Protect Your Sensitive Data in Windows With Full Disk Encryption (FDE) Using VeraCrypt (PersSec101)


In this post I'll show you how to use encryption to make your system so secure not even the FBI or NSA can access your sensitive data. This post will cover Windows. For Linux information check out my other guide posted in the comments. If you have any questions or problems please comment and I'll do my best to respond.
Let's get started!

First we're going to open our browser and go to veracrypt.fr. Near the top blue bar, click on Download. Click the Windows executable download link and open it.


Accept the terms and click through using all default options, then click Finish.

Open VeraCrypt by hitting the Windows key (or going to the Start menu) and typing in VeraCrypt.

In the top bar click on System and then "Encrypt System Partition/Drive".


Choose either Normal or Hidden. Normal is fine; however, choosing Hidden can be very important in some circumstances.

If you ever think you could be in a situation where you could be compelled to give up your encryption keys, either through force of violence or a court order (in some countries, if a court asks you to give up your encryption keys you must, or you will be held in contempt indefinitely), or while traveling to a country that requires you to tell them your passwords/keys, like Russia, then you should choose Hidden. If you do choose Hidden, you simply create two passwords (one fake and one real), and if forced to give a key you give your fake one. Otherwise Normal is typically fine even for the U.S. (where it's been ruled you cannot be forced to give your password/keys involuntarily), and the rest of this guide will act as if you chose Normal.

Once you choose Normal or Hidden and click Next, choose "Encrypt the whole drive". If it is grayed out then unfortunately, to continue, you need to reinstall Windows under an MBR scheme in order to have Full Disk Encryption (please see the guide in the comments).
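To see which partition scheme a disk uses before you reach this step, here is an added example (not part of the original guide) that classifies a disk from its first two sectors. The 512-byte sector size and the two sample images are assumptions constructed for the example.

```python
SECTOR = 512  # assumption: 512-byte logical sectors


def partition_scheme(first_sectors: bytes) -> str:
    """Classify a disk from LBA 0 and LBA 1: 'MBR', 'GPT' or 'unknown'."""
    if len(first_sectors) < 2 * SECTOR:
        raise ValueError("need at least LBA 0 and LBA 1")
    lba0 = first_sectors[:SECTOR]
    lba1 = first_sectors[SECTOR:2 * SECTOR]
    # Both schemes end sector 0 with the 0x55 0xAA boot signature.
    if lba0[510:512] != b"\x55\xaa":
        return "unknown"
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    types = [lba0[446 + 16 * i + 4] for i in range(4)]
    if 0xEE in types:
        # 0xEE marks a protective MBR; a real GPT also has its header in LBA 1.
        return "GPT" if lba1[:8] == b"EFI PART" else "unknown"
    return "MBR" if any(t != 0 for t in types) else "unknown"


def _make_disk(part_type: int, gpt_header: bool) -> bytes:
    """Build a constructed two-sector sample image (not real disk data)."""
    lba0 = bytearray(SECTOR)
    lba0[446 + 4] = part_type
    lba0[510:512] = b"\x55\xaa"
    lba1 = bytearray(SECTOR)
    if gpt_header:
        lba1[:8] = b"EFI PART"
    return bytes(lba0 + lba1)


MBR_SAMPLE = _make_disk(0x07, gpt_header=False)  # 0x07 = NTFS partition
GPT_SAMPLE = _make_disk(0xEE, gpt_header=True)   # protective MBR + GPT header

if __name__ == "__main__":
    print("MBR sample:", partition_scheme(MBR_SAMPLE))
    print("GPT sample:", partition_scheme(GPT_SAMPLE))
```

On a live Windows system the same answer is in the `PartitionStyle` column of PowerShell's `Get-Disk`.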


!!!IT IS VERY IMPORTANT IF YOU HAVE ANY NON-MAGNETIC HARD DRIVE(SSD, NVME, ETC...) THAT YOU CHOOSE THE WHOLE DISK OPTION. SSD'S ETC FREQUENTLY WILL LEAK DATA TO NON-ENCRYPTED AREAS AND THIS CAN NOT BE AVOIDED UNLESS YOU ENCRYPT THE WHOLE DISK!!!

Otherwise, assuming you have Encrypt Whole Drive checked, click Next and choose Yes to Encrypt Host Protected Area, then click Next.


Click Yes at any Windows prompts, choose Single-boot or Multi-boot (depending on how many operating systems you have installed) and click Next.


Make sure AES at the top and SHA256 (or SHA512 if available) are selected and click Next.


It's time to choose our password. If we choose a good one our data will be secure. If we choose a bad one all our work will have been in vain. There are 2 main things that are important when choosing ANY password, regardless of how or where you're going to use it:

  • NEVER choose a password you have EVER used in part or in full!
  • Your password must be truly random and 16 characters or more (32+ is ideal), including lowercase/uppercase letters, symbols and numbers.

This may sound like a pain, but in a moment I'll show you how to securely generate a password. These 2 things are especially important when using encryption because if we use a previous password, an attacker with access to any of our old passwords (whether via breach data or a government with a warrant) has a far easier time cracking our password.

To generate a secure password go to passwordsgenerator.net. This is a great site as it creates a secure password that never gets sent out to the internet. I recommend choosing at least the default setting of 16 and then doubling it and adding a few characters in between (so if your password is password, make it passworda$5passworda$5). This makes it far stronger/more complex but easy to remember.
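A way to apply the two rules above without any website, as an added example (not part of the original guide): it draws the password from the operating system's CSPRNG on your own machine and enforces the 16-character minimum and the four character classes. The function names and the printable-ASCII symbol set are choices made for this example.

```python
import math
import secrets
import string

# The four classes the rule above asks for. Printable ASCII only
# (assumption: keeps every character typeable at a pre-boot prompt).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)  # 94 characters


def has_all_classes(password: str) -> bool:
    """True if the password has at least one character from every class."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 32) -> str:
    """Generate a password locally from the OS CSPRNG (secrets module)."""
    if length < 16:
        raise ValueError("the guide's minimum is 16 characters")
    while True:
        # Rejection sampling: redraw the whole candidate instead of forcing
        # a class into a fixed position, so accepted passwords stay uniform.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int) -> float:
    """Upper bound on entropy for a uniformly random password of this length."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for n in (16, 32):
        print(f"{n} chars, about {entropy_bits(n):.0f} bits: {generate_password(n)}")
```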


Write down the password on paper (you will need it later) and then type it in both places (copy/paste is disabled), click Use PIM, then click Next.

Next you will be taken to the Collecting Random Data screen. Move your mouse around until the bar on the bottom is completely filled and green, click Next, then Yes to the prompt, then click Next.


Now we are at the Rescue Disk screen. You can either check the skip option (not recommended) or just insert a flash drive, click Next and choose the first option.


Now we need to choose our wipe mode. If you have an SSD or similar you'll want to use either 1 or 3 pass unless it is brand new. Otherwise you can choose zero to save time, though it's recommended to do at least 1 pass.
Click Next and then click the Test button and OK.


At this point it will ask you to restart your computer. SAVE ALL WORK AND MAKE SURE YOU HAVE YOUR PASSWORD WRITTEN DOWN ON PAPER!!! Then click Yes.

You will be brought to a black screen where you will enter your password and hit Enter, and then hit Enter again for PIM (leaving PIM blank). At the end it should look like this...

[Screenshot: the black pre-boot screen after entering the password and PIM]

It should take anywhere from a couple of seconds to a couple of minutes depending on your system, and then your OS will load. Wait a few moments and the VeraCrypt program should pop up again. Click on Encrypt, click OK/Yes on the prompts and it should begin the process of encrypting your disk.


If you need to restart your computer (not recommended for SSDs) prior to it completing, you can click Defer and then come back to it later (go to the VeraCrypt menu and choose System > Resume Encryption).


This process can take from a couple of hours to a couple of days depending on the size of the HD and the power of your system. Once it is finally done and at 100%, exit out. Congratulations, you've made your system so secure not even the FBI or NSA can access your sensitive data.

!!!IT IS IMPORTANT TO NOTE DISK ENCRYPTION ONLY HELPS YOU IF YOUR DEVICE IS OFF OTHERWISE THE PASSWORD CAN BE PULLED FROM MEMORY SO IF YOU ARE ABOUT TO OR POTENTIALLY COULD LOSE CONTROL OF YOUR DEVICE TO AN ATTACKER YOU MUST TURN IT OFF(i.e. turn off through government checkpoints or if your device is about to be seized by police)!!!

There are some situations where this won't protect you, so please see my other guides in this series (PersSec 102, 103, etc...) about further hardening your system.

If you have any questions or problems please comment and I'll do my best to respond within 24 hours. If you found this useful please upvote and follow :)

