Citadel / Controls / DriveEncryption

DriveEncryption Control

What does this control check?

The DriveEncryption control verifies that your computer's hard drive is encrypted. Encryption protects your data by making it unreadable to anyone who doesn't have the correct password or key.

Important: Even if you have a password to log into your computer, a criminal who steals your laptop can remove the hard drive and read all your files by connecting it to another computer. Disk encryption prevents this by making all data unreadable without the encryption key, regardless of which computer the drive is connected to.

Why is this important?

🔒

Data Protection

If your laptop is lost or stolen, encryption ensures that your files, documents, and personal information cannot be accessed by unauthorized individuals.

🛡️

Compliance

Many regulations and policies require encryption to protect sensitive business data and personal information, helping your organization meet legal requirements.

🔐

Privacy

Encryption protects your privacy by ensuring that your emails, photos, passwords, and browsing history remain confidential even if your device is compromised.

How to fix this

Enabling BitLocker on Windows

  1. Click the Start button and type BitLocker
  2. Select Manage BitLocker from the results
  3. Find your system drive (usually C:) and click Turn on BitLocker
  4. Choose how to unlock your drive at startup (recommended: Enter a password)
  5. Create a strong password and click Next
  6. Choose how to back up your recovery key:
    • Save to your Microsoft account (recommended)
    • Save to a USB flash drive
    • Save to a file
    • Print the recovery key
  7. Choose Encrypt used disk space only (faster) or Encrypt entire drive (more secure)
  8. Select New encryption mode
  9. Click Start encrypting
  10. Wait for the encryption process to complete (this may take some time)
⚠️ Important notes:
  • BitLocker is only available on Windows Pro, Enterprise, and Education editions
  • Save your recovery key in a safe place - you'll need it if you forget your password
  • Your computer must remain plugged in during the encryption process
  • You may need to restart your computer to complete the setup

Enabling FileVault on macOS

  1. Click the Apple menu in the top-left corner
  2. Select System Settings (or System Preferences on older versions)
  3. Click Privacy & Security (or Security & Privacy)
  4. Click the FileVault tab
  5. Click the lock icon and enter your administrator password to make changes
  6. Click Turn On FileVault...
  7. Choose how to unlock your disk and reset your password if needed:
    • iCloud account (recommended for personal Macs)
    • Create a recovery key and store it safely
  8. Click Continue
  9. Click Restart to begin encryption
  10. After restarting, encryption will continue in the background
⚠️ Important notes:
  • Save your recovery key in a safe place if you chose that option
  • Encryption happens in the background and may take several hours
  • Your Mac must remain powered on (can be sleeping) during encryption
  • You can continue using your Mac normally while encryption is in progress

Verifying the fix

After enabling encryption, Citadel will automatically verify this control during its next check.

To check encryption status manually:

  1. Click the Start button and type BitLocker
  2. Select Manage BitLocker
  3. Your system drive should show "BitLocker on"

Alternatively, go to Settings → Privacy & security → Device encryption.

To check encryption status manually:

  1. Click the Apple menu and select System Settings
  2. Go to Privacy & Security
  3. Click FileVault
  4. It should show "FileVault is turned on"

You can also check encryption progress from this screen while it's encrypting.