Device Encryption: Make a Lost Laptop Useless to Thieves
A stolen device without encryption is an open book — contacts, passwords, client files, everything. Encryption takes 10 minutes to set up and makes your data unreadable to anyone without your password.
Why encryption matters
Encryption ensures lost devices do not become data breaches.
The same encryption standard used by governments and militaries worldwide.
Modern hardware encryption has virtually no impact on system speed.
A doctor leaves their laptop bag in their car overnight. The car is broken into. The laptop contains patient records — names, diagnoses, Social Security numbers, prescription histories. Without encryption, the thief boots up and has instant access to everything. The practice faces HIPAA breach notification requirements, $150,000 in fines, and a class-action lawsuit from affected patients. All because the "Turn on FileVault" prompt was dismissed.
Encryption turns a stolen laptop into an expensive paperweight. Without it, it's an unlocked filing cabinet.
Types of encryption explained
Different encryption approaches serve different purposes. Understanding the differences helps you choose the right protection for your situation.
Full-Disk Encryption (FDE)
Encrypts the entire hard drive, including the operating system, applications, and all files. Data is automatically encrypted when written and decrypted when read by an authorized user.
File-Level Encryption
Encrypts individual files or folders rather than the entire drive. Users choose which specific files to protect with a password or key.
Hardware-Based Encryption
Uses a dedicated chip (TPM or self-encrypting drive) to handle encryption operations. The encryption key never leaves the hardware, making it resistant to software attacks.
How to enable BitLocker on Windows
BitLocker is Microsoft's built-in full-disk encryption tool available on Windows 10/11 Pro, Enterprise, and Education editions.
Check TPM Availability
Open Device Manager and expand "Security devices." Look for "Trusted Platform Module" version 1.2 or higher. Most modern PCs include a TPM chip. If yours does not, BitLocker can still work using a USB startup key.
Open BitLocker Settings
Go to Settings > Privacy & Security > Device encryption, or search "BitLocker" in the Start menu and select "Manage BitLocker." Windows 11 Pro, Enterprise, and Education editions include BitLocker. Windows 11 Home includes Device Encryption if a TPM is present.
Turn On BitLocker
Click "Turn on BitLocker" for your operating system drive. Windows will check that your system meets the requirements. If prompted, choose how to unlock your drive at startup (TPM is recommended for seamless operation).
Save Your Recovery Key
Choose where to back up your recovery key: Microsoft account, USB flash drive, a file, or print it. Store this key securely and separately from the encrypted device. Without it, you will permanently lose access to your data if the TPM fails.
Choose Encryption Mode
Select "Encrypt entire drive" for maximum security (recommended for drives already in use). Choose "New encryption mode (XTS-AES)" for fixed drives, or "Compatible mode" for removable drives that may be used on older Windows versions.
Start Encryption
Click "Start encrypting." The initial encryption may take several hours depending on drive size. You can continue using your computer during this process. Do not shut down or lose power until encryption completes.
How to enable FileVault on Mac
FileVault is Apple's built-in full-disk encryption for macOS. On newer Apple Silicon Macs, encryption is enabled by default.
Open System Settings
Click the Apple menu and choose "System Settings" (macOS Ventura and later) or "System Preferences" (older versions). Navigate to "Privacy & Security." On Apple Silicon Macs (M1 and later), FileVault is enabled by default when you set a login password.
Enable FileVault
Scroll down to the FileVault section and click "Turn On." You will be prompted to authenticate with your administrator password. If you have multiple user accounts, you must choose which users can unlock the disk.
Choose Recovery Method
Select whether to use your iCloud account or create a recovery key to unlock the disk if you forget your password. If you choose a recovery key, write it down and store it in a secure location separate from the Mac.
Encryption Begins
FileVault encrypts the startup volume using XTS-AES-128 encryption with a 256-bit key. On modern Macs with SSDs, encryption typically completes within an hour. You can continue working during this process. Older Macs with spinning hard drives may take significantly longer.
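Both procedures above end with a drive that may still be converting, and a BitLocker drive can also be left in a suspended state where it reports "Fully Encrypted" but "Protection Off". As an added example that is not from the article, this Python script turns the status text printed by `manage-bde -status C:` (Windows) and `fdesetup status` (macOS) into one encrypted/in-progress verdict; the SAMPLE_* strings are constructed to mirror the tools' wording and `audit_local_os_volume` is my own helper.

```python
"""Audit whether the OS volume is fully encrypted (BitLocker / FileVault).
Added example, not from the article: it parses what the built-in tools print
("manage-bde -status C:" on Windows, "fdesetup status" on macOS) into one
verdict. SAMPLE_* strings are constructed to mirror those tools' wording."""
import re
import subprocess
import sys
from dataclasses import dataclass

@dataclass
class Verdict:
    encrypted: bool    # fully encrypted AND protection active
    in_progress: bool  # still converting: do not power off yet
    detail: str

def parse_manage_bde(output: str) -> Verdict:
    # Lines look like "    Conversion Status:    Fully Encrypted"
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+):[ \t]+(.+?)[ \t]*$", output, re.M))
    conv = fields.get("Conversion Status", "Unknown")
    prot = fields.get("Protection Status", "Unknown")
    method = fields.get("Encryption Method", "None")
    # "Fully Encrypted" + "Protection Off" = BitLocker suspended: the volume key
    # is stored in the clear, so the data is not actually protected.
    ok = conv == "Fully Encrypted" and prot == "Protection On" and method.startswith("XTS-AES")
    return Verdict(ok, "in Progress" in conv, f"{conv}; {prot}; {method}")

def parse_fdesetup(output: str) -> Verdict:
    state = re.search(r"FileVault is (On|Off)", output)
    pct = re.search(r"Percent completed = (\d+)", output)
    on = bool(state and state.group(1) == "On")
    in_progress = pct is not None and int(pct.group(1)) < 100
    return Verdict(on and not in_progress, in_progress, output.strip().replace("\n", "; "))

def audit_local_os_volume() -> Verdict:
    # Needs an elevated prompt on Windows; FileVault status is readable as any user.
    if sys.platform == "win32":
        cmd = ["manage-bde", "-status", "C:"]
    elif sys.platform == "darwin":
        cmd = ["fdesetup", "status"]
    else:
        raise RuntimeError(f"no audit path for {sys.platform}")
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return parse_manage_bde(out) if cmd[0] == "manage-bde" else parse_fdesetup(out)

SAMPLE_BDE_SUSPENDED = """Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
"""
SAMPLE_FV_CONVERTING = "FileVault is On.\nEncryption in progress: Percent completed = 37\n"
```

Run it on each machine during the annual review; a `Verdict` with `encrypted=False` on a laptop that was "encrypted months ago" usually means BitLocker was suspended for a firmware update and never resumed.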
IRS encryption requirements for tax professionals
IRS Publication 4557 and the FTC Safeguards Rule mandate encryption for all tax preparers who handle taxpayer data. Non-compliance can result in penalties, loss of PTIN privileges, and liability in the event of a breach.
- Encrypt at rest: all taxpayer data must be encrypted at rest on any device used for tax preparation.
- Full-disk on portables: full-disk encryption is required on laptops and portable devices per IRS Publication 4557.
- Removable media: removable media (USB drives, external hard drives) containing taxpayer data must be encrypted.
- Email encryption: email containing taxpayer information must use encryption in transit.
- Backup encryption: backup media must be encrypted whether stored on-site or off-site.
- Key management: encryption keys and recovery keys must be stored securely and separately from the encrypted devices.
- Documented policy: a documented encryption policy must be included in your Written Information Security Plan (WISP).
- Annual review: an annual review of encryption practices is required as part of your security program.
Your Checklist
Print this page or screenshot it. Do one step today — you'll be ahead of 90% of people.
- Enable BitLocker on Windows (Settings → Privacy & Security → Device Encryption)
- Enable FileVault on Mac (System Settings → Privacy & Security → FileVault)
- Verify your phone encryption is on (default for modern iOS and Android)
- Encrypt external hard drives and USB drives that contain sensitive data
- Use a strong PIN or password on every device — not just a fingerprint
- Enable remote wipe capability (Find My iPhone / Find My Device on Android)
- Back up your encryption recovery key somewhere safe (not on the encrypted device)
- Encrypt cloud storage for sensitive files — Cryptomator is free and easy