Tip of the Day: BitLocker ‘Encrypt Used Disk Space Only’

Today’s tip…

Previously, BitLocker encryption was all or nothing: either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’. Just like it sounds, this option encrypts only the sectors of the volume that currently hold data; free space is left as it is. As files are added to the volume, they are encrypted as they are written.

To the end user this means a much shorter time for BitLocker to complete the initial encryption of a new volume. For volumes that already have (or have ever had) data on them, the ‘Encrypt entire drive’ option is recommended, because free space that once held plaintext is left unencrypted in used-space-only mode and its contents may still be recoverable.

There is a GPO which you can use to enforce Used Space Encryption on Windows 8:

Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\Enforce drive encryption type on operating system drives:

  • Allow User to Choose
  • Full Encryption
  • Used Space Encryption

This GPO is also available for Fixed Data Drives and Removable Drives.

Manage-bde command (turns BitLocker on for C: with a recovery password protector and encrypts used space only; the long forms of the switches are -RecoveryPassword and -UsedSpaceOnly):

  • manage-bde -on C: -rp -used
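The same enable step, plus the check that the thread below keeps asking for, as an added PowerShell example (this is not code from the original post). It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated session, and that the drive letters and the "FDE required" policy are illustrative. It reads the conversion state through the BitLocker WMI provider, because the EncryptionFlags value is what distinguishes a used-space-only volume from a fully encrypted one when both report "FullyEncrypted".

```powershell
# Added example, not from the original post. Assumes Windows 8 / Server 2012 or later
# (BitLocker module present) and an elevated session. Drive letters and the
# "FDE required" compliance rule below are assumptions for illustration.

$BdeNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Enable-BitLockerUsedSpaceOnly {
    # PowerShell equivalent of: manage-bde -on <drive> -rp -used
    # Pass -FullEncryption for a re-imaged drive that once held plaintext.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [switch]$FullEncryption
    )
    $params = @{
        MountPoint                = $MountPoint
        RecoveryPasswordProtector = $true
    }
    if (-not $FullEncryption) { $params.UsedSpaceOnly = $true }
    # Enable-BitLocker takes one protector type per call; on an OS drive add the TPM
    # protector separately with Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector.
    Enable-BitLocker @params
}

function Get-BitLockerConversionReport {
    # Reports, per volume, whether it was encrypted in full or used-space-only mode.
    # Win32_EncryptableVolume.GetConversionStatus returns ConversionStatus,
    # EncryptionPercentage and EncryptionFlags; bit 0 (0x1) of EncryptionFlags is set
    # when the volume was encrypted in used-space-only (data-only) mode.
    param([string[]]$DriveLetter)

    $volumes = Get-WmiObject -Namespace $BdeNamespace -Class Win32_EncryptableVolume
    if ($DriveLetter) {
        $volumes = $volumes | Where-Object { $DriveLetter -contains $_.DriveLetter }
    }
    foreach ($v in $volumes) {
        $cs = $v.GetConversionStatus()
        $state = switch ($cs.ConversionStatus) {
            0       { 'FullyDecrypted' }
            1       { 'FullyEncrypted' }
            2       { 'EncryptionInProgress' }
            3       { 'DecryptionInProgress' }
            4       { 'EncryptionPaused' }
            5       { 'DecryptionPaused' }
            default { 'Unknown' }
        }
        $usedOnly = [bool]($cs.EncryptionFlags -band 0x1)
        [pscustomobject]@{
            Drive         = $v.DriveLetter
            State         = $state
            Percent       = $cs.EncryptionPercentage
            UsedSpaceOnly = $usedOnly
            # Assumed compliance rule: only a fully converted, full-disk volume counts as FDE.
            MeetsFDE      = ($state -eq 'FullyEncrypted' -and -not $usedOnly)
        }
    }
}

# Usage (illustrative):
#   Enable-BitLockerUsedSpaceOnly -MountPoint 'C:'
#   Get-BitLockerConversionReport | Format-Table -AutoSize
```

The report function is the part worth keeping around: manage-bde -status prints "Used Space Only Encrypted" as the conversion status, but a script that only looks at the percentage or at the cmdlet's volume status will count a used-space-only volume as fully encrypted, which is exactly the reporting gap raised in the comments.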
Comments (9)
  1. Michal Zyzak says:

    Is it possible to switch from ‘Encrypt Used Disk Space Only’ to ‘Full Encryption’ programmatically without decrypting and re-encrypting?

  2. Tim says:

    How do you turn this crap off?
    Not everyone is using SCCM (yet)…


    1. Tim says:

      I found my own solution.

    2. This isn’t System Center, it’s a GPO. To turn it off, don’t enable the GPO.

  3. Djanuary says:

    I am not seeing how this will meet compliance when FDE is required. From what I can tell, though this will save time during the build, there is no way to convert the drive from Used Space Only to Fully Encrypted. So when running reports it will report back that it is used space only. I see this as a big issue, and in the effort to save time data could be left vulnerable. If there is some option I am not aware of, it would be great to know how to convert the drive without decrypting it and then re-encrypting it, which would defeat the purpose of used space only to save time.

  4. Ruadog,

    If you have the time to do a full encryption, then do that.  But this just gives you some flexibility if you need to roll out faster.

  5. ruadog says:

    I fail to understand the usefulness of this option.  If I'm building a new machine in a corporate environment, I can just let the encryption finish before delivering it to the end user. Even as an end user, I'm not using the machine 24/7. Unless you have a multi TB drive, just leave it on overnight and it will finish.  This is a one-time operation so why not just get it done right from the start and not have to worry about the kinds of issues Rob pointed out. By letting it finish before deployment, you also avoid the performance penalty of constantly encrypting as data is added to the drive.

    1. Thomas Anderson says:

      Re: Ruadog
      “By letting it finish before deployment, you also avoid the performance penalty of constantly encrypting as data is added to the drive.”

      I don’t think this is how it works. Even if you have encrypted the entire drive today, you have only encrypted all the data that currently exists on the disk today; it should not shorten the time to write a new file to the disk tomorrow. The new file still requires an encryption process (and time) before it is written onto the disk.

      Can anyone clarify?

  6. Rob S says:

    There are some nuances I'd like to clarify for people. If decrypted data was ever on the drive (you're rebuilding a machine and there was no encryption previously on it), then even though it's a "new volume", you should still use "encrypt entire drive", otherwise the plaintext content that used to be on there may still be recoverable. If the computer is brand new, the drive never had data on it, or the drive was previously encrypted, then the Used Space option is terrific.
