Maximum PC

DRIVE ENCRYPTION

Keep it secret, keep it safe; but you don’t need to encode your most secret of messages on an all-powerful gold ring—we have the power of full-disk encryption, and Maximum PC as your guide


Protect your personal data from prying eyes

WE LOVE TELLING YOU to do boring stuff with your state-of-the-art PCs: back up your files, update Windows, use strong passwords…. Now you can add another one to the list: encrypting your hard drive. But wait, don’t turn the page, we’re here to show you how full-disk encryption is easy, while ensuring those rascals at NSA HQ can’t access your data without your say-so (precluding any legally permissible enhanced interrogation techniques that our friends in the Department of Defense feel are appropriate).

Turned your cell off and popped on your tinfoil hat? Let’s carry on… By default, the files on your Windows PC are accessible to anyone with physical access to it. If you use a local Windows account, it’s trivial to reset the password and gain administrator access; a suitably motivated attacker could even reset an online account if they know some personal details.

Sure, for your Steam game files, who cares? But do you really want sensitive documents, accounts, and more accessible to all? And if you junk an old system, toss a drive, or lose a USB stick, if someone random picks it up, do you want them to be able to read every file? Here comes full-disk encryption to the rescue!

IN THIS GUIDE, we’re going to take you through encrypting entire drives. This includes the main scenarios, utilizing the most widely used solutions—of which we’re sticking with just two. To kick things off, we’re looking at the Microsoft-supplied option, because surely that’s the best option, right? We’ll toss in a few opinions on that further into the article…. As for scenarios, we’re looking at full-disk encryption for a data disk, removable drives, and a container file, and finally we lead you through setting up your boot drive with encryption, which is really the important one.

As for software, you’ve probably guessed that the Microsoft solution is its long-standing BitLocker system, which we’re covering first. We then move on to something far more flexible, but a touch more complex, in the form of VeraCrypt. Both have their plus and minus points, but they’re not mutually exclusive either, so it’s not even a case of choosing one or the other, more picking what works best for you.

As for encryption technology itself, we’re not going to get bogged down with the technicalities here. Even the basics might as well effectively be magic to most people who don’t have a PhD in the field of cryptography. We should also dismiss any concerns about performance; similar to compression, it’s the initial encrypting that takes the time (even this can be done on the fly and in the background while you work), while the decryption costs a minimal performance hit—around one percentage point—even on oldish processors (going back to Intel’s 2010 Nehalem range, and AMD’s 2011 Bulldozer range onward) utilizing dedicated hardware acceleration via AES instructions.

BITLOCKER LAID BARE

Introduced with Windows Vista, BitLocker is seen by Microsoft as an enterprise-level feature, so it’s only available on Enterprise, Ultimate, and Pro editions of its operating systems. It’s likely you’re running Windows 10 Pro, so you’re good to go. If not, you can either opt to upgrade your version of Windows or, more sensibly, skip ahead to the section on the freely available open-source VeraCrypt.

The other major requirement for encrypting the OS boot drive is a system equipped with a Trusted Platform Module (TPM). It’s not strictly essential, because BitLocker can fall back to using a USB key to store the decryption key, which you may or may not want to do. The TPM is typically part of the motherboard, and is a bit of cryptographic magic that securely stores the decryption key and maintains the system’s chain of trust, among other things.

Why is a TPM so important, and why so many options? During the boot process, there’s a chain of trust—how do you know that none of the parts involved in starting your PC have been compromised by malware, rootkits, or another evil actor? This goes for the motherboard’s BIOS firmware, the bootloader, Windows kernel components, and software running on your system. Every stage needs to be protected; all software components should be signed with a secure key and checked via Secure Boot. If a driver or module isn’t signed, it’s not loaded. If the drive is removed and placed in another system, the original TPM won’t be found, and your system won’t boot; if the TPM is taken, it’ll refuse to work in another system. The TPM is designed to be an unwavering guardian of that trust, which flags up any changes in that chain. Enough of this, though, because we’re here for just the encryption, rather than a full-on privacy or infosec feature.

To check whether your system has BitLocker and a TPM, open the Start menu, type “bitlocker” and click the Control Panel option—if there’s no BitLocker, you’re not running a suitable version of Windows. In the BitLocker window, you should see a list of drives (these should claim BitLocker is off)—ignore these. Click “TPM Administration” in the bottom-left to see if you have a TPM-enabled system. If not, but you think you do, boot into the BIOS/UEFI, and look for an option to enable the TPM.

Let’s assume you do have a TPM. Click “Turn BitLocker on” next to the drive in question. To initiate and activate the TPM, Windows has to reboot. Once back, you need to create a boot PIN, password, or USB key—this is used before Windows will even start loading. Next, a recovery key has to be created in case you forget your password, the USB key explodes, or is left on a train. This can be saved as any or all of these options: to your cloud-based Microsoft account, to a file, on a removable drive, or printed out. The encryption is about to begin. Windows offers two approaches: encrypt every byte on the drive, or only used data. The latter is quicker, but doesn’t protect deleted data; the former can take a while. The process is done in the background, though, so time may be irrelevant.

Finally, your Windows 10 PC asks if it should use New or Compatible mode. For fixed drives, choose “New.” For removable drives using On The Go, you might want to choose “Compatible” if the drive will be used on older Windows versions. Windows now checks compatibility, configures your system, then reboots (using the new login security), and you’re done; the drive begins encryption. For data drives and removable media, no TPM is required—just click, create a password, and go.

One more thing: we mentioned you don’t need a TPM to encrypt the boot disk with BitLocker. If you try, you get an error suggesting you add a policy to enable this, but no instructions. To do this, type “gpedit.msc” in the Search box, and hit Return. In the tree directory, navigate to “Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.” Double-click “Require additional authentication at startup,” choose “Enabled,” and select “Allow BitLocker without a compatible TPM” in the “Options” box. Click “OK.” You can now proceed using a USB key or password.
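The same walkthrough (TPM check, protector choice, recovery key, New-mode encryption, and the no-TPM policy) done from an elevated PowerShell prompt instead of the GUI, as an added example that is not part of the Maximum PC article. It assumes the OS volume is C:, that D: is a separate drive where the recovery password can be written, and that you want the registry values behind the “Require additional authentication at startup” policy set directly rather than through gpedit.msc.

```powershell
#Requires -RunAsAdministrator
param(
    [string]$OsDrive      = 'C:',                         # assumed OS volume
    [string]$RecoveryFile = 'D:\bitlocker-recovery.txt'   # assumed off-disk location
)
Import-Module BitLocker, TrustedPlatformModule

# 1. Is BitLocker available and still off? (Get-BitLockerVolume only exists on Pro/Enterprise.)
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    Write-Host "$OsDrive is already $($vol.VolumeStatus); nothing to do."
    return
}

# 2. Same check as "TPM Administration" in the BitLocker window.
$tpm = Get-Tpm
$haveTpm = $tpm.TpmPresent -and $tpm.TpmReady

# 3. Recovery password first, so it exists before any pre-boot protector can lock you out.
Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $OsDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"BitLocker recovery password for $OsDrive : $($rp.RecoveryPassword)" |
    Set-Content -Path $RecoveryFile

# 4. Pre-boot protector. XtsAes256 is the "New" mode from the GUI; Aes256 would be "Compatible".
#    -UsedSpaceOnly is the quicker "encrypt used space only" choice; drop it for every byte.
if ($haveTpm) {
    $pin = Read-Host -AsSecureString 'Pre-boot PIN'
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -TpmAndPinProtector -Pin $pin
} else {
    # No TPM: set the policy gpedit.msc writes for "Allow BitLocker without a compatible TPM".
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    $pw = Read-Host -AsSecureString 'Pre-boot password'
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
        -PasswordProtector -Password $pw
}

# 5. Without -SkipHardwareTest, BitLocker reboots once to prove the protector works,
#    then starts encrypting in the background; re-run this line later to watch progress.
Get-BitLockerVolume -MountPoint $OsDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Move the recovery file to removable media or print it, as the article advises, and keep it away from the encrypted PC.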

THE VERACRYPT VERSION

That was the pretty straightforward (bar the TPM issues) Microsoft solution. But we can do better, can’t we? Allow us to introduce VeraCrypt. If the name sounds familiar, it’s because it’s the spiritual and source-code successor of TrueCrypt, which was a longstanding and widely used drive encryption tool, going back to 2004. If you were wondering what happened to it, the project was shuttered out of the blue at the end of May 2014. A message urged people to move to BitLocker, and a decrypt-only version was released. Conspiracy theories circulated suggesting the developers had been hit with an NSA gag order, and forced to implement a back door. However, a full source audit found no serious flaws or back doors, and one of the developers named “David” stated in 2015 the reason was that “there is no longer interest [in maintaining the project].”

Why do we like VeraCrypt if Microsoft has a perfectly functional BitLocker solution? Because it’s open source, so we know it’s safe to use, without back doors. VeraCrypt is also portable; it offers an extract-only mode (which won’t work on the boot OS partition) that you can copy onto an external drive, and take anywhere. It’s also available for Windows, Mac OS X, BSD, and Linux, so encrypted drives or container files can be read by almost anything. It’s also super-flexible, with modes for data drives, the boot partition, removable drives, hidden drives, and flexible container files. There’s no need for a TPM, while there are options for any combination of passwords, keyfiles, smart cards, and so on. Our 10-step walkthrough explains the rest.
