such as payment systems, marketing and CRM, and custom SaaS software, there are many cases where even a startup may have customer PII on local machines such as user laptops. Exporting a report of sales leads to a local spreadsheet is something founders do frequently, and they might not realize that this counts as PII. Even a cached copy of your email contains some level of PII.

By virtue of being both portable and valuable, laptops are always at risk of being lost or stolen. Most laws require a company that loses a laptop or has one stolen to report it as a data breach of PII unless the laptop is configured with whole-disk encryption. In this Recipe we'll walk through configuring whole-disk encryption on both major laptop operating systems, Windows (BitLocker) and Apple (FileVault). We'll also set up Apple and Android devices to use their built-in encryption tools.

To implement BitLocker in Windows 10, open the Control Panel and select System and Security. Now select BitLocker Drive Encryption. Under Operating System Drive select Turn on BitLocker.

You'll be prompted for where to save the recovery key. If this machine is for your personal use you can save it to your Microsoft account if you have one, but if this machine is going to be used by another member of your startup you should save it to a file and store it somewhere securely, such as a central password vault.

Click Next to continue. If you are prompted for how much of the drive to encrypt, select the option marked used disk space only. Click Next. You may be prompted to decide which encryption mode to use. Unless you are encrypting a removable drive such as an SD Card, select New encryption mode. Click Next.

If you are prompted to run a compatibility check, click the option to enable this and click Continue, then click Restart. When your computer boots you'll be prompted to enter your BitLocker recovery key, after which the computer will load as normal. It may still take several hours for BitLocker to encrypt the drive. When it's finished, accessing the BitLocker menu in the control panel will show the drive with a label reading BitLocker on.

Let's implement FileVault on an Apple computer running OSX. The menu items and screenshots shown in this recipe are from OS X Big Sur. Depending on the operating system your machine uses, your process may be slightly different. You will also need to be using an account with administrative privileges to perform this action.

Open System Preferences and select Security & Privacy. FileVault is a tab in this screen, so select it.

Select Turn On FileVault (you may need to unlock the button by clicking the lock icon in the lower left and entering your admin password).

As with other operating systems, once whole-disk encryption is enabled you'll need a method to unlock it. OS X gives you two options for this; a recovery key and an associated iCloud account. If this is a machine for personal use it's fine to select iCloud, but if this machine is going to be used by another member of your startup you should select recovery key. Record the key and who will be using the laptop somewhere safe, such as a secure note in your organization's password vault.

The act of adding a passcode on your phone also enables whole-disk encryption. To set a passcode, on your phone go to Settings → Face ID & Passcode (if your phone does not have Face ID this menu will say Touch ID instead). Press Turn Passcode On. You will have the option to set a numeric or alphanumeric passcode. We recommend setting an alphanumeric passcode for stronger security. You may need to re-enter your passcode to confirm. Once whole-disk encryption is in place, at the bottom of this screen you will see a message indicating Data protection is enabled.

Android devices higher than version 6 are required to ship with encryption enabled, but you need to set a passcode on the device to take advantage of it. The instructions for doing so and the types of passcodes supported vary widely by manufacturer, so check with your device's documentation to see what options are available.