Turn On BitLocker for Removable Data Drives in Windows 10

Turn On or Off BitLocker for Removable Data Drives in Windows 10 (BitLocker To Go)

For extra protection, Windows 10 allows enabling BitLocker for removable data drives. Also known as 'BitLocker To Go', this feature includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. It supports protection with a smartcard or password.

BitLocker was first introduced in Windows Vista and still exists in Windows 10. It was implemented exclusively for Windows and has no official support in alternative operating systems. BitLocker can utilize your PC's Trusted Platform Module (TPM) to store its encryption key secrets. In modern versions of Windows such as Windows 8.1 and Windows 10, BitLocker supports hardware-accelerated encryption if certain requirements are met (the drive has to support it, Secure Boot must be on and many other requirements). Without hardware encryption, BitLocker switches to software-based encryption so there is a dip in your drive's performance. BitLocker in Windows 10 supports a number of encryption methods, and supports changing a cipher strength.

Note: In Windows 10, BitLocker Drive Encryption is only available in the Pro, Enterprise, and Education editions. BitLocker can encrypt the system drive (the drive Windows is installed on), internal hard drives. The BitLocker To Go feature allows protecting files stored on a removable drives, such as a USB flash drive.

There are a number of methods you can use to turn on or off BitLocker for a removable drive.

To Turn On BitLocker for a Removable Data Drive in Windows 10,

1. Configure the encryption method for BitLocker if required.
2. Open File Explorer to the This PC folder.
3. Right-click on the drive and select Turn on Bitlocker from the context menu.
4. Alternatively, click on Manage tab under Drive Tools in the Ribbon, then click on the Turn on BitLocker command.
5. Finally, you can open Control Panel\System and Security\BitLocker Drive Encryption. On the right, find your removable drive, and click on the link Turn on Bitlocker.
6. In the next dialog, choose a smart card or provide a password to encrypt the drive contents.
7. Choose how to backup the encryption key. For example, you can print it.
8. Select how much of your drive space to encrypt. For new drives, you can choose 'used disk space only'. For drives that already contain files, choose Encrypt entire drive.
9. Specify which encryption mode to use.
   • New encryption mode (XTS-AES 128-bit) is supported on Windows 10.
   • Compatible mode (AES-CBC 128-bit) is supported on Windows Vista, Windows 7 and Windows 8/8.1.
10. Click on Start encrypting.

You are done. The removable data drive will be encrypted. This could take a long time to finish depending on the size of the removable drive and its capacity.

To Turn Off BitLocker for a Removable Drive in Windows 10

1. Connect your removable drive to the computer.
2. Open File Explorer to the This PC folder.
3. Right-click on the drive and select Manage BitLocker from the context menu.
4. Alternatively, click on Manage tab under Drive Tools in the Ribbon, then click on the Manage BitLocker command.
5. Finally, you can open Control Panel\System and Security\BitLocker Drive Encryption.
6. On the right side of the Drive Encryption Dialog, find your removable drive, and click on the link Turn off Bitlocker.
7. Click on the Turn off BitLocker to confirm the operation.

You are done. BitLocker will decrypting the drive contents.

Also, you can disable BitLocker for a removable drive from Command Prompt or PowerShell.

To Turn Off BitLocker for a Removable Drive from the Command Line

1. Open a new command prompt as Administrator.
2. Type and run the following command: manage-bde -off <drive letter>:.
3. Substitute <drive letter> with the actual drive letter of the drive you want to decrypt. For example: manage-bde -off D:.
4. Alternatively, open PowerShell as Administrator.
5. Type and run the following command: Disable-BitLocker -MountPoint "<drive letter>:".
6. Substitute <drive letter> with the actual drive letter of the drive you want to decrypt. For example: Disable-BitLocker -MountPoint "D:".

You are done!

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options: