Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Do I Protect My Laptop Data from Theft?

Encryption, done properly, is the answer.

Locked Laptop
(Image: canva.com)
Laptops are portable, convenient, and easily lost. If lost, all your data could easily be available to the finder. Encryption is the answer.
Question: I travel a lot, and have sensitive data on the laptop I take with me that I need as part of my job. But I’m in fear of losing the laptop and that this data will fall into the wrong hands. What do you suggest?

I know how you feel. I also have sensitive information on my laptop that I would prefer not to fall into the wrong hands.

I can handle losing the laptop, but thinking about the data in the wrong hands … well … that would be bad.

I’ve used different solutions over the years, and they all share one thing in common: encryption.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Encrypting data stored on your machine is important, and can be done in several ways: manual individual file encryption, such as Zip; whole-disk encryption, such as BitLocker; encrypted vaults, managed by tools like VeraCrypt; or automatic individual file encryption using BoxCryptor. Regardless of the tool, make sure you understand whether any unencrypted data is left around, and take care to never lose your encryption passphrase or recovery key.

Encrypting individual files

Encryption involves using archiving tools that allow you to assign the encrypted file a password.

A common approach is to use “zip” files and tools like 7-Zip. Zip files support password protection, encrypting the file’s contents.1 Originally, zip encryption was easily cracked, but it’s improved to be pretty good.

The problem with individual file encryption is that you must manually decrypt the file to use it. This also means you need to re-encrypt it when you’re done, and erase all traces of the work you did — such as temporary files — that might be left unencrypted.

Individual file encryption is appropriate for some things, but for frequent use, it’s typically too cumbersome.

Encryption of individual files offered by specific applications — such as password protection in Microsoft Office documents — can be good. Unfortunately, it can also be bad. Older versions of Office, for example, were quite poor at encryption. Current versions are better. If you go this route, you’re at the mercy of the individual application vendors’ expertise. I prefer dedicated encryption tools.

Encrypting the entire hard disk

Whole-drive encryption is the other extreme. It protects the contents of your entire system.

System-provided solutions, like BitLocker in Windows, use encryption keys based on your system login to encrypt the hard drive. If you can’t log in, you can’t access your data; it’s simple as that. It also protects your data should your hard disk be removed and attached to another computer.

If you lose your log-in account for any reason, you can lose access to your data permanently. BitLocker encourages you to back up the encryption key separately when you first encrypt your drive. If you use BitLocker, I strongly recommend you do so.

Third-party tools like VeraCrypt also support whole-drive encryption. This is independent of your system login and uses a secure passphrase to decrypt the drive and boot your system.

Important: your data is only secure if you log out or shut down. As long as you are logged in and able to access your data yourself, it’s available in unencrypted form. Avoid states like Sleep or Hibernate, neither of which is an actual logout.

I now use whole-disk encryption on my laptop, making sure to log out and shut down completely when appropriate.

Encrypted vaults

For many years, I used TrueCrypt. While TrueCrypt itself is no longer supported, derivatives like VeraCrypt are worthy successors.

VeraCrypt is free, open-source, on-the-fly encryption software. It provides industrial-strength encryption while still being fairly easy to use.

The two most common ways it’s used are:

  • To encrypt an entire disk volume, such as a USB thumb drive, single partition, or entire hard disk, as described above.
  • To create an encrypted virtual disk “volume” or container.

It’s the latter approach I use, as it makes it easy to copy entire containers from machine to machine.

An encrypted virtual disk is a file that VeraCrypt “mounts” as an additional drive letter on your machine. You specify the passphrase when it’s mounted, and the unencrypted contents of the container appear as another drive.

For example, you might create an encrypted volume in a file c:\windowssecritstuf. If someone were to look at its contents, they would see only random gibberish — the result of encryption. When mounted by VeraCrypt, it appears as another drive, perhaps “P:”. Drive P: looks and operates like any other disk and contains the unencrypted contents of the encrypted drive. Encryption is as simple as moving or copying a file to the drive.

The trick for security is to never mount the drive automatically. When your machine boots up, “P:”, for example, would be nowhere to be found. The file c:\windowssecritstuf would be present, but only visible as encrypted gibberish. If someone stole your machine, that’s all they would find.

Only after you’ve used VeraCrypt to select the file (c:\windowssecritstuf), chosen to mount it as (P:), and supplied the correct passphrase would the virtual drive be mounted and the encrypted data accessible.

Encryption for the cloud

Yet another solution to laptop security leverages a tool meant to keep your data secure in the cloud: BoxCryptor.

You can think of BoxCryptor as a kind of hybrid combination of VeraCrypt’s vault with individual file encryption. (BoxCryptor: Secure Your Data in the Cloud has a more detailed comparison.)

Instead of a file, you point BoxCryptor at a folder — generally a folder in one of the online cloud storage services, like OneDrive — and it mounts that folder as a virtual drive. The data in the actual OneDrive folder is encrypted, and the virtual drive gives transparent access to the encrypted data, much like a VeraCrypt volume. Unlike VeraCrypt, the files are encrypted individually. When a file changes, only that file needs to be updated with the cloud provider.

While BoxCryptor is designed specifically to keep your cloud data secure, there’s nothing that says you can’t use it for other purposes. You can point it at any folder on your computer and have BoxCryptor manage encrypting the contents.

Particularly if you’re already using BoxCryptor for your cloud data, you won’t have to install any other software to encrypt local data.

Encryption and security caveats

Most of these approaches are relatively straightforward. The trade-off is complexity in setup versus complexity to use.

But there are additional items to keep in mind whenever you secure your system in this way.

  • Passphrases are the weakest link.  Encryption does not make a bad passphrase any more secure. If you choose an obvious passphrase, a dictionary attack can certainly be used to unlock your encrypted volume or decrypt your encrypted file.
  • Encrypted volumes and encrypted files do you no good if the files you care about are elsewhere on your machine in some unencrypted form. This is one of the benefits of whole-disk encryption — it’s all encrypted, no matter what.
  • You must back up. I recommend keeping the backups unencrypted but secure in some other way, in case you lose your computer, encrypted disk or files, or forget your password. Without the password, encrypted data is not recoverable.

Encryption is an important part of your security strategy. Keeping sensitive data secure requires forethought and planning. With viruses and spyware running amok, not to mention theft, there’s no excuse not to take time now to save grief later, should the unthinkable happen.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio

Play

Footnotes & References

1: The data is encrypted, but the file names remain visible. To obfuscate those, zip the zip file with a password. In this case, the “inside” zip file need not have a password.

75 comments on “How Do I Protect My Laptop Data from Theft?”

  1. When I last looked at PGP it wasn’t as clear to use and didn’t provide the virtual disk drive functionality. If that’s changed, it could be a good alternative as well.

    Reply
  2. What about stuff like Srcusrar’s DriveCrypt Plus Pack DCPP? Encryption of the whole operating system at the kernell level…

    Reply
  3. What about stuff like Secustar’s DriveCrypt Plus Pack DCPP? Encryption of the whole volume and operating system at the kernel level…

    Reply
  4. Thank you for making this information available. It has been extremely helpful to me. I plan to do a lot of traveling and I needed a place to start the search for making my laptop secure. THANKS :o)

    Reply
  5. I used pgp 7.0 which offered the same functionality, and more. The Truecrypt virtual disk looks to be just as good AND they added a nice new feature: the “hidden” volume. If forced to unveil a password you can mount the volume with a second password that only gives away part of the data, not your truly secret stuff. I started to use Truecrypt in the 1st place because I could not find a pgp (or gpg) version that supports XP anymore…

    Reply
  6. use truecrypt instead of pgp because its a lot cheaper, but its a bitch to get started, i had to read the readme.


    Proxys get around bess

    Reply
  7. Easy as pie

    Chuck the hard drive all togeather
    Set CDROM drive as master in bios
    boot up in slax linux,surf as usual
    keep a little usb thumbdrive handy for backing up stuff.
    Oh and a little knowledge in linux would help.

    But hey no body can get your data cause you don’t have a hard drive on that IDE cable inside the unit its self …lol

    Reply
  8. Knoppix
    Slax
    Puppy linux
    Pc linux OS
    D@m small linux

    They all work on CD as a read only OS.
    You really DON’T need a hard drive!!!!.
    just use a small thumbdrive to store stuff.
    Make sure your on a router that has PPOE or auto DHCP selected so your linux CD knows you want to surf the WWW.

    Learn linux it’s the ultimate in privacy.
    Don’t count on payware that bloats your OS to the size of the hindenburg.
    Right now this message is being typed in Slax Linux 5.1.7 LIVE CD no HD
    Pentium 4 2.4 Ghx
    2 gig ddr
    4 gig Gigabyte I-ram pseudo drive____ ((((IDE CARD with 4 sticks of 1 gig each on it))))
    Nvidia 128 meg graphics.
    Linksys 10/100 ethernet card.
    1 dvd read drive
    2 cdrw burner drives.

    Not meant to impress just to show the configuration.
    Gigabyte motherboard

    Reply
  9. Some time I used PGP disk to protect my private data, but now I am using Eterlogic SecretDrive, it supports many encryption algorithms, RAM disk, and hidden volumes. It is fully compatible with Windows Vista, so I recommend it to anyone.
    You can get it at http://www.eterlogic.com

    Reply
  10. I wonder what about keyloggin programs for Windows XP? If a potential intruder would like to get to the encrypted volume, he could install keyloggin software considering he has the access.
    Is TrueCrypt offers any protection for such scenario?

    Reply
  11. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    If your system has been compromised with a keylogger, then absolutely, all bets
    are off as they could easily sniff anything you type including your TrueCrypt
    password.

    Basically if your system has been compromised in any way, you must assume the
    worse.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFG7xaYCMEe9B/8oqERAmzhAJ46vhyOKUANsQMxKizN3H+SPof7JwCgi/DW
    egxssENxomLOCleB5seo3NM=
    =Dal0
    —–END PGP SIGNATURE—–

    Reply
  12. Hey I was wondering about Lojack on my Dell. It seems like a great way to protect sensitive data. My Dell Laptop has Absolute’s Computrace Module on the BIOS but I disabled it b/c I read about how the company is able to see private files on my compute, although i now don’t know how much more important this is compared to tracking down my computer if it were stolen. I was wondering if i could still install the software and it work without the hardware side of the service working, and if so i have another question. Couldn’t someone then just wipe the harddrive or reinstall windows or i heard it doesn’t work on non-windows OS’s, so then install say ubuntu or something and connect to the internet no problem. Cool, that’s all for now, Hey great work, much appreciated. Thanks, Blaze

    Reply
  13. I think Truecrypt has limitations – not above 100 MB. I find deslock easy to use, without any limitations and is free.

    Reply
  14. —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

    It may have limitations, but that’s not one of them. I have
    a 16 gigabyte TryeCrypt volume on my 32gig thumbdrive.

    Leo

    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFIFoMYCMEe9B/8oqERAvXsAJ9vkHbfk7E6QR/bcHUddleD/TvSwQCfVCGu
    FdP4MOj5s8DALpFilaeC71I=
    =7ZJV
    —–END PGP SIGNATURE—–

    Reply
  15. while the suggestions others made are good ones (using “live CD’s” etc) I have to go with Leo on this one..

    Truecrypt is practically the industry standard for any pc techs in the know.. it being Open Source *to me* means it is more trustworthy as far any possible “backdoors or backdoor keys” being built in or handed over to the NSA or Big Brother, seeing as how you can check the code yourself..(or anyone else) its offers very fast on the fly encryption in various forms as well as multifactor authentication.. ie, you can set it up so it needs both a password and a keyfile (or as many keyfiles as you wish) to unlock its goodies)

    the keyfile can be any file you choose, anything, even an mp3..or let truecrpt randomly generate one.. -on the laptop itself or on separate media (USB key, CD etc) for added protection..

    you can encrypt the whole drive or create an “opaque” file that is mounted as another drive letter, -which can easily be burned/copied to external media.. it also allows you to combine encryption algorythms if want to go crazy. although you will take a little more of performance hit doing that.

    Trucrypt limits the volume size to a max of 1 Petabyte. -which i’m sure is all you’ll need for the time being. -so no worries there.

    personally, i’d just keep sensitive data on two USB keys (or smart cards such as those used in cameras and the like) and leave the rest of the laptop unencrypted. -thats your call.

    Trucrypt also has “Traveler Mode” for USB keys so you can carry any important data on just a the key itself.

    what this mode does is allow the USB key to be a become a fully self-contained, plug-in, on the fly encrypt/decrypt hardware device. -that leaves no foot prints. -you could combine this with a say, a “Live CD” Ubuntu distro on a bootable high-speed USB key for the ultimate easy “ready to boot” secure “traveling O/S” that you can plug into any USB 2.0 port..

    lastly, Truecrypt volumes contain no volume headers of any kind and truly look like a bunch of random noise (gibberish).. cant prove there is anything there..for those who need a bit more discretion than the average joe..

    Research it for yourself. you’ll find many industry heavyweights using it. -combine it with a virtual machine for added fun.. :)

    btw: if you want to learn more about PC security, give steve gibson’s Security Now podcasts a listen. -over at grc.com.

    if you cant make an informed decision after getting schooled by him, well..

    -soundwash

    Reply
  16. TrueCrypt doesn’t work from a usb drive unless you have admin access to the PC. This rules it out for me as most corporate PCs I use (and public ones) don’t allow admin access.
    Any decent alternatives?

    There are two issues:

    Yes, the device driver either requires administrator privileges or an administrator must have already installed TrueCrypt making it accessible to all users.

    But are you really saying you want to open your sensitive encrypted data on a system where you don’t know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

    It just doesn’t seem like a good thing do to, in my opinion.

    All that being said, perhaps http://sourceforge.net/projects/tcexplorer/ might be an option.

    -Leo

    Reply
  17. >> But are you really saying you want to open your sensitive encrypted data on a system where you don’t know who the administrator is? A system that might have been compromised with spyware or what not before you even got to it?

    Fair comment, but I work in a variety of universities & companies, I need access to my data while there and very few allow admin access!
    I’ll look at tcexplorer – thanks
    S

    Reply
  18. Rick,
    I have a need for serious data security. Is there a program that would automaticly wipe clean my hard drive if say..I dint log in every 2 hours. Is there something that will allow me to call from a cellphone and activate the program that would WIPE my hard drive. By wipe I mean NEVER be able to recover the data or for that matter use the laptop again at all.

    WIPE? No. But you can get just as secure, I believe, by keeping your data in a TrueCrypt volume with an appropriately strong passphrase, and configuring it to auto-dismount on inactivity.

    – Leo
    12-Dec-2008
    Reply
  19. You can also use the BIOS option of providing a password to your hard drive – this keeps honest but nosy people out and is much more difficult to “break” than a Windows password.

    Reply
  20. I am working in a company which makes website for health, fitness, mini roulette, IT, shopping etc and I was in a great need of buying a laptop. So I finally bought a Dell Latitude D530, laptop last week.
    Most of the people adviced me that it would not be a good deal to buy a laptop, instead they advised me to buy a desktop. I don’t know why people have so much misconception regarding buying a laptop.

    Reply
  21. I’m 99% ready to set up TrueCrypt. I travel and do not want anyone to steal my data – if they steal my laptop. What setting should I select? BB

    Reply
  22. File protection is great with passwords for access and editing. But it doesn’t stop somone from accidently deleting the file.

    How do I stop an accidental deletion?

    Reply
  23. This is a great article and discussion. One of the things I have been pleased by is services services like Alertsec which offer hard disk encryption as a fully managed service. It uses the Full Disk Encryption (former Pointsec) software but is a web based encryption service that radically simplifies deployment and management of PC encryption. It is a heck of a lot easier for an enterprise than trying to manage all those laptop encryption on your own! We put off encryption for way too long (and got burned once) and this managed approach made it possible for us to afford it from a money and more importantly staff resource perspective.

    Reply
  24. I run Alertsec and it sure is easy. The good thing is that they have a great telephone support which help you unlock your laptop when you forget or type your password in wrongly (Which I have done twice in the last 16 months..) so it is worth that little extra you pay – compared to installing it yourself. It is encryption we are talk about here – so if you b-gger it up you are really and truly lost.

    Reply
  25. Hi, when installing TrueCrypt what is the best option to use: Install or Extract (for travel) … BTW I run Windows 7 and there is a message saying is not supported … any risk on using it despite of this !?

    I just install. (Extract is useful for some cases, but if you’re not sure, just install.) From what I’ve seen it works fine in Win 7, but I’d expect an update very quickly after 7 releases.

    Leo
    11-Oct-2009

    Reply
  26. I personally use SecureDoc (by WinMagic) to encrypt, from BOOT level, the whole hard drive.
    Power down, drive off, no one can access that drive, even by ripping it out to take files (understood, some espionage hacker might….)

    this way, I can have home, personal, finance, etc, with me at all times, .;

    I do NOT do STANDBY/sleep modes ever

    I ALSO use TrueCrypt for usb drives, even other containers ON the encrypted hard drive itself.

    TrueCrypt has a bootable protection feature also, but I have not tried it.

    Look up Blue Cross laptop theft. YOUR INSURANCE companies can’t even get it right; 850,000 physicnan names/social security numbers/provider numbers on that stolen laptop, couple months ago. Laptop was NOT encrypted.

    anyway, hope this helps
    nick

    Reply
  27. Have different passwords for different things (banking, websites, blogs) was always forgetting which password went where.

    Installed truecrypt as a container file with a really strong letters and number password.

    Now, if i am uncertain which password goes where just mount the virtual disk and they are all there.

    excellent program

    Reply
  28. I understand that without the password the data cannot be hacked – yes maybe NASA can break it . But these days there are several professional agencies with a lot of fancy software who recover such data from computers. If someone took my laptop to such a professional agency specialising in recovering/ hacking such data could the agency recover this data without the password in say one or two weeks of attempt.

    This point is especially important as it will help determine the the level of confidential info i can store on my laptop.

    Reply
  29. I make encrypted vaults which are on my Laptop and external drive using Dekart. I selected them because you can run the Dekart application from the external drive. So if you want to access your data from your external drive the computer you access it from doesn’t need Dekart installed.

    Reply
  30. An important consideration for travelers using encryption software such as TrueCrypt is that they should never put anything inside an encrypted volume that might get them in trouble with the authorities. When crossing international borders, authorities do have the right to examine your computer and media and to demand that you unlock any encrypted volumes. If you refuse then you run the risk of having your computer impounded.

    Reply
  31. Can you encrypt the information you want saved from the laptop to a high capcity thumb drive then completely erase the harddrive of the encrypted informaiton?

    Reply
  32. @ Ernest You can do this, but be aware of two things. 1. Thumb drives are easy to lose and subject to data loss. Keep a few backups. 2. When you say completely erase the file, you should use a file shredder to permanently erase your file. Personally, I’d keep the encrypted file on my computer or at least on a removable hard drive. Thumb drives are good for transporting data but not so good for permanent storage.

    Reply
  33. How much overhead does the whole disk encryption place on your system? At work, I’ve had to use Symantec’s PGP WDE for a few years now. Every laptop we have used it installed on whether an old 2.5ghz Intel Core 2 Duo or an I5, or even an I7, we’ve found that about between 4 to 8 minutes is added to the boot time. Also, once booted the system performs noticeably slower.

    I’d like to use a type of whole disk encryption, on my personal laptop. However, I don’t want excessively long boot time and performance issues. So how have the alternatives like BitLocker, TrueCrypt/VeraCrypt gone for you? How much of an impact has it had on boot time and performance?

    -Yes, the personal laptop has an SSD and a less than 45 second boot time currently.

    Please, no arguments about why whole disk encryption is necessary. As it is, on the work side I already deal with data on laptops I don’t want falling into the wrong hands. I can find ways to limit the data on my personal laptop to an encrypted folder on it or a thumb drive. What I’m looking for is how your find the performance of your laptop after securing it.

    Reply
    • Last week I had a rare opportunity. I was able to use a SSD in one of our Samsung I5 laptops. The only non-standard portion is that this one has 12gb of ram than the usual 6gb. System was also built on our standard Windows 7 image. With an SSD this system would take about 30 seconds to reach the desktop. Adding the Symantec WDE has only added 15 seconds to the boot time and no noticeable issues on startup. I’m impressed the SSD was able to tear through the encryption process and subsequent reboots. 4-5 Minutes is the usual boot time for the same system with 6gb ram and a standard HDD.

      So if you want some form of WDE, get SSD.

      Reply
    • “How much overhead does the whole disk encryption place on your system?”

      Well if your computer has a i5 CPU for example… it can run AES encryption much faster since it has hardware acceleration built into the CPU for AES. hence, less load on the CPU for similar work loads when using AES vs a CPU without the hardware acceleration (or using another encryption algorithm which won’t use the CPU’s hardware acceleration). in short… it will be a noticeable difference on CPU load.

      you can run a benchmark in VeraCrypt for example and see the speed difference between encryption algorithms. but if your on a CPU that has hardware acceleration for AES, which i5 CPU’s have this, AES will be easily the fastest due to the hardware acceleration.

      but lets say for example (I think my math is roughly correct here)… say with AES hardware acceleration your CPU can process data at a max speed of 3GB/s (3000MB/s) and say with something else like Twofish (etc) it can do a max of 0.5GB/s (500MB/s) since it would have no hardware acceleration. that means when accessing data on a hard drive at say 100MB/s, it would be roughly using 20% of your CPU on Twofish. but with AES it would only be using about 3.3% of your CPU for the same task in this example. so a clear difference.

      but in terms of general usage scenario’s, I can’t comment too much since I don’t really use it for encrypting boot drives. but I would imagine encrypting the whole hard drive will be noticticeably slower than normal usage when booting up etc.

      Reply
  34. The one reason holding me back from using full disk encryption is that I sometimes need to reboot my computer remotely. If my disk is encrypted, don’t I need to be physically at my keyboard to type in the password before it will actually boot up the operating system?

    If so, is there any way around that requirement? For example, an option that lets you enter your password before rebooting, and automatically enters that password during the next (and only the next) reboot?

    Reply
    • Mike,

      I don’t know about the other software, but I have bypassed the password with Symantec’s PGP Whole Disk Encryption.

      https://support.symantec.com/en_US/article.TECH171761.html

      Also in the past, I had a machine with a TrueCrypt encrypted external mounted drive. I used a batch file to mount it automatically when necessary. When used this was set to run at startup. @Echo Off is used so that someone booting or logging into the computer does not see the password displayed on the screen

      @Echo Off
      “c:\Program Files\truecrypt\truecrypt.exe” /v e:\Backups\backups /a /l K /p Your-P4sswordIsXposedHere! /q

      http://andryou.com/truecrypt/docs/command-line-usage.php

      Reply
    • I’m not aware of a workaround. In a way such a work around could be seen as a serious weakening of the very security you’re looking for. If you need remote reboot you’ll need to secure your data some other way.

      Reply
  35. Well, Duh. All that’s well & good about encryption, but there’s a step that was overlooked. I use a strong tether inserted into my laptop and wrap it around a table leg or whatever is available. That seems like an obvious safety precaution to me. This is particularly useful when working in a coffee shop and having to decide what to do when nature calls.

    Reply
  36. Hi Leo

    If I use encryption, how will I be able to leave my PC at a repair shop? I assume I would have to leave it un-encrypted to allow them to work on it.
    My main concern would be Word Files, which I am led to beleive the passwords can be cracked easily by a techie.

    Regards

    Reply
    • It would depend on what you need done with the repairs. If it’s a hardware repair you may be able to keep it encrypted. If it’s a software problem, then of course the tech will need to boot it up and sign in if it’s fully encrypted. Basically, you’ll need to really think through your encryption needs if you have to take the computer to a tech. For instance, if you are mostly worried about your Word files, then perhaps encrypting just that directory will be enough.

      Reply
    • You are correct, in general. If you use whole-disk encryption, then the technicians would need access to your machine to help you.

      Reply
  37. Steganos Privacy Suite. Create a secure drive with “”SAFE”” that does not appear in the windows directory until you open it with the password.
    Then it appears and works like any other windows drive.

    Reply
  38. Leo, I think this might be a good topic for a book. I would suggest a simple way to setup and encrypt file for a simple person like me. My biggest fear would be theft of my computer. Most stuff I could care less about but files like financial date I worry about.

    Reply
  39. If you’re working on something–say a Word document–in an encrypted volume P:, what about temporary files and such: could they be exposed?

    Reply
    • Yes. You’d need to take steps to clean up temp files (a free space wiper, for example). One reason to consider whole-disk encryption.

      Reply
  40. I use the hard-drive password option in the bios. Separate from the bios password.
    I also use SafeHouse Explorer, which is encrypted containers.
    I don’t really know how SafeHouse Explorer rates, compared to others, but I just use it to keep my non-tech siblings out.

    Reply
  41. I recently discovered a freeware application that will encrypt either files or folders. It’s called EncryptOnClick, made by the people who created PKWare. It uses 256-bit AES encryption, files are both compressed & encrypted which results in a smaller file size (good for saving to cloud storage services), they are password protected, there’s an option to encrypt filenames, keep or delete the original file, and it can be used on a USB key by copying 3 specific files to it.

    It’s available at: http://www.2brightsparks.com/freeware/index.html

    Reply
  42. I’m confused about one point. If I encrypt my files, and back these files up, won’t the backup copies also be encrypted? If so, these backups won’t save me from losing my password.

    Reply
    • If you back up encrypted files, the files in the backup will also be encrypted. You would always have to remember the master password you use to encrypt your other passwords. If you forget that, all your encrypted files would be lost.

      Reply
    • This depends ENTIRELY on how you encrypt your files, AND how you back up.

      Backing up encrypted files will not protect you from password loss. However backing up UNencrypted files (which I also tend to recommend) and then securing those backups some other way, does.

      Reply
  43. Both of my laptops are set up to require a BIOS password before booting into Windows. Make sure you don’t forget the password if you decide to do so. I’ve seen techs break out in a sweat when I mention I use one, thinking I’ve forgotten it. My understanding is that the only way around it is to replace the motherboard. Both machines have Windows 10 Pro and I use Bitlocker to encrypt the hard drives.
    I back up using Macrium Reflect, which can be used to restore the image, even when encrypted. The drives that I back up to are unencrypted and the image files are still accessible. When restoring an image backup, if the Macrium rescue drive is properly set up, Macrium will remove Bitlocker encryption during the restoration. This requires going back to Bitlocker and encrypting the drive again after the image is restored. Just went through this after replacing a drive in one of my laptops with a larger drive.
    When traveling, I just shutdown the laptop when I’m not actively using it. I also make sure I don’t leave it unsecured even then. I don’t leave it in a hotel room and take it with me.

    Reply
      • A BIOS password would be another way to prevent the machine from being rebooted from something else. And, yes, I have heard of people forgetting it. (I think it’s mostly always-on machines so they’re not typing it every day.)

        Reply
        • I believe whole disk encryption is better than a BIOS password. It’s easy to remove a hard drive and access it with another computer. If it’s encrypted, it’s uncrackable. Do you see any way a BIOS password would add to that? It seems like putting an uncrackable safe in a tool shed with a padlock.

          Reply
          • The reason I use a BIOS password is that the laptop has a TPM module that Bitlocker stores the encryption key on. Booting the laptop automatically unlocks the drive. Which I understand would allow someone to access the data on the hard drives, if they know how to bypass the Windows password.
            I use Bitlocker to negate the possibility of someone removing the hard drives to use on another machine.
            If someone snatches the laptop and tries to resell it, they just stole a paperweight. If they were interested in the data, they are still blocked. I figure the more obstacles I can raise, the better.

          • Depends on how the machine is set up. I agree it’s probably redundant, but the BIOS password does protect against certain things that just encrypting the hard drive does not.

          • The only thing I can think of that the BIOS password would protect against is the person who has that computer won’t be able to install an new operating system on it. So you may want to brick it if it’s stolen.

  44. My concern with using VeraCrypt for whole-partition encryption has to do with file corruption. I currently have more than 130,000 files on my data (D:) drive. If one file gets corrupted I lose that file. But with whole-partition encryption, if the VeraCrypt container file becomes corrupted I would lose access to that entire volume. This would also be the case for files stores on my D: drive in a VeraCrypt (non whole-partition) container.

    Reply
    • a) I believe that’s not the case. I believe (and you could check with them) that VeraCrypt encrypts at the sector level — meaning a single sector corruption would potentially only impact one file within the container.

      b) if there’s any chance of data loss, you’re not backed up. And regardless of whether you use veracrypt or not there’s ALWAYS something that can fail without warning.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.