Encrypt Your Laptop Before International Travel: Step-by-Step Setup Guide

Margot 'Magic' Thorne (@magicthorne) | May 24, 2026 | 12 min read

You're flying to London next month. Your laptop contains work files, personal photos, saved passwords, and two decades of email. A border agent asks you to unlock it.

This scenario isn't hypothetical. U.S. border agents can search devices without a warrant, and similar authority exists in many countries. The legal mechanism is clear: border crossings sit outside normal Fourth Amendment protections. Agents can examine your device, copy data, and hold it for further review.

Encryption doesn't prevent the search. But it changes what happens when you power off the device. An encrypted laptop that's shut down is a locked vault. The data inside is scrambled, unreadable without the decryption key. Border agents can still ask for your password. You still face the legal and practical consequences of that request. But encryption ensures that if the device is off, the data is protected.

This guide walks through laptop encryption setup for Windows and macOS, explains what encryption actually protects, and covers the specific decisions you'll face when traveling internationally with encrypted devices.

What Full-Disk Encryption Actually Does

Full-disk encryption scrambles every file on your hard drive using a cryptographic key derived from your password. When the laptop is powered off, the entire drive is unreadable ciphertext. When you boot up and enter your password, the operating system decrypts data on the fly as you access it.

The encryption happens at the disk level, below the file system. Applications, documents, system files, temporary data, deleted files not yet overwritten: everything gets encrypted. You don't encrypt individual files. You encrypt the entire storage device.

Windows uses BitLocker. macOS uses FileVault. Both implement AES-256 encryption, a symmetric cipher that researchers consider secure against brute-force attacks when paired with a strong password. The underlying mechanism is similar across platforms: the encryption key lives in memory while the laptop is running, and disappears when you shut down.

Encryption protects data at rest. If someone steals your powered-off laptop, they can't access the files without your password. If you leave the laptop in a hotel room and it's taken, the data is safe. If you cross a border with the device shut down, the contents are encrypted.

Encryption does not protect data in use. If the laptop is on, logged in, and unlocked, encryption offers no barrier. Someone with physical access to a running laptop can see everything you can see. Sleep mode and hibernation vary by platform and configuration: some implementations keep the encryption key in memory, others don't. The only guaranteed protection is a full shutdown.

When Encryption Matters for Travel

Encryption addresses three specific travel scenarios: device theft, device loss, and border searches.

Device theft is the most common. Laptops get stolen from airport security bins, hotel rooms, rental cars, and conference venues. Around 70 million smartphones are lost or stolen each year globally, and laptops follow similar patterns. Encryption ensures that a stolen device doesn't become a data breach. The thief gets hardware, not your files.

Device loss is accidental but frequent. You leave the laptop on a plane, in a taxi, at a coffee shop. Someone finds it. Encryption protects you from the good Samaritan who tries to return it by looking through your files to find contact information, and from the opportunist who tries to extract value from the data.

Border searches are legally distinct. The U.S. Customs and Border Protection authority allows device searches at ports of entry without probable cause or a warrant. Other countries have similar or broader powers. In 2025, U.S. border agents conducted around 40,000 device searches, a small fraction of total crossings but a non-zero risk. Encryption doesn't exempt you from search authority, but it does mean that a powered-off device can't be casually browsed.

The practical question isn't whether border agents can legally compel you to unlock an encrypted device. They can, and refusal carries consequences including device seizure, denial of entry, and secondary inspection. The question is whether you want your data accessible if the device is off, lost, stolen, or in someone else's hands for any reason.

Encryption is a baseline precaution. It doesn't solve every problem, but it closes a specific vulnerability: unprotected data on a device you don't control.

Encrypting a Windows Laptop with BitLocker

BitLocker is built into Windows 10 Pro, Windows 10 Enterprise, Windows 11 Pro, and Windows 11 Enterprise. Home editions don't include BitLocker. If you're running Windows Home, you'll need to upgrade to Pro or use a third-party encryption tool like VeraCrypt.

Before you start, back up your data. Encryption itself doesn't delete files, but any disk operation carries risk. Store a backup on an external drive or cloud service before proceeding.

Step 1: Check TPM status. BitLocker relies on a Trusted Platform Module, a dedicated chip on your motherboard that stores encryption keys. Most laptops manufactured after 2016 include TPM 2.0. To verify, press Win + R, type tpm.msc, and press Enter. The TPM Management console will show your TPM version and status. If TPM isn't present or enabled, you can still use BitLocker with a password or USB key, but the setup process differs slightly.

Step 2: Open BitLocker settings. Go to Settings > Privacy & Security > Device Encryption (Windows 11) or Settings > Update & Security > Device Encryption (Windows 10). If Device Encryption is available and already turned on, your drive is encrypted. If not, look for "BitLocker Drive Encryption" in the Control Panel. Search for "BitLocker" in the Start menu and select "Manage BitLocker."

Step 3: Turn on BitLocker for your system drive. In the BitLocker Drive Encryption window, find your C: drive (or whichever drive contains your operating system). Click "Turn on BitLocker." The wizard will start.

Step 4: Choose how to unlock your drive at startup. BitLocker offers two options: enter a password every time you boot, or use a USB flash drive as a key. The password option is more practical for travel. Choose "Enter a password" and create a strong passphrase: at least 16 characters, mixing words, numbers, and symbols. Write it down and store it somewhere separate from the laptop. Don't rely on memory alone.

Step 5: Save your recovery key. BitLocker generates a 48-digit recovery key that can unlock the drive if you forget your password. You must save this key. The wizard offers four options: save to your Microsoft account, save to a USB flash drive, save to a file, or print it. Choose at least two. Save to a file on a separate device (not the laptop you're encrypting), and print a physical copy. Store the printed copy in a secure location at home, not in your laptop bag.

Step 6: Choose how much of the drive to encrypt. BitLocker asks whether to encrypt the entire drive or only the used space. For a laptop you're already using, "Encrypt used disk space only" is faster and sufficient, because new data gets encrypted as you write it. For a new laptop or one you're about to sell, choose "Encrypt entire drive" to ensure deleted files can't be recovered.

Step 7: Choose the encryption mode. Select "New encryption mode" if the drive will only be used on Windows 10 version 1511 or later. This uses XTS-AES, a stronger mode. If you might connect the drive to an older Windows system, choose "Compatible mode." For a modern laptop, use new encryption mode.

Step 8: Start encryption. Click "Start encrypting." The process runs in the background. On a 256GB SSD with moderate data, encryption typically takes 30 to 90 minutes. You can use the laptop during encryption, but performance may be slower. Don't shut down or restart until encryption completes.

Step 9: Verify encryption status. After encryption finishes, open the BitLocker Drive Encryption window again. Your system drive should show a closed padlock icon and "BitLocker on." Click "Turn off BitLocker" if you ever need to decrypt the drive, but leave it on for travel.

Step 10: Test the setup. Restart your laptop. Before Windows loads, BitLocker will prompt you for your password. Enter it. If the password works, Windows boots normally. If you enter the wrong password, BitLocker will ask again. After too many failed attempts, you'll need the recovery key.

From this point forward, your drive is encrypted whenever the laptop is powered off. Sleep mode may or may not keep the encryption key in memory, depending on your power settings; assume it does. Full shutdown is the only guaranteed protection.

Encrypting a macOS Laptop with FileVault

FileVault is built into every version of macOS. It's been the default encryption method since macOS Lion in 2011. If you bought a Mac in the last decade and set it up with a password, FileVault might already be enabled.

Before you start, back up your data using Time Machine or another method. Encryption won't delete files, but any system-level change carries risk.

Step 1: Check FileVault status. Open System Settings (macOS Ventura or later) or System Preferences (earlier versions). Click "Privacy & Security" and scroll down to FileVault. If it says "FileVault is turned on for the disk," you're already encrypted. If it says "FileVault is turned off," continue to the next step.

Step 2: Turn on FileVault. Click the lock icon in the lower-left corner and enter your administrator password to make changes. Click "Turn On FileVault." macOS will prompt you to choose how to unlock your disk if you forget your password.

Step 3: Choose a recovery method. FileVault offers two options: allow your iCloud account to unlock the disk, or create a recovery key. The iCloud option is convenient: if you forget your login password, you can reset it using your Apple ID. The recovery key option gives you a 24-character alphanumeric key that you must store securely. For travel, the recovery key is safer. Choose "Create a recovery key and do not use my iCloud account."

Step 4: Save your recovery key. macOS displays a 24-character recovery key. Write it down. Store it in a password manager, a safe, or another secure location separate from your laptop. Do not store it on the laptop itself. If you lose both your login password and the recovery key, your data is permanently inaccessible. Click "Continue."

Step 5: Restart to begin encryption. macOS will prompt you to restart. Click "Restart." After the restart, FileVault encrypts your drive in the background. You can use the laptop normally during this process. Encryption time depends on drive size and speed: around one to three hours for a typical SSD.

Step 6: Verify encryption status. Open System Settings > Privacy & Security > FileVault. It should say "FileVault is turned on for the disk" and show an encryption progress bar if encryption is still running. Once complete, the bar disappears.

Step 7: Test the setup. Shut down your Mac completely. Power it back on. At the login screen, enter your password. If the password works, macOS boots normally. This is the same login you've always used; FileVault doesn't add a separate pre-boot password on modern Macs with T2 or Apple Silicon chips. The encryption key is tied to your user password.

From this point forward, your drive is encrypted when the Mac is powered off. Sleep mode keeps the encryption key in memory; treat a sleeping Mac as unlocked. Full shutdown is the only guaranteed protection.
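The status checks in Step 9 (BitLocker) and Step 6 (FileVault) can also be read from each platform's command-line tool: `manage-bde -status C:` on Windows and `fdesetup status` on macOS. The following Python script is an added example, not part of the original guide; it parses that text and lists the reasons a laptop is not ready for travel. The sample outputs are constructed, and the function names and the English-locale field labels are assumptions.

```python
import re

# Constructed sample shaped like English `manage-bde -status C:` output, mid-encryption.
SAMPLE_BDE = """\
Volume C: [Windows]
[OS Volume]

    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 62.4%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Password
        Numerical Password
"""
# Constructed samples shaped like `fdesetup status` output.
SAMPLE_FV_ON = "FileVault is On.\n"
SAMPLE_FV_BUSY = "FileVault is On.\nEncryption in progress: Percent completed = 35\n"


def parse_bde(text):
    """Parse single-volume `manage-bde -status` text into a dict."""
    info, protectors, in_protectors = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if in_protectors:                      # indented names after the header
            protectors.append(stripped)
        elif stripped.startswith("Key Protectors:"):
            in_protectors = True
        elif line.startswith(" ") and ":" in stripped:
            key, _, value = stripped.partition(":")
            info[key.strip()] = value.strip()
    info["Key Protectors"] = protectors
    return info


def bde_findings(info):
    """List reasons the volume is not ready for travel (empty list = ready)."""
    problems = []
    if info.get("Protection Status") != "Protection On":
        problems.append("protection is off or suspended")
    pct = float(info.get("Percentage Encrypted", "0").rstrip("%"))
    if pct < 100.0:
        problems.append(f"encryption incomplete ({pct:.1f}%)")
    if not info.get("Encryption Method", "").startswith("XTS-AES"):
        problems.append("not using XTS-AES (new encryption mode)")
    if "Numerical Password" not in info["Key Protectors"]:
        problems.append("no 48-digit recovery key protector")
    return problems


def filevault_findings(text):
    """Same readiness check for `fdesetup status` text."""
    problems = []
    if "FileVault is On." not in text:
        problems.append("FileVault is off")
    m = re.search(r"Encryption in progress: Percent completed = (\d+)", text)
    if m and int(m.group(1)) < 100:
        problems.append(f"encryption incomplete ({m.group(1)}%)")
    return problems


if __name__ == "__main__":
    print("BitLocker:", bde_findings(parse_bde(SAMPLE_BDE)) or "ready")
    print("FileVault:", filevault_findings(SAMPLE_FV_BUSY) or "ready")
```

To check a real machine, paste the tool's output into the parser in place of the constructed samples; both commands need an administrator or root prompt.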

What Encryption Doesn't Protect

Encryption secures data at rest, not data in transit or data in use. Here's what it doesn't do:

It doesn't protect a running laptop. If your laptop is on, logged in, and unlocked, encryption offers no barrier. Anyone with physical access can see your files, open your applications, and access your accounts. Lock your screen when you step away. Shut down the laptop when you're not using it in unfamiliar environments.

It doesn't protect data you've already synced to the cloud. Files stored in Dropbox, Google Drive, OneDrive, or iCloud are encrypted on your laptop, but they also exist on remote servers. Encrypting your laptop doesn't encrypt your cloud accounts. If border agents want your cloud data, they can request it from the service provider or ask for your cloud account credentials.

It doesn't protect data in email or messaging apps. Your email client stores messages locally, and those messages are encrypted along with everything else on the drive. But the emails also exist on your email provider's servers. Encrypting your laptop doesn't make your Gmail account private. The same applies to messaging apps: WhatsApp, Signal, Telegram, and others store messages on their servers or on other devices you've used to log in.

It doesn't prevent border agents from asking for your password. U.S. Customs and Border Protection can ask you to unlock your device. Refusal can result in device seizure, denial of entry, or secondary inspection. Some travelers power off devices and claim they don't remember the password. This strategy carries legal and practical risks that vary by country, citizenship status, and individual circumstances. Encryption doesn't exempt you from search authority.

It doesn't protect against sophisticated forensic tools. Law enforcement and intelligence agencies have tools that can extract data from devices in specific circumstances: cold boot attacks that capture encryption keys from RAM, hardware exploits that bypass encryption, and forensic techniques that recover data from unencrypted swap files or hibernation images. These tools are expensive, specialized, and typically reserved for high-value targets. They're not used in routine border searches. But encryption isn't impenetrable.

It doesn't protect data you've backed up to an unencrypted drive. If you back up your encrypted laptop to an external hard drive that isn't encrypted, the backup contains readable copies of all your files. Encrypt your backup drives using the same tools: BitLocker for Windows, FileVault for Mac external drives, or third-party tools like VeraCrypt.

Encryption is one layer. It works best when combined with other precautions: strong passwords, two-factor authentication, cloud account security, and awareness of what data you're carrying.

Traveling with an Encrypted Laptop: Practical Decisions

You've encrypted your laptop. Now you're at the airport. Here's what to consider.

Power off before you reach the border. Encryption protects data when the device is off. Shut down your laptop completely before you enter the airport, before you board the plane, and before you reach customs. Don't rely on sleep mode. A full shutdown ensures the encryption key is cleared from memory.

Carry your recovery key separately. Store your BitLocker recovery key or FileVault recovery key in a password manager on your phone, in a secure note app, or on a piece of paper in your wallet. Don't store it on the laptop. If you forget your password while traveling, you'll need that key to regain access.

Decide in advance how you'll respond to a search request. If a border agent asks you to unlock your device, you have limited options. You can comply, you can refuse and accept the consequences (device seizure, secondary inspection, potential denial of entry), or you can claim you don't remember the password. The third option is legally and practically risky: agents may not believe you, and the consequences are similar to outright refusal. There's no universal right answer. The decision depends on your citizenship, destination country, the sensitivity of your data, and your personal risk tolerance.

Consider traveling with a clean device. Some travelers carry a secondary laptop with minimal data: a fresh install, no saved passwords, no sensitive files. They access cloud accounts as needed and delete local copies before crossing borders. This approach reduces risk but requires planning. You'll need to configure the clean device, ensure you can access your work files remotely, and manage the logistics of carrying two devices or leaving your primary laptop at home.

Use a VPN for in-flight or airport WiFi. Encryption protects your hard drive. A VPN protects your network traffic. If you're working on the plane or in the airport, a VPN encrypts data between your laptop and the internet, preventing eavesdropping on public WiFi. This is separate from disk encryption but complementary.

Check destination country laws. Some countries restrict or ban encryption. Others require you to disclose passwords under penalty of prosecution. Research the specific laws of your destination before you travel. The EFF's Surveillance Self-Defense guide covers international considerations, though it's not exhaustive.

Don't forget about your phone. This guide focuses on laptops, but your phone carries as much or more sensitive data. Encrypt your phone (iOS encrypts by default, Android offers encryption in settings), use a strong passcode, and apply the same travel precautions. Border agents search phones more frequently than laptops.

After You Return: Ongoing Encryption Maintenance

Encryption isn't a one-time setup. It requires ongoing attention.

Keep your operating system updated. Security patches sometimes address encryption vulnerabilities. Windows and macOS release updates regularly. Install them. Delayed updates leave your encryption implementation exposed to known exploits.

Periodically verify encryption status. Open BitLocker or FileVault settings and confirm that encryption is still enabled. Some system updates or hardware changes can disable encryption. Check every few months, especially after major OS upgrades.

Store your recovery key in multiple secure locations. Don't rely on a single copy. If you saved your BitLocker recovery key to your Microsoft account, also print a copy and store it at home. If you saved your FileVault recovery key in a password manager, also write it down and store it in a safe. Redundancy prevents permanent data loss.

Re-encrypt if you change your password. Changing your login password doesn't automatically re-encrypt your drive with a new key. On Windows, BitLocker uses a separate encryption key protected by your password. On macOS, FileVault ties the encryption key to your user password. In both cases, changing your password updates the protection around the key but doesn't change the key itself. This is generally fine, but if you suspect your old password was compromised, consider decrypting and re-encrypting the drive with a new key. This process is time-consuming and requires a full backup first.

Encrypt external drives. Any external hard drive or USB stick you use for backups or file transfer should also be encrypted. Use BitLocker To Go on Windows or FileVault on macOS to encrypt external drives. An encrypted laptop with an unencrypted backup drive defeats the purpose.

Understand the performance impact. Modern encryption has minimal performance impact on recent hardware, but older laptops with slower processors or traditional hard drives may see a slowdown. If you notice significant lag after enabling encryption, consider upgrading to an SSD or a newer device. Don't disable encryption to regain speed; the security tradeoff isn't worth it.

The Bigger Picture: Encryption as Baseline Precaution

Encryption is a baseline, not a complete solution. It protects data at rest. It doesn't protect data in use, data in transit, or data you've already shared with cloud services. It doesn't exempt you from border search authority. It doesn't prevent device theft or loss; it just ensures that theft or loss doesn't become a data breach.

But baseline precautions matter. Most data breaches don't involve sophisticated attacks. They involve stolen laptops, lost devices, and unencrypted hard drives sold on eBay. Encryption closes that vulnerability.

In Neuromancer, William Gibson described cyberspace as a "consensual hallucination," a shared digital landscape where data flows freely and boundaries dissolve. The novel's protagonist, Case, is a hacker navigating corporate datastores and AI constructs, always one step ahead of the security systems trying to lock him out. The book was published in 1984, before the commercial internet, before laptops, before the concept of personal encryption even made sense to most people. But the core tension remains: the data you carry is valuable, and the systems designed to protect it are constantly negotiating with the systems designed to access it. Encryption is your lock on the door. It doesn't guarantee privacy, but it forces anyone who wants in to knock first.

You're flying to London next month. Your laptop is encrypted. If it's stolen, the data is safe. If it's lost, the finder can't access your files. If a border agent asks you to unlock it, you'll make the decision that fits your circumstances. But the decision is yours to make, not forced by an unlocked device.

Encrypt your laptop before you travel. It's not optional anymore.

Filed under: laptop encryption, border security, travel privacy, device security, international travel, data protection

Frequently asked questions

Yes. U.S. border agents can search devices without a warrant, and encryption doesn't prevent the search. But if the laptop is powered off and encrypted, they need your password to access the data.
Modern full-disk encryption on recent hardware has minimal performance impact. Most users won't notice a difference in daily use.
You lose access to your data permanently. There's no password reset for full-disk encryption. Store your recovery key in a secure location separate from the laptop.
Encryption protects against theft and loss regardless of where you travel. Border searches are one scenario, but device theft is far more common.
Windows uses BitLocker, macOS uses FileVault. Both are full-disk encryption, but the setup process differs. Follow the platform-specific steps for your device.
