
How to Set Up BitLocker Encryption on Windows

[Image: BitLocker locked-drive icon]

BitLocker is a tool built into Windows that lets you encrypt an entire hard drive for enhanced security. Here’s how to set it up.


When TrueCrypt controversially closed up shop, they recommended their users transition away from TrueCrypt to using BitLocker or Veracrypt. BitLocker has been around in Windows long enough to be considered mature, and is an encryption product generally well-regarded by security pros. In this article, we’re going to talk about how you can set it up on your PC.

Note: BitLocker Drive Encryption and BitLocker To Go require a Professional or Enterprise edition of Windows 8 or 10, or the Ultimate version of Windows 7. However, starting with Windows 8.1, the Home and Pro editions of Windows include a “Device Encryption” feature (a feature also included in Windows 10) that works similarly. We recommend Device Encryption if your computer supports it, BitLocker for Pro users who can’t use Device Encryption, and VeraCrypt for people using a Home version of Windows where Device Encryption won’t work.

Encrypt an Entire Drive or Create an Encrypted Container?

Many guides out there talk about creating a BitLocker container that works much like the kind of encrypted container you can create with products like TrueCrypt or Veracrypt. It’s a bit of a misnomer, but you can achieve a similar effect. BitLocker works by encrypting entire drives. That could be your system drive, a different physical drive, or a virtual hard drive (VHD) that exists as a file and is mounted in Windows.


The difference is largely semantic. In other encryption products, you usually create an encrypted container, and then mount it as a drive in Windows when you need to use it. With BitLocker, you create a virtual hard drive, and then encrypt it. If you’d like to use a container rather than, say, encrypt your existing system or storage drive, check out our guide to creating an encrypted container file with BitLocker.


For this article, we’re going to concentrate on enabling BitLocker for an existing physical drive.


How to Encrypt a Drive with BitLocker

To use BitLocker for a drive, all you really have to do is enable it, choose an unlock method—password, PIN, and so on—and then set a few other options. Before we get into that, however, you should know that using BitLocker’s full-disk encryption on a system drive generally requires a computer with a Trusted Platform Module (TPM) on your PC’s motherboard. This chip generates and stores the encryption keys that BitLocker uses. If your PC doesn’t have a TPM, you can use Group Policy to enable using BitLocker without a TPM. It’s a bit less secure, but still more secure than not using encryption at all.

You can encrypt a non-system drive or removable drive without TPM and without having to enable the Group Policy setting.


On that note, you should also know that there are two types of BitLocker drive encryption you can enable:


  • BitLocker Drive Encryption: Sometimes referred to just as BitLocker, this is a “full-disk encryption” feature that encrypts an entire drive. When your PC boots, the Windows boot loader loads from the System Reserved partition, and the boot loader prompts you for your unlock method—for example, a password. BitLocker then decrypts the drive and loads Windows. The encryption is otherwise transparent—your files appear like they normally would on an unencrypted system, but they’re stored on the disk in an encrypted form. You can also encrypt other drives than just the system drive.


  • BitLocker To Go: You can encrypt external drives—such as USB flash drives and external hard drives—with BitLocker To Go. You’ll be prompted for your unlock method—for example, a password—when you connect the drive to your computer. If someone doesn’t have the unlock method, they can’t access the files on the drive.


In Windows 7 through 10, you really don’t have to worry about making the selection yourself. Windows handles things behind the scenes, and the interface you’ll use to enable BitLocker doesn’t look any different. If you end up unlocking an encrypted drive on Windows XP or Vista, you’ll see the BitLocker to Go branding, so we figured you should at least know about it.


So, with that out of the way, let’s go over how this actually works.


Step One: Enable BitLocker for a Drive

The easiest way to enable BitLocker for a drive is to right-click the drive in a File Explorer window, and then choose the “Turn on BitLocker” command. If you don’t see this option on your context menu, then you likely don’t have a Pro or Enterprise edition of Windows and you’ll need to seek another encryption solution.


It’s just that simple. The wizard that pops up walks you through selecting several options, which we’ve broken down into the sections that follow.


Step Two: Choose an Unlock Method

The first screen you’ll see in the “BitLocker Drive Encryption” wizard lets you choose how to unlock your drive. You can select several different ways of unlocking the drive.


If you’re encrypting your system drive on a computer that doesn’t have a TPM, you can unlock the drive with a password or a USB drive that functions as a key. Select your unlock method and follow the instructions for that method (enter a password or plug in your USB drive).

If your computer does have a TPM, you’ll see additional options for unlocking your system drive. For example, you can configure automatic unlocking at startup (where your computer grabs the encryption keys from the TPM and automatically decrypts the drive). You could also use a PIN instead of a password, or even choose biometric options like a fingerprint.

If you’re encrypting a non-system drive or removable drive, you’ll see only two options (whether you have a TPM or not). You can unlock the drive with a password or a smart card (or both).


Step Three: Back Up Your Recovery Key

BitLocker provides you with a recovery key that you can use to access your encrypted files should you ever lose your main key—for example, if you forget your password or if the PC with TPM dies and you have to access the drive from another system.


You can save the key to your Microsoft account, a USB drive, a file, or even print it. These options are the same whether you’re encrypting a system or non-system drive.


If you back up the recovery key to your Microsoft account, you can access the key later at https://onedrive.live.com/recoverykey. If you use another recovery method, be sure to keep this key safe—if someone gains access to it, they could decrypt your drive and bypass encryption.


You can also back up your recovery key multiple ways if you want. Just click each option you want to use in turn, and then follow the directions. When you’re done saving your recovery keys, click “Next” to move on.


Note: If you’re encrypting a USB or other removable drive, you won’t have the option of saving your recovery key to a USB drive. You can use any of the other three options.


Step Four: Encrypt and Unlock the Drive

BitLocker automatically encrypts new files as you add them, but you must choose what happens with the files currently on your drive. You can encrypt the entire drive—including the free space—or just encrypt the used disk space to speed up the process. These options are also the same whether you’re encrypting a system or non-system drive.

If you’re setting up BitLocker on a new PC, encrypt the used disk space only—it’s much faster. If you’re setting BitLocker up on a PC you’ve been using for a while, you should encrypt the entire drive to ensure no one can recover deleted files.


When you’ve made your selection, click the “Next” button.


Step Five: Choose an Encryption Mode (Windows 10 Only)

If you’re using Windows 10, you’ll see an additional screen letting you choose an encryption method. If you’re using Windows 7 or 8, skip ahead to the next step.


Windows 10 introduced a new encryption method named XTS-AES. It provides enhanced integrity and performance over the AES used in Windows 7 and 8. If you know the drive you’re encrypting is only going to be used on Windows 10 PCs, go ahead and choose the “New encryption mode” option. If you think you might need to use the drive with an older version of Windows at some point (especially important if it’s a removable drive), choose the “Compatible mode” option.


Whichever option you choose (and again, these are the same for system and non-system drives), go ahead and click the “Next” button when you’re done, and on the next screen, click the “Start Encrypting” button.


Step Six: Finishing Up

The encryption process can take anywhere from seconds to minutes or even longer, depending on the size of the drive, the amount of data you’re encrypting, and whether you chose to encrypt free space.


If you’re encrypting your system drive, you’ll be prompted to run a BitLocker system check and restart your system. Make sure the option is selected, click the “Continue” button, and then restart your PC when asked. After the PC boots back up for the first time, Windows encrypts the drive.

If you’re encrypting a non-system or removable drive, Windows does not need to restart and encryption begins immediately.


Whatever type of drive you’re encrypting, you can check the BitLocker Drive Encryption icon in the system tray to see its progress, and you can continue using your computer while drives are being encrypted—it will just perform more slowly.
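The same six steps can be driven from an elevated PowerShell session using the BitLocker cmdlets that ship with Windows. The script below is an added example for a non-system (data) drive, not code from the original article; the drive letter `D:`, the key backup folder `E:\BitLockerKeys`, and the poll interval are placeholders you should adjust.

```powershell
# Added example (not from the original article): enable BitLocker on a data
# drive from an elevated PowerShell session, following the wizard's steps.
# Assumptions: D: is the drive to encrypt and E:\BitLockerKeys is a folder on
# a *different* drive (ideally removable) where the recovery key is saved.
#Requires -RunAsAdministrator

$MountPoint   = "D:"                 # placeholder: drive to encrypt
$KeyBackupDir = "E:\BitLockerKeys"   # placeholder: NOT on the drive being encrypted

# Step Two: unlock method. Read the password interactively so it never sits
# in the script file or in the shell history.
$password = Read-Host -Prompt "BitLocker password for $MountPoint" -AsSecureString

# Step Five: XtsAes256 is the "New encryption mode" (Windows 10+ only).
# Use Aes256 ("Compatible mode") if the drive must also open on Windows 7/8.
$method = "XtsAes256"

# Step Four: -UsedSpaceOnly is the fast path for a new, empty drive. Omit it
# on a drive that has held data so previously deleted files are covered too.
Enable-BitLocker -MountPoint $MountPoint `
                 -EncryptionMethod $method `
                 -PasswordProtector -Password $password `
                 -UsedSpaceOnly

# Step Three: add a 48-digit recovery password and write it to the backup
# folder. Anyone holding this file can unlock the drive, so move it off-box.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
foreach ($kp in $recovery) {
    $file = Join-Path $KeyBackupDir ("BitLocker-" + $kp.KeyProtectorId.Trim('{}') + ".txt")
    @(
        "Volume:       $MountPoint"
        "Protector ID: $($kp.KeyProtectorId)"
        "Recovery key: $($kp.RecoveryPassword)"
    ) | Set-Content -Path $file
    Write-Host "Recovery key saved to $file"
}

# Step Six: encryption runs in the background; poll until it completes.
do {
    Start-Sleep -Seconds 10
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("{0}: {1}% encrypted ({2})" -f $MountPoint, $vol.EncryptionPercentage, $vol.VolumeStatus)
} while ($vol.VolumeStatus -ne "FullyEncrypted")
```

For a system drive on a TPM machine, the equivalent call uses `-TpmProtector` (or `-TpmAndPinProtector -Pin`) in place of the password protector and a reboot replaces the immediate start of encryption, as described in Step Six.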


Unlocking Your Drive

If your system drive is encrypted, unlocking it depends on the method you chose (and whether your PC has a TPM). If you do have a TPM and elected to have the drive unlocked automatically, you won’t notice anything different—you’ll just boot straight into Windows like always. If you chose another unlock method, Windows prompts you to unlock the drive (by typing your password, connecting your USB drive, or whatever).


[Image: BitLocker unlock prompt at boot]

And if you’ve lost (or forgotten) your unlock method, press Escape on the prompt screen to enter your recovery key.


If you’ve encrypted a non-system or removable drive, Windows prompts you to unlock the drive when you first access it after starting Windows (or when you connect it to your PC if it’s a removable drive). Type your password or insert your smart card, and the drive should unlock so you can use it.


In File Explorer, encrypted drives show a gold lock on the icon (on the left). That lock changes to gray and appears unlocked when you unlock the drive (on the right).


You can manage a locked drive—change the password, turn off BitLocker, back up your recovery key, or perform other actions—from the BitLocker control panel window. Right-click any encrypted drive, and then select “Manage BitLocker” to go directly to that page.
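Beyond the control panel, the same information is available to a script, which is useful for checking that the choices made in Steps Two, Three and Five actually took effect. The audit below is an added example, not code from the original article; it runs from an elevated PowerShell session and flags a volume when it is not fully encrypted with protection on, when it uses the older compatible mode rather than XTS-AES, when it has no recovery password protector, or when an operating-system volume is not bound to the TPM.

```powershell
# Added example (not from the original article): audit BitLocker state on
# every fixed volume and report why a volume fails. Requires an elevated
# session; Get-Tpm needs the TPM module that ships with Windows 8 and later.
#Requires -RunAsAdministrator

$tpm = Get-Tpm
Write-Host ("TPM present: {0}  ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

$report = foreach ($vol in Get-BitLockerVolume) {
    # Skip volumes BitLocker cannot classify (e.g. the System Reserved partition).
    if ($vol.VolumeType -notin @("OperatingSystem", "Data")) { continue }

    $types  = $vol.KeyProtector.KeyProtectorType   # e.g. Tpm, TpmPin, Password, RecoveryPassword
    $issues = @()

    if ($vol.VolumeStatus -ne "FullyEncrypted") {
        $issues += "not fully encrypted ($($vol.VolumeStatus))"
    }
    # FullyEncrypted but ProtectionStatus Off means protection was suspended:
    # the key is stored in the clear until protection is resumed.
    if ($vol.ProtectionStatus -ne "On") {
        $issues += "protection is $($vol.ProtectionStatus)"
    }
    if ($vol.EncryptionMethod -notlike "XtsAes*") {
        $issues += "compatible mode ($($vol.EncryptionMethod)) rather than XTS-AES"
    }
    if ("RecoveryPassword" -notin $types) {
        $issues += "no recovery password protector (Step Three was skipped)"
    }
    if ($vol.VolumeType -eq "OperatingSystem" -and -not ($types -match '^Tpm')) {
        $issues += "OS volume is not bound to the TPM"
    }

    [pscustomobject]@{
        Drive      = $vol.MountPoint
        Type       = $vol.VolumeType
        Method     = $vol.EncryptionMethod
        Percent    = $vol.EncryptionPercentage
        Protectors = ($types -join ",")
        Result     = if ($issues.Count) { "FAIL: " + ($issues -join "; ") } else { "OK" }
    }
}

$report | Format-Table -AutoSize
```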

Like all encryption, BitLocker does add some overhead. Microsoft’s official BitLocker FAQ says that “Generally it imposes a single-digit percentage performance overhead.” If encryption is important to you because you have sensitive data—for example, a laptop full of business documents—the enhanced security is well worth the performance trade-off.


Translated from: https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/