The amount of sensitive data we accumulate on computers, laptops and USB drives keeps growing: work reports, legal documents, financial information, medical records, copies of ID cards… All of that usually sits on disks that anyone could read if they steal the computer or gain physical access to the device. Real-life examples abound: laptops stolen with tens of thousands of patient records, USB sticks lost with data on half a municipality, or companies that end up leaking data because their disks were never protected.
The good news is that disk encryption is now a basic, mature and relatively simple security measure to apply. In Windows, BitLocker is the best-known native option, but it's neither the only one nor always the best for every scenario. Let's take a detailed look at how it works, what it offers in terms of security, performance, and management, and how it compares to alternatives like VeraCrypt, FileVault, enterprise solutions (Symantec, ESET, ZENworks, Kaspersky), and other file and container encryption tools.
What is disk encryption and why does it matter so much?
Full disk encryption (FDE) consists of protecting the entire contents of a drive (system, data or external disks) so that, if someone steals the device or connects the disk to another computer, the data remains unreadable without the correct credentials. It is especially useful for laptops, external hard drives and USB flash drives, which are the devices most easily lost or stolen.
When an FDE system is active, the disk remains fully encrypted while the device is off or locked. Only after successful authentication (password, PIN, token, TPM, etc.) are the keys loaded into memory, allowing the system to read and write data normally. Once unlocked, however, the encryption does not protect you against malware, spyware or intruders who already have an open session. For that you still need antivirus, antimalware and good practices.
Alongside FDE there is file-level encryption (FLE, also called file-based encryption, FBE), which encrypts only specific files or folders. This approach is useful when encrypting an entire disk isn't worthwhile, or when you want to use different passwords or keys for different sets of sensitive files (for example, legal documentation separate from personal files). The drawback is key management: it is more flexible, but also easier to get confused and lose track of.
How does BitLocker work in Windows?
BitLocker is the disk encryption solution included in the professional, enterprise and education editions of Windows (Windows 10/11 Pro, Enterprise, Education). It can encrypt the operating system drive, internal data disks and removable drives (BitLocker To Go), primarily using the XTS-AES algorithm.
Once a drive is encrypted with BitLocker, its contents are completely unreadable without the encryption key or the recovery key. When the system starts or the disk is connected, the configured authentication takes place; past that point the system works "as if nothing happened": you read, write and run programs normally, while encryption and decryption happen transparently in the background.
BitLocker can store a recovery key that serves as a last resort if the password is lost or if something changes on the computer (for example, BIOS/UEFI, TPM or Secure Boot modifications) and the drive enters recovery mode. In home environments this key is usually saved to your Microsoft account, while in organizations it is stored in Active Directory or in services such as Microsoft Endpoint Manager for centralized management.
BitLocker integration with TPM, UEFI, and Secure Boot
Part of BitLocker's strength comes from its integration with the TPM (Trusted Platform Module), UEFI and Secure Boot. These elements work together so that the encryption keys stay protected even against advanced attacks with physical access to the machine.
- TPM: a dedicated chip, soldered onto the motherboard, designed for secure cryptographic operations and key storage. BitLocker "seals" the encryption key in the TPM, bound to a set of integrity measurements (the Platform Configuration Registers, PCRs). If someone tries to modify the firmware, the boot manager or certain critical files, the measurements no longer match, the TPM refuses to release the key, and the device enters recovery mode.
- UEFI + Secure Boot: UEFI replaces the classic BIOS with a more advanced boot environment. With Secure Boot enabled, only signed and trusted firmware, bootloaders and components are allowed to run. BitLocker measures the Secure Boot components (into PCRs, among other things) to detect unauthorized changes, preventing bootkits or rootkits from sneaking into the boot chain to steal keys.
- Reboot attack mitigation (MOR bit): before loading keys into memory, BitLocker follows TCG recommendations to minimize the risk of attacks that exploit RAM remanence after a sudden restart or shutdown.
In short, BitLocker is designed so that even someone who opens the computer, swaps disks, tampers with the UEFI or tries to boot an alternative OS cannot trick the TPM into releasing the encryption key bound to the original trusted environment.
BitLocker authentication methods and security policies

BitLocker supports several authentication methods to unlock the system drive on TPM-compatible devices:
- TPM only: the most convenient scenario, since the user enters nothing extra. If the TPM validation of the boot environment succeeds, Windows starts and only the usual Windows password is needed. It is convenient, but less robust against attacks with physical access, because there is no second factor.
- TPM + startup key (USB): part of the key is stored on a USB drive configured as the "startup key". Without that USB drive the volume cannot be decrypted, even if the attacker has the whole machine.
- TPM + PIN: in addition to the TPM, the user must enter a PIN during the pre-boot phase. The TPM has anti-hammering protections, so the number of PIN attempts is limited. This mode is a significant step up in security against attacks that require physical access.
- TPM + USB + PIN: a multifactor combination of TPM, a physical device and knowledge (the PIN). It is the option most resistant to targeted attacks, and very attractive for critical workstations.
On devices without a TPM (or in certain configurations), BitLocker also allows password-only authentication, especially for data drives and external devices. Even so, on modern hardware the ideal is to use the TPM and add an additional factor (PIN or USB).
To improve usability in businesses with many PIN-protected devices, Microsoft offers Network Unlock. On networks configured with WDS, devices with BitLocker and TPM+PIN can unlock automatically when booting inside the corporate network without the user typing the PIN, reducing friction without giving up much security.
Protection against physical attacks and DMA in BitLocker
BitLocker addresses a wide range of physical attack vectors, and combining its configuration with Windows policies lets you strengthen or relax security according to the risk profile.
Among the threats considered, the following stand out: DMA attacks (through ports that allow direct memory access, such as Thunderbolt), memory remanence, bootkits/rootkits, attempts to deceive the boot manager, and the exploitation of paging files, memory dumps and the hibernation file.
- DMA ports: Windows includes policies to block new DMA devices while the machine is locked, which greatly complicates attacks that try to reach RAM while the system is unlocked but unattended. In demanding environments it is recommended to enable the "Disable new DMA devices when this device is locked" policy.
- Memory remanence and sleep: by default Windows uses sleep mode (S3), in which the contents of memory are preserved and the user does not have to re-authenticate with BitLocker on resume. For high-security systems it is preferable to force hibernation (S4) and disable the classic sleep states via power policies; when hibernating, the disk is locked again and, on resume, the PIN or startup key is required.
- Bootkits and rootkits: it is recommended to keep Secure Boot enabled, set a BIOS/UEFI password and, where possible, use technologies such as Intel Boot Guard or AMD Hardware Verified Boot, which further strengthen the boot chain. BitLocker cryptographically verifies that the operating system being booted is the intended one; even if an attacker modifies the BCD to add another OS, they will not obtain the BitLocker key, because the PCR checks and certain registers (such as PCR 11) will not match.
- Paging files and dumps: when encrypting the system drive, BitLocker automatically protects the pagefile, memory dumps and the hibernation file. It also prevents the page file from being moved to unencrypted volumes, reducing the exposure of sensitive data that might be written there.
Depending on the attacker we want to defend against, the settings can be adjusted: against an unskilled attacker with limited physical access, "TPM only" mode is usually sufficient; against an attacker with time, resources and the ability to solder or use forensic tools, a profile with TPM+PIN, no sleep, and only hibernation or shutdown whenever the machine is out of our control is far more appropriate.
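As an added example (not code from the original article), the following PowerShell script applies the high-risk profile just described to the OS volume: it blocks new DMA devices while locked, replaces S3 sleep with hibernation and moves from TPM-only to TPM+PIN. It assumes C: is already encrypted with a TPM-only protector and a backed-up recovery password; the registry values mirror the Group Policy settings named in the comments, and the 15-minute hibernate timeout is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example: harden a BitLocker OS volume against physical and DMA attacks.
$OsVolume = "C:"                                        # assumption: OS volume
$Fve      = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"
# Policy "Allow standby states (S1-S3) when sleeping" lives under this power-setting GUID.
$Standby  = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab"

function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Policy "Disable new DMA devices when this device is locked".
Set-PolicyDword $Fve "DisableExternalDMAUnderLock" 1

# 2. No S3 sleep: forbid standby states on AC and battery, enable hibernation,
#    and make idle, lid close and power button hibernate instead (2 = Hibernate).
Set-PolicyDword $Standby "ACSettingIndex" 0
Set-PolicyDword $Standby "DCSettingIndex" 0
powercfg /hibernate on
foreach ($src in "setacvalueindex", "setdcvalueindex") {
    powercfg "/$src" SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0       # never idle into sleep
    powercfg "/$src" SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900   # hibernate after 15 min idle (arbitrary)
    powercfg "/$src" SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg "/$src" SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
}
powercfg /setactive SCHEME_CURRENT

# 3. Pre-boot PIN. Policy "Require additional authentication at startup" must allow
#    TPM+PIN (UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow) before the protector
#    can be created.
Set-PolicyDword $Fve "UseAdvancedStartup" 1
Set-PolicyDword $Fve "UseTPMPIN" 2

$vol = Get-BitLockerVolume -MountPoint $OsVolume
# Never swap protectors without a recovery password: a failed Add would otherwise
# leave the volume unbootable without recovery.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")) {
    throw "No recovery password protector on $OsVolume; add and back one up before continuing."
}
$pin = Read-Host "Startup PIN" -AsSecureString
# Only one TPM-based protector may exist, so remove TPM-only before adding TPM+PIN.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq "Tpm"
if ($tpmOnly) {
    Remove-BitLockerKeyProtector -MountPoint $OsVolume -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null
}
Add-BitLockerKeyProtector -MountPoint $OsVolume -TpmAndPinProtector -Pin $pin | Out-Null

# Report the protectors now in place; expect TpmPin and RecoveryPassword.
(Get-BitLockerVolume -MountPoint $OsVolume).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

On Modern Standby (S0ix) hardware the standby policy has no S3 to disable; the hibernate-on-idle and button settings still apply.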
Availability, Windows versions, and device encryption
Not all Windows users have full access to BitLocker. Full functionality is available in Windows 10/11 Pro, Enterprise and Education, for encrypting the system drive, internal data drives and removable devices. Windows Home, however, does not include full BitLocker.
Many modern laptops with Windows 10/11 Home have a feature called "Device encryption". If the hardware allows it (TPM, UEFI, Secure Boot, etc.), the device is automatically encrypted during initial setup, typically with the keys tied to a Microsoft account. It doesn't offer BitLocker's advanced options (for example, pre-boot authentication), but it provides a basic layer of protection in case of theft.
To find out whether your device supports device encryption, run msinfo32 and check the "Device Encryption Support" entry, which should read "Meets Prerequisites". If it doesn't, you will likely need a Pro edition or higher and configure BitLocker manually, or turn to third-party solutions.
BitLocker and performance: impact on SSDs and Windows 11
Encryption doesn't come free: it requires cryptographic operations on every read and write, and that inevitably consumes resources. On modern computers with CPUs that support AES hardware acceleration the impact is usually moderate, but independent tests show there can be noticeable performance losses, especially on fast SSDs.
Tests gathered by specialized media indicate that, with BitLocker enabled, some SSDs see reductions of up to 40-50% in sequential read/write speeds. This is most visible on high-end NVMe drives, where the bottleneck shifts from the drive to the processor that encrypts and decrypts the data. On traditional HDDs the impact exists, but the drive itself is already much slower, so the relative loss is less noticeable.
In Windows 11, and especially with the 24H2 branch, there has been quite a bit of noise about performance drops on SSDs encrypted with BitLocker. Microsoft has been shipping updates to optimize this behavior, but many users continue to report clear penalties. Those who prioritize maximum performance for gaming, video editing or very I/O-intensive workloads can consider disabling encryption or using it only on specific data disks, always weighing the risk of data exposure.
BitLocker that activates "by itself" and problems with recovery keys
A more common scenario than it seems: users who, after changing the boot configuration in the BIOS/UEFI (for example, from Legacy to UEFI) or reinstalling Windows, find that an external disk appears as "encrypted with BitLocker" without remembering ever having enabled it. In some cases this is because the device shipped with device encryption enabled, or a policy activated it during an update.
The big problem arises when no recovery key is available: not in the Microsoft account, not on a printed copy, not in Active Directory. BitLocker is designed precisely so that, without that key, the encryption is practically unbreakable. There is no magic command, key-generator script or secret Microsoft tool that recovers the data without the correct key.
In other words: if a disk shows up encrypted with BitLocker and there is no valid recovery key, password or known unlock method, the information is lost. Any service or program that promises to break the encryption by brute force in a reasonable time is not credible, unless the original password was absurdly weak. That's why it's crucial, as soon as BitLocker is enabled, to save the recovery key in several secure places (Microsoft account, a stored printout, the corporate password manager, etc.).
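As an added example that is not part of the original article, this PowerShell script inventories every BitLocker volume, adds a recovery password protector where one is missing, and escrows each recovery password both to a directory service and to a file on a removable drive. The $EscrowDir path and the AD DS / Entra ID choice are assumptions to adapt; the cmdlets are those of the built-in BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example: find volumes with no recovery key and escrow recovery passwords.
param(
    [ValidateSet("AD", "EntraID", "None")] [string] $Directory = "None",
    [string] $EscrowDir = "E:\bitlocker-escrow"   # assumption: removable drive kept offline
)

function Get-BitLockerInventory {
    # One row per volume: which protectors exist and whether a recovery password is missing.
    foreach ($v in Get-BitLockerVolume) {
        $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress...
            # FullyEncrypted with ProtectionStatus Off means a clear key is on disk (typical of
            # Device encryption before the recovery key has been backed up): data still readable.
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ",")
            NeedsRecoveryKey = ($v.VolumeStatus -ne "FullyDecrypted" -and $rp.Count -eq 0)
        }
    }
}

function Backup-RecoveryPasswords {
    foreach ($row in Get-BitLockerInventory) {
        if ($row.VolumeStatus -eq "FullyDecrypted") { continue }
        if ($row.NeedsRecoveryKey) {
            # Without this protector a firmware, TPM or Secure Boot change means the data is gone.
            Add-BitLockerKeyProtector -MountPoint $row.MountPoint -RecoveryPasswordProtector | Out-Null
        }
        $vol = Get-BitLockerVolume -MountPoint $row.MountPoint
        foreach ($p in $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword") {
            switch ($Directory) {
                "AD"      { Backup-BitLockerKeyProtector      -MountPoint $row.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
                "EntraID" { BackupToAAD-BitLockerKeyProtector -MountPoint $row.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null }
            }
            if ($EscrowDir) {
                # Second location: a plain-text copy on the offline escrow drive, one file per protector.
                New-Item -ItemType Directory -Path $EscrowDir -Force | Out-Null
                $file = Join-Path $EscrowDir ("{0}_{1}.txt" -f $env:COMPUTERNAME, $p.KeyProtectorId.Trim('{}'))
                @(
                    "Computer: $env:COMPUTERNAME"
                    "Volume: $($row.MountPoint)"
                    "Key protector ID: $($p.KeyProtectorId)"
                    "Recovery password: $($p.RecoveryPassword)"
                ) | Out-File -FilePath $file -Encoding ascii
            }
        }
    }
    Get-BitLockerInventory   # post-state: NeedsRecoveryKey should now be False everywhere
}

Backup-RecoveryPasswords |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus, Protectors, NeedsRecoveryKey -AutoSize
```

The key protector ID printed in the report is the value BitLocker's recovery screen shows, so the escrow files can be matched to a locked drive without trying every key.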
BitLocker alternatives for home and advanced users
While BitLocker is convenient and integrated into Windows, it's not the only way to protect your data. Other solutions exist, free and paid, open source and proprietary, covering everything from encryption of entire disks to encryption of individual files or virtual containers.
VeraCrypt: the open and ultra-flexible alternative
VeraCrypt is one of the spiritual successors of TrueCrypt and, for many, the best open alternative to BitLocker. It is available on Windows, macOS and Linux and allows you to:
- Encrypt system drives, data disks, and removable drives, similar to BitLocker.
- Create encrypted volumes and containers which are mounted as virtual drives, where only what is stored inside is protected.
- Set up hidden volumes and hidden operating systems, offering plausible deniability if someone forces you to hand over a password.
- Choose between multiple encryption and hashing algorithms, with highly adjustable parameters.
Its main advantage is that it is open source and has passed numerous security audits, which is reassuring for users who distrust Microsoft's closed-source code. The downside is that its interface can be unfriendly at first, and it doesn't integrate with corporate management tools as easily as BitLocker does. Even so, for personal use or small technical teams it is a very powerful option.
Simple file encryption and encrypted compression tools
If you don't need FDE but only want to protect a few specific files or folders, there are lighter and more direct programs than BitLocker or VeraCrypt, such as:
- AES Crypt: adds a context-menu option to encrypt or decrypt a file with AES-256 simply by entering a password. Available for Windows and Linux, it is extremely easy to use, aimed at users who want something "right-click and go".
- Password-protected compression programs (WinRAR, 7-Zip, WinZip, PeaZip…): they create password-protected archives, which in practice means encrypting the archive's contents. It's not the most robust solution, nor the best for large volumes of data, but it's very handy for sending encrypted files by email or uploading them to the cloud without much fuss.
- Cryptomator: designed for heavy cloud users (OneDrive, Dropbox, Google Drive, etc.). It creates a vault folder linked to the service in which all files are encrypted locally with AES-256 before being uploaded. In the cloud only obfuscated names and content are visible; they are decrypted in the Cryptomator client with your password.
- File Lock PEA, Easy File Locker, AxCrypt, Folder Guard, MyLockbox: each with its own approach (strong encryption, file hiding, cloud integration, access control for folders or applications…), they offer further options when you want more granular control than plain disk encryption gives.
Among users who are very security-conscious or have advanced knowledge, GnuPG (GPG) stands out as a universal cryptographic engine. Although it is driven from the command line by default, it offers highly versatile encryption and signing of data and communications, and with frontends such as Gpg4win it can be used on Windows with a friendlier interface.
Native encryption on macOS, Linux, and other platforms
It's not all about Windows. Other systems also have built-in and quite mature disk encryption options that compete head-to-head with BitLocker:
- FileVault 2 (macOS): included since OS X 10.7, it encrypts the Mac boot volume using XTS-AES-128 with a 256-bit key. It requires the credentials of an authorized account or the recovery key, which can be stored in iCloud for easier recovery. Additionally, Time Machine backups can inherit or supplement this encryption.
- LUKS (Linux): de facto standard in the Linux world for full disk encryption (often combined with dm-crypt). It allows you to encrypt partitions, entire disks, or logical volumes, and integrates well with boot managers like GRUB.
- EncFS + FUSE: creates encrypted file systems in user space, mountable on Linux, BSD, macOS, Windows and even Android via FUSE. It's convenient for building portable encrypted directories, with active community support on GitHub.
There are also hybrid solutions such as LibreCrypt for Windows (with partial support on Linux), which offers transparent disk encryption and easy-to-use container creation, and supports smart cards and tokens for authentication.
Business solutions: beyond BitLocker
In medium and large corporate environments, where centralized management of encryption policies, keys and states is needed, commercial tools that extend or replace BitLocker are often used.
- ESET Full Disk Encryption (part of ESET Protect Elite): encrypts hard drives, portable drives and emails with AES-256 and integrates with management consoles to manage keys, states and policies in both on-premises and cloud deployments.
- Symantec Encryption (Broadcom): offers full disk encryption with TPM integration, pre-boot authentication, and encryption of removable media and email. It features multiple recovery methods, smart card support, SSO, and file-level encryption capabilities for end-to-end protection.
- ZENworks Full Disk Encryption (Micro Focus / OpenText): designed for organizations that want to manage AES-256 encryption centrally. It allows pre-boot authentication with username/password or smart card, remote policies, and a console to manage keys and unlocks without local intervention.
- Kaspersky Endpoint Security – Disk Encryption and BitLocker: Kaspersky offers its own disk encryption with an Authentication Agent (with SSO options, agent accounts, token and smart card support, etc.) and also the ability to manage BitLocker from Kaspersky Security Center, including master key recovery, encryption policies and authentication modes.
In solutions like Kaspersky's it is possible to choose between Kaspersky Disk Encryption and BitLocker Drive Encryption, adjusting parameters such as: encrypting all disks or leaving them untouched, encrypting only used space, using hardware encryption or not, defining which accounts are created in the authentication agent, requiring a PIN or password, configuring SSO, and much more. What matters in these cases is that the central console stores and manages the master keys properly, to avoid mass lockouts if users forget their passwords.
Ultimately, organizations must evaluate for themselves, through pilot tests, which solution best fits their infrastructure, compliance policies and tolerance for vendor lock-in. BitLocker is usually a solid choice for Windows fleets, but it doesn't always cover every cross-platform scenario.
Given all these options, the ideal tool depends heavily on the scenario: for Windows Pro users, BitLocker is usually the most direct and transparent way to protect a laptop or external hard drive; for those seeking full control and transparency of the code, VeraCrypt and other open solutions provide added peace of mind; in companies, enterprise encryption suites make it possible to manage thousands of devices and recovery keys without going crazy.
In any case, what is clear is that leaving a disk full of sensitive data unencrypted today simply hands too many advantages to anyone who manages to get their hands on it.