August 3, 2022 at 10:24 AM
Hello Breached,
I haven't seen any technical posts on the forum about setting up full disk encryption on Windows, so I decided I may as well create a simple user guide for those who may not be experienced and/or may not understand the benefits of Full Disk Encryption (FDE). Let’s proceed!
• What is Full Disk Encryption (FDE)?
Simply put, full disk encryption (or whole disk encryption) is a means of protecting information by employing secure encryption algorithms to encrypt your data on disk. It includes temporary files, programs, and system files, but excludes the master boot record (MBR), or similar area of a bootable disk, which holds the code that starts the operating system loading sequence.
• What is VeraCrypt?
VeraCrypt is a fully audited, open-source fork of TrueCrypt that ‘solves many vulnerabilities and security issues found in TrueCrypt.’ It is also under active development, and is therefore likely to be improved upon and kept up to date on security.
• What are the benefits of VeraCrypt?
- Encrypt an entire partition / storage device (HDD/SSD/USB). <-- (This’ll be our focus).
- Create a virtual encrypted disk (Volume) that is mountable and operates like a real disk.
- Create a partition or storage drive containing an entirely different/hidden operating system etc.
- All encryption is performed on-the-fly in real-time, making VeraCrypt transparent in operation.
- Provides plausible deniability, in case an adversary or LEA forces you to reveal the password.
*While this tutorial is focused on Microsoft Windows, VeraCrypt is also available for OSX and Linux and follows the same procedure.
Quick Guide
- Download VeraCrypt here: https://www.veracrypt.fr/en/Downloads.html (Check the PGP signature!)
- Install and launch VeraCrypt:
- Select “System” and click “Encrypt System Partition / Drive” option:
- Select “Single Boot” option and press Next:
- You will be presented with “Encryption Options” UI:
[spoiler]
* Note: The default value (AES) is more than secure enough for your average user. However, if you’re paranoid, you can select a stronger cipher, though there will be a trade-off in encryption time regardless of whether you have an SSD or HDD.
[/spoiler]
- Next, you’ll be presented with the “Password” UI:
[spoiler]
* Recommendation: A secure password should be 20 or more characters, including capital letters, symbols and numbers.
[/spoiler]
- Now, it’s the fun part. Wiggle your cursor around the program to randomly generate your keys:
- Next you’ll be presented with the “Rescue Disk” UI:
[spoiler]
* Recommendation: Your VeraCrypt Rescue Disk is used in the event that VeraCrypt’s bootloader, the master keys or Windows are corrupted or missing. It allows you to permanently decrypt the partition before Windows is booted. If you decide to create one, format a USB drive as FAT/FAT32 and place all contents in the root directory of the USB drive.
[/spoiler]
- Now you’re almost complete! You will be presented with the “Wipe Mode” UI:
[spoiler]
* Note: Unless you’re performing a fresh install and decide to wipe any previous contents of the drive, we recommend you leave the default value as “None (fastest)”.
[/spoiler]
- Lastly, you’ll be presented with the “System Encryption Pretest” UI:
[spoiler]
* Note: You will have to agree to VeraCrypt’s Terms of Service and Usage Policy. Once accepted, your system will reboot and perform a pretest, where you will have to input the password you created in the previous steps; Windows will then be decrypted and loaded.
[/spoiler]
- Once logged into Windows you’ll be presented with a “Pretest Complete” UI:
[spoiler]
* Note: Press accept and the encryption process will begin and give you an estimated time until full disk encryption is complete! While this is running, we recommend you leave your system idle so as not to interfere with the process.
[/spoiler]
Congrats!
Your system is now fully encrypted and nearly impossible to decrypt without the master password you’ve created. Any time you restart or power on your PC, you will be presented with VeraCrypt’s bootloader and asked to input your password.
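
The “Check the PGP signature!” step from the Quick Guide, as an added example (not part of the original post and not VeraCrypt's own code): it reads `gpg --status-fd` output and accepts the installer only when a valid signature comes from the one key you pinned. The helper names, the placeholder fingerprint and the sample status lines are assumptions made for illustration; it assumes `gpg` is installed and the VeraCrypt public key has been imported.

```python
import subprocess

# Placeholder: paste the signing-key fingerprint published on the VeraCrypt
# site (obtained over a channel you trust). Deliberately not filled in here.
PINNED_FPR = "<FINGERPRINT-FROM-VERACRYPT-SITE>"

# Status keywords that must fail the check. gpg still prints VALIDSIG for
# signatures made by expired or revoked keys, so these are tested explicitly.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def gpg_status(sig_path, file_path):
    """Run gpg on a detached signature; return its machine-readable status."""
    cmd = ["gpg", "--status-fd", "1", "--verify", sig_path, file_path]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def signer_from_status(status_text):
    """Primary-key fingerprint of a fully valid signature, else None."""
    signer = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # Last field is the primary key's fingerprint when gpg supplies
            # it (the signature may come from a subkey); else use the first.
            signer = (fields[-1] if len(fields) >= 12 else fields[2]).upper()
    return signer

def installer_is_authentic(status_text, pinned_fpr=PINNED_FPR):
    """True only if a valid signature was made by the pinned key."""
    signer = signer_from_status(status_text)
    return signer is not None and signer == pinned_fpr.replace(" ", "").upper()

# Constructed sample status output (fingerprints are made up, not real keys).
FPR_A, FPR_B = "A" * 40, "B" * 40
VALID_A = f"[GNUPG:] VALIDSIG {FPR_A} 2022-08-01 1659312000 0 4 0 1 10 00 {FPR_A}\n"
SAMPLE_GOOD = "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer\n" + VALID_A
SAMPLE_BAD = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer\n"
SAMPLE_REVOKED = "[GNUPG:] REVKEYSIG AAAAAAAAAAAAAAAA Constructed Signer\n" + VALID_A
```

For a real download, pass `gpg_status("<installer>.sig", "<installer>")` to `installer_is_authentic` after setting `PINNED_FPR`; a “Good signature” from any other key in your keyring is rejected.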