BitLocker takes days on an empty external disk / Is “Encrypt used disk space only” available on Windows...












12















I have Windows 7 x64 and a brand new USB external 2 TB hard drive. I formatted it and I confirm it's empty.



I enabled BitLocker, and two things happen:





  • It is about to take at least 10 hours or even days:



    Drive F: 0.4% Completed




  • The disk was initially empty (1.81 TB free / 1.81 TB total), but just after enabling BitLocker, it's like the disk is immediately full (5.99 GB free out of 1.81 TB):



    Drive F: with 5,99 GB free of 1,81 TB




No files are present when I open F: though.



Why does BitLocker take hours on a brand new empty disk?





Note: I've found this screenshot for Windows 10 here. Is the option "Encrypt used disk space only" available in Windows 7 for removable devices ("BitLocker To Go")?




























  • @Kinnectus New vs old does not matter, of course. But here it's an empty disk, so there is no data to initially encrypt. Here in this topic it is said it should be instantly done...

    – Basj
    Nov 22 '18 at 14:55






  • 1





    Make also sure you use the fastest USB port(s) available on your machine. While the answer addresses the need to encrypt the entire drive, 2TB can be done faster

    – usr-local-ΕΨΗΕΛΩΝ
    Nov 23 '18 at 8:47






  • 1





    @Basj: Instantly enabling encryption ("encrypted drive") only works with Windows 8 and above. That's basically just telling the drive which is already encrypting anyway to secure the decryption master key or replace the decryption key password with a different one, whichever. Nothing really changes on the actual disk. Early Bitlocker implementations were unluckily pretty dumb to the point of being unusable. They don't get around encrypting every block in software when the hardware is already doing that anyway.

    – Damon
    Nov 23 '18 at 13:31











  • @Damon this isn't correct on drives that don't support hardware encryption (and I've not seen details on whether this is true for HW encrypted drives). Used space only encryption does exactly that: it reads, encrypts, and writes every block on the volume that's in use. See the quote from Microsoft in my answer for details.

    – Twisty Impersonator
    Nov 23 '18 at 18:49























windows-7 hard-drive external-hard-drive encryption bitlocker














edited Nov 22 '18 at 18:12 by Twisty Impersonator

asked Nov 22 '18 at 14:41 by Basj























4 Answers


















16














Is the option "Encrypt used disk space only" available in Windows 7?



Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':




Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.






Why does BitLocker take hours on a brand new empty disk?



Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:




Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?



Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).



In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.



On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.



Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.

































  • And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.

    – ratchet freak
    Nov 23 '18 at 10:51
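To put a number on the wait described in the answer above, this added example (not part of the original answer) parses two `manage-bde -status` samples and extrapolates the time left for the whole-volume conversion. It assumes English field labels and a size reported in GB; the function names and the sample output are constructed here.

```powershell
# Added example, not from the original post. Written for PowerShell 2.0 (Windows 7).
# Assumption: manage-bde prints English field labels and reports the size in GB.

function ConvertFrom-BdeStatus {
    # Turn the text printed by "manage-bde -status <drive>" into an object.
    param([string[]]$Text)

    $fields = @{}
    foreach ($line in $Text) {
        # Field lines look like "    Percentage Encrypted: 0.4%".
        if ($line -match '^\s*([^:]+):\s*(\S.*?)\s*$') {
            $fields[$matches[1].Trim()] = $matches[2]
        }
    }
    foreach ($name in 'Size', 'Conversion Status', 'Percentage Encrypted') {
        if (-not $fields.ContainsKey($name)) {
            throw "Field '$name' not found; is the output localized?"
        }
    }

    $invariant = [Globalization.CultureInfo]::InvariantCulture
    # Accept "0.4%" as well as "0,4%" (decimal comma).
    $percentText = ($fields['Percentage Encrypted'] -replace '[^0-9.,]', '') -replace ',', '.'
    $sizeText    = ($fields['Size'] -replace '[^0-9.,]', '') -replace ',', '.'

    New-Object PSObject -Property @{
        Status  = $fields['Conversion Status']
        Percent = [double]::Parse($percentText, $invariant)
        SizeGB  = [double]::Parse($sizeText, $invariant)
    }
}

function Get-BdeEta {
    # Extrapolate from two samples taken $Seconds apart.
    param($First, $Second, [double]$Seconds)

    $delta = $Second.Percent - $First.Percent
    if ($delta -le 0) {
        # Paused, finished, or the interval was shorter than the reporting
        # resolution of manage-bde: no rate can be derived.
        return $null
    }
    $left = (100 - $Second.Percent) / $delta * $Seconds
    New-Object PSObject -Property @{
        PercentDone = $Second.Percent
        MBPerSecond = [Math]::Round($Second.SizeGB * 1024 * $delta / 100 / $Seconds, 1)
        Remaining   = [TimeSpan]::FromSeconds($left)
    }
}

function Measure-BdeConversion {
    # Live use from an elevated prompt: sample the drive twice.
    param([string]$Drive = 'F:', [int]$Seconds = 600)

    $first = ConvertFrom-BdeStatus (manage-bde -status $Drive)
    Start-Sleep -Seconds $Seconds
    $second = ConvertFrom-BdeStatus (manage-bde -status $Drive)
    Get-BdeEta $first $second $Seconds
}

# Constructed, abbreviated sample output (not captured from the asker's machine).
$sampleA = @'
Volume F: [Backup]
[Data Volume]

    Size:                 1863.01 GB
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 0.4%
    Protection Status:    Protection Off
    Lock Status:          Unlocked
'@
# The same drive ten minutes later.
$sampleB = $sampleA -replace '0\.4%', '1.3%'

$a = ConvertFrom-BdeStatus ($sampleA -split '\r?\n')
$b = ConvertFrom-BdeStatus ($sampleB -split '\r?\n')
Get-BdeEta $a $b 600 | Format-List
```

`manage-bde` reports progress in coarse steps, so on a 2 TB USB disk an interval of several minutes is needed before the two samples differ.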



















6














Additional solution:




  • Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.


  • When you're back on Windows 7 Ultimate, you can still read/write the disk



And even better:




  • When you're back on Windows 7 Pro, you can still read/write the disk!


The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed." My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) an already-BitLocker-enabled disk is possible with Windows 7 Pro!

























  • 1





    +1 for investing time to verify this and getting it figured out yourself!

    – gronostaj
    Nov 22 '18 at 22:13











  • Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!

    – Basj
    Nov 22 '18 at 22:46
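The Windows 8/10 step of this workaround in PowerShell, as an added example that is not part of the original answer. It assumes the drive is mounted as F: (the letter used in the question) and pins AES-CBC explicitly, because Windows 7 cannot unlock volumes encrypted with the XTS-AES mode that Windows 10 version 1511 introduced.

```powershell
# Added example, not from the original answer. Run elevated on Windows 8 or later.
# Assumption: the external drive is mounted as F: (the letter used in the question).
$mount = 'F:'

$volume = Get-BitLockerVolume -MountPoint $mount
if ($volume.VolumeStatus -ne 'FullyDecrypted') {
    throw "Drive $mount is already in state $($volume.VolumeStatus); nothing to do."
}

$password = Read-Host -AsSecureString -Prompt "New BitLocker password for drive $mount"

# -UsedSpaceOnly skips the free-space wipe that makes Windows 7 take hours.
# It leaves previously deleted data in free space unencrypted, which is
# acceptable on a brand-new, freshly formatted disk.
# -EncryptionMethod Aes128 selects AES-CBC, which Windows 7 can unlock.
Enable-BitLocker -MountPoint $mount `
    -EncryptionMethod Aes128 `
    -UsedSpaceOnly `
    -PasswordProtector -Password $password | Out-Null

# A recovery password is the fallback if the password is forgotten;
# record it somewhere other than the encrypted drive.
$withRecovery = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector
$withRecovery.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object KeyProtectorId, RecoveryPassword

# Confirm the result before carrying the disk back to the Windows 7 machine.
# A Group Policy setting can still force XTS-AES for removable drives.
$volume = Get-BitLockerVolume -MountPoint $mount
if ("$($volume.EncryptionMethod)" -like 'Xts*') {
    Write-Warning "Drive $mount uses $($volume.EncryptionMethod); Windows 7 will not be able to unlock it."
}
$volume | Format-List MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage
```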





















2














Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.



BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.
































  • Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this post you can choose between "encrypt only new data" and "encrypt data which is already on the drive". Where can one modify this BitLocker setting in Windows 7?

    – Basj
    Nov 22 '18 at 15:02













  • See the edited end of the question, do you know where to find this option in Windows 7?

    – Basj
    Nov 22 '18 at 15:13











  • Sorry, I don't know that. It's possible that this feature was introduced later.

    – gronostaj
    Nov 22 '18 at 15:50











  • When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?

    – Basj
    Nov 22 '18 at 16:44






  • 1





    @Basj I don't use Bitlocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.

    – gronostaj
    Nov 22 '18 at 17:11



















1














Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.
































  • What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?

    – Peter Mortensen
    Nov 23 '18 at 19:52











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1377591%2fbitlocker-takes-days-on-an-empty-external-disk-is-encrypt-used-disk-space-onl%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























4 Answers
4






active

oldest

votes








4 Answers
4






active

oldest

votes









active

oldest

votes






active

oldest

votes









16














Is the option "Encrypt used disk space only" available in Windows 7?



Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':




Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.






Why does BitLocker take hours on a brand new empty disk?



Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:




Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?



Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).



In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.



On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.



Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.







share|improve this answer


























  • And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.

    – ratchet freak
    Nov 23 '18 at 10:51
















16














Is the option "Encrypt used disk space only" available in Windows 7?



Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':




Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.






Why does BitLocker take hours on a brand new empty disk?



Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:




Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?



Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).



In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.



On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.



Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.







share|improve this answer


























  • And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.

    – ratchet freak
    Nov 23 '18 at 10:51














16












16








16







Is the option "Encrypt used disk space only" available in Windows 7?



Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':




Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.






Why does BitLocker take hours on a brand new empty disk?



Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:




Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?



Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).



In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.



On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.



Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.







share|improve this answer















Is the option "Encrypt used disk space only" available in Windows 7?



Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':




Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.






Why does BitLocker take hours on a brand new empty disk?



Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:




Q: I enabled BitLocker on my volume and – poof! – all my free space is
gone! What’s wrong? More importantly, how do I get it back?



Good news: nothing is wrong and the only thing that you have to do to
get it back is wait. Here’s a high level explanation (some intricate
technical details have been omitted for brevity).



In the IT world “delete” usually means “remove from plain view” rather
than “obliterate out of existence”. Unallocated disk space is prone to
contain interesting data: rotting skeletons of compensation
spreadsheets, “deleted” text files with passwords and credit card
numbers, discarded autosave copies of top secret presentations. Hence,
BitLocker cannot just ignore free space when the volume is being
encrypted.



On the other hand, encrypting (or, to be exact, “reading, encrypting,
and writing back”) free space is a real waste on a typical volume that
is usually less than twenty percent full. As a performance
optimization, BitLocker simply overwrites unallocated space with
noise, thereby avoiding redundant reads. As expected, wiping free
space is about two times faster than encrypting data, but it still
takes considerable time on large volumes.



Now, free space tends to be very fluid. Unallocated chunks of disk
space appear and disappear all over the place, all the time.
Determining whether a given sector needs to be encrypted or wiped at a
particular moment of time is a considerable technical challenge.
BitLocker solves this problem by creating a huge file that takes most
of the available disk space (leaving 6 GB for short-term system needs)
and wiping disk sectors that belong to the file. Everything else
(including ~6 GB of free space not occupied by the wipe file) is
encrypted. When encryption of the volume is paused or completed, the
wipe file is deleted and the amount of available free space reverts to
normal.
















edited Nov 22 '18 at 20:59

























answered Nov 22 '18 at 18:03









Twisty Impersonator













  • And the reason why the option is available at all even though it leaks information about disk usage is because SSDs use the free blocks for wear leveling and caching.

    – ratchet freak
    Nov 23 '18 at 10:51
































6














Additional solution:




  • Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.


  • When you're back on Windows 7 Ultimate, you can still read/write the disk



And even better:




  • When you're back on Windows 7 Pro, you can still read/write the disk!


The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed." My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) an already-BitLocker-enabled disk is possible with Windows 7 Pro!






answered Nov 22 '18 at 21:32









Basj








  • +1 for investing time to verify this and getting it figured out yourself!

    – gronostaj
    Nov 22 '18 at 22:13











  • Thanks @gronostaj... I spent hours today trying BitLocker + VeraCrypt :) Finally I'll use BitLocker, because if I use VeraCrypt, then I'll be the only one at home to be able to use this external HDD. The UI/UX of VeraCrypt is not possible for a non-power user (many little - only little, but still - drawbacks that would make it difficult to use for my family). It was an interesting test!

    – Basj
    Nov 22 '18 at 22:46





























2














Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.



BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.














edited Nov 23 '18 at 19:26









Peter Mortensen











answered Nov 22 '18 at 14:57









gronostaj













  • Is it like this by default? People said here in this old topic that it should be instant for an empty partition. Also I see in this post you can choose between "encrypt only new data" and "encrypt data which is already on the drive". Where can one modify this BitLocker setting in Windows 7?

    – Basj
    Nov 22 '18 at 15:02













  • See the edited end of the question, do you know where to find this option in Windows 7?

    – Basj
    Nov 22 '18 at 15:13











  • Sorry, I don't know that. It's possible that this feature was introduced later.

    – gronostaj
    Nov 22 '18 at 15:50











  • When you use BitLocker yourself @gronostaj, is it useful to have 24hrs+ of work to initialize an empty new external USB hard drive?

    – Basj
    Nov 22 '18 at 16:44






  • @Basj I don't use BitLocker, but I have some experience with similar solutions for Linux. Whether it's useful or not depends on your risk model. Having a fully encrypted drive will make it impossible to discern which areas of disk are unused. If you don't care about attackers knowing that, then you can save time by skipping full formatting.

    – gronostaj
    Nov 22 '18 at 17:11
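
The trade-off discussed in this answer and its comments, as an added example that is not part of the original posts: a toy 64-sector volume shows what someone reading the raw drive without the key can tell when only used space is encrypted versus when free space is also overwritten. Keyed SHAKE-256 output stands in for ciphertext and wipe noise (it is not BitLocker's cipher), and the sector layout, key and leftover plaintext are all constructed.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
TOTAL = 64                                           # constructed toy volume: 64 sectors
ALLOCATED = set(range(0, 4)) | set(range(20, 28))    # metadata + one file (constructed)
# Constructed leftover of a "deleted" file sitting in unallocated sector 40.
RESIDUE = {40: b"password=EXAMPLE-ONLY".ljust(SECTOR, b"\x00")}


def noise(key: bytes, index: int) -> bytes:
    """Stand-in for ciphertext or wipe noise: keyed SHAKE-256, not BitLocker's cipher."""
    return hashlib.shake_256(key + index.to_bytes(8, "big")).digest(SECTOR)


def build_image(mode: str, key: bytes = b"constructed-demo-key") -> bytes:
    """Return the raw bytes an observer without the key would read from the drive.

    mode "used_only": only allocated sectors are encrypted; free sectors keep
                      whatever was there before (zeros or old plaintext).
    mode "full":      allocated sectors are encrypted and free sectors are
                      overwritten with noise.
    """
    if mode not in ("used_only", "full"):
        raise ValueError(mode)
    sectors = []
    for i in range(TOTAL):
        if i in ALLOCATED or mode == "full":
            sectors.append(noise(key, i))
        else:
            sectors.append(RESIDUE.get(i, bytes(SECTOR)))
    return b"".join(sectors)


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def inferred_allocation(image: bytes, threshold: float = 6.0) -> set:
    """Sectors that look like ciphertext (high entropy) when read without the key."""
    return {
        i for i in range(len(image) // SECTOR)
        if entropy(image[i * SECTOR:(i + 1) * SECTOR]) >= threshold
    }


def residue_readable(image: bytes) -> bool:
    """True if the old plaintext in free space can still be read off the raw drive."""
    return b"password=EXAMPLE-ONLY" in image


if __name__ == "__main__":
    for mode in ("used_only", "full"):
        img = build_image(mode)
        found = inferred_allocation(img)
        print(f"{mode:9}  high-entropy sectors: {len(found):2}/{TOTAL}  "
              f"layout revealed: {found == ALLOCATED}  "
              f"old plaintext readable: {residue_readable(img)}")
```

On a brand new, never-used drive only the layout leak applies; the leftover-plaintext case matters for drives that held data before encryption was turned on.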






























1














Since Windows 7 BitLocker will encrypt the whole disk, it has to read and write to the entire volume. This can take much longer on an external disk due to bandwidth limits on some interfaces like USB1/2. Also external storage devices (non-SSD) tend to be slower spinning disks to help with reliability since external storage is moved more often.














edited Nov 23 '18 at 19:49









Peter Mortensen











answered Nov 23 '18 at 8:56









Secured2k













  • What do you mean by "...to help with reliability since external storage is moved more often"? Can you elaborate (by editing your answer, not responding here in comments (if appropriate))?

    – Peter Mortensen
    Nov 23 '18 at 19:52




































