- Clear difference between EFS, BitLocker and device encryption, and when to use each one.
- Key checks: TPM, Secure Boot, WinRE and hardware compatibility before encrypting.
- Secure management of recovery keys and BitLocker protectors on drives and USB.
- Adjust the algorithm/strength settings if you notice a performance impact on an SSD.
Protecting what you store on your PC isn't optional: it's essential. Windows offers several layers of protection against unauthorized access to your data, whether your computer is stolen or someone pulls the disk and reads it from another system. With built-in tools you can encrypt individual files and folders, entire drives, and external devices in a few clicks.
In this guide you'll find everything you need to encrypt a folder with BitLocker, plus the alternatives: which edition of Windows you need, how to check whether your computer has a TPM, how to use EFS for individual items, and how to create and safely store the recovery key. I also explain what to do if you don't have a TPM, which algorithm and key length to choose, the possible performance impact, and what your options are if you're looking for something like a password-protected container or ISO.
What encryption options does Windows offer and how do they differ?
In Windows, three approaches coexist:
- Device encryption: activates protection automatically if your hardware meets certain requirements (TPM, Secure Boot, a configured WinRE; see the next section) and uploads the recovery key to your Microsoft account the first time you sign in with one. It is available even on Windows Home, but not on every computer.
- BitLocker: available in the Pro, Enterprise, and Education editions. Full-volume encryption for the system drive and for other internal or external drives (BitLocker To Go). Its main advantage is that it protects the entire volume, including the page file, hibernation file, temporary files and anything written to the drive later.
- EFS (Encrypting File System): designed for individual files and folders. Files are encrypted with a key tied to a certificate in your user profile, so only that account (or someone holding an exported copy of its key) can open them. It's ideal for a handful of sensitive documents, but it doesn't replace BitLocker for comprehensive protection: file names remain visible, and anything outside the encrypted folder stays in the clear.
How to tell if your device supports device encryption and TPM
To check for 'device encryption' compatibility, go to Start, search for 'System Information', right-click it and choose 'Run as administrator'. In 'System Summary', locate the 'Device Encryption Support' entry. If you see 'Meets prerequisites', you're all set; if you see messages like 'TPM is not usable', 'WinRE is not configured' or 'PCR7 binding is not supported', you will need to fix those points (enable the TPM and Secure Boot in the UEFI firmware, configure WinRE, and disconnect external docks or external graphics cards while booting, since DMA-capable devices detected at boot can also block it).
To confirm that a TPM is present: press Windows + X, open 'Device Manager', and under 'Security devices' look for 'Trusted Platform Module' version 1.2 or later (Windows 11 expects TPM 2.0). You can also run 'tpm.msc' from Windows + R. BitLocker works best with a TPM, but further down you'll see how to enable it without that chip.
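The same checks can be scripted. The following is an added example, not code from the original article: it reports TPM presence and spec version, Secure Boot state, whether WinRE is configured, whether the BitLocker cmdlets exist on this edition, and the current state of every volume. It assumes an elevated PowerShell prompt on Windows 10/11 with the built-in TPM, SecureBoot and BitLocker modules.

```powershell
# Added example (not from the original article): one-shot readiness check for
# BitLocker / device encryption. Run from an elevated PowerShell prompt.

function Get-EncryptionReadiness {
    $r = [ordered]@{}

    # TPM: presence, readiness and spec version (Windows 11 expects TPM 2.0).
    try {
        $tpm = Get-Tpm
        $r.TpmPresent = $tpm.TpmPresent
        $r.TpmReady   = $tpm.TpmReady
        $r.TpmSpec    = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                            -ClassName Win32_Tpm -ErrorAction Stop).SpecVersion
    } catch {
        $r.TpmPresent = $false; $r.TpmReady = $false; $r.TpmSpec = 'n/a'
    }

    # Secure Boot: the cmdlet throws on legacy BIOS / CSM systems.
    try { $r.SecureBoot = Confirm-SecureBootUEFI } catch { $r.SecureBoot = 'not UEFI' }

    # WinRE: device encryption refuses to enable without a configured recovery environment.
    $re = reagentc.exe /info 2>&1 | Out-String
    $r.WinRE = if ($re -match 'Windows RE status:\s+Enabled') { 'Enabled' } else { 'Disabled/unknown' }

    # The BitLocker cmdlets exist only on editions that ship BitLocker.
    $r.BitLockerAvailable = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)

    # Current protection state of every volume.
    if ($r.BitLockerAvailable) {
        $r.Volumes = Get-BitLockerVolume |
            Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod, EncryptionPercentage
    }
    [pscustomobject]$r
}

Get-EncryptionReadiness | Format-List
```

If 'TpmPresent' is true but 'TpmReady' is false, the TPM usually needs to be enabled or cleared in the UEFI firmware; 'SecureBoot' reported as 'not UEFI' means the machine boots in legacy/CSM mode, which device encryption does not support.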
Encrypt files and folders with EFS (Windows Pro/Enterprise/Education)
If you only want to protect a specific folder or a few files, EFS is quick and easy. Right-click the item, go to 'Properties', and click 'Advanced'. Check 'Encrypt contents to secure data' and confirm. If you encrypt a folder, the system will ask whether to apply the change only to the folder or also to its subfolders and files. Choose the option that best suits your needs.
Once activated, you'll see a small padlock on the icon. EFS encrypts for the current user: if you copy that file to another PC or try to open it from another account, it won't be readable. Be careful with temporary files (for example, from apps like Word or Photoshop): if the containing folder isn't encrypted, unencrypted working copies can be left behind. That's why it's recommended to encrypt the entire folder that holds your documents rather than individual files.
Highly recommended: back up your encryption certificate. Windows will prompt you to 'Back up your file encryption certificate and key'. Follow the certificate export wizard, save the .pfx file to a USB drive, and protect it with a strong password. If you reinstall Windows or switch users and didn't export the key, you may permanently lose access to those files.
To decrypt, repeat the process: Properties, Advanced, uncheck 'Encrypt contents to secure data' and apply. The behavior in Windows 11 is identical, so the step-by-step process is the same.
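The folder encryption, the verification that nothing was left in the clear, and the certificate backup described above can all be done from the command line. This is an added example, not code from the original article; the folder and backup paths are placeholders you should change, and it assumes you are running as the user who owns the files.

```powershell
# Added example (not from the original article): encrypt a documents folder
# with EFS, verify the result, and export the EFS certificate + private key
# to a password-protected .pfx. $Folder and $BackupPfx are assumed paths.

$Folder    = 'C:\Users\alice\Documents\Sensitive'   # assumed example path
$BackupPfx = 'E:\efs-backup.pfx'                    # assumed: a USB drive

# /E = encrypt, /S = recurse into subfolders. Encrypting the folder (not just
# the files) means new files and app temp files created inside it are encrypted too.
cipher.exe /E /S:"$Folder" | Out-Null

# Verify: every file should now carry the Encrypted attribute.
$unprotected = Get-ChildItem -Path $Folder -Recurse -File |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -eq 0 }
if ($unprotected) {
    Write-Warning "Still unencrypted: $($unprotected.FullName -join ', ')"
} else {
    Write-Host "All files under $Folder are EFS-encrypted for $env:USERNAME"
}

# Back up the EFS certificate. EFS certificates carry the Encrypting File
# System EKU (OID 1.3.6.1.4.1.311.10.3.4) in the current user's personal store.
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate found; encrypt a file first so Windows creates one.' }

$pfxPassword = Read-Host 'Password for the .pfx backup' -AsSecureString
Export-PfxCertificate -Cert $efsCert -FilePath $BackupPfx -Password $pfxPassword | Out-Null
Write-Host "EFS key exported to $BackupPfx (thumbprint $($efsCert.Thumbprint))"

# To decrypt later:          cipher.exe /D /S:"$Folder"
# To restore the key on another account or PC:
#   Import-PfxCertificate -FilePath $BackupPfx -CertStoreLocation Cert:\CurrentUser\My
```

Keep the .pfx off the machine it protects: anyone holding that file and its password can read every file encrypted with that certificate.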

Encrypting a folder with BitLocker (Windows Pro/Enterprise/Education)
BitLocker encrypts entire volumes, internal or external, not individual folders: to protect a folder you encrypt the drive that holds it. In File Explorer, right-click the drive you want to protect and choose 'Turn on BitLocker'. If the option doesn't appear, your edition of Windows doesn't include it. If you receive a warning about a missing TPM, don't worry: BitLocker can be used without one. It just requires a policy adjustment that I'll explain right after.
For a data drive, the wizard asks how to unlock it: with a password or a smart card (on the system drive of a PC with a TPM it doesn't ask, because the TPM releases the key automatically at boot). Use a long passphrase: length adds far more entropy than mixing uppercase, lowercase, digits and symbols in a short password. Then choose where to save the recovery key: in your Microsoft account, on a USB drive, in a file, or printed. Saving to your Microsoft account is very practical (retrieve it at onedrive.live.com/recoverykey), but keep an additional offline copy as well.
In the next step, decide whether to encrypt only the used space or the entire drive. The first option is faster and is fine for new or freshly wiped drives; on a drive that has been in use, encrypt the entire drive, because 'used space only' leaves previously deleted data in the unencrypted free space where it can still be recovered. More security means more initial time.
Finally, choose the encryption mode: 'New encryption mode' (XTS-AES) for drives that stay on Windows 10 version 1511 or later, or 'Compatible mode' (AES-CBC) if you'll move the drive to PCs running older versions of Windows. Leave 'Run BitLocker system check' selected and continue. If it's the system drive, the computer will restart and ask for your BitLocker password at startup before encryption begins; if it's a data drive, encryption starts in the background and you can keep working.
If you change your mind, right-click the encrypted drive in Explorer and open 'Manage BitLocker' to turn it off, change the password, back up or regenerate the recovery key, or enable automatic unlocking on that computer. BitLocker cannot stay enabled without at least one key protector (unlock method) on the volume.
Using BitLocker without TPM: Group Policy and Startup Options
If you don't have a TPM, open the Local Group Policy Editor with 'gpedit.msc' (Windows + R) and navigate to 'Computer Configuration' > 'Administrative Templates' > 'Windows Components' > 'BitLocker Drive Encryption' > 'Operating System Drives'. Open 'Require additional authentication at startup', set it to 'Enabled' and check 'Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)'. Apply the change and run 'gpupdate /target:Computer /force' to force its application. On a domain-joined PC this local setting may be overridden by domain policy.
When you start the BitLocker wizard on your system disk, it will then offer two methods: 'Insert a USB flash drive' (this saves a .BEK startup key that must be plugged in at every boot) or 'Enter a password' (a pre-boot password). If you use the USB option, the firmware must be able to read USB storage before Windows loads (enable USB support in the UEFI/BIOS settings); you are not booting from that USB drive, so don't change the boot order to it. Don't remove the USB drive until the whole process has finished.
Before encrypting, BitLocker runs a 'system check' to confirm that the key can be read during startup. If it fails with a boot-time message, check the boot order and security options (Secure Boot, USB support, etc.) and try again.
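The whole procedure from the two sections above (the policy change, enabling BitLocker on the system drive with a pre-boot password, and saving the recovery key off-box) can be done from an elevated PowerShell prompt. This is an added example, not code from the original article. The registry values it writes are the ones the 'Require additional authentication at startup' policy sets; on a domain-managed PC configure the policy centrally instead. It assumes the system drive is C: and that E: is a USB drive for the key backup.

```powershell
# Added example (not from the original article): enable BitLocker on the OS
# drive of a machine with no TPM. Assumed: system drive C:, USB drive E:.

$MountPoint   = 'C:'
$KeyBackupDir = 'E:\BitLockerKeys'   # assumed USB drive; never the drive being encrypted

# 1. Policy: allow BitLocker without a compatible TPM (equivalent to the gpedit step).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
gpupdate.exe /target:Computer /force | Out-Null

# 2. Start encryption with a pre-boot password protector. Whole-drive (not
#    used-space-only) encryption is chosen because the drive has been in use;
#    add -UsedSpaceOnly for a brand-new drive.
$pw = Read-Host 'Pre-boot password (long passphrase)' -AsSecureString
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw | Out-Null

# 3. Add a recovery password (the 48-digit key) as a second protector and save
#    it off-box, named after the protector ID that the recovery screen displays.
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
New-Item -ItemType Directory -Path $KeyBackupDir -Force | Out-Null
$keyFile = Join-Path $KeyBackupDir ("BitLocker Recovery Key " + $rp.KeyProtectorId.Trim('{}') + ".txt")
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Out-File -FilePath $keyFile -Encoding ascii

# 4. Confirm protectors and progress. Because -SkipHardwareTest was not passed,
#    the pre-boot system check runs on the next restart and encryption starts
#    only if the password could be read at boot.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
                  @{n='Protectors'; e={ $_.KeyProtector.KeyProtectorType -join ', ' }}
```

For a data drive or a USB stick (BitLocker To Go) the same 'Enable-BitLocker ... -PasswordProtector' call applies, with the drive letter changed and no policy change needed; 'Enable-BitLocker -MountPoint D: -AutoUnlock' afterwards gives the automatic unlock the wizard offers.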
BitLocker To Go: Protect USB drives and external hard drives
Connect the external device, right-click its drive in File Explorer, and choose 'Turn on BitLocker'. Set a password and save the recovery key. You can check 'Automatically unlock on this PC' so it opens without prompting here. On other PCs, the password will be requested when the drive is connected, before its contents can be read.
On very old systems (Windows XP/Vista) there is no native support for unlocking, but Microsoft released 'BitLocker To Go Reader' for read-only access to FAT-formatted drives. Windows 7 and 8.1 can unlock the drive natively, but only if it was encrypted in 'Compatible mode' (AES-CBC): they cannot read XTS-AES volumes. If you need backward compatibility, choose the 'compatible' encryption mode in the wizard.
Encryption algorithm and strength, and their impact on performance
By default, BitLocker uses XTS-AES with a 128-bit key on operating system and fixed data drives and AES-CBC 128 on removable drives. You can raise the key length to 256 bits or change the algorithm in Group Policy (gpedit.msc): 'Computer Configuration' > 'Administrative Templates' > 'Windows Components' > 'BitLocker Drive Encryption' > 'Choose drive encryption method and cipher strength'. Depending on the Windows version, the setting is split by drive type (operating system, fixed data, removable). The policy applies only to volumes encrypted after it is set; an already encrypted drive keeps its method until it is decrypted and re-encrypted. XTS-AES is the recommended choice for both robustness and performance.
With modern CPUs (AES-NI), the impact is usually minimal, but performance can drop on certain SSDs when BitLocker encrypts in software on a drive that has its own hardware encryption, which is what Windows 11 Pro does by default. Up to 45% lower random-read throughput has been measured in published tests on specific models (for example, the Samsung 990 Pro 4TB). Windows defaults to software encryption because several self-encrypting SSDs were found to implement their hardware encryption badly, so that default is the safer one. If you notice severe degradation, you can: 1) turn BitLocker off on that volume (sacrificing security), or 2) reinstall and force the SSD's own hardware encryption if you trust its implementation (a more complex process that depends on the manufacturer and on the drive being in a factory-fresh state).
Remember that stronger encryption (256-bit keys) means a slightly higher load, but on current hardware the difference is usually manageable. Prioritize security if you handle sensitive or regulated data.
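The policy described above can be set and checked from PowerShell. This is an added example, not code from the original article: it writes the registry values that 'Choose drive encryption method and cipher strength' stores (XTS-AES 256 for system and fixed drives, AES-CBC 256 for removable drives so they stay readable on older Windows) and then reports the method each volume actually uses, which is the way to see whether the drive's own hardware encryption is in play.

```powershell
# Added example (not from the original article): set the encryption-method
# policy and report what each volume is really using. Values the policy uses:
# 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
# Only volumes encrypted after this runs pick up the new method.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsOs'  -Value 7 -Type DWord  # OS drives
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsFdv' -Value 7 -Type DWord  # fixed data drives
Set-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsRdv' -Value 4 -Type DWord  # removable (BitLocker To Go)
gpupdate.exe /target:Computer /force | Out-Null

# What is each volume using now? EncryptionMethod is 'None' on unencrypted volumes.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, EncryptionMethod, ProtectionStatus, EncryptionPercentage

# manage-bde shows the same data and prints 'Hardware Encryption' as the method
# when the self-encrypting-drive path is active instead of software XTS-AES.
manage-bde.exe -status | Select-String 'Volume |Encryption Method|Conversion Status'
```

If a drive you expect to be fast shows a software method and the vendor documents OPAL/eDrive support, that combination is the scenario the paragraph above describes; moving it to hardware encryption still requires a decrypt, the corresponding 'Configure use of hardware-based encryption' policy, and a re-encrypt.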
Recovery keys: where to store them and how to use them
Always create and save a recovery key when you enable BitLocker. The options are: 'Save to your Microsoft account' (centralized access), 'Save to a USB flash drive', 'Save to a file', or 'Print the recovery key'. The key is a 48-digit code that lets you unlock the drive if you forget your password, lose the startup key, or if BitLocker detects a boot anomaly on the system drive (a firmware update, a changed boot order, or a tampered boot loader all trigger it).
If you encrypt multiple drives, each recovery key has its own identifier. A key saved to a file is named 'BitLocker Recovery Key <identifier>.TXT', and the recovery screen shows the first characters of the identifier of the key it wants, so you can pick the right one from several. To view keys saved to your Microsoft account, visit onedrive.live.com/recoverykey while signed in. Never store a key on the drive it protects, and keep an offline copy.
BitLocker's management console ('Manage BitLocker' in Control Panel) lets you change the password, add or remove unlock methods (password, TPM+PIN, startup key, smart card), back up or regenerate the recovery key, and turn off encryption when you no longer need it.
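Regenerating the recovery key, as the console above offers, is worth scripting when a key may have been exposed (printed copy lost, saved to a shared location). The following is an added example, not code from the original article: for every encrypted volume it adds a fresh recovery password, removes the old ones, escrows the new key to Active Directory or Entra ID when the device is joined, and otherwise returns it for offline storage. It assumes an elevated prompt on a machine with the BitLocker module.

```powershell
# Added example (not from the original article): rotate the recovery password
# on every BitLocker volume and escrow it where the device is joined.

function Reset-BitLockerRecoveryPassword {
    param([string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { return }

    # Add the new recovery password first, then drop the old ones, so the
    # volume is never left without a recovery protector.
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
             ForEach-Object KeyProtectorId)
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $new = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $_.KeyProtectorId -notin $old }
    foreach ($id in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    # Escrow: dsregcmd reports the join state of this device.
    $ds = dsregcmd.exe /status | Out-String
    if ($ds -match 'AzureAdJoined\s*:\s*YES') {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        $where = 'Entra ID'
    } elseif ($ds -match 'DomainJoined\s*:\s*YES') {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        $where = 'AD DS'
    } else {
        $where = 'nowhere (store the key offline)'
    }

    [pscustomobject]@{
        MountPoint  = $MountPoint
        KeyId       = $new.KeyProtectorId
        RecoveryKey = $new.RecoveryPassword
        EscrowedTo  = $where
    }
}

Get-BitLockerVolume | ForEach-Object { Reset-BitLockerRecoveryPassword -MountPoint $_.MountPoint }

# Later, when the password or TPM fails on a data drive:
#   Unlock-BitLocker -MountPoint D: -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
```

The output (with the 48-digit key) is meant to be written to removable media or a password manager and then cleared from the console; once the old protectors are removed, any previously printed or saved copy of the old key no longer unlocks the drive.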
Password-protected ISOs: reliable alternatives in Windows 11
Windows doesn't offer a native 'password-protected ISO'. Some utilities convert to their own formats (such as '.DAA' in PowerISO), which isn't ideal if you need to keep the '.ISO' file. Instead, create an encrypted container with VeraCrypt (free, open source) and mount it on demand: it works as a password-protected 'virtual drive' and is portable between PCs that have VeraCrypt installed.
If you want something lightweight to share, modern archivers support AES encryption: create a password-protected '.zip' or '.7z' archive with 7-Zip or WinRAR, choose AES-256 rather than the legacy ZipCrypto method, and, where the format allows it (.7z or .rar, not .zip), select the option to encrypt file names, so the archive listing itself reveals nothing. For external drives, BitLocker To Go is the recommended method on Windows Pro; on Home, VeraCrypt does the job well.
With all of the above, you can decide whether to encrypt a folder with EFS, an entire drive with BitLocker, or create a container with VeraCrypt. The key is to choose the method that fits your Windows edition and hardware, keep the recovery key safe, and adjust the algorithm and key length according to your priorities. If you take care of those three points, you'll have your data protected without complicating your life.
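The archive option above, done from the command line so it can be repeated or scheduled. This is an added example, not code from the original article; it assumes 7-Zip is installed at its default path and that the source folder and output path are placeholders you will change.

```powershell
# Added example (not from the original article): build a portable,
# password-protected 7z archive with AES-256 and encrypted file names.
# -t7z is required because header (file name) encryption (-mhe=on) exists
# only for the 7z format, not for .zip.

$SevenZip = 'C:\Program Files\7-Zip\7z.exe'     # assumed install location
$Source   = 'C:\Users\alice\Documents\Share'     # assumed example folder
$Archive  = 'C:\Users\alice\Desktop\share.7z'

$pw = Read-Host 'Archive password' -AsSecureString
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))

# a = add, -mx=5 = normal compression. The password is passed as an argument,
# so it is visible in this machine's process list while 7z runs.
& $SevenZip a -t7z -mhe=on -mx=5 "-p$plain" $Archive $Source | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
$plain = $null

# Sanity check: with encrypted headers, even listing the archive must fail
# under a wrong password; without -mhe=on the file names would be shown.
& $SevenZip l '-pdefinitely-wrong' $Archive *> $null
if ($LASTEXITCODE -ne 0) { 'Header encrypted: OK' } else { 'Header NOT encrypted: file names are visible' }
```

Share the password through a different channel than the archive itself; AES-256 does not help if both travel in the same e-mail.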
Editor specialized in technology and internet issues with more than ten years of experience in different digital media. I have worked as an editor and content creator for e-commerce, communication, online marketing and advertising companies. I have also written on economics, finance and other sectors websites. My work is also my passion. Now, through my articles in Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.

