There’s a new, more secure way to encrypt data in Windows 11, but it’s only an option for building secure applications, not a replacement for BitLocker.
Windows 10 already has two flavours of encryption, BitLocker and Windows Device Encryption, and as of the 22H2 release, Windows 11 Enterprise and Education adds Personal Data Encryption.
BitLocker and Device Encryption are effectively the same full disk encryption technology, but there are management tools for BitLocker (which is only available in Windows Pro, Enterprise and Education) that let admins control whether one or more drives on a system are encrypted, as well as back up and recover the keys. Device Encryption is included in Windows Home and encrypts all the drives on the PC, with no option to exclude secondary drives. The name is different because calling it BitLocker would make people assume they were getting the same management tools and options.
Personal Data Encryption doesn’t replace either of them because it doesn’t encrypt a whole drive; instead, it protects individual files and folders using 256-bit AES-CBC encryption keys that are protected by Windows Hello for Business, but only through applications that are built to use it.
File encryption in Windows
You can already encrypt one or more files in Windows by:
- Selecting them in File Explorer.
- Right-clicking and choosing Properties.
- Clicking the Advanced button in the Attributes section of the General tab.
- Checking the ‘Encrypt contents to secure data’ checkbox.
That uses the Encrypting File System built into Windows, but it has several drawbacks.
Complications from encrypting via EFS
EFS dates back to Windows 2000, long before TPMs were common in PCs, so it doesn’t use hardware security to protect the encryption keys. They’re stored in Windows, and an attacker could potentially extract them, or they could simply try to break into your Windows account.
Files encrypted with EFS can also only be accessed by the user account that encrypted them. That’s seamless: As soon as you log in with that user account you can access encrypted files without doing anything extra, but if you log in with a different account, you can’t open them at all.
PDE uses Windows Hello for more secure keys
BitLocker unlocks the encrypted drive as soon as you boot Windows; PDE only unlocks encrypted files when the user logs in, and logs in using Windows Hello.
By using Windows Hello for Business, Personal Data Encryption puts the encryption keys into secure hardware where they’re only released when you authenticate either biometrically or with a PIN, which is also protected by hardware security and, unlike a password, doesn’t roam to other devices you use that account with.
That’s more secure, but also more transparent for users, although you do have to get used to not seeing Personal Data Encryption-protected files if you decide to sign in to your account using your password instead.
Turning on Personal Data Encryption
There are some limitations for using Personal Data Encryption. The PC has to be joined to Azure AD and not be a hybrid device (i.e., one that’s joined to your organization’s Active Directory but also registered with Azure AD). Remote Desktop connections aren’t supported, you can’t see Personal Data Encryption-protected files through a network share, and you can’t use a FIDO key instead of Windows Hello for Business or automatic restart sign-on to Windows.
To make sure the Personal Data Encryption keys aren’t accidentally exposed, you need to disable hibernation, crash dumps and Windows Error Reporting: You can do that through the same MDM solution you use to enable Personal Data Encryption (whether that’s Intune or Group Policy with a CSP).
You can also decide whether you want encrypted files to be accessible when Windows is locked or not. If you choose level two protection, encrypted files will be accessible for one minute after the Windows lock screen appears, but then the decryption keys will be discarded. You don’t have to use OneDrive for it, but you need to make sure that you have backups in case the Personal Data Encryption keys are lost.
Unlike EFS, once you’ve enabled Personal Data Encryption, you don’t encrypt files through File Explorer: In fact, there’s no user interface for Personal Data Encryption at all. That’s because it’s managed through APIs that developers use in applications; the first to enable PDE is the built-in Mail app, which can encrypt both email messages and attachments.
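As an added example (not from the original article), this PowerShell script audits the three settings the article says must be off before PDE keys are safe from leaking into a hibernation file, crash dump or error report. It reads the standard Windows registry values for hibernation, crash dumps and Windows Error Reporting; the function name `Get-PdePrerequisiteStatus` is my own, and the script only reads, never changes, the settings.

```powershell
# Audit the PDE prerequisites: hibernation, crash dumps and Windows Error
# Reporting must all be disabled so the per-file keys held in memory are never
# written to disk or shipped off the machine. Read-only; run as administrator
# so every key is readable. (Constructed example, not Microsoft's tooling.)

function Get-PdePrerequisiteStatus {
    $checks = @(
        @{ Name = 'Hibernation disabled'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
           Key  = 'HibernateEnabled'; Expected = 0 },
        @{ Name = 'Crash dumps disabled'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
           Key  = 'CrashDumpEnabled'; Expected = 0 },
        @{ Name = 'Windows Error Reporting disabled'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
           Key  = 'Disabled'; Expected = 1 }
    )

    foreach ($c in $checks) {
        # A missing value means the Windows default applies, which for all three
        # settings is the feature being ON, so treat "not set" as a failure.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key `
                      -ErrorAction SilentlyContinue).$($c.Key)
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Pass     = ($actual -eq $c.Expected)
        }
    }
}

$results = Get-PdePrerequisiteStatus
$results | Format-Table -AutoSize

# Surface any failing check so it can be fixed through Intune or Group Policy
# before Personal Data Encryption is turned on.
if ($results.Pass -contains $false) {
    Write-Warning 'PDE prerequisites not met; correct the failing settings before enabling Personal Data Encryption.'
}
```

The same three values can be enforced rather than merely checked through the MDM or Group Policy path the article describes; this script is only the verification step.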
PDE is a partner to BitLocker
Again, Personal Data Encryption doesn’t replace BitLocker: It’s designed to be used alongside it for data that organizations decide needs the extra protection.
If you have a line of business application that handles particularly sensitive information, you can use the PDE APIs to make sure the data can only be accessed by employees who are supposed to have access, and only on managed devices that are Azure AD joined. You want that to be set by your compliance policies, rather than giving individual employees a tool for encrypting files, which could be used by malicious insiders to hide data they shouldn’t have on their devices and might be trying to take outside the organization.
Unlike files that are protected by tools like Azure Information Protection or Purview Information Protection, where sensitivity labels and encryption are enforced on files permanently, users can decrypt files protected with Personal Data Encryption manually in File Explorer. Here’s how:
- Right-click on the file.
- Choose Properties.
- Click the Advanced button on the General tab, the same place you apply EFS encryption.
- Uncheck the option Encrypt contents to secure data.
Remember, you can’t encrypt the file again the same way; that can only be done by an application.
If you have a lot of encrypted files, you can use the CIPHER command to decrypt multiple files in a folder. You can only do that once you’ve logged in with Windows Hello for Business and already have access. This isn’t a security flaw, because if you had access, you could simply copy and paste the contents of the file elsewhere anyway.
The Personal Data Encryption name is a little confusing: It’s personal because it’s tied to the way a person logs in with Windows Hello for Business, but it’s not something a user can choose to use and it’s not for protecting personal files. Instead, it’s another building block for making Windows a more secure way to handle information, but only once there are more applications that make use of it.