Security, Simplified
Device Security | Beginner | 5 min read

Full Disk Encryption: BitLocker & FileVault Guide for SMBs

Learn how to protect business data on laptops with BitLocker (Windows) and FileVault (Mac). Step-by-step guidance for enabling full disk encryption and managing recovery keys.

Why Device Encryption Matters

A lost or stolen laptop represents one of the most common—and preventable—data breach scenarios for small businesses.

Consider this: your sales manager leaves their laptop in a rideshare. Someone finds it. Even if the laptop has a strong login password, that protection is surprisingly easy to bypass. An attacker can remove the hard drive, connect it to another computer, and read every file directly—client lists, contracts, financial records, employee data. All exposed.

Full disk encryption changes this equation entirely. When encryption is enabled, a stolen device becomes nothing more than expensive hardware. The data remains unreadable without the encryption key.

How Full Disk Encryption Works

Full disk encryption (FDE) automatically scrambles every file on your hard drive using strong cryptographic algorithms. To anyone without the decryption key, the data appears as meaningless noise.

When you log in with your password, the operating system decrypts data on the fly as you access it. This happens transparently—you won’t notice any difference in day-to-day use.

What FDE Protects Against

  • Physical theft: A stolen laptop yields no usable data
  • Device loss: Lost devices don’t become data breaches
  • Improper disposal: Even if you forget to wipe a drive before disposal, the data remains encrypted

What FDE Does Not Protect Against

  • Malware on a running system: Once you’re logged in, encryption is transparent to all software
  • Shoulder surfing or credential theft: If someone obtains your password, they can decrypt the drive
  • Remote access attacks: FDE protects data at rest, not data in transit

For these threats, you’ll need complementary controls such as endpoint detection and response and strong access controls.

Enabling BitLocker on Windows

BitLocker is Microsoft’s built-in encryption solution for Windows. It’s included with Windows 10/11 Pro, Enterprise, and Education editions—the versions typically used in business environments.

Note: Windows Home editions do not include BitLocker. If your business laptops run Windows Home, consider upgrading to Pro or using a third-party encryption solution.

Step-by-Step: Enable BitLocker

  1. Open the Start menu and search for “Manage BitLocker”
  2. Click Turn on BitLocker next to your main drive (usually C:)
  3. Choose how to unlock the drive at startup—password or USB key (password is most common)
  4. Save your recovery key (see critical guidance below)
  5. Choose Encrypt entire drive for existing devices, or Encrypt used space only for new devices
  6. Select New encryption mode (XTS-AES) for fixed drives
  7. Run the BitLocker system check and restart when prompted

Encryption runs in the background and typically completes within a few hours, depending on drive size.

Managing BitLocker with Microsoft Entra ID (Azure AD)

For businesses using Microsoft 365 Business Premium or Enterprise plans, BitLocker recovery keys can be automatically backed up to Microsoft Entra ID. This provides centralised key management and ensures IT administrators can recover encrypted devices without relying on individual users to store keys safely.

To enable this:

  1. Ensure devices are enrolled in Microsoft Entra ID (joined or registered)
  2. Configure BitLocker policy through Microsoft Intune or Group Policy
  3. Recovery keys will automatically upload to the Entra admin centre

This approach is strongly recommended for any business managing more than a handful of devices.

Enabling FileVault on Mac

FileVault is Apple’s built-in encryption for macOS. Modern Macs with Apple Silicon (M1/M2/M3 chips) or the T2 security chip encrypt data by default at the hardware level, but enabling FileVault adds an additional layer of protection.

Step-by-Step: Enable FileVault

  1. Open System Settings (or System Preferences on older macOS versions)
  2. Navigate to Privacy & Security
  3. Scroll to FileVault and click Turn On
  4. Choose whether to allow your iCloud account to unlock the disk, or create a recovery key
  5. Save your recovery key (see critical guidance below)
  6. Encryption begins immediately and runs in the background

On Apple Silicon Macs, encryption is nearly instantaneous since the hardware already encrypts data. FileVault essentially adds a software layer that ties decryption to your login credentials.

Managing FileVault in Business Environments

For Mac fleets, Apple Business Manager combined with a mobile device management (MDM) solution such as Jamf or Mosyle can:

  • Automatically enable FileVault during device setup
  • Escrow recovery keys to your MDM console
  • Enforce encryption policies across all managed devices

Recovery Keys: The Critical Safeguard

When you enable encryption, the system generates a recovery key—a long alphanumeric string that can unlock your drive if you forget your password or experience a hardware failure.

This key is your only backup. Treat it accordingly.

Recovery Key Best Practices

Do:

  • Store the key in your password manager
  • Keep a printed copy in a physical safe
  • Back up to your MDM or Entra ID (for managed devices)

Don’t:

  • Save it in a file on the encrypted drive
  • Email it to yourself
  • Store it where others can easily access it

Warning: If you lose both your password and recovery key, your data is permanently inaccessible. There is no backdoor. Microsoft and Apple cannot recover your data. This is a feature, not a limitation—it’s what makes encryption trustworthy.

Verifying Encryption Status

Windows

Open Command Prompt as Administrator and run:

manage-bde -status

Look for Percentage Encrypted: 100% and Protection Status: Protection On.

macOS

Open Terminal and run:

fdesetup status

The output will show whether FileVault is enabled and whether encryption is complete.

Alternatively, check System Settings > Privacy & Security > FileVault for a graphical status display.
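As an added example (not part of the original article), here is a small audit helper that parses the output of the two status commands above and flags devices that are not fully protected, including the cases a fleet audit easily misses: a BitLocker volume that is 100% encrypted but has protection suspended, and a Mac whose FileVault is "On" while initial encryption is still running or deferred to the next restart. The status texts are constructed samples; the device names and the audit() function are hypothetical, and field wording in real output may differ slightly by OS version.

```python
import re

# Constructed sample outputs (not captured from real hosts); field wording follows
# the two status commands discussed above and may differ slightly by OS version.
SAMPLE_BITLOCKER_OK = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
"""
# Fully encrypted but protectors suspended: the volume unlocks without the TPM/PIN.
SAMPLE_BITLOCKER_SUSPENDED = SAMPLE_BITLOCKER_OK.replace("Protection On", "Protection Off")
SAMPLE_FILEVAULT_OK = "FileVault is On.\n"
SAMPLE_FILEVAULT_PROGRESS = "FileVault is On.\nEncryption in progress: Percent completed = 42\n"
SAMPLE_FILEVAULT_DEFERRED = "FileVault is Off, but will be enabled after the next restart.\n"

def bitlocker_verdict(text):
    """Parse `manage-bde -status` output. Compliant only if 100% encrypted AND protection on."""
    pct = re.search(r"Percentage Encrypted:\s*([\d.]+)%", text)
    prot = re.search(r"Protection Status:\s*Protection (On|Off)", text)
    method = re.search(r"Encryption Method:\s*(.+)", text)
    percent = float(pct.group(1)) if pct else 0.0
    protection_on = bool(prot and prot.group(1) == "On")
    return {"percent": percent, "protection_on": protection_on,
            "method": method.group(1).strip() if method else None,
            "compliant": percent >= 100.0 and protection_on}

def filevault_verdict(text):
    """Parse `fdesetup status` output. 'On' while encryption still runs is not yet compliant."""
    enabled = "FileVault is On" in text
    deferred = "will be enabled after the next restart" in text
    prog = re.search(r"Percent completed = (\d+)", text)
    # No progress line while FileVault is on means the initial encryption has finished.
    percent = float(prog.group(1)) if prog else (100.0 if enabled else 0.0)
    return {"enabled": enabled, "deferred": deferred, "percent": percent,
            "compliant": enabled and percent >= 100.0}

def audit(devices):
    """devices: {name: (platform, status_text)} -> sorted device names needing follow-up."""
    parsers = {"windows": bitlocker_verdict, "macos": filevault_verdict}
    return sorted(name for name, (platform, text) in devices.items()
                  if not parsers[platform](text)["compliant"])

if __name__ == "__main__":
    fleet = {"sales-01": ("windows", SAMPLE_BITLOCKER_OK),
             "sales-02": ("windows", SAMPLE_BITLOCKER_SUSPENDED),
             "design-01": ("macos", SAMPLE_FILEVAULT_OK),
             "design-02": ("macos", SAMPLE_FILEVAULT_PROGRESS),
             "design-03": ("macos", SAMPLE_FILEVAULT_DEFERRED)}
    print("Needs follow-up:", audit(fleet))
```

In a real fleet you would feed each function the text returned by running the command on the device (for instance via your MDM's script runner) instead of the constructed samples.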

Encryption and Compliance

Full disk encryption directly supports compliance with several frameworks relevant to Australian SMBs:

  • Privacy Act 1988 / Australian Privacy Principles: The OAIC considers encryption a reasonable step to secure personal information
  • Essential Eight: Encryption is recommended under the “Regular Backups” and broader data protection strategies
  • Cyber insurance: Many policies require or incentivise device encryption

While encryption alone doesn’t guarantee compliance, its absence in the event of a breach significantly increases regulatory and legal risk.

Next Steps

  1. Audit your fleet: Identify which devices currently have encryption enabled
  2. Standardise on Pro/Enterprise editions: Ensure all Windows business devices can run BitLocker
  3. Implement centralised key management: Use Intune, Entra ID, or an MDM solution to escrow recovery keys
  4. Document your policy: Include encryption requirements in your employee offboarding and device provisioning procedures
  5. Test recovery: Periodically verify that you can actually recover a device using escrowed keys

Device encryption is one of the highest-impact, lowest-effort security controls available. For the cost of a few configuration changes, you eliminate an entire category of data breach risk.