Encrypt Your Devices
Improve the physical security of your stored data
What is device encryption?
When you enable device encryption, you tell your computer to add a layer of protection to the files and data stored inside. It's really just a clever sort of scrambling of files for anyone besides you that tries to view them. This type of encryption is sometimes called Full Disk Encryption (or FDE) or encryption at rest.
Why encrypt my device?
Device encryption can help you in a few ways. First, it can protect your files if your device is ever lost or stolen. It can also help protect your data when your device is left unattended in a public or shared place. And it can make disposing of, recycling, or gifting your old device a bit safer down the line.
In all cases, it stores the actual data in the computer in a scrambled way, so it's harder for anyone accessing that computer (besides those authorized) to get to that data. It's not perfect, but it's another layer that can make you harder to hack!
- Encryption can make your files unrecoverable if you forget your password. There isn't a regular “password reset” for an encrypted device. So, most good device encryption tools allow you to create a recovery key, so you have something to help you in addition to your computer password.
- You should have good backups before starting with device encryption. This can help you if something goes wrong during the initial encryption step or if you ever lose your password and recovery key. Check out our guide on how to easily set that up.
Device encryption provides the best protection when a computer is shut down. When the desktop or laptop is on, much of your data is in a sort of unencrypted state. But shutting it down can provide an easy way to lock it down, so to speak. A good practice here is to shut down your computer when you'll be leaving it unattended or while traveling with it.
macOS device encryption
On macOS, device encryption is called FileVault and this is super simple to enable.
- Start by making sure you are using a strong and unique password to log in to your Mac. This password is also used to access your encrypted device once you turn on encryption. If this isn't a good password, it could be easy for someone to break the encryption and access your files.
- Follow Apple's quick and easy guide to turn FileVault on (but not before reading the important note in the next step).
- We recommend choosing the “Create a recovery key…” option when prompted for how you'd like to reset your password if you forget it, rather than choosing the iCloud storage option.
- When you see the generated recovery key, make sure to store it somewhere safe. You could opt to store this in your Password Manager or even store it somewhere safely on paper. This can be used to unlock your computer instead of your password.
Windows device encryption
On Windows, device encryption can be referred to by different names, and some versions of Windows don't include it at all. We'll walk through the various possibilities and guide you in finding the one that applies to your laptop or desktop.
Your option should be one of the following:
- Device encryption
- A 3rd party tool
Let's find the one that applies to your system.
On newer Windows 10 and 11 systems with newer hardware, you may be able to simply find and enable Device encryption. Take a look at the steps Microsoft lists here for your version of Windows (10 or 11). You may find a simple “on” switch or find out that it isn't available on your system. If you find the switch, you should be able to turn it on there.
If you found that Device encryption was not available in the previous step, you'll now need to determine if you can use BitLocker, Microsoft's other full disk encryption option for Windows.
If you are using Windows 10 or 11 Home edition, you will not be able to use BitLocker. If you are using an edition such as Pro or Enterprise, you should be able to use BitLocker. You can check your edition of Windows 10 or 11 following these steps.
If you determine that you have the Home edition, you can opt to upgrade Windows to the Pro edition for a fee. See Microsoft's guide here if you'd like to do the paid upgrade. Then come back and follow the BitLocker step below.
If you determine that you have Windows 10 or 11 Pro or Enterprise (and Step 1 didn't work for you), you can now attempt to enable BitLocker. Take a look at the steps Microsoft lists here for your version of Windows (10 or 11). Follow the steps under “Turn on standard BitLocker encryption.”
Once you have successfully enabled Windows Device encryption or BitLocker, be sure to back up your recovery key somewhere safe. See here to learn how to find your recovery key. Then you could opt to store this in your Password Manager or even store it somewhere safely on paper.
You can learn more about Windows encryption options and see Microsoft's advice in determining what is available to you here.
Mobile device encryption
Modern iOS and Android devices encrypt your internal storage by default. So, you shouldn't have to do anything to enable encryption on your phones or tablets.
Just be sure to set a strong and unique password on your mobile device. Since the password is the key to “unlocking” the encrypted device, it'll need to be good for the best protection.
If you happen to have an older pre-2015 Android device that can't run newer versions of Android OS, you may need to enable it manually. Take a look at this guide for more info on setting that up.