Whole-disk encryption is an important aspect of security for many people. If you encrypt a disk properly, and your computer falls into the wrong hands, those hands won’t be able to access your data.
While the average computer user may or may not need to use whole-disk encryption (it depends on the type of data they store, as well as their own level of concern), it’s an important tool for business, government, and particularly for portable computers, such as laptops and tablets.
I’ll review a couple of my recommended approaches to encrypting a disk completely.
Become a Patron of Ask Leo! and go ad-free!
Encrypt a disk using BitLocker
If you’re running a Professional edition of Windows or better1, and your disk is formatted using NTFS (most Windows hard disks are these days), Windows can encrypt your disk using BitLocker.
Much like encrypting folders, the technique is very simple. Right-click on the drive in File Explorer and click on Turn on BitLocker.
You’ll be asked exactly how you want to unlock the encrypted drive when you want to use it. You can choose to either type in a password (actually a passphrase), or set up a USB drive to act as a secure key that, when inserted, causes the drive to be unlocked.
We’re more familiar with passwords, and since they are less easily lost or broken than a physical USB drive, I prefer them.
Click on Enter a password. Enter an appropriately secure password, re-enter it, and click Next.
This step is critical. You must save a copy of the recovery key somewhere. Should you ever forget your password (or lose that USB key, if that’s what you selected at the start), having a recovery key is the only way you’ll regain access to your encrypted data. Exactly how you save it is less important than that you save it somewhere, so that some days, months, or even years from now, you’ll have it should you need it.
I elected to save to a file.
Note: this is sensitive data. Be sure to keep your recovery key in a secure location. Anyone who has access to it can decrypt your drive.
BitLocker then gives you the option to immediately encrypt only the existing files on your system, or all of the files and currently free space.
The issue here is that when you delete a file in Windows, the data for that file is not actually removed from the hard disk. It’s marked as free space, and doesn’t actually go away until sometime later, if and when new data is written on top of it. That implies that if you’ve used your machine for any length of time, the free space may actually have fragments of sensitive data. If you’re unsure, select “Encrypt entire drive”. Regardless of which you choose, data written to the drive from here on out will be encrypted.
If you’re running Windows 10, BitLocker asks yet another question: the “mode” to be used.
This is basically an improved encryption algorithm. If you’re encrypting your internal hard drive, I recommend selecting this new mode. If, as the prompt indicates, this is a drive that might regularly be taken to other machines, use the older, compatible mode.
Finally, it’s time to encrypt the drive.
A reboot is required to begin the process, and you’ll need to specify the encryption password to begin.
This is the same message you’ll see any time you reboot your machine.
Exactly how long the encryption process takes depends on many factors, including the size of your disk, the speed of your machine, and whatever else you might be doing while the encryption proceeds. You can continue to use your computer while the disk is being encrypted.
The good news: BitLocker is strong, secure encryption built in to Windows Pro editions or better. Once encrypted, other than specifying the password to unlock the drive at boot time, it’s completely transparent.
The bad news: BitLocker is Windows only, and not available for Windows Home editions, or for drives formatted using anything other than NTFS. While it can be used to encrypt disks to be shared with others, only using machines running a compatible edition of Windows (Pro or better, supporting the same encryption mode) can decrypt the drives. Using BitLocker assumes you trust Microsoft, particularly if you use the option to store a backup of your recovery key in your Microsoft account.
Encrypt a disk using VeraCrypt
I’m not going to cover this option in detail, as the VeraCrypt documentation is quite good.
The good news: in many regards, VeraCrypt works almost exactly like BitLocker, in that once you specify the appropriate passphrase to gain access to an encrypted disk, its operation is transparent. VeraCrypt is free. Volumes encrypted using VeraCrypt should be inherently portable to any system, including non-Windows systems on which VeraCrypt has been installed. VeraCrypt works with all editions of Windows.
The bad news: If you lose or forget your passphrase, your data cannot be recovered. There is no back door. VeraCrypt is third-party, open source software, which may raise trust issues for some.
Encrypt almost an entire disk using VeraCrypt
Another approach is very similar to the approach I outline in How Do I Encrypt a Folder? Rather than using whole-disk encryption, create a VeraCrypt container that is as large as possible on the disk you’re wanting to encrypt.
So, for example, let’s say the disk you want to use is 100 gigabytes in size, and is empty. You would use VeraCrypt to create a container as large as possible – approaching 100GB3. That container would appear on the drive as a single, large file. When you mount it using VeraCrypt, another drive letter appears on your system. Files you read and write on that drive are transparently encrypted in the VeraCrypt volume. When it is dismounted, the drive letter goes away, and your encrypted data cannot be accessed.
The good news: VeraCrypt container volumes can be copied to other hard disks, or even other operating systems, and can be accessed as long as VeraCrypt is installed and you know the passphrase.
The bad news: This approach does not work for system drives (the drive containing Windows and from which you boot your system).
Once again, what’s most appropriate for you will depend on your situation. Some general guidelines include:
- To encrypt your system drive, I recommend using the system-provided encryption if you can. That means using BitLocker in Windows.
- If you can’t use BitLocker for whatever reason (perhaps you have Windows Home Edition), then use VeraCrypt if you want to encrypt your system drive.
- For any other drive – particularly those you might consider sharing with other machines – consider the “almost whole disk” approach I’ve outlined, using VeraCrypt containers instead of whole-disk encryption. It’s technically less complex and somewhat less fragile. It’s also somewhat more flexible, allowing you to copy the container to other drives or machines, should you be so inclined.
Regardless of which approach you decide to take, make absolutely certain that you have your recovery key or passphrase backed up somehow. Without them, your data will be lost.