3DSC Days 26 & 27: Full Disk Encryption

Last weekend I wrote about file-level encryption.  This is an excellent way to protect sensitive files, but it isn’t perfect.  First, the learning curve is slightly steeper.  It takes time to open VeraCrypt, find the volume you want to open, and mount it.   Worse, unencrypted versions of your files are very likely stored on your hard drive.  These versions may be compromised by an attacker.  A more comprehensive form of encryption is this weekend’s task: implement full disk encryption (FDE).

Full disk encryption has several huge advantages.  It encrypts your entire hard drive, including your operating system.  This means that your computer cannot be booted without your password.  This means that an attacker with physical access cannot turn your computer on and tamper with your OS or programs.  It also means that all of your files are encrypted and secure.  And, believe it or not, full disk encyption is easier to use: you enter a password just before startup.  That’s it – no programs to learn, no volumes to find and mount, etc.  The only negative is that setting it up (in Windows) can be somewhat daunting.

SPECIAL CONSIDERATIONS: READ THIS BEFORE YOU BEGIN!

Regardless of your operating system, there are some special considerations before you take this step.  First, though there is vanishingly little risk inherent in enabling full disk encryption, that still adds up to some risk.  Let me be clear: take this step at your own risk.  Do your homework before you begin! This is more important if using a third-party application like VeraCrypt. I have encrypted dozens of personal and work computers with TrueCrypt and VeraCrypt, and assisted scores more students with their machines, and have only encountered one issue.  It was correctable but took some time and patience.

You should also know that this process may take several hours to complete, so plan accordingly.  Depending on the size of your hard drive and speed of your processor, this time may be considerable (up to several hours).  All the of the encryption methods mentioned here have a recovery mechanism.  With BitLocker and FileVault this will be a code.  For VeraCrypt you will be required to burn a “recovery disk”.  You should carefully safeguard this recovery mechanism.  It should also go without saying that you should be one-hundred percent certain you can remember your chosen password before you begin encrypting.  Forgetting your password means your data will be totally unrecoverable.

OPERATING SYSTEM SPECIFICS

Windows 7:  For Windows 7 systems I recommend using VeraCrypt if you do not have BitLocker.  I migrated to VeraCrypt a few months ago due to a bug discovered in TrueCrypt.  You will need the ability to burn a CD (the VeraCrypt Rescue Disk) prior to beginning the process.  Before beginning the process I recommend thoroughly familiarizing yourself with the process through the VeraCrypt User’s Guide (p. 32 and 33).

OS X:  Mac computers come with FileVault II built right in.  This is an excellent full disk encryption solution.  To enable it open System Preferences, Security & Privacy, FileVault.  Click “Turn On FileVault” and enter your user password.  You will be prompted to record your Recovery Key, and the encryption process will begin.

Windows 10:  This is where things get a little complicated.  If your Windows 10 system comes with BitLocker enabled, I recommend using it.  A very thorough guide from Windows on the features of BitLocker can be found here.  VeraCrypt will work on Windows 10 (I have successfully used it) but it will not work on ALL instances of Windows 10.  If VeraCrypt fails (due to a GPT issue) you may be able to revert the installation to BIOS, but this is a fairly complicated process.  I am sorry to report that I do not have better guidance to offer at this time.

Leave a Reply