This is another entry in my list of articles on encrypting your entire digital life
…from end to end. Click here for the lead article. This article is about encrypting your entire boot disk on your server, desktop, or laptop computer. I’ll be giving specific instructions for Windows, but Mac & Linux steps are similar. Note that encrypting your boot drive is performed differently than encrypting non boot drives (which I’ll also cover in a separate article). These instructions are using free, open source software that’s NOT from Microsoft.
Short (VERY short version)
- Install encryption software.
- Backup boot drive (no, seriously! DO THIS!)
- Select boot volume.
- Provide passphrase.
- Enter passphrase on boot prompt.
- Wait for boot.
- Encrypt volume.
The rest of this shows you the details of those steps.
Note the following trade-offs to encrypting your boot drive:
- When powering on or rebooting, your PC will stop until you enter your encryption passphrase. This means you can’t reboot your PC remotely. Someone has to physically be there.
- After typing in your passphrase, there will be a delay. My PC takes 48 seconds that it didn’t take before.
- Download and Install VeraCrypt from https://veracrypt.codeplex.com/releases/view/616110
- Open the “System” menu and choose “Encrypt System Partition/Drive”.
- Follow the directions in the software.
- After you’ve answered all the prompts in the software, it will require you to reboot. During boot, BEFORE Windows boots, you’ll be prompted to enter your passphrase. Go ahead and enter it and hit [Enter].
- You’ll then be prompted for “PIM”. Honestly, I have no idea what this is. I just left it blank and hit [Enter]. All is good.
- Your PC will work on decrypting for a while. My Quad-Core i5-4690K CPU @ 3.5Ghz takes about 48 seconds here. Your mileage may vary depending on the speed of your CPU.
- Once it’s done there, Windows will boot. Go ahead and log in.
- You still haven’t actually encrypted your disk yet. You just got the VeraCrypt bootloader installed. Shortly after you log in, VeraCrypt will automatically open and walk you through actually encrypting your disk. That will be the final step.
DO NOT FORGET YOUR PASSPHRASE!!!!!
After that, you’re all done. Now, every time you reboot, you’ll be prompted for your passphrase SO DON’T YOU DARE FORGET IT! Seriously! If you forget your passphrase, there’s NO WAY to recover it. That’s it. It’s done. The data on your boot drive will be gone forever. You’ll have to reformat your drive, install a fresh copy of Windows, and start all over OR pull out the drive and set it aside, hoping you’ll remember some day. I cannot stress this enough. You CANNOT forget your passphrase! I recommend storing a HINT of your passphrase in an ENCRYPTED password management tool, like LastPass. I use the “secure notes” feature to store mine.
Your drive is now much more secure.
What you NEED to know about Windows 8 and 10 disk encryption
And by “Windows 8 and 10 disk encryption”, I mean the built-in encryption capabilities of Windows. I’m NOT talking about what we just did above with a third party product called VeraCrypt…
- If you install Windows 8 or 10 on your own PC, then log into your Microsoft account, at that time, your DECRYPTION KEYS are UPLOADED to Microsoft servers!!! Yes! Without asking!
- If you buy a PC with Windows 8 or 10 already on it, your decryption keys are ALREADY uploaded to Microsoft servers.
- You can request that Microsoft delete your decryption key, but it’s already too late. Once your decryption key leaves your hands, you can no longer trust that it’s secure.
- To fix this, you’ll need to RE-Encrypt your disk, which requries generating a NEW key, then NEVER log into Windows with your Microsoft account. Just… DON’T! But DO create a LOCAL user account and use that from now on.
Thank you for sharing this article. See this image?
You’ll find actual working versions of them at the top and bottom of this article. Please click the appropriate buttons in it to let your friends know about this article.