BitLocker takes days on an empty external disk / Is "Encrypt used disk space only" available on Windows 7?
Is the option "Encrypt used disk space only" available in Windows 7?
Unfortunately no. This option was introduced with Windows 8, as announced in the Microsoft TechNet Tip of the Day post BitLocker 'Encrypt Used Disk Space Only':
Previously, BitLocker encryption has been an ‘all or nothing’. Either a volume was completely encrypted or it was not. Windows 8 brings us a new option, ‘Encrypt Used Disk Space Only’.
Why does BitLocker take hours on a brand new empty disk?
Because without the Encrypt Used Space Only option, BitLocker must encrypt the entire disk, i.e. both data and free space (technically it only wipes the free space). This is also why the volume has only 6 GB free space during the encryption process. Here's the Microsoft BitLocker Team's explanation of what's going on:
Q: I enabled BitLocker on my volume and – poof! – all my free space is gone! What’s wrong? More importantly, how do I get it back?
Good news: nothing is wrong and the only thing that you have to do to get it back is wait. Here’s a high level explanation (some intricate technical details have been omitted for brevity).
In the IT world “delete” usually means “remove from plain view” rather than “obliterate out of existence”. Unallocated disk space is prone to contain interesting data: rotting skeletons of compensation spreadsheets, “deleted” text files with passwords and credit card numbers, discarded autosave copies of top secret presentations. Hence, BitLocker cannot just ignore free space when the volume is being encrypted.
On the other hand, encrypting (or, to be exact, “reading, encrypting, and writing back”) free space is a real waste on a typical volume that is usually less than twenty percent full. As a performance optimization, BitLocker simply overwrites unallocated space with noise, thereby avoiding redundant reads. As expected, wiping free space is about two times faster than encrypting data, but it still takes considerable time on large volumes.
Now, free space tends to be very fluid. Unallocated chunks of disk space appear and disappear all over the place, all the time. Determining whether a given sector needs to be encrypted or wiped at a particular moment of time is a considerable technical challenge. BitLocker solves this problem by creating a huge file that takes most of the available disk space (leaving 6 GB for short-term system needs) and wiping disk sectors that belong to the file. Everything else (including ~6 GB of free space not occupied by the wipe file) is encrypted. When encryption of the volume is paused or completed, the wipe file is deleted and the amount of available free space reverts to normal.
Additional solution:
-
Use a friend's Windows 10 to format the drive + enable BitLocker with "Encrypt used disk space only" feature on. It will take only a few minutes.
-
When you're back on Windows 7 Ultimate, you can still read/write the disk
And even better:
- When you're back on Windows 7 Pro, you can still read/write the disk!
The latter is very interesting because "BitLocker is unavailable for Windows 7 Professional and it cannot be downloaded and installed.". My test showed that creating a new BitLocker-encrypted disk is not possible with Windows 7 Pro, but using (read+write) on an already-BitLocker-enabled is possible with Windows 7 Pro!
Important note: it doesn't fully work with Windows 10 build 2004. More precisely, even if you choose legacy encryption (and not new encryption), then you can still read it with Windows 7, but you cannot "automount" when the USB external disk is inserted:
So I used a Windows 8.1 virtual machine to do it from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ (90 day expiration).
Full disk encryption isn't only about hiding content of files; it's also about hiding their presence or lack. A properly encrypted disk should look like it's completely filled with random data unless you know the encryption key.
BitLocker was probably fully formatting the encrypted volume, i.e. filling it with zeros, to make sure every part of it looks like random data before decryption.