Disk encryption. Alternatives to TrueCrypt. Programs for encrypting individual files or entire disks

To prevent unauthorized access to the system and its data, Windows 7/10 lets you set a logon password (including a picture password), but this protection cannot be called reliable. The password of a local account is easily reset with third-party utilities, and, more importantly, nothing stops anyone from reading the file system directly by booting the machine from any LiveCD with a file manager, or by moving the disk into another computer. A logon password protects the session, not the data on the disk.

To truly protect your data you need encryption. The built-in BitLocker feature will do this, but third-party programs are also worth considering. For a long time TrueCrypt was the application of choice for data encryption, but in May 2014 its developers abruptly ended the project with a warning that the program "may contain unfixed security issues". Its code lived on in a fork: VeraCrypt, started by a different team (IDRIX) in 2013, kept developing the TrueCrypt code base after the original project closed and has been maintained since.

VeraCrypt is essentially an improved TrueCrypt, and it is the program we suggest for protecting your information. In the example below we use VeraCrypt to the full: encrypting the entire hard drive, system and user partitions included. This method carries a small but real risk that the system will not boot afterwards, so resort to it only when you really need it, and only after backing up your data and creating the rescue disk the wizard offers.

Installation and basic setup of VeraCrypt

The installation procedure for VeraCrypt is no different from installing other programs, with one exception. At the very beginning you will be asked to choose between installation modes Install or Extract.

In the first case the program and its driver are installed into the OS, which lets you mount encrypted containers and encrypt the system partition itself. Extract mode simply unpacks the VeraCrypt executables so you can use it as a portable application. Some functions are then unavailable, above all system encryption in Windows 7/10, which requires the installed driver; mounting volumes in portable mode still needs administrator rights to load the driver.

Immediately after launch, go to Settings – Language if you want an interface language other than the default English.

Disk encryption

Despite the apparent complexity of the task, everything is very simple. Select the “Encrypt system partition/disk” option from the “System” menu.

In the wizard window that opens, leave “Normal” as the type (this is enough unless you need a hidden operating system) and choose the entire disk as the encryption area.

After the search for hidden sectors completes (the procedure may take a long time), specify the number of operating systems and the encryption algorithm (it is better to leave the defaults here).

Note: If Windows stops responding while searching for hidden sectors, force restart your PC and skip this step next time by selecting “No”.

Create a strong password and enter it twice in the fields.

Move the mouse randomly inside the wizard window to feed the random pool from which the master key is generated, then click “Next”.

At this stage the program will offer to create a VeraCrypt Rescue Disk (VRD) image and write it to a flash drive or optical media.

When prompted to run a system encryption pre-test, click Test.

You will need to restart your computer. After the PC turns on, the VeraCrypt bootloader screen will appear. Here you enter the password you created and the PIM (Personal Iterations Multiplier), a number that sets how many key-derivation iterations are applied to the password before the header can be decrypted. If you did not set a PIM earlier, just press Enter and the default is used. Note that the PIM is part of the secret: a wrong PIM fails exactly like a wrong password.

After a few minutes, Windows will boot in normal mode, but the Pretest Completed window will appear on the desktop - preliminary testing has been completed. This means you can start encrypting. Click the "Encrypt" button and confirm the action.

The encryption procedure will start. It may take a long time; the duration depends on the size and speed of the disk (the whole partition is encrypted, free space included), so be patient and wait.

Note: If the computer boots in UEFI mode from a GPT disk with an EFI system partition, which is typical of recent PCs, older VeraCrypt releases showed a notification at the start of encryption: “It looks like Windows is not installed on the drive...”, and could not encrypt such a disk. VeraCrypt has supported UEFI/GPT system encryption since version 1.18; if you see this message, update to a current release.

Once the entire contents of the disk is encrypted, the VeraCrypt bootloader window will appear every time you turn on the computer and each time you will need to enter a password; there is no other way to access the encrypted data. With disk decryption everything is much simpler. All you need to do is run the program, select the “Permanently decrypt system partition/disk” option in the “System” menu and follow the wizard’s instructions.

Laptops have become very popular thanks to their affordable price and high performance, and users often carry them outside secured premises or leave them unattended. The question of keeping the personal information on a Windows system out of outsiders' hands therefore becomes pressing. Simply setting a logon password will not help here, and encrypting individual files and folders (read about that) is too laborious. The most convenient and reliable means is hard drive encryption. You can encrypt just one of the partitions and keep private files and programs on it. Moreover, such a partition can be hidden by not assigning it a drive letter. It then looks unformatted and does not attract attention, which is especially effective, since the best way to protect secret information is to hide the very fact of its existence.

How hard drive encryption works

The general principle is this: the encryption program creates a volume, a container whose contents are encrypted, and formats a file system inside it. Data is encrypted on the fly as it is written and decrypted as it is read, so plaintext never reaches the storage medium. The container can be either an ordinary file or a partition of a disk device. A container file is convenient because it can be copied anywhere and used there. This works well for small amounts of data, but once the container reaches tens of gigabytes its mobility becomes doubtful, and a huge file of random-looking bytes itself reveals that something worth protecting is stored in it. A more universal approach is therefore to encrypt an entire partition of the hard drive.

There are many programs for this purpose. The best known is TrueCrypt. Because the program is open source, its code can be audited for vendor backdoors, undocumented ways to reach the encrypted data; the independent audit completed in 2015 found no such backdoor, although it did report a few weaknesses. There are speculations that the creators of TrueCrypt were forced to abandon development; their farewell notice pointed users to proprietary alternatives such as BitLocker. The last full release, 7.1a, still works on the Windows versions of its era and is the one most TrueCrypt users kept.

Attention!!! The last full version is 7.1a ( Download link). Do not use the “cut down” version 7.2 (the project was closed, the official site suggests migrating from TrueCrypt to BitLocker, and only 7.2, which can decrypt but not create volumes, is offered there). Since the official site no longer distributes 7.1a, verify the PGP signature or published hashes of any copy you download. Bear in mind that 7.1a is unmaintained: the local privilege-escalation flaws in its Windows driver found in 2015 (CVE-2015-7358, CVE-2015-7359) were fixed only in VeraCrypt, which is why VeraCrypt is the recommended successor.

Creating an encrypted disk

Let's consider the standard approach to encrypting partitions. We need an unused partition on the hard drive or flash drive; you can free one of the logical drives for this. If there is no free partition, you can choose to encrypt the partition in place without formatting, preserving the existing data. This takes longer, and there is a small risk of losing data if the computer freezes during the process, so make a backup first.

Once the partition is prepared, launch TrueCrypt and select “Create Volume”.

Since we are interested in storing data not in a container file, but in a disk partition, we select the “Encrypt non-system partition/disk” option and the usual type of volume encryption.

At this stage, the mentioned choice appears - to encrypt the data in the partition or format it without saving the information.

After this, the program asks which algorithms to use for encryption. For home use there is no big difference; you can choose any of the algorithms or a cascade of several.

Bear in mind that a cascade of several algorithms needs more computing resources when the encrypted disk is in use, so read and write speed drops. If your computer is not powerful, it makes sense to click the benchmark button to pick the algorithm that performs best on your hardware.

The next step is the actual process of formatting the encrypted volume.

Now all you have to do is wait until the program finishes encrypting your hard drive.

At the password stage you can also specify a keyfile as additional protection; the volume then opens only when both the password and the keyfile are presented. If the keyfile is kept on another computer on the local network, losing a laptop or flash drive with an encrypted disk gives the finder nothing, even with a guessed password, because the keyfile is not on the lost device. The flip side is that the keyfile is as critical as the password: if it is lost or its contents change, the volume cannot be opened, so keep a copy of it in a safe place and never on the encrypted volume itself.

Hiding an encrypted partition

As already mentioned, the advantage of an encrypted partition is that the operating system sees it as unused and unformatted, with nothing indicating that it holds encrypted data. The only way to tell is statistical: a forensic tool that measures the randomness of the bytes can conclude that a partition full of high-entropy data, with no file-system signature, most likely contains ciphertext (the installed TrueCrypt program and its history of mounted volumes are further tells). But unless you are a target of an intelligence service, you are unlikely to face this kind of examination.
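The check described above, the entropy scan a forensic examiner runs over a disk image, as an added example that is not part of the original article. It builds a small constructed image (an NTFS-looking partition, unallocated zeros, then a region that is "unformatted" to Windows but full of random-looking bytes standing in for a TrueCrypt volume) and classifies each chunk; the threshold and the signature check are this example's own choices, not values from any particular forensic tool.

```python
"""
Added example: spotting an "unformatted" partition that is really ciphertext.
Encrypted data is statistically indistinguishable from random bytes, so a
region whose byte entropy sits near the 8-bit maximum and carries no
file-system signature stands out.  The sample image is constructed in-line;
no real disk is read.
"""
import hashlib
import math
from collections import Counter

SECTOR = 512
CHUNK = 64 * 1024          # scan granularity
RANDOM_THRESHOLD = 7.9     # bits per byte; ordinary plaintext rarely exceeds ~6.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_filesystem(chunk: bytes) -> bool:
    """Cheap signature check so a real partition is not flagged as hidden
    ciphertext: NTFS/FAT boot sectors carry an OEM name and the 0x55AA marker."""
    if len(chunk) < SECTOR:
        return False
    oem = chunk[3:11]
    has_marker = chunk[510:512] == b"\x55\xaa"
    known_oem = any(oem.startswith(p) for p in (b"NTFS", b"MSDOS", b"MSWIN", b"EXFAT"))
    return has_marker and known_oem


def scan(image: bytes, chunk_size: int = CHUNK):
    """Classify each chunk of an image as 'zero', 'filesystem', 'random' or
    'plaintext'.  Returns a list of (offset, entropy, label)."""
    result = []
    for off in range(0, len(image), chunk_size):
        chunk = image[off:off + chunk_size]
        h = shannon_entropy(chunk)
        if h == 0.0:
            label = "zero"
        elif looks_like_filesystem(chunk):
            label = "filesystem"
        elif h >= RANDOM_THRESHOLD:
            label = "random"       # encrypted volume, or compressed/media data
        else:
            label = "plaintext"
        result.append((off, round(h, 3), label))
    return result


def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic random-looking bytes (stand-in for ciphertext) so the
    example is reproducible without a real TrueCrypt volume."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_image() -> bytes:
    """Constructed image: an NTFS-looking partition, an unallocated zero region,
    then a region that Windows would report as unformatted but is ciphertext."""
    ntfs_boot = bytearray(SECTOR)
    ntfs_boot[0:3] = b"\xeb\x52\x90"
    ntfs_boot[3:11] = b"NTFS    "
    ntfs_boot[510:512] = b"\x55\xaa"
    text = (b"Quarterly report: revenue up 4% on the back of ... " * 1500)[:CHUNK - SECTOR]
    return (bytes(ntfs_boot) + text
            + bytes(CHUNK)                 # unallocated, still all zero
            + pseudo_random(2 * CHUNK))    # the "hidden" encrypted partition


def suspicious_regions(image: bytes):
    """Offsets of chunks an examiner would single out as probable ciphertext."""
    return [off for off, _, label in scan(image) if label == "random"]


if __name__ == "__main__":
    img = build_sample_image()
    for off, h, label in scan(img):
        print(f"offset {off:>8}: entropy {h:5.3f}  -> {label}")
    print("probable encrypted regions at:", suspicious_regions(img))
```

The caveat the label comments hint at matters in practice: compressed archives, JPEGs and video also score near 8 bits per byte, so high entropy alone proves nothing; it is the combination of a random-looking region with no partition-table entry, no drive letter and no file-system header that draws attention.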

For extra protection from ordinary users it makes sense to hide the encrypted partition from the list of drive letters. Accessing the partition through its letter is useless anyway (the data is only reachable by mounting it in TrueCrypt), and it is actually dangerous: Windows treats the partition as unformatted and offers to format it, and accepting that prompt by accident destroys the volume header and with it the data. To detach the letter, open “Control Panel” → “Computer Management / Disk Management”, right-click the partition, choose “Change drive letter and paths...” and remove the assignment.

After these manipulations, the encrypted partition will not be visible in Windows Explorer and other file managers. And the presence of one nameless and “unformatted” partition among several different system partitions is unlikely to arouse interest among outsiders.

Using an encrypted drive

To use an encrypted device as a regular drive, you need to connect it. To do this, in the main program window, right-click on one of the available drive letters and select the menu item “Select device and mount...”

After this, you need to mark the previously encrypted device and specify the password.

As a result, a new drive with the chosen letter appears in Windows Explorer (in our case, drive X).

Now you can work with this disk like any ordinary logical disk. The main thing after finishing work is not to forget to shut down the computer, close TrueCrypt or dismount the encrypted partition: while the volume is mounted, anyone with access to the running session can read the data on it, and the keys stay in memory. You can dismount the partition by clicking the “Dismount” button.

Results

Using the TrueCrypt program will allow you to encrypt your hard drive and thereby hide your private files from strangers if someone suddenly gains access to your flash drive or hard drive. And the location of encrypted information on an unused and hidden partition creates an additional level of protection, since the uninitiated circle of people may not realize that secret information is stored on one of the partitions. This method of protecting private data is suitable in the vast majority of cases. And only if you are being targeted with the threat of violence to obtain your password, then you may need more sophisticated security methods, such as steganography and hidden TrueCrypt volumes (with two passwords).

Hello, friends! In this article we continue to study the tools built into Windows for improving the security of our data. Today it is the BitLocker disk encryption system. Data encryption is needed to stop strangers from using your information; how they might get hold of it is another matter.

Encryption is the process of transforming data so that only the right people can access it. Keys or passwords are usually used to gain access.

Encrypting the entire drive prevents access to the data when the hard drive is connected to another computer. An attacker can boot another operating system or move the disk to a machine of their own to bypass file permissions, but this does not help against BitLocker: without the key, the sectors are unreadable ciphertext.

BitLocker technology appeared with Windows Vista and was improved in Windows 7. It is available in the Ultimate and Enterprise editions of Windows 7, in Windows 8 Pro and Enterprise, and in the Pro, Enterprise and Education editions of Windows 10 and 11; the Home editions offer only the limited “device encryption”. Owners of other editions will have to look for an alternative.

Without going into details, it works like this. The system encrypts the entire disk and gives you the keys to it. If you encrypt the system disk, the computer will not boot without your key. It is like the keys to an apartment: if you have them you get in; if you lose them you use the spare (the recovery key issued during encryption) and change the lock (encrypt again with new keys).

For reliable protection it is desirable to have a TPM (Trusted Platform Module) in your computer. If one is present (version 1.2 or higher), it stores the key and releases it only when the firmware and boot components it measures are unchanged, and it can be combined with a PIN or a USB startup key for stronger protection. Without a TPM, BitLocker can still be enabled through Group Policy (“Allow BitLocker without a compatible TPM”), but then the key must come from a USB startup key or, on Windows 8 and later, a password.

BitLocker works as follows. Each sector of the disk is encrypted separately with the full-volume encryption key (FVEK). The FVEK itself is stored on the disk encrypted with the volume master key (VMK), and the VMK in turn is protected by one or more “key protectors”: the TPM, a PIN, a USB startup key, a password, or the recovery key. This layering is what lets you add or lose a protector without re-encrypting the disk. In Vista and Windows 7 the cipher is AES with a 128-bit key plus the Elephant diffuser; the diffuser was dropped in Windows 8, and Windows 10 (from version 1511) uses XTS-AES. The key size can be raised to 256 bits in Group Policy (“Choose drive encryption method and cipher strength”), which must be done before encryption starts.

When encryption is complete you will see the following picture

Close the window and check whether the startup key and recovery key are in safe places.

Encrypting a flash drive - BitLocker To Go

Why would you suspend BitLocker? So that it does not lock your drive and force you into the recovery procedure. With a TPM protector, the firmware (BIOS/UEFI) and the contents of the boot partition are measured at every start, and the TPM releases the key only if those measurements match. Changing them, for example by a firmware update or a change to the boot configuration, makes the computer demand the recovery key at the next boot. Suspending protection before such changes (“Manage BitLocker” → “Suspend protection”) avoids this; protection resumes automatically afterwards.

If you select Manage BitLocker, you can Save or Print the Recovery Key and Duplicate the Startup Key.

A lost key cannot be recovered, but while the drive is unlocked you can produce a new copy here: duplicate the startup key or save the recovery key again. Do this before you need it; once the drive is locked, only a key you already have will open it.

Manage encryption of external drives

The following functions are available to manage the encryption settings of the flash drive:

You can change the password used to unlock it. The password can be removed only if a smart card is used for unlocking instead. You can also save or print the recovery key and enable auto-unlock of the drive on this computer (the unlock key is then stored on the computer's own encrypted system drive, so this only makes sense when the system drive is also protected by BitLocker).

Recovering disk access

Restoring access to the system disk

If the USB startup key is not available, the recovery key comes into play. When you boot the computer you will see something like the following:

To restore access and boot Windows, press Enter

You will see a screen asking you to enter your recovery key.

When you enter the last digit, provided the recovery key is correct, the operating system will automatically boot.

Restoring access to removable drives

To restore access to information on a flash drive or external HDD, click Forgot your password?

Select Enter recovery key

and enter the long 48-digit code. Click Next.

If the recovery key is suitable, the disk will be unlocked

A link appears to Manage BitLocker, where you can change the password to unlock the drive.
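The 48-digit recovery code entered above has a fixed structure, which is why the recovery screen can reject a mistyped group before it even tries the key. The following added example (not Microsoft's code) encodes and validates that format: 8 groups of 6 digits, each group a 16-bit value multiplied by 11, the whole code carrying a 128-bit recovery key. The 16 bytes it recovers are only the raw recovery key; BitLocker then stretches them with a salt from the volume metadata through roughly a million SHA-256 rounds before they can unwrap the volume master key, and that part is not reproduced here.

```python
"""
Added example: structure of a BitLocker recovery password.
Each 6-digit group is (16-bit word) * 11, so a group is valid only if it is
divisible by 11 and below 65536 * 11 = 720896.  The eight words, little-endian,
form the 16-byte recovery key.
"""
import secrets

GROUPS = 8
GROUP_MAX = 65536 * 11  # 720896; a 6-digit group must be below this


def key_to_recovery_password(key: bytes) -> str:
    """Encode a 16-byte recovery key as the 48-digit password Windows shows."""
    if len(key) != 16:
        raise ValueError("recovery key is 16 bytes")
    groups = []
    for i in range(GROUPS):
        word = int.from_bytes(key[2 * i:2 * i + 2], "little")   # 0..65535
        groups.append(f"{word * 11:06d}")
    return "-".join(groups)


def validate_recovery_password(text: str) -> bool:
    """True if the text is 8 groups of 6 digits, each divisible by 11 and
    below 720896.  A single mistyped digit shifts a group by 1..9, never by a
    multiple of 11, so it always fails this check."""
    groups = text.replace(" ", "").split("-")
    if len(groups) != GROUPS:
        return False
    for g in groups:
        if len(g) != 6 or not g.isdigit():
            return False
        value = int(g)
        if value % 11 != 0 or value >= GROUP_MAX:
            return False
    return True


def recovery_password_to_key(text: str) -> bytes:
    """Decode a well-formed 48-digit password back to the 16-byte recovery key."""
    if not validate_recovery_password(text):
        raise ValueError("not a well-formed BitLocker recovery password")
    key = bytearray()
    for g in text.replace(" ", "").split("-"):
        key += (int(g) // 11).to_bytes(2, "little")
    return bytes(key)


def generate_recovery_password() -> str:
    """Fresh recovery password from 128 random bits, as Windows generates it."""
    return key_to_recovery_password(secrets.token_bytes(16))


if __name__ == "__main__":
    pw = generate_recovery_password()
    print("recovery password:", pw)
    print("well-formed:", validate_recovery_password(pw))
    print("raw 16-byte key:", recovery_password_to_key(pw).hex())
    # one wrong digit breaks the divisibility-by-11 rule of its group
    damaged = pw[:-1] + ("0" if pw[-1] != "0" else "1")
    print("with a typo:", damaged, "->", validate_recovery_password(damaged))
```

Note what this check does and does not prove: a well-formed code is not necessarily the right code for this volume. Only the key-stretching step and the attempt to unwrap the volume master key, which happen on the recovery screen, confirm that; the arithmetic here merely catches typing errors without touching the disk.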

Conclusion

In this article we learned how to protect our information by encrypting it with the built-in BitLocker tool. It is disappointing that the technology is available only in the higher editions of Windows. It also became clear why Windows creates the small hidden bootable partition (the 100 MB “System Reserved” partition on Windows 7 setups, larger in later versions, or the EFI system partition on UEFI machines): the boot files must stay unencrypted so that the computer can start and ask for the key.

Perhaps I will use encryption for flash drives or external hard drives. But this is unlikely, since there are good substitutes in the form of cloud storage services such as Dropbox, Google Drive, Yandex Disk and the like.

This is the fourth of five articles on our blog dedicated to VeraCrypt; it examines in detail and provides step-by-step instructions on how to use VeraCrypt to encrypt an entire system partition or disk with the Windows operating system installed.

If you are looking for how to encrypt a non-system hard drive, encrypt individual files or an entire USB flash drive, and also want to learn more about VeraCrypt, take a look at these links:

This encryption is the most secure since absolutely all files, including any temporary files, hibernation file (sleep mode), swap file and others are always encrypted (even in the event of an unexpected power outage). The operating system log and registry, which store a lot of important data, will be encrypted as well.

System encryption relies on pre-boot authentication. Before Windows starts loading, you must enter the password that unlocks the encrypted system partition containing all the operating system files; only then can the bootloader hand over to Windows.

This is implemented by the VeraCrypt bootloader, which takes the place of the standard one: on a legacy BIOS/MBR machine it is written to the disk's first track, on a UEFI machine it is an EFI application placed in the EFI system partition. If the boot sector or the bootloader itself is damaged, you can still boot the system with the VeraCrypt Rescue Disk.

Please note that the system partition is encrypted on the fly while the operating system is running. While the process is ongoing, you can use the computer as usual. The above is also true for decryption.

List of operating systems for which system disk encryption is supported:

  • Windows 10
  • Windows 8 and 8.1
  • Windows 7
  • Windows Vista (SP1 or later)
  • Windows XP
  • Windows Server 2012
  • Windows Server 2008 and Windows Server 2008 R2 (64-bit)
  • Windows Server 2003
This list reflects the VeraCrypt release current when the article was written; newer releases have dropped the oldest systems on it and added Windows 11, so check the release notes of the version you install. In our case we encrypt a computer with Windows 10 and a single disk C:\.

Step 1 - Encrypt the system partition


Launch VeraCrypt, open the System menu in the main window and select the first item, Encrypt system partition/drive.

Step 2 – Selecting Encryption Type


Leave the default type Normal. If you want to create a hidden partition or a hidden OS, look at the additional features of VeraCrypt. Click Next.

Step 3 – Encryption Area




In our case, it is not fundamentally important to encrypt the entire disk or just the system partition, since we have only one partition on the disk that takes up all the free space. It is possible that your physical disk is divided into several partitions, for example C:\ And D:\. If this is the case and you want to encrypt both partitions, choose Encrypt the whole drive.

Please note that if you have several physical disks installed, you will have to encrypt each of them separately: the disk with the system partition using these instructions, a disk holding only data using the separate article on non-system disks.

Select whether you want to encrypt the entire disk or just the system partition and click the button Next.

Step 4 – Encrypt Hidden Partitions



Select Yes only if your computer has hidden partitions with manufacturer utilities (recovery tools and the like) and you want to encrypt them too. This is usually not necessary, and encrypting them can break the manufacturer's recovery tools, so leave No unless you know you need it.

Step 5 – Number of Operating Systems



We will not cover the case of several operating systems installed on one computer. Select Single-boot and click Next.

Step 6 – Encryption Settings



Choose the encryption and hash algorithms. If you are not sure, keep the defaults, AES and SHA-512: AES is fast on any CPU with AES-NI, and SHA-512 is the hash used to derive the header key from your password. Both are sound choices.

Step 7 - Password



This is an important step; here you need to create a strong password that will be used to access the encrypted system. We recommend that you carefully read the developers' recommendations in the Volume Creation Wizard window on how to choose a good password.

Step 8 – Collecting Random Data


This step gathers randomness for the master key that will encrypt the disk. Note that this key is not derived from your password: it is random, and the password (via the key-derivation step) only protects the header in which the master key is stored. The longer you move the mouse, the more entropy goes into the pool. Move it randomly at least until the indicator turns green, then click Next.

Step 9 - Generated Keys



This step informs you that the encryption keys, the salt and the other header parameters have been created. It is informational; click Next.
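The salt created here and the PIM asked for at boot (see the note on the bootloader screen earlier on this page) meet in one place: the key derivation that turns the password into the header key. The following added example, which is not VeraCrypt's code, shows that computation with Python's standard PBKDF2-HMAC. The iteration formulas are the ones published in the VeraCrypt documentation for the PIM; the 64-byte salt length is the documented volume-header layout; the 64-byte output length is this example's choice (what AES-XTS alone consumes; VeraCrypt derives enough bytes for its longest cascade and uses the prefix). The rate measurement is a rough single-core estimate, not a benchmark of VeraCrypt.

```python
"""
Added example: how a VeraCrypt password and PIM become the header key.
The header key decrypts only the volume header; the random master key that
encrypts the sectors is stored inside that header.
"""
import hashlib
import os
import time

SALT_LEN = 64  # VeraCrypt volume headers start with a 64-byte random salt


def veracrypt_iterations(pim: int, hash_name: str, system_encryption: bool) -> int:
    """PBKDF2 iteration count for a given PIM, per the VeraCrypt documentation.

    PIM = 0 (not specified): 200,000 for system encryption with a hash other
        than SHA-512/Whirlpool, 500,000 in every other case.
    PIM given: system encryption with SHA-256/BLAKE2s/Streebog -> PIM * 2048;
        everything else (SHA-512/Whirlpool system, all non-system volumes)
        -> 15,000 + PIM * 1000.
    """
    if pim < 0:
        raise ValueError("PIM must be non-negative")
    fast_boot_hash = system_encryption and hash_name not in ("sha512", "whirlpool")
    if pim == 0:
        return 200_000 if fast_boot_hash else 500_000
    if fast_boot_hash:
        return pim * 2048
    return 15_000 + pim * 1000


def derive_header_key(password: bytes, salt: bytes, pim: int, hash_name: str = "sha512",
                      system_encryption: bool = True, key_len: int = 64) -> bytes:
    """PBKDF2-HMAC over the password with the header salt and the PIM-derived
    iteration count.  A wrong PIM changes the count and so yields a wrong key,
    exactly as a wrong password would."""
    if len(salt) != SALT_LEN:
        raise ValueError("VeraCrypt header salt is 64 bytes")
    iterations = veracrypt_iterations(pim, hash_name, system_encryption)
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen=key_len)


def guesses_per_second(pim: int, hash_name: str = "sha512",
                       system_encryption: bool = True, samples: int = 3) -> float:
    """Rough single-core rate at which an attacker could test passwords at this
    PIM; the point is the ratio between PIM values, not the absolute number."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for i in range(samples):
        derive_header_key(b"guess%d" % i, salt, pim, hash_name, system_encryption)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed inputs: a real salt is read from the volume header.
    salt = bytes(range(SALT_LEN))
    password = b"correct horse battery staple"
    for pim in (0, 1, 485):
        count = veracrypt_iterations(pim, "sha512", True)
        key = derive_header_key(password, salt, pim)
        print(f"PIM={pim:>3}: {count:>9,} iterations -> header key {key[:8].hex()}...")
    print(f"~{guesses_per_second(1):.0f} guesses/s at PIM=1 "
          f"vs ~{guesses_per_second(485):.1f}/s at the SHA-512 default (PIM 485)")
```

Two practical consequences follow from the formulas. A PIM of 485 with SHA-512 gives exactly the 500,000 default iterations, so choosing a small PIM (the wizard allows this for faster boot) directly multiplies the speed of an offline password-guessing attack and is only acceptable with a long password; and because the PIM feeds the derivation, it must be written down together with the password, since neither alone opens the volume.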

Step 10 – Recovery Disk



Specify the path where the ISO image of the rescue disk will be saved. You may need this image if the VeraCrypt bootloader is damaged, but you will still need to enter the correct password.


Save the recovery disk image to removable media (for example a flash drive) or burn it to an optical disk (we recommend) and click Next.

Step 11 - The recovery disk is created



Note! Each encrypted system partition requires its own recovery disk. Be sure to create it and store it on removable media. Do not store the recovery disk on the same encrypted system drive.

Only the rescue disk can help you in case of technical failures and hardware problems: it holds a backup of the original boot area and of the volume header (which contains the encrypted master key), so a damaged header can be restored. Even with it, the correct password is still required.

Step 12 – Clearing Free Space



Wipe mode addresses a subtle problem: as VeraCrypt encrypts the partition in place, it overwrites the plaintext sectors with their ciphertext, and on some magnetic media traces of the overwritten data might in principle be recoverable with laboratory techniques. In wipe mode the unencrypted data is first overwritten with random data the chosen number of times before the ciphertext is written.

This operation multiplies the total encryption time, so decline it (“None”) unless the disk held data whose remnants genuinely matter to you; if it did, 1 pass is sufficient on modern magnetic disks, and 3 passes is already conservative. The 7- and 35-pass options date from studies of decades-old drive technology and bring nothing on current hardware.

Do not choose multiple passes for an SSD at all. Overwriting cannot reach cells that the drive's wear-levelling has remapped, so the passes only wear the drive without guaranteeing that the old data is gone; for an SSD, the real protection is that everything written after encryption is ciphertext, and if you need the old plaintext removed, use the drive's own secure-erase function before encrypting.

Step 13 – System Encryption Test



Run the system encryption pre-test. You will be told that the VeraCrypt bootloader interface is entirely in English, including the password prompt at boot; take note, because your keyboard layout at that point is also the default US one.

Step 14 – What to do if Windows does not boot



Read through, or better yet, print out the recommendations in case what to do if Windows does not boot after a reboot (this happens).

Click OK if you have read and understood the message.

We bring to your attention an overview of the most popular hardware and software for encrypting data on an external hard drive.

Let's start with the simplest. Mac OS X has a built-in Disk Utility that lets you create an encrypted disk image. You can also use third-party software to encrypt files or folders, for example FileWard. In addition, some backup applications offer encryption of backups out of the box.

These methods are good. But sometimes using software encryption is not the best option. For example, when you need to encrypt Time Machine backups. To protect such backups, you will have to do some tricky manipulations, because Time Machine does not support encryption. Conventional software will not help when you need to create an encrypted copy of the boot disk so that it remains bootable. Encrypted disks also have another limitation: they cannot be used on other computers (Mac or PC) without special software.

PGP (Whole Disk Encryption) is one of those applications that can encrypt the contents of a disk that remains bootable and usable on Mac and PC. It is a good application, but to access the information, PGP must be installed on every computer the drive is connected to. Also, if the disk is damaged, the encryption may get in the way of data recovery.

If you need a universal solution that imposes no restrictions on how the disk is used, you can buy an HDD with built-in encryption. The drive encrypts and decrypts data on its own, so no additional software is needed, and the disk can serve as a boot volume or for Time Machine. Two caveats: if the drive's controller or other electronics fail, you will not be able to get the data off the device (even with perfectly working mechanics) until the HDD itself is repaired; and the security rests entirely on the vendor's closed firmware, which cannot be audited the way open-source software can, and in which independent researchers have repeatedly found weaknesses. Treat the vendor's claims accordingly.

Encryption-enabled hard drives come in several types, depending on the decryption mechanism:

Hardware keys

Some manufacturers offer encrypting HDD boxes that are locked using a physical device. As long as the key is present (connected or near the disk), the disk can be read.

HDDs of this type: RadTech’s ($95), RocStor and several devices from ($50+). All boxes have two or three compatible keys that connect to a special port on the device. SecureDISK offers with an infrared key (the media must be nearby to use the disk).

Fingerprint scanners

If you are worried about losing physical media, then you can look towards HDD boxes with a fingerprint scanner. A few examples: MXI Security ($419-$599) and LaCie ($400 for a 2GB model). (Some older models of LaCie boxes, 2.5″ format, do not encrypt data, but use less reliable locking in the firmware). These drives are easy to use and can store fingerprints of up to five people. It is worth noting that there are several techniques for deceiving the finger scanner (without the presence of the original finger).

Keyboard

($230-480) – encrypting disk boxes that do not require physical keys or biometric readers. Instead, the keyboard is used to enter a password (up to 18 characters). Using a keyboard instead of a physical key is convenient when the disk often passes between hands. The drives support a “self-destruct” feature that deletes all stored information after several unsuccessful password attempts.

Two types of authentication

At least one product offers a combination of a physical key (in the form of a smart card) and a built-in keyboard in a compact disk shell. This option for protecting your hard drive is the most reliable, since to access information the user must have a key and know the secret password.