Sunday again, this time I thought I would take you on a trip to the realm of security
In the news section there was a little story a few days back about BitLocker, the built-in system encryption for Windows, breaking after the Anniversary Update was applied. Like I mentioned, it has been hacked as far back as 2010, and even if it hadn’t been, it cannot be trusted. This is so because any company doing system-wide encryption has to value the privacy of the user. Microsoft has lost any and all credibility in this respect with its privacy-trespassing telemetry collection, and so simply cannot be trusted with the task. I mean, what are the odds your encryption password is sent to Microsoft? Many of your other passwords (web, Wi-Fi and so on) are sent, and so Microsoft cannot be trusted with your security and privacy.
Mr. Belvedere made a note of VeraCrypt, and since I really like the open-source, cross-platform tool and use it on my work laptop, I thought I should do a freebies galore tutorial on it.
For a computer in your home, encrypting the system drive may not be interesting, but for a laptop used on the road which may be stolen, this is a great extra protection. Since I bring my work laptop with me on the road and it may contain traces of confidential information related to customers, I have chosen to encrypt the entire system.
The VeraCrypt site has a very good beginner’s tutorial on using it to encrypt a data drive or to work with an encrypted container. For encrypting the system drive, however, the information is not as thorough, so I’ll do a step by step on it using a virtual machine with Windows 10 installed, to make it easier to grab screenshots.
A word of warning before you commence:
[B]Make a complete image backup of your system. If anything should go wrong during the process, you can expect it to have a devastating effect.[/B]
While I have never experienced anything going wrong, a backup is a great precaution in this case.
Download, install and start VeraCrypt. This is so straightforward I will not bore you by including it here…
What you will note once it is started, and in the screenshot above, is that your system drive [B]C:[/B] is nowhere to be found in the volume list: the partition Windows is running from cannot be encrypted as an ordinary volume. In the ‘System’ menu the top choice, ‘Encrypt System Partition/Drive’, is the one needed.
As shown above, you have two initial choices for encrypting the operating system. The ‘Hidden’ option creates a second, concealed operating system for situations where you may be forced to hand over a password. Personally, I do not fear extortion or anything else, so I do not need to hide the existence of an operating system and choose ‘Normal’.
Then we get to the second set of choices. When doing system-wide encryption, I have always encrypted the entire drive. You have the possibility to encrypt only the system partition, but note that this leaves any other partitions on the same drive (data or recovery partitions) unencrypted.
The ‘Host Protected Area’ is a region at the end of the drive that is normally hidden from the operating system; some manufacturers’ recovery or diagnostic tools live there and run before Windows loads. Choosing ‘Yes’ lets VeraCrypt encrypt those hidden sectors as well; if you have any doubt about something using that area before Windows loads, choose ‘No’ above. For a VM it is not used, so I’ll simply choose ‘Yes’.
Here the obvious choice is ‘Single-boot’ unless you have several operating systems installed. Most people have only one operating system on their computer (in this case Windows 10).
Here you set your encryption options. The default is AES, but you can also choose a cascade of several ciphers. I will leave that choice to you, with the remark that AES (Rijndael) itself has no known practical break; the realistic attack is on the password the key is derived from, not on the cipher, so a strong password matters far more than stacking ciphers. There are links to more information on both AES and the SHA-256 hash algorithm for those interested in knowing more on the subject.
Finally we’re at the step where you set your password and other security measures like keyfiles and PIM. Personally, my main objective is to stop people who steal my laptop from getting any information, so I settle for only a password, albeit an advanced one. To be secure, VeraCrypt recommends a password of 20 or more characters including special characters. It all depends on the level of security you need, but it will also accept shorter passwords.
If your password is shorter than the recommended length, you will have to click ‘Yes’ in the requester above to acknowledge that you accept using a short password.
As a side note, if you try to change the keyboard layout to your native one before entering your password, you will be greeted by the requester above, telling you that only the US keyboard layout is available on the boot screen. Keep that in mind when picking special characters: a key that types one symbol on your usual layout may type a different one on the US layout at boot.
Now this is important - move your mouse in random directions over the window as much as possible until the red bar reaches the end, then click Next. The mouse movements feed VeraCrypt’s random pool, from which the master key and the salt are generated, so this step is VERY important. The algorithm used is the same as for the RandGen program mentioned here.
Then you get a confirmation that the keys have been generated, and the option to display the generated keys in clear text if you are interested; you do not need to view them, though.
The ‘Rescue Disk’ step is another VERY important one, as there will be nothing else to help you access the encrypted disk should something happen to the boot loader or other critical parts of the disk. The rescue disk holds a backup of the boot loader and of the (still encrypted) volume header; it does not contain your password, so it cannot open the drive on its own.
On the VM I had to check ‘Skip Rescue Disk verification’ as it didn’t recognize that the disk had been created. This can be safely checked anyway; I’ll get back to it.
Just click ‘OK’; in my opinion there are a few unnecessary steps here.
You will need to have a CD or other optical media ready to be burned in the next step…
Here I have checked ‘Verify disc after burning’. This should make ‘Skip Rescue Disk verification’ above safe to check, as the burn is verified on completion.
Now this is what met me on the VM after burning, so I had no option but to cancel the encryption and redo all the steps, making sure I ticked ‘Skip Rescue Disk verification’ in the step above. This has never happened on my laptop, but it may be because the optical drive is shared between all the VMs.
Here you choose the wipe mode for the drive you’re encrypting. The wipe overwrites the original plaintext sectors one or more times as they are encrypted, so that the old unencrypted data cannot be recovered from the drive afterwards. For me the encryption is always done right after installing the OS, so I always go with ‘None’, but you have the option to do it any way you see fit. A single pass is probably enough for most (and on an SSD, wear levelling means no number of passes reliably reaches the old copies anyway).
VeraCrypt is careful even before any encryption takes place: this step ensures the boot loader works before the drive is encrypted. Just click ‘Test’.
Some information on what to do if Windows fails to start during the test. Print it and click ‘OK’.
Man, there are a few unnecessary steps; click ‘Yes’.
After rebooting, you get your first encounter with the boot screen you will become very familiar with in the future. I used a password only, so I enter it, tap [Enter], and simply tap [Enter] again at the PIM: prompt as it is not in use.
Back in Windows, you are greeted by the continuing installer telling you that the pretest successfully completed. Click ‘Encrypt’.
Here you get information on how to boot using the rescue disc. I recommend you print it and keep it with the rescue disc. Click ‘OK’.
The encryption has started. As you can see if you read the installer text, you can continue working and do pretty much anything; the process can be paused, and if you shut down your PC in the middle of it, it resumes where it left off (if it does not, ‘Resume Interrupted Process’ in the ‘System’ menu picks it up again).
Once all done, you will be informed that the process has completed.
If you start the VeraCrypt application after encryption, you will see your system drive without any drive letter, together with the encryption used on it.
While it seems like a lot of steps, going through the wizard takes only minutes, while the encryption itself can take several hours. From now on, whenever you start your laptop, you will be greeted by the boot screen before Windows is allowed to start. This will leave anyone stealing your laptop with no option other than a reinstall…
Unless you get the password right here, there is no Windows, or in other words no OS, to start. Secondly, no one knows whether you have used a PIM or not, so you should be pretty safe.
In day-to-day use, VeraCrypt is absolutely transparent and should not slow down your laptop.
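To make the password and PIM discussion above (the 20-character recommendation, and the fact that a thief does not know whether a PIM is in use) concrete, here is an added example that is not part of this post and not VeraCrypt’s own code. The iteration rules it encodes are the ones VeraCrypt documents for its PIM (200,000 iterations for SHA-256 system encryption when the PIM is empty, PIM × 2048 otherwise; 500,000 and 15,000 + PIM × 1000 for the other cases); the 64-byte salt, the 64-byte header key (two 256-bit keys for AES in XTS mode) and the attacker speed used in the cost estimate are illustrative assumptions, and the sample passwords are constructed.

```python
"""Illustration of how a VeraCrypt boot password and PIM become key-derivation work.

Constructed example, not VeraCrypt code. The iteration rules are the ones the
VeraCrypt documentation publishes for the PIM; everything else is an assumption.
"""
import hashlib
from typing import Optional

DEFAULT_ITER_BOOT_SHA256 = 200_000  # system encryption with SHA-256, PIM left empty
DEFAULT_ITER_OTHER = 500_000        # SHA-512 system encryption / non-system volumes
RECOMMENDED_MIN_LENGTH = 20         # below this the wizard shows its short-password prompt
SALT_LEN = 64                       # VeraCrypt salts are 64 bytes from the random pool
HEADER_KEY_LEN = 64                 # two 256-bit keys: AES-256 in XTS mode


def iterations(pim: int, boot_sha256: bool = True) -> int:
    """PBKDF2 iteration count VeraCrypt derives from a PIM (documented rule).

    PIM 0 means "not used", which selects a fixed default. A non-zero PIM scales
    the count linearly, so every password guess gets proportionally slower.
    """
    if pim < 0:
        raise ValueError("PIM must be a non-negative integer")
    if pim == 0:
        return DEFAULT_ITER_BOOT_SHA256 if boot_sha256 else DEFAULT_ITER_OTHER
    if boot_sha256:
        return pim * 2048
    return 15_000 + pim * 1_000


def header_key(password: str, salt: bytes, pim: int, boot_sha256: bool = True) -> bytes:
    """Derive the header key with PBKDF2-HMAC, the way the boot loader has to.

    The password bytes are what the loader reads on its fixed US layout; the salt
    is what the mouse-movement step produced. A wrong PIM changes the iteration
    count and therefore the key, exactly as a wrong password would.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("expected a 64-byte salt")
    digest = "sha256" if boot_sha256 else "sha512"
    return hashlib.pbkdf2_hmac(digest, password.encode("utf-8"), salt,
                               iterations(pim, boot_sha256), dklen=HEADER_KEY_LEN)


def password_warning(password: str) -> Optional[str]:
    """Mimic the wizard's prompt: None when the length meets the recommendation."""
    if len(password) < RECOMMENDED_MIN_LENGTH:
        return f"{len(password)} characters is below the recommended {RECOMMENDED_MIN_LENGTH}"
    return None


def guess_cost(password_len: int, charset_size: int, pim_candidates: int = 1) -> int:
    """Worst-case number of full KDF runs for an attacker who knows the charset and
    length but not the password, and must also try `pim_candidates` PIM values."""
    return charset_size ** password_len * pim_candidates


def years_to_exhaust(password_len: int, charset_size: int, pim: int,
                     pim_candidates: int = 1, hmac_per_second: float = 1e9) -> float:
    """Rough brute-force time; hmac_per_second is an assumed attacker speed.

    A 64-byte SHA-256 PBKDF2 output needs two blocks, hence the factor 2.
    """
    hmac_calls = guess_cost(password_len, charset_size, pim_candidates) * iterations(pim) * 2
    return hmac_calls / hmac_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = bytes(range(SALT_LEN))                      # constructed, NOT a real salt
    pw = "correct-horse-battery-staple"                # constructed sample password
    print("warning:", password_warning("Summer2016!"))
    print("key (PIM empty):", header_key(pw, salt, 0).hex()[:16], "...")
    print("key (PIM 485):  ", header_key(pw, salt, 485).hex()[:16], "...")
    for length in (8, 12, 20):
        for pim in (0, 485):
            print(f"{length:2d} printable chars, PIM {pim:3d}: "
                  f"{years_to_exhaust(length, 95, pim):.3g} years")
```

Running the script shows two things the wizard screens only hint at: the same password with a different PIM yields a completely different header key (so an attacker who guesses the PIM wrong gets nothing, and each extra PIM candidate multiplies the search), and the jump from 8 to 20 printable characters moves the brute-force estimate from hours to astronomically long, regardless of which cipher you picked.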