How do I Encrypt My Windows Hard Drive? Why You Should I Do It and Which Options Are Best?
We all want to keep our data safe. Whether it’s personal or for business, we don’t want it to be stolen, altered or deleted. From the violation of individual privacy to breaches that cost companies millions to recover from, losing control of data can be damaging in numerous ways.
There are many techniques for keeping data safe and any good security policy must combine a range of them. One important piece of the data-security puzzle is full-disk encryption. This encrypts everything on the disk, apart from the master boot record.
Encryption allows you to make data unreadable unless someone has the key. With full-disk encryption, the key must be entered when you boot your device in order to access the disk or any of its files.
Why Should You Use Full-Disk Encryption on Your Windows Hard Drive?
If you have sensitive or valuable data, you should definitely consider full-disk encryption as part of your data security strategy. One of the main benefits of this technology is that it prevents your data from being accessed if your computer is lost or stolen. It also encrypts file names, folders and their contents, as well as other meta-data.
Because full-disk encryption essentially encrypts everything, it is impossible for users to forget to encrypt an important file, leaving it vulnerable. Full-disk encryption can also be used to retire a drive – all you have to do is dispose of the key and the data is effectively rendered useless.
Full-disk encryption can also be used to meet various regulations, such as HIPAA and PCI. In some cases, it may be able to tick the box of compliance on its own, however that doesn’t necessarily mean that your data is adequately protected. Full-disk encryption should generally be combined with other forms of encryption for greater security and piece of mind.
What Are the Limitations of Full-Disk Encryption?
Full-disk encryption cannot protect your data in all scenarios. If your computer is stolen while it is hibernating or turned off, the data will not be readily accessible. If it is taken while it is active, your files will be free for a thief to do what they want with them. Likewise, if you leave your computer on and unattended for a few minutes, someone may be able to access your files.
Your data is also vulnerable to internet-based threats. This is because full-disk encryption functions below applications and the operating system (OS). If a hacker can access applications that store sensitive data or the OS, they may be able to steal, alter or delete your information.
Another threat comes from privileged users. Whether it is an insider threat or someone who has had their credentials stolen, full-disk encryption cannot stop them from stealing the data.
If you want to transfer data that has been stored on your hard drive, you will have to use other means to secure it. For these reasons, it is generally recommended to use it alongside other types of encryption such as file-level encryption.
Open Source vs Proprietary Full Disk Encryption Software
Full disk encryption software is either proprietary or open source, with each of these options having its own advantages. Proprietary encryption software generally has better customer support and warranties, while the support for open-source options is generally limited to forums.
Many proprietary encryption programs are paid for, while many of the open-source projects are free. Proprietary programs are also often more intuitive and tend to be easier to use.
One of the downsides of proprietary products is that the encryption algorithm is usually not publicly available, meaning that the code can’t be viewed by by anyone unless they have permission from the company. Because of this, proprietary products normally haven’t been tested and evaluated as rigorously as open-source software. This is why many security professionals often have more faith in open-source encryption programs.
The Best Full Disk Encryption Software for Windows
TrueCrypt was the go-to program for open-source full-disk encryption for ten years, however its development was halted when Microsoft stopped supporting Windows XP. The TrueCrypt site says that the software may have security issues, although there was a long-held debate over whether the software was safe to use. The torch has since been passed on to various TrueCrypt forks, such as VeraCrypt and Ciphershed.
VeraCrypt is essentially the same as TrueCrypt, but with some additional security improvements. As a TrueCrypt fork, it is regarded by many as the best open-source full disk encryption software. It can be slightly more complex to use than programs such as BitLocker, but it provides a high level of security with a range of advanced settings.
One of the greatest strengths of VeraCrypt is that its code is audited regularly and thoroughly. This is what makes it one of the most trusted options for encryption. It can be used to create encrypted containers and also to encrypt individual files and folders. VeraCrypt can use a range of different cyphers, including AES, Kuznyechik, Twofish, Serpent and Camelia.
Some of its advancements over TrueCrypt include that its partitions and containers go through 30 times as many iterations. This can make it take longer to start up, however once it is going, it runs normally.
VeraCrypt gives its users plausible deniability because it allows them to keep hidden volumes in the free space of visible volumes. Users can also set up hidden operating systems alongside the visible ones. In theory, these measures allow you to deny that there is encrypted data on the hard drive, although there is some debate about how well plausible deniability actually holds up.
One thing to note when setting up is that users will need to make a recovery disk in case they lose their key. For high-level security needs, such as those who think their data is being targeted by the government, VeraCrypt is probably the best full disk encryption solution.
This is another fork of TrueCrypt that has similar features to VeraCrypt. The development of Ciphershed has been much slower than VeraCrypt, but TrueCrypt’s vulnerabilities have still been patched. Much like VeraCrypt, it can be used for full-disk encryption or for encrypting containers.
One key difference is that Ciphershed can still be used with TrueCrypt containers, while VeraCrypt can’t. This is because of VeraCrypt’s more advanced key derivation, which actually makes it more secure. The plausible deniability is the same as VeraCrypt, and likewise, it is hard to tell how much protection this feature gives its users.
DiskCryptor is another open-source encryption program. It is easy to use, fast, light on resources, and capable of using AES-256, Twofish, Serpent, or a combination of XTS mode’s cascaded algorithms to encrypt the data. One issue is that it hasn’t been audited as much as VeraCrypt, leading many to be skeptical about how secure it really is.
One of the main advantages is that DiskCryptor has many bootloading options as well as support for complex hardware configurations. It can also encrypt external devices such as USBs, hard drives, DVDs and CDs.
As far as plausible deniability goes, you can install your computer’s bootloader on a CD or a USB drive. This makes the encrypted data on your hard drive appear as random data, however you will always have to connect your bootloader CD or USB when you want to decrypt your disk.
Another downside of Diskcryptor is that it has no multi-factor authentication options to keep you secure. It also lacks any key-recovery options, which endangers your data if you lose your key.
BitLocker is a full disk encryption tool that was developed by Microsoft. It is included in versions of Windows 10 Pro, Education and Enterprise. If you don’t have any of these versions, you can upgrade in the Windows Store, but the $99 price tag will steer many back towards VeraCrypt.
Bitlocker is seamless and easy to use, making it one of the better options for those who don’t want to dedicate too much time to encrypting their hard drive. BitLocker uses AES-128 or AES-256 to encrypt volumes, however it can’t make encrypted containers.
BitLocker is one of the easier-to-integrate encryption tools and it can be used alongside third-party encryption software. It features authentication through a PIN or a key that is stored on a USB. It can also let users know if the software has been modified by attackers.
One negative is that there is no real plausible deniability, although as we have discussed with the previous tools, there is a debate as to how much it can really protect users.
One of the biggest security concerns is that it is proprietary software developed by Microsoft. Although the encryption algorithm that it uses has been publicly reviewed, security researchers can’t access and audit the rest of the code unless they sign an NDA. This makes many skeptical, with some theorizing that there is a backdoor in the software.
Microsoft denies these claims and there isn’t any evidence, but those who fear that they are being targeted by the government should still probably choose another encryption option.
Bitlocker also supports storing recovery keys in your Microsoft account. It is unclear how much access Microsoft has to decrypt everyone’s Bitlocker-encrypted partitions. For those concerned that their encryption keys might be accessible to a third party, Bitlocker might not be the best choice.
Which Windows Full Disk Encryption Software Is Right for You?
This will really depend on your individual needs. If your version of Windows already has BitLocker and you just want protection that is simple to use, its probably best to stick with it. If you would prefer more advanced options or you have a high threat-level, VeraCrypt will probably be your best choice.