Application Programmer (Infrastructure and OA support) at a government with 11-50 employees
Real User
May 14, 2021
Microsoft Bitlocker comes free with Windows but it lacks a full-fledged GUI, i.e. those users without command-line experience will find it difficult to use. Also, the recovery key files are to be kept as plain text as unencrypted (not safe).
However, because of simplicity, the disk encryption and decryption processes are comparatively straightforward and hassleless if you know how to do it.
To enable remote connection upon booting a Bitlocker client, a network control server (Microsoft option) has to be set up for the purpose, while it then requires all clients to have UEFI DHCP functionality, i.e. MBR-booted clients cannot be connected. As to the speed of disk encryption/decryption, Bitlocker is among the best options available in the market with the process taking less than an hour or so for a common NVMe 512GB SSD.
Sr. Solutions Sales Executive - Commercial/Charity/Healthcare/SMB Individual Contributor at Hypertec Direct
Real User
May 13, 2021
The main Pro (vs other encryption products) is that BitLocker is native to the Microsoft operating system in Windows Pro & Enterprise. It isn't something that stands on top of the OS. It also will encrypt the entire drive. Some other products only encrypt specific files/folders.
Any encryption product will cause some level of drag on the operating system. It has been noticed that BitLocker has less of a drag than some other products depending on how encryption is deployed or employed. I recommend doing a proof of concept to be sure encryption does not affect your systems negatively.
If you just need to encrypt files or folders then other products may be a better fit. But first, you need to be able to answer, "So why do you want to encrypt your devices?"... If you don't have a compelling reason to encrypt your devices, maybe you shouldn't.
One of the major reasons to encrypt endpoint devices is regulatory reasons. I would recommend BitLocker for any healthcare, financial services, high security work, government work etc., especially on their mobile devices or desktop devices in unsecure areas. With regulatory issues you need to have management tools that will show you and the auditors that a specific device was "in fact encrypted" when it was lost or stolen. If you use BitLocker without a management tool then you cannot unencrypt if a user looses the key, and you cannot prove it was encrypted if lost or stolen. Keeping a spreadsheet of keys is a big No-No since it can also be stolen or compromised.
That being said there are a few different ways to manage Bit Locker and I think that is where there may be some room to look at other products. Management tools for BitLocker also encrypt your keys on the management server so they cannot be compromised.
Management tools:
1: Configuration Manager. If you are a full Microsoft shop and have invested in Software Assurance in your desktop operating system, have an Enterprise Agreement, Microsoft 365 or other agreement with Software Assurance then Configuration Manager may already be available to you. If so, use Microsoft to manage BitLocker: https://techcommunity.microsof...
2: Sophos. Sophos has a management tool for BitLocker.
3: TrendMicro. Trend manages BitLocker in some of their solutions.
I am sure I am missing some others, and there may be other products that tout to be better, but be sure to ask yourself, "So why do you want to encrypt your devices?"
Out of the box, Bitlocker doesn’t meet FIPS 140-2 which is really the federal standard you should meet for encryption. You can set it up to meet FIPS 140-2, however, even at that, it only achieves FIPS 140-2 Level 1. You should look for products that meet Level 2 as a minimum.
I would also suggest doing a simple Google search for BitLocker hack. It’s quite amazing, and includes handy how to videos.
Beyond that, there are BitLocker issues around boot sector corruption, password sync that create a lot of administrative overhead.
Also, you need to consider centralized management of a Bitlocker environment that allows for key management as well as audit trails for proof of encryption.
Let me help with that. BitLocker can render your data and your drive is immediately inaccessible with only one tiny disc error. With a regular drive, such errors can be recovered and data can be retrieved.
If you have a BitLocker drive, it's "Adios, data!". I tried BitLocker 3 times on cloned backups over the years. Every. Single. Time. I would, within days, get a BSOD upon entering the password. This thing is bad. Really bad. If you just need certain things encrypted, VeraCrypt is FAR more reliable.
Microsoft BitLocker provides full-disk encryption, integrating seamlessly with Windows security features for enhanced data protection. Its deployment across diverse hardware ensures secure encryption, making it a reliable choice for businesses prioritizing data security.BitLocker offers robust disk encryption capabilities, appealing to organizations needing secure data protection. While it integrates well with System Center Configuration Manager and uses TPM for added security, areas like...
Microsoft Bitlocker comes free with Windows but it lacks a full-fledged GUI, i.e. those users without command-line experience will find it difficult to use. Also, the recovery key files are to be kept as plain text as unencrypted (not safe).
However, because of simplicity, the disk encryption and decryption processes are comparatively straightforward and hassleless if you know how to do it.
To enable remote connection upon booting a Bitlocker client, a network control server (Microsoft option) has to be set up for the purpose, while it then requires all clients to have UEFI DHCP functionality, i.e. MBR-booted clients cannot be connected. As to the speed of disk encryption/decryption, Bitlocker is among the best options available in the market with the process taking less than an hour or so for a common NVMe 512GB SSD.
The main Pro (vs other encryption products) is that BitLocker is native to the Microsoft operating system in Windows Pro & Enterprise. It isn't something that stands on top of the OS. It also will encrypt the entire drive. Some other products only encrypt specific files/folders.
Any encryption product will cause some level of drag on the operating system. It has been noticed that BitLocker has less of a drag than some other products depending on how encryption is deployed or employed. I recommend doing a proof of concept to be sure encryption does not affect your systems negatively.
If you just need to encrypt files or folders then other products may be a better fit. But first, you need to be able to answer, "So why do you want to encrypt your devices?"... If you don't have a compelling reason to encrypt your devices, maybe you shouldn't.
One of the major reasons to encrypt endpoint devices is regulatory reasons. I would recommend BitLocker for any healthcare, financial services, high security work, government work etc., especially on their mobile devices or desktop devices in unsecure areas. With regulatory issues you need to have management tools that will show you and the auditors that a specific device was "in fact encrypted" when it was lost or stolen. If you use BitLocker without a management tool then you cannot unencrypt if a user looses the key, and you cannot prove it was encrypted if lost or stolen. Keeping a spreadsheet of keys is a big No-No since it can also be stolen or compromised.
That being said there are a few different ways to manage Bit Locker and I think that is where there may be some room to look at other products. Management tools for BitLocker also encrypt your keys on the management server so they cannot be compromised.
Management tools:
1: Configuration Manager. If you are a full Microsoft shop and have invested in Software Assurance in your desktop operating system, have an Enterprise Agreement, Microsoft 365 or other agreement with Software Assurance then Configuration Manager may already be available to you. If so, use Microsoft to manage BitLocker: https://techcommunity.microsof...
Protect data & Infrastructure Microsoft doc: https://docs.microsoft.com/en-...
2: Sophos. Sophos has a management tool for BitLocker.
3: TrendMicro. Trend manages BitLocker in some of their solutions.
I am sure I am missing some others, and there may be other products that tout to be better, but be sure to ask yourself, "So why do you want to encrypt your devices?"
Out of the box, Bitlocker doesn’t meet FIPS 140-2 which is really the federal standard you should meet for encryption. You can set it up to meet FIPS 140-2, however, even at that, it only achieves FIPS 140-2 Level 1. You should look for products that meet Level 2 as a minimum.
I would also suggest doing a simple Google search for BitLocker hack. It’s quite amazing, and includes handy how to videos.
Beyond that, there are BitLocker issues around boot sector corruption, password sync that create a lot of administrative overhead.
Also, you need to consider centralized management of a Bitlocker environment that allows for key management as well as audit trails for proof of encryption.
I see the answers have no 'cons'.
Let me help with that. BitLocker can render your data and your drive is immediately inaccessible with only one tiny disc error. With a regular drive, such errors can be recovered and data can be retrieved.
If you have a BitLocker drive, it's "Adios, data!". I tried BitLocker 3 times on cloned backups over the years. Every. Single. Time. I would, within days, get a BSOD upon entering the password. This thing is bad. Really bad. If you just need certain things encrypted, VeraCrypt is FAR more reliable.
Hello @Usman Rasool, @Blanca Flores and @Jos-Katengwa,
Can you please assist @EwoudSpreeuwenberg?