Bellator Cyber Guard

Device & drive encryption guide

Encryption is the single most effective way to protect data on lost or stolen devices. Learn how to enable full-disk encryption on Windows and Mac, and why compliance frameworks like IRS Publication 4557 require it.

The Basics

What is device encryption?

Device encryption converts all data on a hard drive into unreadable ciphertext using a mathematical algorithm and an encryption key. Without the correct key, the data is completely inaccessible, even if someone removes the hard drive and connects it to another computer.

Think of encryption as a lockbox for your entire hard drive. When you log in with your password, the system uses your credentials to unlock the encryption key, and data is decrypted on the fly as you use it. When the device is off or locked, the data remains scrambled and unreadable.

Modern encryption algorithms like AES-256 are considered computationally infeasible to break with current technology. Even the world's fastest supercomputers would take billions of years to crack a properly encrypted drive by brute force. This means that if your encrypted laptop is stolen, the thief gets the hardware but none of your data.

  • 70M+ laptops lost or stolen yearly: encryption ensures lost devices do not become data breaches.
  • AES-256, industry standard: the same encryption standard used by governments and militaries worldwide.
  • 0% performance impact: modern hardware encryption has virtually no impact on system speed.

Encryption Methods

Types of encryption explained

Different encryption approaches serve different purposes. Understanding the differences helps you choose the right protection for your situation.

Full-Disk Encryption (FDE)

Encrypts the entire hard drive, including the operating system, applications, and all files. Data is automatically encrypted when written and decrypted when read by an authorized user.

  • Protects all data automatically
  • No user action required after setup
  • Meets most compliance requirements

Best for: laptops, desktops, and any device that could be lost or stolen.

File-Level Encryption

Encrypts individual files or folders rather than the entire drive. Users choose which specific files to protect with a password or key.

  • Granular control over what is encrypted
  • Can encrypt files before sharing
  • Lower performance impact

Best for: sensitive documents shared via email or cloud storage.

Hardware-Based Encryption

Uses a dedicated chip (a TPM that protects the key, or a self-encrypting drive that performs the encryption itself) to handle encryption operations. The encryption key never leaves the hardware, making it resistant to software attacks.

  • Faster than software encryption
  • Keys stored in tamper-resistant hardware
  • No CPU overhead

Best for: high-security environments and enterprise deployments.

Windows

How to enable BitLocker on Windows

BitLocker is Microsoft's built-in full-disk encryption tool available on Windows 10/11 Pro, Enterprise, and Education editions.

1. Check TPM Availability

Open Device Manager and expand "Security devices." Look for "Trusted Platform Module" version 1.2 or higher. Most modern PCs include a TPM chip. If yours does not, BitLocker can still work using a USB startup key.

2. Open BitLocker Settings

Go to Settings > Privacy & Security > Device encryption, or search "BitLocker" in the Start menu and select "Manage BitLocker." Windows 11 Pro, Enterprise, and Education editions include BitLocker. Windows 11 Home includes Device Encryption if a TPM is present.

3. Turn On BitLocker

Click "Turn on BitLocker" for your operating system drive. Windows will check that your system meets the requirements. If prompted, choose how to unlock your drive at startup (TPM is recommended for seamless operation).

4. Save Your Recovery Key

Choose where to back up your recovery key: Microsoft account, USB flash drive, a file, or print it. Store this key securely and separately from the encrypted device. Without it, you will permanently lose access to your data if the TPM fails.

5. Choose Encryption Mode

Select "Encrypt entire drive" for maximum security (recommended for drives already in use). Choose "New encryption mode (XTS-AES)" for fixed drives, or "Compatible mode" for removable drives that may be used on older Windows versions.

6. Start Encryption

Click "Start encrypting." The initial encryption may take several hours depending on drive size. You can continue using your computer during this process. Do not shut down or lose power until encryption completes.
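The six steps above run from an elevated PowerShell session instead of the Control Panel. This is an added example, not Microsoft's or this page's own script; it assumes a Windows 10/11 Pro, Enterprise or Education machine with a TPM 1.2 or later and the built-in BitLocker and TrustedPlatformModule modules.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on the Windows system drive with a TPM protector and a
# recovery password, mirroring the six GUI steps above. Assumes Pro/Enterprise/Education
# edition and the built-in BitLocker and TrustedPlatformModule PowerShell modules.

$osDrive = $env:SystemDrive   # usually "C:"

# Step 1: a ready TPM is needed for transparent unlock. Without one, BitLocker needs a USB
# startup key and the "Allow BitLocker without a compatible TPM" policy instead.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found (present=$($tpm.TpmPresent), ready=$($tpm.TpmReady))."
}

# Step 2: do nothing if the drive is already protected.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$osDrive is already protected (method: $($vol.EncryptionMethod))."
    return
}

# Steps 3-5: create the recovery password first so a key exists before any data is encrypted,
# then start encryption in "New encryption mode" (XTS-AES-256) over the entire drive
# (no -UsedSpaceOnly) and add the TPM protector for unlock at startup.
Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 `
    -RecoveryPasswordProtector -SkipHardwareTest
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmProtector | Out-Null

# Step 4: the 48-digit recovery password must be stored away from this device. Either escrow it
# to Entra ID / Azure AD (joined devices only) or record the printed value in a separate secure place.
$rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
# BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId
Write-Host "Recovery key $($rp.KeyProtectorId): $($rp.RecoveryPassword)  <- record this off-device"

# Step 6: encryption continues in the background; re-run this line to check progress.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, EncryptionMethod, VolumeStatus, EncryptionPercentage, ProtectionStatus
```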

macOS

How to enable FileVault on Mac

FileVault is Apple's built-in full-disk encryption for macOS. On newer Apple Silicon Macs, encryption is enabled by default.

1. Open System Settings

Click the Apple menu and choose "System Settings" (macOS Ventura and later) or "System Preferences" (older versions). Navigate to "Privacy & Security." On Apple Silicon Macs (M1 and later), FileVault is enabled by default when you set a login password.

2. Enable FileVault

Scroll down to the FileVault section and click "Turn On." You will be prompted to authenticate with your administrator password. If you have multiple user accounts, you must choose which users can unlock the disk.

3. Choose Recovery Method

Select whether to use your iCloud account or create a recovery key to unlock the disk if you forget your password. If you choose a recovery key, write it down and store it in a secure location separate from the Mac.

4. Encryption Begins

FileVault encrypts the startup volume using XTS-AES-128 encryption with a 256-bit key. On modern Macs with SSDs, encryption typically completes within an hour. You can continue working during this process. Older Macs with spinning hard drives may take significantly longer.
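The same checks on a Mac, as an added example that is not Apple's or this page's code: it only wraps Apple's fdesetup tool, and it assumes PowerShell 7 (pwsh) is installed on the Mac and the script is run with sudo.

```powershell
# Added example: audit FileVault on a Mac from PowerShell 7 (pwsh assumed installed), wrapping
# Apple's fdesetup tool. Run with sudo: "fdesetup list" and "fdesetup enable" need root.

function Get-FileVaultState {
    $status = (& fdesetup status) -join ' '   # "FileVault is On." / "FileVault is Off." ...
    $on = $status -match 'FileVault is On'
    [pscustomobject]@{
        Enabled             = $on
        DeferredPending     = $status -match 'Deferred enablement'
        # Step 2: accounts allowed to unlock the disk at startup ("name,UUID" per line)
        UnlockUsers         = $(if ($on) { @(& fdesetup list) } else { @() })
        # Step 3: whether a personal (user) or institutional (organization) recovery key exists
        HasPersonalKey      = ((& fdesetup haspersonalrecoverykey) -eq 'true')
        HasInstitutionalKey = ((& fdesetup hasinstitutionalrecoverykey) -eq 'true')
    }
}

$fv = Get-FileVaultState
$fv | Format-List

if ($fv.Enabled -and -not ($fv.HasPersonalKey -or $fv.HasInstitutionalKey)) {
    Write-Warning 'FileVault is on but no recovery key is registered; run "fdesetup changerecovery -personal".'
}

if (-not $fv.Enabled -and -not $fv.DeferredPending) {
    # Step 4 without typing a password on the command line: defer enablement to the user's next
    # login (-forceatlogin 0 = the user cannot postpone it). The personal recovery key is written
    # to the root-only plist given to -defer and shown to the user so it can be stored off the Mac.
    & fdesetup enable -defer /var/db/fv_recovery.plist -forceatlogin 0 -showrecoverykey
}
```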

Compliance

IRS encryption requirements for tax professionals

IRS Publication 4557 and the FTC Safeguards Rule mandate encryption for all tax preparers who handle taxpayer data. Non-compliance can result in penalties, loss of PTIN privileges, and liability in the event of a breach.

  • All taxpayer data must be encrypted at rest on any device used for tax preparation
  • Full-disk encryption is required on laptops and portable devices per IRS Publication 4557
  • Removable media (USB drives, external hard drives) containing taxpayer data must be encrypted
  • Email containing taxpayer information must use encryption in transit
  • Backup media must be encrypted whether stored on-site or off-site
  • Encryption keys and recovery keys must be stored securely and separately from the encrypted devices
  • A documented encryption policy must be included in your Written Information Security Plan (WISP)
  • Annual review of encryption practices is required as part of your security program
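A check that maps the first three bullets and the recovery-key bullet to each BitLocker volume on a Windows PC, written as an added example (not from the page or the IRS); it assumes an elevated PowerShell session with the built-in BitLocker module.

```powershell
#Requires -RunAsAdministrator
# Added example: check every BitLocker-capable volume on a Windows PC against the checklist
# above (fixed and removable drives encrypted, a recovery password registered). Plug in any
# USB or external drives used for taxpayer data before running, or they will not be listed.

$report = foreach ($v in Get-BitLockerVolume) {
    $rp = @($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        Drive            = $v.MountPoint
        Type             = $v.VolumeType          # OperatingSystem or Data (incl. removable)
        Protection       = $v.ProtectionStatus    # On / Off
        Method           = $v.EncryptionMethod    # XtsAes256 expected for fixed drives
        PercentEncrypted = $v.EncryptionPercentage
        RecoveryKeyIds   = ($rp.KeyProtectorId -join '; ')
        Compliant        = ($v.ProtectionStatus -eq 'On' -and
                            $v.EncryptionPercentage -eq 100 -and
                            $rp.Count -gt 0)
    }
}

$report | Format-Table -AutoSize

# Keep the CSV with the WISP as evidence for the annual review. It contains key IDs only, not the
# recovery passwords themselves, which must stay in their separate secure store.
$csv = Join-Path $env:USERPROFILE ("bitlocker-audit-{0}.csv" -f (Get-Date -Format 'yyyy-MM-dd'))
$report | Export-Csv -Path $csv -NoTypeInformation
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "$($_.Drive) ($($_.Type)) is not fully protected" }
```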

Need help setting up encryption?

Our team can enable and verify encryption across all of your devices, configure recovery key management, and ensure you meet compliance requirements.
