

# Enabling BitLocker password #

Enables BitLocker Drive Encryption for a volume.

The Enable-BitLocker cmdlet enables BitLocker Drive Encryption for a volume. When you enable encryption, you must specify a volume and an encryption method for that volume. You can specify a volume by drive letter or by specifying a BitLocker volume object. For the encryption method, you can choose either Advanced Encryption Standard (AES) algorithms AES-128 or AES-256, or you can use hardware encryption if it is supported by the disk hardware.

BitLocker uses a key protector to encrypt the volume encryption key. When a user accesses a BitLocker encrypted drive, such as when starting a computer, BitLocker requests the relevant key protector. For example, the user can enter a PIN or provide a USB drive that contains a key. BitLocker decrypts the encryption key and uses it to read data from the drive.

You can use one of the following methods or combinations of methods for a key protector:

- TPM. BitLocker uses the computer's TPM to protect the encryption key. If you select this key protector, users can access the encrypted drive as long as it is connected to the system board that hosts the TPM and system boot integrity is intact. In general, TPM-based protectors can only be associated with an operating system volume.
- TPM and Personal Identification Number (PIN). BitLocker uses a combination of the TPM and a user-supplied PIN. A PIN is four to twenty digits or, if you allow enhanced PINs, is four to twenty letters, symbols, spaces, or numbers.
- TPM, PIN, and startup key. BitLocker uses a combination of the TPM, a user-supplied PIN, and input from a USB memory device that contains an external key.
- TPM and startup key. BitLocker uses a combination of the TPM and input from a USB memory device.
- Startup key. BitLocker uses input from a USB memory device that contains the external key.
- Recovery key. BitLocker uses a recovery key stored as a specified file.
- Active Directory Domain Services (AD DS) account.

You can specify only one of these methods or combinations when you enable encryption, but you can use the Add-BitLockerKeyProtector cmdlet to add other protectors.

For a password or PIN key protector, specify a secure string. You can use the ConvertTo-SecureString cmdlet to create a secure string. You can use secure strings in a script and still maintain confidentiality of passwords.

If you choose recovery password as your key protector but do not specify a 48-digit recovery password, this cmdlet creates a random 48-digit recovery password. The cmdlet stores the password as the RecoveryPassword field of the KeyProtector attribute of the BitLocker volume object.

If you use a startup key or recovery key as part of your key protector, provide a path to store the key. This cmdlet stores the name of the file that contains the key in the KeyFileName field of the KeyProtector field in the BitLocker volume object.

This cmdlet returns a BitLocker volume object.

If you use the Enable-BitLocker cmdlet on an encrypted volume or on a volume with encryption in progress, it takes no action. If you use the cmdlet on a drive that has encryption paused, it resumes encryption on the volume.

By default, this cmdlet encrypts the entire drive. If you use the UsedSpaceOnly parameter, it only encrypts the used space on the disk. This option can significantly reduce encryption time.

It is common practice to add a recovery password to an operating system volume by using the Add-BitLockerKeyProtector cmdlet, then save the recovery password by using the Backup-BitLockerKeyProtector cmdlet, and then enable BitLocker for the drive. This procedure ensures that you have a recovery option.

For an overview of BitLocker, see BitLocker Drive Encryption Overview on TechNet.

## Examples ##

### Example 1: Enable BitLocker ###

PS C:\> $SecureString = ConvertTo-SecureString "1234" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

This example enables BitLocker for a specified drive using the TPM and a PIN as the key protector.

The first command uses the ConvertTo-SecureString cmdlet to create a secure string that contains a PIN and saves that string in the $SecureString variable. For more information about the ConvertTo-SecureString cmdlet, type Get-Help ConvertTo-SecureString.

The second command enables BitLocker encryption for the BitLocker volume that has the drive letter C. The cmdlet specifies an encryption algorithm and the PIN saved in the $SecureString variable.
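The recovery-password procedure described above (add a recovery password, back it up, then enable BitLocker with the TPM and a PIN), as an added PowerShell example that is not part of the original page. It assumes an elevated session on a domain-joined computer with a TPM, and a Group Policy configuration that permits backing up recovery information to AD DS; the mount point and prompts are assumptions.

```powershell
# Added example, not from the page: add and escrow a recovery password, then enable
# BitLocker on the OS volume with the TPM and a PIN. Assumes an elevated session on a
# domain-joined computer with a TPM, and Group Policy that permits AD DS key backup.
$MountPoint = "C:"

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    # Enable-BitLocker takes no action on an encrypted or in-progress volume, so stop
    # here instead of adding a second recovery protector to a drive that already has one.
    Write-Warning "$MountPoint is '$($vol.VolumeStatus)'; nothing to do."
    return
}

# 1. Add the recovery password first so a recovery option exists before encryption starts.
#    No -RecoveryPassword is supplied, so the cmdlet generates a random 48-digit password.
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$recovery = $vol.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -Last 1

# 2. Escrow the recovery password in AD DS under the computer object.
Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId

# 3. Read the PIN as a secure string at run time instead of hard-coding it in plain text.
#    Without enhanced PINs, a PIN must be four to twenty digits.
$pin = Read-Host -Prompt 'Enter the BitLocker PIN' -AsSecureString
if ($pin.Length -lt 4 -or $pin.Length -gt 20) {
    throw "PIN must be between 4 and 20 characters."
}

# 4. Enable BitLocker with the TPM and PIN protector. -UsedSpaceOnly suits a freshly
#    provisioned volume; omit it on a drive that previously held sensitive data, because
#    deleted file contents can still sit in the unencrypted free space.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 -UsedSpaceOnly `
    -Pin $pin -TpmAndPinProtector

# 5. Confirm that both protectors are now attached to the volume.
(Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The final listing should show a RecoveryPassword protector alongside the TpmPin protector; if the recovery entry is missing, the escrow step had nothing to back up and the drive has no recovery option.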
