It seems that one can encrypt entire hard drives and portable storage devices using BitLocker, which is built into Windows, and all files saved from apps will be intercepted and encrypted. As I understand it, BitLocker uses one (or more?) encryption keys that the user must establish. If one encrypts entire drives - as I think I'll do - then one must obtain and manage an authentication certificate. As I understand it, BitLocker is Windows only and will not allow files encrypted by it to be decrypted by a Mac or other OS. That doesn't matter to me as I don't have the need to share any files with anyone on that platform.
I think the certificate is used when one starts Windows. Reference is made to using a 'smart card' to automate providing the certificate. I think of smart cards as the plastic things in one's wallet that have a chip to store data. I don't have a card reader. I tried to learn if a thumb drive can be used to store the certificate and perform as a 'smart card'. I didn't find an answer.
Does anyone know if a USB thumb drive can store the BitLocker certificate and if it can be used to answer BitLocker's need for the certificate?
I plan to store the BitLocker certificate on my iOS devices, carefully disguised, of course. Should I also keep a copy on paper?
What have I missed or misunderstood about using BitLocker? Is a third-party app a better choice? Why or why not? What else should I know about BitLocker or about encrypting files generally?


