Some Windows 10 devices ship with “Device Encryption”, but other PCs require you to pay another $99 to get BitLocker on Windows Pro for full-disk encryption. If you’d rather not, you can use the free and open-source VeraCrypt software to get full-disk encryption on any version of Windows.
Encryption is the best way to ensure attackers can’t read your files. It scrambles your files into random-looking gibberish and you need a secret key to access them. Even if someone gains access to your physical hard drive, they’ll need your password (or key file) to actually see what you have on the drive. Of course, this doesn’t protect you against malware that attacks your PC while it’s running—just against someone stealing your PC or its hard drive and trying to view your files.
VeraCrypt is a free and open-source tool you can use to enable full-disk encryption on any Windows PC. It works on Windows 10, 8, 7, Vista, and even XP.
It’s not complicated to use: After setting it up, you just have to enter your encryption password each time you boot your PC. You use your computer normally after it boots. VeraCrypt handles the encryption in the background, and everything else happens transparently. It can also create encrypted file containers, but we’re focusing on encrypting your system drive here.
VeraCrypt is a project based on the source code of the old TrueCrypt software, which was discontinued. VeraCrypt has a variety of bug fixes and supports modern PCs with EFI system partitions, a configuration many Windows 10 PCs use.
How to Install VeraCrypt and Encrypt your System Drive
Download VeraCrypt to get started. Run the installer and select the “Install” option. You can keep all the default settings in the installer—just click through it until VeraCrypt is installed on your computer.
Once VeraCrypt is installed, open your Start menu and launch the “VeraCrypt” shortcut.
Click System > Encrypt System Partition/Drive in the VeraCrypt window to get started.
You’ll be asked whether you want to use “Normal” or “Hidden” system encryption.
The Normal option encrypts the system partition or drive normally. When you boot your computer, you’ll have to provide your encryption password to access it. No one will be able to access your files without your password.
The Hidden option creates an operating system in a hidden VeraCrypt volume. You’ll have both a “real” operating system, which is hidden, and a “decoy” operating system. When you boot your PC, you can enter the real password to boot your hidden operating system or the password to the decoy operating system to boot the decoy operating system. If someone is forcing you to provide access to your encrypted drive—due to extortion, for example—you can provide them with the password to the decoy operating system and they shouldn’t be able to tell there’s a hidden operating system at all.
In terms of encryption, using “Normal” encryption keeps your files just as secure. A “Hidden” volume only helps if you’re forced to disclose your password to someone and want to maintain plausible deniability about the existence of any other files.
If you’re not sure which you want, select “Normal” and continue. We’ll be going through the process of creating a normal encrypted system partition here, as that’s what most people will want. Consult VeraCrypt’s documentation for more information about hidden operating systems.
You can choose to either “Encrypt the Windows system partition” or “Encrypt the whole drive”. It’s up to you which option you prefer.
If the Windows system partition is the only partition on the drive, the options will be basically the same. If you just want to encrypt your Windows system partition and leave the rest of the drive alone, choose “Encrypt the Windows system partition”.
If you have multiple partitions with sensitive data—for example, a system partition at C: and a files partition at D:—select “Encrypt the whole drive” to ensure all your Windows partitions are encrypted.
VeraCrypt will ask how many operating systems you have on your PC. Most people only have a single operating system installed and should choose “Single-boot”. If you have more than one operating system installed and you choose between them when you boot your computer, select “Multi-boot”.
You’ll then be asked to choose which type of encryption you want to use. While there are multiple options available, we recommend sticking with the default settings. “AES” encryption and the “SHA-256” hash algorithm are good choices. They’re all solid encryption schemes.
You’ll then be asked to enter a password. As VeraCrypt’s wizard notes, it’s very important to choose a good password. Choosing an obvious or simple password will make your encryption vulnerable to brute-force attacks.
The wizard recommends choosing a password of 20 more more characters. You can enter a password of up to 64 characters. An ideal password is a random combination of different types of characters, including upper and lower case letters, numbers, and symbols. You’ll lose access to your files if you ever lose the password, so make sure you remember it. Here are some tips for creating a strong, memorable password if you need them.
There are a few more options here, but they’re not necessary. You can leave these options alone unless you want to use them:
- Use keyfiles: You can choose to enable “Use keyfiles” and provide some files that must be present—for example, on a USB drive—when unlocking your drive. If you ever lose the files, you’ll lose access to your drive.
- Display password: This option just unhides the password in the password fields in this window, allowing you to confirm that what you’ve typed is correct.
- Use PIM: VeraCrypt allows you to set a “Personal Iterations Multiplier” by enabling the “Use PIM” checkbox. A higher value can help prevent against brute force attacks. You’ll also need to remember whatever number you enter and enter it alongside your password, giving you something else to remember in addition to your password.
Select any of these options if you want them and click Next.
VeraCrypt will ask you to move your mouse randomly around inside the window. It uses these random mouse movements to increase the strength of your encryption keys. When you’ve filled up the meter, click “Next”.
The wizard will inform you it’s generated the encryption keys and other data it needs. Click “Next” to continue.
The VeraCrypt wizard will force you to create a VeraCrypt Rescue Disk image before continuing.
If your bootloader or other data ever gets damaged, you must boot from the rescue disk if you want to decrypt and access your files. The disk will also contain a backup image of the contents of the beginning of the drive, which will allow you to restore it if necessary.
Note that you’ll still need to provide your password when using the rescue disk, so it isn’t a golden key that allows access to all your files. VeraCrypt will simply create a rescue disk ISO image at C:\Users\NAME\Documents\VeraCrypt Rescue Disk.iso by default. You’ll need to burn the ISO image to a disc yourself.
Be sure to burn a copy of the rescue disk so you can access your files if there’s ever a problem. You can’t just reuse the same VeraCrypt rescue disk on multiple computers. You need a unique rescue disk for each PC! Consult VeraCrypt’s documentation for more information about VeraCrypt rescue disks.
Next, you’ll be asked for the “wipe mode” you want to use.
If you have sensitive data on your drive and you’re concerned someone might attempt to examine your drive and recover the data, you should select at least “1-pass (random data)” to overwrite your unencrypted data with random data, making it difficult to impossible to recover.
If you’re not concerned about this, select “None (fastest)”. It’s faster not to wipe the drive. The larger the number of passes, the longer the encryption process will take.
This setting only applies to the initial setup process. After your drive is encrypted, VeraCrypt won’t need to overwrite any encrypted data to protect against data recovery.
VeraCrypt will now verify everything is working correctly before it encrypts your drive. Click “Test” and VeraCrypt will install the VeraCrypt bootloader on your PC and restart. You’ll have to enter your encryption password when it boots.
VeraCrypt will provide information about what to do if Windows doesn’t start. If Windows doesn’t start properly, you should restart your PC and press the “Esc” key on your keyboard at the VeraCrypt bootloader screen. Windows should start and ask if you want to uninstall the VeraCrypt bootloader.
If that doesn’t work, you should insert the VeraCrypt rescue disk into your PC and boot from it. Select Repair Options > Restore Original System Loader in the rescue disk interface. Restart your PC afterwards.
Click “OK” and then click “Yes” to restart your PC.
You’ll have to enter your VeraCrypt encryption password when your PC boots. If you didn’t enter a custom PIM number, just press “Enter” at the PIM prompt to accept the default.
Sign into your PC when the normal welcome screen appears.You should see a “Pretest Completed” window.
VeraCrypt advises that you have backup copies of the files you’re encrypting. If the system loses power or crashes, some of your files will be irreversibly corrupted. It’s always important to have backup copies of your important files, especially when encrypting your system drive. If you need to back up your files, click the “Defer” button and back up the files. You can then relaunch VeraCrypt later and click System > Resume Interrupted Process to resume the encryption process.
Click the “Encrypt” button to actually encrypt your PC’s system drive.
VeraCrypt will provide information about when you should use the rescue disk. After it does, it will begin the process of encrypting your hard drive.
When the process is complete, your drive will be encrypted and you’ll have to enter your password each time you boot your PC.
If you decide you want to remove the system encryption in the future, launch the VeraCrypt interface and click System > Permanently Decrypt System Partition/Drive.