How to encrypt a SD card without Bitlocker or TPM


@grawity has what I think is the best answer, assuming you're using a Professional (or higher) edition of Windows. EFS (Encrypting File System) is a feature of NTFS that performs transparent encryption and decryption of files using keys that are stored in the OS and (transparently) protected by your account password. Note that you can safely change your password (where you enter the old one first, then the new one), but resetting the password via an Administrator or an out-of-Windows tool will make the files unrecoverable. Note also that if you're using a domain account, the decryption key will be stored on the domain controller and any domain admin can recover it (but for a non-domain account, even a local admin will have a difficult time recovering the key). Also, just knowing your password isn't enough to recover the key; the encryption master key itself is random and the password is just used to encrypt and decrypt the master key.

For these instructions, I'm assuming your SD card is mounted at drive F:

  1. Format the card using NTFS.

    • If it's currently formatted FAT32 (or possibly exFAT; I never tried it with that), you can convert it to NTFS instead of reformatting using the built-in Windows tool convert.exe (may require Admin).

    convert F: /FS:NTFS

  2. Once the card is NTFS and mounted as such, right-click the drive (or folder within it) and open Properties.
  3. If it's a shared computer, go to the Security tab and remove all users but yourself, giving yourself Ownership and Full Control access. (This wouldn't stop an attacker who removes the card; it's only for protection against local non-admin users.)
  4. Now to actually encrypt the data.
    • If you have a directory (other than the root) that the files are all in, you can use Explorer.
      1. Open the Properties of the directory (if you don't have them still from step 2).
      2. On the General tab, under Attributes, click Advanced.
      3. Check the box for "Encrypt contents to secure data".
      4. Click OK, then click Apply or OK on the Properties box.
      5. You will get a "Confirm Attribute Changes" box; select "Apply changes to this folder, subfolders, and files" and click OK.
    • If you want to encrypt the root of the drive, you can't do that from Explorer for some reason so you will need to use the command line utility cipher.exe.
      1. Open a Command Prompt or PowerShell window (shouldn't need to be Admin since you own the root directory on the drive).
      2. Run the command cipher /E /S:F:\ /H F:\ (not sure if specifying the path in /S and in general is needed, but it shouldn't hurt).
      3. Wait for the job to complete.
  5. In either case, the files on the volume will now be encrypted, nobody can decrypt them except you (or an admin who can steal your key and your password), they will automatically encrypt/decrypt for any program running under your password-authenticated account, and any new files or directories created on the volume will also be encrypted.
  6. To decrypt, repeat step 4, but either uncheck the box for "Encrypt contents to secure data" or use the /D flag instead of /E (cipher /D /S:F:\ /H F:\).
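A check worth running after step 5, as an added example in PowerShell (not part of the answer above): it confirms the card is NTFS, that the root directory and every file on it carry the EFS Encrypted attribute (so a file left in the clear is reported rather than assumed protected), and shows which certificates can decrypt the root. It assumes the card is mounted at F: as in the answer, and that cipher.exe and the Storage module's Get-Volume cmdlet are available.

```powershell
# Added example, not from the answer: verify that EFS is actually in effect on the card.
# Assumes the card is mounted at F: (override with -Drive).
param([string]$Drive = 'F')

$root = "${Drive}:\"

# 1. EFS only exists on NTFS; stop if the card was never converted.
$fs = (Get-Volume -DriveLetter $Drive).FileSystemType
if ($fs -ne 'NTFS') {
    throw "$root is $fs, not NTFS. Run 'convert ${Drive}: /FS:NTFS' first."
}

# 2. The root must carry the Encrypted attribute, otherwise new files are created in the clear.
$rootAttrs = (Get-Item -LiteralPath $root -Force).Attributes
if (-not ($rootAttrs -band [IO.FileAttributes]::Encrypted)) {
    Write-Warning "Root of $root is not marked encrypted; new files will not be encrypted."
}

# 3. Walk the whole volume and list every file that is still stored unencrypted.
$plain = Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }

if ($plain) {
    Write-Warning ("{0} file(s) on {1} are NOT encrypted:" -f @($plain).Count, $root)
    $plain | Select-Object -ExpandProperty FullName
} else {
    Write-Host "All files on $root carry the EFS Encrypted attribute."
}

# 4. Show which user certificates can decrypt the root. If only your own appears, a password
#    reset or lost profile (as the answer warns) makes the data unrecoverable, so back the
#    EFS certificate and key up to a file kept off the card: cipher /X:C:\efs-backup
cipher /C $root
```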


Updated on September 18, 2022

Comments

  • BaronGrivet
    BaronGrivet over 1 year

    I'm setting up a Windows 10 laptop for someone else.

    They have an SD card and we want to make sure it's only accessible on that machine.

    The card will be holding synced Google Drive files so if it's lost there's no issue with data loss. The most important outcome is someone can't take the card out, put it in their machine and read the files.

    Unfortunately the laptop doesn't have a TPM chip so Bitlocker will only run with the user entering another password (for Bitlocker) every time they want to use their laptop. This isn't ideal and I want to get around it if possible.

    Are there any third party applications that will do what we're after? Or is there another method I can use?

    I found this older question where "TrueCrypt" is suggested as a solution: Encrypt files on an SD card

    However TrueCrypt is no longer maintained and recommends the use of Bitlocker.

    Any suggested solutions appreciated.

    • Ramhound
      Ramhound over 8 years
      So use one of the active projects based on Truecrypt.
    • Ramhound
      Ramhound over 8 years
      Even if you use Truecrypt or one of the alternatives you still will have to enter a password.
    • BaronGrivet
      BaronGrivet over 8 years
      @Ramhound - is there no solution that could use keys on the main hard drive?
    • agentroadkill
      agentroadkill over 8 years
      Is this primarily a physical security problem? Would a startup/wakeup script to mount the drive be unacceptable?
    • user1686
      user1686 over 8 years
      How about enabling EFS?
  • BaronGrivet
    BaronGrivet over 8 years
    Thank you @CBHacking - I'd completely forgotten about EFS.