What does BitLocker actually encrypt and when?

windows-10 ssd encryption bitlocker

Activating BitLocker will start a background process which encrypts all existing data. (On HDDs this traditionally is a long process as it needs to read and rewrite every partition sector – on self-encrypting disks it can be instant.) So when it is said that only newly written data is encrypted, that refers to the state immediately after BitLocker activation and is no longer true once the background encryption task finishes. The status of this process can be seen in the same BitLocker control panel window, and paused if necessary.

The Microsoft article needs to be read carefully: it actually talks about encrypting only used areas of the disk. They merely advertise this as having the biggest impact on fresh systems, where you don't have any data yet besides the base OS (and therefore all data will be "newly written"). That is, Windows 10 will encrypt all your existing files after activation – it simply won't waste time encrypting disk sectors which don't contain anything yet. (You can opt out of this optimization via Group Policy.)

(The article also points out a downside: areas which previously held deleted files will also be skipped as "unused". So if encrypting a well-used system, do a free-space wipe using a tool, and then let Windows run TRIM if you have an SSD, all before activating BitLocker. Or use the Group Policy to disable this behavior.)

In the same article, too, there is a mention of recent Windows versions supporting self-encrypting SSDs using the OPAL standard. So the reason why you don't see any background I/O may be because the SSD was internally encrypted from day one, and BitLocker recognized this and only took over the SSD-level key management instead of duplicating the encryption effort at OS level. That is, the SSD no longer unlocks itself on power-on but requires Windows do to so. This can be disabled via Group Policy, if you prefer the OS to handle encryption regardless.

Suspending BitLocker causes a plaintext copy of the 'master' key to be written directly to disk. (Usually this master key is first encrypted with your password or with a TPM.) While suspended, this allows the disk to be unlocked on its own – clearly an insecure state, but it allows Windows Update to reprogram the TPM to match the upgraded OS, for example. Resuming BitLocker simply wipes this plain key from disk.

BitLocker is not related to EFS – the latter works at file level, associating keys to Windows user accounts (allowing fine-grained configuration but making it impossible to encrypt the OS's own files), while the former works at whole-disk level. They can be used together, although BitLocker mostly makes EFS redundant.

(Note that both BitLocker and EFS have mechanisms for corporate Active Directory administrators to recover the encrypted data – whether by backing up the BitLocker master key in AD, or by adding an EFS data recovery agent to all files.)

Related

Bad font anti-aliasing in Ubuntu
Why use a tiling window manager?
SSH with authorized_keys to an Ubuntu system with encrypted homedir?
How would I replace a "TAB" in Notepad++?
What is vegur appearing in HTTP headers?
Access internal IP using public IP
Extracting a tar.gz file returns, “This does not look like a tar archive.”
What is Apache Synapse?
How to remove http:// adding in addressbar of google-chrome/firefox?
Can I set a default title for a tmux window?
Underscore at end of URLs with Google Chrome
How can I hide the toolbar in Notepad++?