How To Encrypt Your Windows Hard-Drive With VeraCrypt
VeraCrypt is a source-available freeware utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file, or encrypt a partition or the entire storage device with pre-boot authentication. This guide explains how to encrypt your Windows hard drive with VeraCrypt.
Encrypting your Windows Hard-Drive is actually not too difficult to do. Just follow these steps in order. We’re assuming you already have VeraCrypt installed but if not, you can get it here.
First, open up VeraCrypt and click on “Create Volume”. You will then see three options. We have already done the first two in previous articles. Today we are going for option number three – “Encrypt the system partition or entire system drive.”
Click “Next” to proceed. In this case, we are going for normal encryption, not a “hidden operating system”. So choose the first option and click “Next” to move on.
Published on https://www.novabach.com/veracrypt-two-ways-of-using-veracrypt-to-secure-your-hard-drive/ by Daniel Barrett on 2022-08-26T22:58:05.000Z
Next, select “Encrypt the Windows system partition.” You may decide to choose the second option instead, but if you do, you will get lots of warnings about the consequences if it all goes wrong.
If you only have Windows on your computer then you have a single-boot system. If you have multiple operating systems (say Windows and Linux for example) on your computer, then it’s a multi-boot system. So, choose which one you have.
It will now ask you which encryption option you want. But as I have indicated in the previous articles, unless you have a particular reason why, you should leave the encryption protocols on the defaults. This is the AES standard used by governments to encrypt secret documents. Also leave the hash-algorithm as it is.
After specifying your desired password, it is time to generate your encryption keys. To make them as strong as possible, you need to move your mouse or trackpad around the VeraCrypt window in a “random order”.
As you do so, the bar at the bottom will go from red to yellow to finally green. When the green bar is fully at the far right-hand end of the screen, click “Next”.
Since you are now encrypting a hard drive (or part of one), you need to take an extra cautionary step in case you lock yourself out of your hard drive. This is the VeraCrypt Rescue Disk (VRD), which can repair damage to the VeraCrypt boot loader or to Windows, allowing you to (hopefully) log in again.
However, it is not a security risk having this rescue disk as you will still need the encryption password for it to work.
VeraCrypt will select an area for your rescue disk to be placed once it is created. But you can easily move it to another location if you want, by clicking the “Browse” button. Do NOT deselect “Skip Rescue Disk verification” – that is essential.
This next step opens up the Windows Disc Image Burner. You will see that the rescue disk is an ISO file, and you need to choose the disc burner drive on your computer. A normal 700MB CD is sufficient. Select “Verify disc after burning.”
Once the disc is in your burner drive, click “Burn” to start the process.
When the process has finished, the disc burner will eject its tray. Close the tray again and let the disc spin up, so Disc Image Burner can verify the disc and make sure everything worked OK.
Hopefully, you will eventually see this.
It’s now time for VeraCrypt to do some pre-testing before it starts encrypting your hard-drive or partition (depending on what you chose).
As the next screenshot says, your Windows system will restart, the boot loader will be installed and assuming all went well, the system will begin encrypting. Click “Test” to begin that process.
When the computer restarts – before Windows loads – you will now see the following screen.
Enter your password in the space provided. You probably didn’t specify a PIM in the password settings (I didn’t) so in that case, leave it blank when it asks you for a PIM and hit enter.
Now wait for your system to log in. If it’s the first time you’re doing this, the login process might be slightly delayed.
Once your password has been successfully verified, your system will begin encrypting. As you can see it takes a long time to encrypt the system, depending on how big it is, so this might be one of those times when you need to leave the computer on overnight in order for it to do its thing.
Download VeraCrypt to get started. Run the installer and select the “Install” option. You can keep all the default settings in the installer—just click through it until VeraCrypt is installed on your computer.
Once VeraCrypt is installed, open your Start menu and launch the “VeraCrypt” shortcut.
Click System > Encrypt System Partition/Drive in the VeraCrypt window to get started.
You’ll be asked whether you want to use “Normal” or “Hidden” system encryption.
The Normal option encrypts the system partition or drive normally. When you boot your computer, you’ll have to provide your encryption password to access it. No one will be able to access your files without your password.
The Hidden option creates an operating system in a hidden VeraCrypt volume. You’ll have both a “real” operating system, which is hidden, and a “decoy” operating system. When you boot your PC, you can enter the real password to boot your hidden operating system or the password to the decoy operating system to boot the decoy operating system. If someone is forcing you to provide access to your encrypted drive—due to extortion, for example—you can provide them with the password to the decoy operating system and they shouldn’t be able to tell there’s a hidden operating system at all.
In terms of encryption, using “Normal” encryption keeps your files just as secure. A “Hidden” volume only helps if you’re forced to disclose your password to someone and want to maintain plausible deniability about the existence of any other files.
If you’re not sure which you want, select “Normal” and continue. We’ll be going through the process of creating a normal encrypted system partition here, as that’s what most people will want. Consult VeraCrypt’s documentation for more information about hidden operating systems.
You can choose to either “Encrypt the Windows system partition” or “Encrypt the whole drive”. It’s up to you which option you prefer.
If the Windows system partition is the only partition on the drive, the options will be basically the same. If you just want to encrypt your Windows system partition and leave the rest of the drive alone, choose “Encrypt the Windows system partition”.
If you have multiple partitions with sensitive data—for example, a system partition at C: and a files partition at D:—select “Encrypt the whole drive” to ensure all your Windows partitions are encrypted.
VeraCrypt will ask how many operating systems you have on your PC. Most people only have a single operating system installed and should choose “Single-boot”. If you have more than one operating system installed and you choose between them when you boot your computer, select “Multi-boot”.
You’ll then be asked to choose which type of encryption you want to use. While there are multiple options available, we recommend sticking with the default settings. “AES” encryption and the “SHA-256” hash algorithm are good choices. They’re all solid encryption schemes.
You’ll then be asked to enter a password. As VeraCrypt’s wizard notes, it’s very important to choose a good password. Choosing an obvious or simple password will make your encryption vulnerable to brute-force attacks.
The wizard recommends choosing a password of 20 or more characters. You can enter a password of up to 64 characters. An ideal password is a random combination of different types of characters, including upper- and lower-case letters, numbers, and symbols. You’ll lose access to your files if you ever lose the password, so make sure you remember it. Here are some tips for creating a strong, memorable password if you need them.
There are a few more options here, but they’re not necessary. You can leave these options alone unless you want to use them:
Using keyfiles: You can choose to enable “Use keyfiles” and provide some files that must be present—for example, on a USB drive—when unlocking your drive. If you ever lose the files, you’ll lose access to your drive.
Display password: This option just unhides the password in the password fields in this window, allowing you to confirm that what you’ve typed is correct.
Use PIM: VeraCrypt allows you to set a “Personal Iterations Multiplier” by enabling the “Use PIM” checkbox. A higher value helps protect against brute-force attacks. You’ll also need to remember whatever number you enter and enter it alongside your password, giving you something else to remember in addition to your password.
Select any of these options if you want them and click Next.
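The password and PIM settings above decide how much key-derivation work an attacker has to repeat for every guess. The following Python script is an added example written for this page, not code from the article or from the VeraCrypt project. It applies the wizard’s password advice (20 to 64 characters, mixed character classes), converts a PIM into the PBKDF2 iteration count, and derives a header-style key so you can see that a wrong PIM yields a different key. The iteration formulas and the default system-encryption PIM values (98 for SHA-256, 485 for SHA-512) are taken from the VeraCrypt PIM documentation as I know it and should be treated as an assumption to verify against the current docs; the 64-byte key length, the salt and the sample password are constructed for the example.

```python
"""Added example: how VeraCrypt's password and PIM choices translate into
PBKDF2 work. Not VeraCrypt's own code; formulas and defaults are assumptions
taken from the VeraCrypt PIM documentation (verify before relying on them)."""
import hashlib
import math
import string

# Iteration formulas for VeraCrypt *system* encryption with a user-set PIM
# (assumption, from the VeraCrypt PIM docs):
#   SHA-256, BLAKE2s, Streebog : iterations = PIM * 2048
#   SHA-512, Whirlpool         : iterations = 15000 + PIM * 1000
# Default PIM used when you just press Enter at the boot prompt (assumption).
DEFAULT_SYSTEM_PIM = {"sha256": 98, "sha512": 485}


def system_iterations(pim: int, hash_name: str = "sha256") -> int:
    """PBKDF2 iteration count for a given PIM under system encryption."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    if hash_name in ("sha512", "whirlpool"):
        return 15000 + pim * 1000
    return pim * 2048


def check_password(password: str) -> dict:
    """Apply the wizard's advice: 20-64 characters drawn from several classes."""
    classes = {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    pool = (26 * classes["lower"] + 26 * classes["upper"]
            + 10 * classes["digit"] + len(string.punctuation) * classes["symbol"])
    # Upper bound on entropy, valid only if the password is truly random
    entropy_bits = len(password) * math.log2(pool) if pool else 0.0
    return {
        "length_ok": 20 <= len(password) <= 64,
        "class_count": sum(classes.values()),
        "entropy_bits": round(entropy_bits, 1),
    }


def derive_header_key(password: str, salt: bytes, pim: int,
                      hash_name: str = "sha256", key_len: int = 64) -> bytes:
    """PBKDF2-HMAC key derivation using the PIM-derived iteration count.
    key_len=64 is an assumption (two 256-bit halves, as AES-XTS needs).
    Only sha256/sha512 are accepted by hashlib.pbkdf2_hmac in this example."""
    iterations = system_iterations(pim, hash_name)
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def guess_cost_ratio(pim_a: int, pim_b: int, hash_name: str = "sha256") -> float:
    """How many times more PBKDF2 work each guess costs with pim_b than pim_a."""
    return system_iterations(pim_b, hash_name) / system_iterations(pim_a, hash_name)


if __name__ == "__main__":
    SALT = bytes(range(64))  # constructed sample; VeraCrypt stores a random 64-byte salt in the header
    pw = "correct-Horse-battery-Staple-42!"  # constructed sample password
    print("password check:", check_password(pw))
    for pim in (1, DEFAULT_SYSTEM_PIM["sha256"]):
        print(f"PIM {pim}: {system_iterations(pim)} iterations, key prefix",
              derive_header_key(pw, SALT, pim).hex()[:16])
    print("wrong PIM changes the key:",
          derive_header_key(pw, SALT, 1) != derive_header_key(pw, SALT, 2))
    print("guess cost, PIM 1 -> default:", guess_cost_ratio(1, DEFAULT_SYSTEM_PIM["sha256"]))
```

The point for a defender is the two-sided trade-off the wizard hints at: a larger PIM multiplies the per-guess cost for an attacker, but it multiplies your own boot-time derivation by the same factor, and forgetting the number is as fatal as forgetting the password, since the derived key is simply different.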
VeraCrypt will ask you to move your mouse randomly around inside the window. It uses these random mouse movements to increase the strength of your encryption keys. When you’ve filled up the meter, click “Next”.
The wizard will inform you it’s generated the encryption keys and other data it needs. Click “Next” to continue.
The VeraCrypt wizard will force you to create a VeraCrypt Rescue Disk image before continuing.
If your bootloader or other data ever gets damaged, you must boot from the rescue disk if you want to decrypt and access your files. The disk will also contain a backup image of the contents of the beginning of the drive, which will allow you to restore it if necessary.
Note that you’ll still need to provide your password when using the rescue disk, so it isn’t a golden key that allows access to all your files. VeraCrypt will simply create a rescue disk ISO image at C:\Users\NAME\Documents\VeraCrypt Rescue Disk.iso by default. You’ll need to burn the ISO image to a disc yourself.
Be sure to burn a copy of the rescue disk so you can access your files if there’s ever a problem. You can’t just reuse the same VeraCrypt rescue disk on multiple computers. You need a unique rescue disk for each PC! Consult VeraCrypt’s documentation for more information about VeraCrypt rescue disks.
Next, you’ll be asked for the “wipe mode” you want to use.
If you have sensitive data on your drive and you’re concerned someone might attempt to examine your drive and recover the data, you should select at least “1-pass (random data)” to overwrite your unencrypted data with random data, making it difficult to impossible to recover.
If you’re not concerned about this, select “None (fastest)”. It’s faster not to wipe the drive. The larger the number of passes, the longer the encryption process will take.
This setting only applies to the initial setup process. After your drive is encrypted, VeraCrypt won’t need to overwrite any encrypted data to protect against data recovery.
VeraCrypt will now verify everything is working correctly before it encrypts your drive. Click “Test” and VeraCrypt will install the VeraCrypt bootloader on your PC and restart. You’ll have to enter your encryption password when it boots.
VeraCrypt will provide information about what to do if Windows doesn’t start. If Windows doesn’t start properly, you should restart your PC and press the “Esc” key on your keyboard at the VeraCrypt bootloader screen. Windows should start and ask if you want to uninstall the VeraCrypt bootloader.
If that doesn’t work, you should insert the VeraCrypt rescue disk into your PC and boot from it. Select Repair Options > Restore Original System Loader in the rescue disk interface. Restart your PC afterwards.
Click “OK” and then click “Yes” to restart your PC.
You’ll have to enter your VeraCrypt encryption password when your PC boots. If you didn’t enter a custom PIM number, just press “Enter” at the PIM prompt to accept the default.
Sign into your PC when the normal welcome screen appears. You should see a “Pretest Completed” window.
VeraCrypt advises that you have backup copies of the files you’re encrypting. If the system loses power or crashes, some of your files will be irreversibly corrupted. It’s always important to have backup copies of your important files, especially when encrypting your system drive. If you need to back up your files, click the “Defer” button and back up the files. You can then relaunch VeraCrypt later and click System > Resume Interrupted Process to resume the encryption process.
Click the “Encrypt” button to actually encrypt your PC’s system drive.
VeraCrypt will provide information about when you should use the rescue disk. After it does, it will begin the process of encrypting your hard drive.
When the process is complete, your drive will be encrypted and you’ll have to enter your password each time you boot your PC. You are now safe from invasive-nosy-do-gooders. If you decide you want to remove the system encryption in the future, launch the VeraCrypt interface and click System > Permanently Decrypt System Partition/Drive.