Some time ago, I realized the external hard drive I carry with me when traveling was an easy thing to lose. Some of the data on that drive is encrypted in various ways, but the vast majority is completely unencrypted.
If that conveniently small, portable drive walked off in someone’s pocket, they’d have access to a lot of my stuff.
In a forehead-slapping moment, I realized I was going about this all wrong.
I should encrypt the entire drive.
Become a Patron of Ask Leo! and go ad-free!
When you encrypt an entire drive, it initially looks like an empty, unformatted drive containing “RAW” data. To access the contents of the drive, you must first “mount” it, providing the proper passphrase to enable its unencrypted access.
Once mounted, it operates like any other drive, until you shut down the computer or explicitly dismount the drive, at which point it again appears to be an empty drive.
If someone does walk away with the drive, they’ll have a nice, empty-looking drive they can do whatever they want with – except access the encrypted data.
Download VeraCrypt from its primary site.
The setup is fairly standard, so I won’t walk through all the steps here.
In general, you can accept the default settings, and when the installation is complete, double-click the VeraCrypt icon on your desktop to start the program.
Encrypting a drive
Click on the Create Volume button to begin.
There are three types of encrypted volumes you can create using VeraCrypt:
- An encrypted file container: this is a stand-alone file that contains the volume. It appears on unencrypted drives as a large file containing random data, and must be “mounted” to make its contents accessible. It’s useful if you don’t want to encrypt an entire hard disk, or if you want to copy the file container from machine to machine.
- A non-system partition/drive: this is a separate partition or drive that will be completely encrypted. This post will present this process.
- A system partition/drive: this is the partition containing Windows itself. Since this is the partition from which the machine boots, it takes additional steps (and complexity) to encrypt the entire drive and still be able to boot from it.
Since we’re encrypting an external drive, make sure “Encrypt a non-system partition/drive” is selected, and click on Next.
Select Standard VeraCrypt volume and click Next. (Hidden volumes are beyond the scope of what we need to do here.)
Click the Select Device… button on the following dialog (not shown).
You can see that each hard disk on my machine is listed, including the external one. On hard drives that have multiple partitions, each partition is listed as well. In my case, I’ll click \Device\Harddisk2\Partition1, also labeled as F:, which is my external drive, and click OK.
This returns us to the Volume Location dialog with the location filled in. Click Next.
When encrypting an external drive, VeraCrypt can operate one of two ways:
- It can erase the drive, creating a new, empty encrypted volume to contain your data. This is generally fastest, but erases all data currently on the drive or partition.
- It can encrypt the data in place. This takes more time, as every sector (used or not) is read, encrypted, and written back out to the drive.
My example external drive is full of data I no longer need, so I’ll choose “Create encrypted volume and format it”. If you wish to retain your data, choose “Encrypt partition in place”.
VeraCrypt actually supports a number of different encryption algorithms, and you can select among the variations here if you want. It’s typically best to accept the defaults and click Next.
When encrypting an entire hard disk, the Volume Size dialog simply reports the size of the drive you’re operating on. Click Next.
Password selection is perhaps the single most important aspect of this entire operation. A poor password is by far the weakest link in any encryption. VeraCrypt will allow you to see the password as you type it in, if you so choose (check the Display password box).
In this case, I’ve typed in an example pass phrase – a longer multi-word phrase that is both memorable and relatively long.
Do not forget your password. A VeraCrypt volume cannot be accessed without the password. There are no back doors or recovery methods. If you lose your password to a VeraCrypt volume, you have lost the contents of that volume.
Random data is an important aspect of encryption. Don’t take this the wrong way, but you are the most random thing connected to your computer. As you respond to the entries in this next dialog, VeraCrypt will use your random mouse movements to generate random data. Make sure the “Randomness” bar has turned green before moving on.
VeraCrypt makes a guess or two on your Filesystem choice. I tend to prefer NTFS as being slightly faster in many cases, and supporting more robust security. FAT, on the other hand, works just about everywhere.
If Quick Format is checked, the formatting process is performed quickly, writing only filesystem and directory information to the disk. The downside is that the contents of any sectors not written to could, potentially, still be recovered.
If Quick Format is not checked, then the formatting process will write to every sector on the disk, obliterating any pre-existing data. It’ll also take longer.
Click on Format.
Depending on how much pre-existing data your target drive appears to have, you may get one or two warnings it’s about to be erased. Click Yes, and formatting will proceed.
VeraCrypt will take a long time to encrypt a volume of any significant size. It doesn’t matter how much data is on the volume; all sectors, whether they’re used or not, are encrypted. When complete, VeraCrypt provides some additional instructions on how to mount your encrypted drive.
Using your encrypted drive
When you connect your VeraCrypt encrypted drive, you may get this message:
THE ANSWER IS CANCEL.
Your drive is encrypted and has not been mounted. To Windows, your encrypted data looks like an unformatted (RAW) drive. If you were to format it, you would lose everything on the drive.
Click Cancel. Open VeraCrypt and click the drive letter you want your encrypted volume to appear as, and then click Select Device….
Click the drive letter or line that represents the encrypted drive, and click OK.
You can see the volume is filled in (in my case, it’s \Device\Harddisk2\Partition1). Click Mount to mount the drive.
Enter the passphrase you used when you encrypted the drive, and click OK.
VeraCrypt takes a little time to mount the drive.
As you can see, the contents of the encrypted volume are now available as drive H:. Drive F:, the drive letter at which the external drive originally appeared, remains in use, and still looks like an unformatted disk. VeraCrypt makes its encrypted contents available as the drive you select when mounted (in this example, the H: drive).
Naturally, when you power down your machine, the encrypted volume will be dismounted. When you next power up your machine, or attach your external drive, you’ll need to mount the drive again in order to access its contents, providing the passphrase, of course.
That is kinda the point.
If you want to remove the external drive without turning off your computer:
- Close all programs currently accessing files on the encrypted volume (“H:” in my example below).
- In VeraCrypt, click the mounted volume and then click Dismount.
- Finally, click the “Safely Remove Hardware” icon in the Windows Taskbar and click the device listed there. (“F:” in my example below.)
Yes, it’s a bit of work to set up, but once it’s done, it’s relatively easy to use, with little to no impact on performance . More importantly, it’s secure. I can now lose my external hard drive without fear of anyone gaining access to its encrypted contents.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,