Introducing Personal Data Encryption for developers on Windows devices


 Windows IT Pro Blog:

Personal Data Encryption (PDE), along with BitLocker, constitutes Windows data protection on Windows devices. BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. However, there are some cases in which BitLocker protection alone might not be sufficient. For example, Trusted Platform Module (TPM) bus sniffing, targeting devices that do not have BitLocker TPM + PIN options set, or trying to get encryption keys by sniffing the unsecured bus between the CPU and TPM can all put BitLocker-protected personal data at risk. Direct Memory Access (DMA) based drive-by attacks target devices with unsecured DMA ports and work by bypassing the sign-in and getting directly to the end user's data. Applications and browsers that utilize AI to power recommendation engines capture sensitive user data and also need to be protected.

PDE provides an extra layer of security, in addition to that provided by BitLocker, for when the device is locked and powered on, protecting it from sophisticated physical attacks. PDE uses Windows Hello for Business to link data encryption keys with user credentials. When a user signs in to a device using Windows Hello for Business, decryption keys are released, and encrypted data is accessible to the user. It's important to note that PDE and BitLocker are not dependent on each other. PDE can be used with or without any other full disk encryption solutions, although it is highly recommended to use both.

The PDE API offers a comprehensive and extensible set of low-level APIs for the protection of end-user content. These APIs enable the encryption of end-user data, and the keys used for encryption are protected by the user's Windows Hello credentials. It is important to note that PDE is exclusively available in Windows Enterprise and Education editions.

Content-generating applications can use the PDE API to protect content for two levels of security:
  • L1 (AfterFirstUnlock) level of protection: Data protected to this level is accessible only after the first device unlock, and it will continue to be available thereafter.
  • L2 (WhileUnlocked) level of protection: Data protected to this level is only available when the device is unlocked and provides additional protection.

Now let's look at how an application that generates content can use the PDE API to protect files, folders, and buffers.
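
The two protection levels above, shown as an added C# example (not code from the original blog post). It assumes a Windows app with access to the WinRT `Windows.Security.DataProtection` namespace, where L1 and L2 correspond to `UserDataAvailability.AfterFirstUnlock` and `UserDataAvailability.WhileUnlocked`. The class and method names (`PdeExample`, `ProtectFileL1Async`, `ProtectSecretL2Async`, `TryReadSecretAsync`) are hypothetical.

```csharp
// Added example: maps the article's L1/L2 levels onto UserDataAvailability.
using System;
using System.Threading.Tasks;
using Windows.Security.Cryptography;
using Windows.Security.DataProtection;
using Windows.Storage;
using Windows.Storage.Streams;

public static class PdeExample
{
    // TryGetDefault returns null when PDE is not available for this user on
    // this device, so callers must not assume data ends up protected.
    private static UserDataProtectionManager GetManager() =>
        UserDataProtectionManager.TryGetDefault();

    // L1: the file or folder is accessible after the first unlock and stays so.
    public static async Task<bool> ProtectFileL1Async(IStorageItem item)
    {
        var manager = GetManager();
        if (manager == null) return false;
        var status = await manager.ProtectStorageItemAsync(
            item, UserDataAvailability.AfterFirstUnlock);
        return status == UserDataStorageItemProtectionStatus.Succeeded;
    }

    // L2: the buffer can only be unprotected while the device is unlocked.
    public static async Task<IBuffer> ProtectSecretL2Async(string secret)
    {
        var manager = GetManager();
        if (manager == null) return null;
        IBuffer plain = CryptographicBuffer.ConvertStringToBinary(
            secret, BinaryStringEncoding.Utf8);
        return await manager.ProtectBufferAsync(
            plain, UserDataAvailability.WhileUnlocked);
    }

    // Returns null when the keys are not currently released (device locked).
    public static async Task<string> TryReadSecretAsync(IBuffer protectedBuffer)
    {
        var manager = GetManager();
        if (manager == null) return null;
        UserDataBufferUnprotectResult result =
            await manager.UnprotectBufferAsync(protectedBuffer);
        if (result.Status != UserDataBufferUnprotectStatus.Succeeded)
            return null; // status is UserDataBufferUnprotectStatus.Unavailable
        return CryptographicBuffer.ConvertBinaryToString(
            BinaryStringEncoding.Utf8, result.UnprotectedBuffer);
    }
}
```

An application that holds L2 data should treat a null return from `TryReadSecretAsync` as a normal state while the device is locked and retry after unlock, rather than caching the plaintext to avoid the failure.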
