Personal data encryption in Windows 11
Security News, February 2023
Windows 10 already has two flavours of full-volume encryption, BitLocker and Windows Device Encryption, and as of the 22H2 release Windows 11 Enterprise and Education add a third mechanism, Personal Data Encryption.
Personal Data Encryption doesn't replace either of them, because it doesn't encrypt a whole drive. Instead it protects individual files and folders with 256-bit AES-CBC keys that are in turn protected by the user's Windows Hello for Business credential, and only applications written to use it can put files under its protection.
Because it relies on Windows Hello for Business, Personal Data Encryption keeps the key material behind hardware protection (normally the TPM) and releases it only after the user authenticates with a biometric or a PIN. The PIN is itself hardware-protected and, unlike a password, is bound to the device: it doesn't roam to other devices where the same account is used. The corollary is that a sign-in that bypasses Windows Hello, such as a plain password sign-in, doesn't get the keys released, so the protected data stays inaccessible.
To make sure Personal Data Encryption keys and plaintext aren't accidentally written to disk, you'll want to disable hibernation, crash dumps and Windows Error Reporting, since each of them can dump memory that contains released keys or decrypted content. You can do that through the same MDM solution you use to enable Personal Data Encryption.
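The following script is an added example and is not code from the article or from Microsoft. It audits, on a single machine, the three host settings the article says to turn off alongside Personal Data Encryption, by reading the registry values those settings ultimately control, and with -Remediate applies the local equivalent of each. The article's route is MDM; this is the check you run elevated on a pilot device to confirm the policy actually landed. The registry paths and defaults are the standard Windows locations for these settings; the one assumption worth noting is that a policy-delivered Windows Error Reporting setting lives under HKLM\SOFTWARE\Policies, so both the policy and the machine path are consulted for that check.

```powershell
# Added example (not from the article). Audit the settings Microsoft recommends
# disabling alongside Personal Data Encryption: hibernation, kernel crash dumps and
# Windows Error Reporting. Each can write memory holding released PDE keys or
# plaintext to disk. Run from an elevated PowerShell; -Remediate applies local fixes.
param([switch]$Remediate)

function Get-PdeHostSettingState {
    param([switch]$Remediate)

    $checks = @(
        [pscustomobject]@{
            Name    = 'Hibernation'
            Paths   = @('HKLM:\SYSTEM\CurrentControlSet\Control\Power')
            Value   = 'HibernateEnabled'
            Want    = 0
            Default = 1      # value absent => hibernation available (Windows default)
            # powercfg also removes hiberfil.sys; note this disables Fast Startup too.
            Fix     = { & powercfg.exe /hibernate off }
        }
        [pscustomobject]@{
            Name    = 'Kernel crash dump'
            Paths   = @('HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl')
            Value   = 'CrashDumpEnabled'
            Want    = 0      # 0 = no dump file written on a bugcheck
            Default = 7      # 7 = automatic memory dump (Windows default)
            Fix     = { Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' -Name CrashDumpEnabled -Value 0 -Type DWord }
        }
        [pscustomobject]@{
            Name    = 'Windows Error Reporting'
            # Policy path first (what MDM/GPO writes), then the machine setting.
            Paths   = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting',
                        'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting')
            Value   = 'Disabled'
            Want    = 1
            Default = 0      # value absent => WER enabled
            Fix     = {
                $p = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting'
                New-Item -Path $p -Force | Out-Null
                Set-ItemProperty -Path $p -Name Disabled -Value 1 -Type DWord
            }
        }
    )

    # Return the first value found across the candidate paths, or the documented default.
    function Read-Effective($check) {
        foreach ($path in $check.Paths) {
            $item = Get-ItemProperty -Path $path -Name $check.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { return [int]$item.($check.Value) }
        }
        return $check.Default
    }

    foreach ($c in $checks) {
        $current = Read-Effective $c
        if ($current -ne $c.Want -and $Remediate) {
            & $c.Fix
            $current = Read-Effective $c   # re-read so the report shows the applied state
        }
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = $current
            Required  = $c.Want
            Compliant = ($current -eq $c.Want)
        }
    }
}

$result = Get-PdeHostSettingState -Remediate:$Remediate
$result | Format-Table -AutoSize
# Non-zero exit makes the script usable as a compliance check in a scheduled task.
if ($result.Compliant -contains $false) { exit 1 }
```

Run it once without -Remediate after the MDM policy has synced; anything still reported non-compliant means the policy didn't apply and the device is writing memory images to disk that PDE cannot protect.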
Unlike EFS, Personal Data Encryption gives you no File Explorer option to encrypt a file once it's enabled: In fact, there's no user interface for Personal Data Encryption at all. Enabling it only makes the protection available; each application has to opt its own files in through the PDE API.
The Personal Data Encryption name is rather confusing: It's personal because it's tied to the way a person logs in with Windows Hello for Business, but it's not something an individual can choose to use and it's not for protecting personal files.
News URL
https://www.techrepublic.com/article/personal-data-encryption-windows/