How To Encrypt Computer/Laptop Drives | Unlock With USB | Bitlocker Method

With this tutorial, you will be able to encrypt your PC so no one will be able to access it if your Key-USB is not plugged in. This way if my friends from the LSPD come over and take your PC it will be useless for them. They will not be able to boot it nor will they be able to read any files from your hard drive / SSD. Combined with network protection (VPN/Proxy) this will be the most secure setup you can have.

This tutorial is not by me! I am reposting it from a different website to help you guys out!

Step One: Enable BitLocker (If You Haven’t Already)

This, obviously, requires BitLocker drive encryption, which means it only works on Professional and Enterprise editions of Windows.

Before you can follow any of the steps below, you’ll need to enable BitLocker encryption on your system drive from the Control Panel.

If you go out of your way to enable BitLocker on a PC without a TPM, you can choose to create a USB startup key as part of the setup process. This will be used instead of the TPM. The below steps are only necessary when enabling BitLocker on computers with TPMs, which most modern computers have.

If you have a Home version of Windows, you won’t be able to use BitLocker. You may have the Device Encryption feature instead, but this works differently from BitLocker and doesn’t allow you to provide a startup key.

Step Two: Enable the Startup Key in Group Policy Editor
Once you’ve enabled BitLocker, you’ll need to enable the startup key requirement in Windows’ group policy.

To open the Group Policy Editor, press Windows+R on your keyboard, type “gpedit.msc” into the Run dialog, and press Enter.

Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives in the Group Policy window.

Double-click the “Require Additional Authentication at startup” option in the right pane.

Select “Enabled” at the top of the window here. Then, click the box under “Configure TPM Startup Key” and select the “Require Startup Key With TPM” option. Click “OK” to save your changes.

Step Three: Configure a Startup Key for Your Drive

You can now use the manage-bde command to configure a USB drive for your BitLocker-encrypted drive.

First, insert a USB drive into your computer. Note the drive letter of the USB drive, for example D:. Windows will save a small .bek file to the drive, and that’s how it will become your startup key.

Next, launch a Command Prompt window as Administrator. On Windows 10 or 8, right-click the Start button and select “Command Prompt (Admin)”. On Windows 7, find the “Command Prompt” shortcut in the Start menu, right-click it, and select “Run as Administrator”.

Run the following command. The below command works on your C: drive, so if you want to require a startup key for another drive, enter its drive letter instead of c: . You’ll also need to enter the drive letter of the connected USB drive you want to use as a startup key instead of x: .

manage-bde -protectors -add c: -TPMAndStartupKey x:

The key will be saved to the USB drive as a hidden file with the .bek file extension. You can see it if you show hidden files.

You’ll be asked to insert the USB drive the next time you boot your computer. Be careful with the key–someone that copies the key from your USB drive can use that copy to unlock your BitLocker-encrypted drive.

To double-check whether the TPMAndStartupKey protector was added properly, you can run the following command:

manage-bde -status 

(The “Numerical Password” key protector displayed here is your recovery key.)
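
The same verification from PowerShell, extended to confirm the Step Two policy and to flag a leftover TPM-only protector. This is an added example, not part of the original tutorial; it assumes the system drive is C:, an elevated session, and the built-in BitLocker cmdlets.

```powershell
# Added example: audit the result of Steps Two and Three.
# Run from an elevated PowerShell prompt. $Mount is an assumption (system drive C:).
$Mount = 'C:'

# Step Two: Group Policy stores the BitLocker settings under this registry key.
# UseAdvancedStartup = 1 -> "Require additional authentication at startup" is enabled
# UseTPMKey          = 1 -> "Require startup key with TPM"
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$policyOk = ($null -ne $fve) -and ($fve.UseAdvancedStartup -eq 1) -and ($fve.UseTPMKey -eq 1)

# Step Three: list the key protectors currently on the volume.
$vol   = Get-BitLockerVolume -MountPoint $Mount -ErrorAction Stop
$types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

$checks = [ordered]@{
    'Policy requires startup key with TPM' = $policyOk
    'Volume fully encrypted'               = ($vol.VolumeStatus -eq 'FullyEncrypted')
    'Protection is on (not suspended)'     = ($vol.ProtectionStatus -eq 'On')
    'TPM + startup key protector present'  = ($types -contains 'TpmStartupKey')
    # Any single protector unlocks the drive, so a leftover TPM-only
    # protector would let the machine boot without the USB key.
    'No TPM-only protector left'           = ($types -notcontains 'Tpm')
    # manage-bde shows this one as "Numerical Password": the recovery key.
    'Recovery password present'            = ($types -contains 'RecoveryPassword')
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) { $state = 'OK  ' } else { $state = 'FAIL'; $failed++ }
    Write-Output ("[{0}] {1}" -f $state, $name)
}
Write-Output ("Protectors on {0}: {1}" -f $Mount, ($types -join ', '))
if ($failed -gt 0) { Write-Warning "$failed check(s) failed; review the steps above." }
```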

I also recommend writing down the decryption key so whenever you lose your USB you have a backup. Keep that piece of paper extremely hidden and do not share the location with anyone!

Enjoy!
