Q: How can I speed up the BitLocker Drive Encryption (BDE) volume encryption process in Windows 8?
A: Windows 8 BDE includes two new features—BitLocker pre-provisioning and Used Disk Space Only encryption—that let users encrypt volumes much faster than in previous BDE versions. Here's how each feature works.
Thanks to BitLocker pre-provisioning, administrators can enable BitLocker for a volume and encrypt the volume before the Windows 8 OS is installed. In Windows 7 and Windows Vista, BitLocker can only be enabled after the Windows OS is installed.
During pre-provisioning, Windows 8 generates a random encryption key and BitLocker uses it to encrypt the volume before the OS is installed. Microsoft calls this a clear key protector because the key that unlocks the volume is stored on the disk unencrypted. A pre-provisioned volume is therefore encrypted but not yet protected: anyone who can read the disk can also read the key and unlock the volume. After Windows is installed, users fully protect the pre-provisioned volume by activating BitLocker on it and selecting a BitLocker unlock method (for example, TPM, TPM plus PIN, or a password); adding the real key protector removes the clear key. Protecting the key this way takes seconds, far less than encrypting an entire volume.
Administrators can enable BitLocker pre-provisioning from the Windows Preinstallation Environment (WinPE) using the Manage-bde command-line utility. WinPE is the lightweight Windows environment used for installing Windows OSs. For example, to pre-provision BitLocker on your F drive, you'd type the following command at a WinPE command prompt:
- manage-bde -on f:
(For more information about using Manage-bde from WinPE, see "What You Need to Know When Using Manage-bde from WinPE to Pre-Provision BitLocker Drive Encryption.")
To support pre-provisioning, Microsoft has introduced a new BitLocker status for volumes called BitLocker Waiting for Activation. When a volume is pre-provisioned, this new status (along with a yellow exclamation icon) is displayed in the BitLocker Drive Encryption Control Panel Applet. In Figure 1, the F drive has this new status. The exclamation icon highlights the fact that the encryption key is still unprotected.
Used Disk Space Only Encryption
With the new Used Disk Space Only encryption, BitLocker encrypts only the used space on a BDE-protected volume, which makes the encryption of empty or partially empty volumes much faster. In previous Windows versions, BitLocker had only one encryption option: encrypt everything (i.e., all data and all free space).
Microsoft recommends using Used Disk Space Only encryption on new PCs and volumes only. Full encryption is the preferred option for volumes that are already in use. The free space on a used volume might still hold remnants of deleted files that are recoverable with forensic tools, and Used Disk Space Only encryption leaves that free space in cleartext, so only full encryption can ensure that everything on the volume is encrypted.
To enforce the use of either Used Disk Space Only encryption or Full encryption on domain-joined client machines, administrators can use a new set of Group Policy Object (GPO) settings that are located in the Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption container. A new Enforce drive encryption type setting is available for OS, fixed, and removable data drives. These settings can't be applied to pre-provisioning because GPOs can't be enforced before Windows is installed; when you pre-provision from WinPE, you choose the encryption type with the Manage-bde command-line switches instead (for example, -UsedSpaceOnly). If administrators don't configure these GPO settings, or if they're set to the default Allow user to choose option, users can select the encryption option when they enable BitLocker protection for a volume from the Windows GUI. They select the option on the Choose how much of your drive to encrypt page of the BitLocker Drive Encryption setup wizard, as Figure 2 shows.
Use Both Features for Fast Encryption
You can combine Used Disk Space Only encryption with BitLocker pre-provisioning. If you use both features, enabling BitLocker on largely empty drives takes only seconds. In addition, you can easily automate the process of enabling BitLocker by using Manage-bde or BitLocker Windows PowerShell cmdlets in Windows deployment processes and programs.
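The following script is an added example of the two-phase workflow described in this article; it is not code from the original article or from Microsoft. Phase 1 runs from WinPE and pre-provisions the volume with Used Disk Space Only encryption via Manage-bde; Phase 2 runs inside the installed Windows 8 OS, uses the BitLocker PowerShell cmdlets to replace the clear key with a TPM protector plus a recovery password, and then verifies that protection is actually on. The volume letter (C:), the presence of a TPM, and administrative rights are assumptions.

```powershell
# Added example, not from the original article. Assumes the OS volume is C:,
# the machine has a TPM, and the script runs with administrative rights.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('PreProvision', 'Activate')]
    [string]$Phase,
    [string]$Volume = 'C:'
)

function Get-BdeStatus([string]$Vol) {
    # manage-bde -status works both in WinPE and in the installed OS.
    & manage-bde.exe -status $Vol
}

switch ($Phase) {
    'PreProvision' {
        # Phase 1: run from WinPE after the disk is partitioned but before the
        # Windows image is applied. -UsedSpaceOnly makes this finish in seconds
        # on a freshly formatted volume. No protector is added yet, so the volume
        # is encrypted under a clear key (Control Panel: Waiting for Activation).
        & manage-bde.exe -on $Volume -UsedSpaceOnly
        Get-BdeStatus $Volume
    }
    'Activate' {
        # Phase 2: run inside the installed Windows 8 OS, which ships the
        # BitLocker module. The volume is already encrypted, so only protectors
        # are added; no further encryption pass is needed.
        Import-Module BitLocker
        $before = Get-BitLockerVolume -MountPoint $Volume
        if ($before.VolumeStatus -ne 'FullyEncrypted') {
            throw "$Volume is not fully encrypted ($($before.VolumeStatus)); refusing to activate."
        }

        # Adding a TPM protector removes the clear key. The recovery password is
        # added so the volume can still be unlocked if the TPM will not release
        # the key (firmware update, board swap, boot configuration change).
        Add-BitLockerKeyProtector -MountPoint $Volume -TpmProtector | Out-Null
        $withRp = Add-BitLockerKeyProtector -MountPoint $Volume -RecoveryPasswordProtector
        $recovery = ($withRp.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).RecoveryPassword
        # Escrow this (for example, in AD DS) before relying on the protection.
        Write-Output "Recovery password for ${Volume}: $recovery"

        # The check that matters: ProtectionStatus 'Off' after activation means
        # the clear key is still on disk and the volume is readable by anyone
        # with physical access to the drive.
        $after = Get-BitLockerVolume -MountPoint $Volume
        if ($after.ProtectionStatus -ne 'On') {
            throw "Protection is still $($after.ProtectionStatus) on $Volume; the clear key was not replaced."
        }
        $types = $after.KeyProtector.KeyProtectorType -join ', '
        Write-Output "$Volume is encrypted and protected by: $types"
    }
}
```

Run `.\bde-provision.ps1 -Phase PreProvision` from the WinPE stage of the deployment task sequence and `.\bde-provision.ps1 -Phase Activate` as a post-install step. The explicit ProtectionStatus check is what turns a fast deployment into a safe one: a volume that stays at Waiting for Activation is encrypted in name only.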
Related: BitLocker Changes in Windows 8