Windows users looking for a free full disk encryption option should consider VeraCrypt full disk encryption. VeraCrypt seems to have become the de facto replacement for TrueCrypt. Most former TrueCrypt users I know have migrated to it, including me. VeraCrypt is an important piece of software because, as of now, it is perhaps the most trusted free full-disk encryption program available for Windows machines.
VeraCrypt can also be used to encrypt Mac and Linux machines, but because both of those operating systems have built-in full disk encryption options, I don’t prefer it there. The newest version of VeraCrypt, version 1.18, also offers support for Windows 10 with UEFI (though I have yet to successfully use it). Setting up VeraCrypt full disk encryption can be daunting for the technically challenged. The first time I fully encrypted one of my computers I was pretty nervous during the process. I think this is understandable. Hopefully this guide will give you some confidence with this process.
***I don’t mean to imply that there is not some level of risk involved in using full disk encryption. There is a chance that something could go wrong and you could lose data. Though very unlikely, the possibility exists.***
Enabling VeraCrypt Full Disk Encryption
The first thing you need to do is download and install VeraCrypt. Before you begin it is also probably not a bad idea to consult the VeraCrypt User’s Manual. To access it, click “Help” on the VeraCrypt interface. In the drop down click “User’s Guide”. This will open the 169-page PDF.
Open the application. On the interface (top left) click the “Create Volume” button. A new screen will appear (top right). Choose “Encrypt the system partition or entire system drive”. On the next screen (bottom left) click “Normal” (if you want to know more about “hidden” mode consult the user’s manual). On the next screen select the area to encrypt. I recommend encrypting the entire drive.
The next screen, “Encryption of Host Protected Area” explains itself reasonably well. If you have doubts about whether your computer has an HPA, or if the HPA is necessary for the machine to boot, I would err on the side of caution and select “No”. If you select “Yes”, VeraCrypt will perform a test to detect hidden sectors (top right).
After the test is complete, you are asked whether you work in a single- or multi-boot environment. The vast majority of users will select Single Boot. Finally, you are asked about encryption options. I recommend sticking with the defaults: AES, SHA-256.
You will be prompted to use a password. Use a good one – everything on your computer depends on it. Because you must remember and be able to enter it manually, this is an excellent application for a diceware password. Your password may be as long as 64 characters. If it is shorter than 20, VeraCrypt will give you a warning to confirm that you really wish to use a weak password.
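As an added example (not from the original post or the VeraCrypt project), this Python sketch generates a diceware-style passphrase with the OS CSPRNG and checks it against the length limits the post states. The 36-word list is a constructed stand-in for a real 7776-word diceware list, and the space separator is an assumption.

```python
import math
import secrets

# Constructed 36-word list so that two six-sided dice index it exactly
# (roll "11" -> word 0 ... "66" -> word 35). A real diceware list has
# 6**5 = 7776 words and is indexed by five dice.
SAMPLE_WORDS = [
    "acorn", "badge", "cabin", "delta", "ember", "fable",
    "gavel", "haven", "igloo", "jelly", "kayak", "lemon",
    "mango", "noble", "olive", "pearl", "quilt", "raven",
    "saddle", "tulip", "umbra", "vivid", "wafer", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune",
    "eagle", "flint", "grove", "harbor", "ivory", "jade",
]
VERACRYPT_MAX_LEN = 64   # maximum password length stated on the page
VERACRYPT_WEAK_LEN = 20  # shorter than this and VeraCrypt warns it is weak

def dice_to_index(roll, sides=6):
    """Read a roll like "11" or "66" (faces 1..sides) as a base-`sides` number."""
    index = 0
    for ch in roll:
        digit = int(ch)
        if not 1 <= digit <= sides:
            raise ValueError("invalid die face: %r" % ch)
        index = index * sides + (digit - 1)
    return index

def roll_dice(count, sides=6):
    """Roll `count` dice with the OS CSPRNG (secrets), not random.choice."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(count))

def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words drawn uniformly from a list_size-word list."""
    return n_words * math.log2(list_size)

def check_veracrypt_length(passphrase):
    """Classify a candidate against the limits the page describes."""
    if len(passphrase) > VERACRYPT_MAX_LEN:
        return "too long"
    if len(passphrase) < VERACRYPT_WEAK_LEN:
        return "weak"
    return "ok"

def generate_passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Pick n_words by dice roll; needs len(words) to be a power of 6."""
    dice = round(math.log(len(words), 6))
    if 6 ** dice != len(words):
        raise ValueError("word list size must be a power of 6")
    return sep.join(words[dice_to_index(roll_dice(dice))] for _ in range(n_words))
```

With a full 7776-word list, six words give about 77.5 bits of entropy and typically land well inside the 20 to 64 character window.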
On the next screen (top right) VeraCrypt will begin collecting a pool of random data (necessary for the encryption process). Rather than relying solely on a pseudorandom number generator that can be compromised, VeraCrypt asks you to move your mouse around as randomly as possible. I recommend that you move it until the progress bar at the bottom of the screen is completely full. This greatly increases the cryptographic strength of the encryption. Upon clicking “Next” you will be prompted to enter your administrator credentials and your encryption keys will be generated.
The next order of business is to create a VeraCrypt Rescue Disk. Though VeraCrypt will allow you to skip this step, I strongly recommend you create one. This disk DOES NOT contain your password and cannot recover your data if you lose the password. It is there in the event the encryption becomes corrupted. The rescue disk can be used to repair the encryption and let you into your computer – but only when used in conjunction with the correct password. Burn the disk and store it in a safe place.
After the Rescue Disk has been created, you will be asked to choose a wipe mode to delete unused space. I recommend “None” or “1-pass”. If you are encrypting a brand new computer, there is no reason to overwrite the disk space. If you are encrypting a used machine you may wish to be certain that everything has been securely deleted from unused space. One pass is sufficient for this purpose and little is gained from additional passes.
Finally VeraCrypt is ready to begin the system pre-test. This test ensures that everything “works” with your machine before the disk is actually encrypted. Click “Next”.
On the next screen VeraCrypt offers some recovery instructions. You are encouraged to print these so you have them in the event you cannot get back into your computer. Click “OK” and you will be asked to restart the computer.
When the computer reboots you will see a black screen prompting you to enter your password. Enter your VeraCrypt password. You will also be asked to enter your PIM; simply press Enter to skip this step (we have not assigned a PIM [Personal Iterations Multiplier]). VeraCrypt will verify your password and the computer will boot. VeraCrypt will automatically open, letting you know that the pretest is complete. When you are ready, click “Encrypt”.
Once again VeraCrypt will display the recovery instructions (top left) and once again you will be required to enter your administrator credentials (bottom left). After you have entered your admin credentials encryption will begin (top right). If you need to interrupt the process you can do so by clicking “Defer”. You can then shut down your machine. When you reboot it, open VeraCrypt and click “Resume” and the VeraCrypt full disk encryption process will pick back up where it left off.
From now on when you boot your computer you will be presented with the VeraCrypt bootloader. You will be required to enter your VeraCrypt password before the boot sequence will begin. Congratulations – your machine is now fully encrypted!
Implementing VeraCrypt full disk encryption is certainly more involved and complicated than OEM solutions like BitLocker and FileVault. If these options aren’t available to you, VeraCrypt is still worthwhile. Though setup is a little complex, once it’s set up the only interaction you have to have with it is when entering your boot password.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.