Encryption in Windows 8.1

Homerboy

I think I've over-thunk it and confused myself, and now I have some questions about built-in encryption within 8.1.

If I understand correctly, 8.1 Pro comes with BitLocker.

"Standard" Windows 8.1 also includes basic hard drive encryption... correct? I read something about the computer needing to have the correct hardware to support the encryption or something, and I guess that is where I got a little "confused".

I'm trying to find a cheap laptop from Dell/HP/Whomever that includes encryption. In the past I'd buy a self-encrypting hard drive, but now with 8.1, I think I am adequately covered?
 

inachu

Just make sure you have TPM enabled in the BIOS, then BitLocker will work great.
 

smakme7757

A laptop with a TPM will allow you to use BitLocker on Windows 8.1 Pro out of the box.

If, however, you get a laptop without a TPM module, you can still use BitLocker. All that is required is to change a simple Group Policy setting. This won't damage your security, but be sure to pick a strong password:
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

A few notes:
1. Do keep in mind that Full Drive Encryption (FDE) protects data at rest, which means that your laptop has to be OFF for it to provide maximum security.

2. If you buy an SSD or hard drive which supports SED, then you can enable encryption with an ATA drive lock, and this will give better performance than using BitLocker. It's also independent of a TPM module.
Explanation on how it works: http://jack-brennan.com/intel-320-ssd-hardware-encryption-and-how-to-utilize-it/

3. If you do use BitLocker and want to use AES 256 (as opposed to AES 128), then you can change the standard algorithm with the following Group Policy setting: http://www.howtogeek.com/193649/how...56-bit-aes-encryption-instead-of-128-bit-aes/

 

quikah

Normal 8.1 comes with "Device Encryption". I am not sure what the difference is (I think it still uses BitLocker), but it has very specific requirements:

- The system must support connected standby (AKA InstantGo) and meet the Windows Hardware Certification Kit (HCK) requirements for TPM and SecureBoot on ConnectedStandby systems.
- You must log in to the system with a Microsoft account (the recovery key will be uploaded to the OneDrive server). Using a local account only disables encryption (I suggest printing out your recovery key in case something happens to MS servers).

I have no idea how to verify the first point, guess it should be in the literature of whatever device you will buy. Pretty much all new Windows tablets support it AFAIK.
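
A read-only check of the points raised in the posts above (TPM state, Secure Boot, and which key protectors and cipher BitLocker is using on the system drive), as an added example that is not part of any poster's message. It assumes an elevated PowerShell prompt and that the `Get-Tpm`, `Confirm-SecureBootUEFI` and `Get-BitLockerVolume` cmdlets are present on the Windows edition in use; it does not test connected standby support.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated prompt.
$report = [ordered]@{}

# TPM: BitLocker's default configuration expects a TPM that is present and ready.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report['TPM present'] = $tpm.TpmPresent
    $report['TPM ready']   = $tpm.TpmReady
} catch {
    # Any failure is treated as "no usable TPM" for the purpose of this report.
    $report['TPM present'] = $false
    $report['TPM ready']   = $false
}

# Secure Boot: the cmdlet throws on legacy BIOS boots and when not elevated.
try {
    $report['Secure Boot'] = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    $report['Secure Boot'] = "unavailable: $($_.Exception.Message)"
}

# BitLocker state of the system drive: status, cipher and key protectors.
try {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    $report['Volume status']  = $vol.VolumeStatus      # e.g. FullyEncrypted
    $report['Protection']     = $vol.ProtectionStatus  # On or Off
    $report['Cipher']         = $vol.EncryptionMethod  # e.g. Aes128 or Aes256
    $report['Key protectors'] = $types -join ', '

    # A recovery password is the fallback if the TPM or startup password fails.
    $report['Has recovery password'] = $types -contains 'RecoveryPassword'

    # Without a TPM protector the drive is unlocked by a password or USB key,
    # so the strength of that password is what protects the data at rest.
    $report['Unlocks via TPM'] = $types -contains 'Tpm'
} catch {
    $report['Volume status'] = "unavailable: $($_.Exception.Message)"
}

[pscustomobject]$report | Format-List
```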
 

Homerboy

Thanks. This is what I was looking for.

Yeah it seems most/all tablets support it. I'm looking for a (cheap) laptop that supports it out of the box.
 

BirdDad

BitLocker encrypts at the file level, not the drive level, in 8.1. Evidence of this is that when you encrypt a drive it says it is not necessary to encrypt it all; it will do it as data is written to the drive.