How-To Geek

How to Encrypt Your Windows System Drive With VeraCrypt

Some Windows 10 devices ship with “Device Encryption”, but other PCs require you to pay another $99 to get BitLocker on Windows Pro for full-disk encryption. If you’d rather not, you can use the free and open-source VeraCrypt software to get full-disk encryption on any version of Windows.

Full-disk encryption protects your data at rest. It scrambles the contents of the drive into random-looking gibberish that can only be read with a secret key derived from your password (and any keyfiles you configure). If someone steals your laptop or pulls the drive out of a powered-off PC, they’ll need that password to see anything on it. Be clear about what it does not do: once you’ve booted and unlocked the drive, Windows and every program running on it (malware included) see your files in the clear, so encryption is no substitute for locking the screen when you step away and keeping the system patched.

VeraCrypt is a free and open-source tool you can use to enable full-disk encryption on any Windows PC. It works on Windows 10, 8, 7, Vista, and even XP.

It’s not complicated to use: After setting it up, you just have to enter your encryption password each time you boot your PC. You use your computer normally after it boots. VeraCrypt handles the encryption in the background, and everything else happens transparently. It can also create encrypted file containers, but we’re focusing on encrypting your system drive here.

VeraCrypt is a project based on the source code of the old TrueCrypt software, which was discontinued. VeraCrypt has a variety of bug fixes and supports modern PCs with EFI system partitions, a configuration many Windows 10 PCs use.

How to Install VeraCrypt and Encrypt your System Drive

Download VeraCrypt from the official project site to get started. Because this tool will sit in your boot path, check the installer’s digital signature (or the PGP signature the project publishes alongside each release) before running it. Run the installer and select the “Install” option. You can keep all the default settings in the installer—just click through it until VeraCrypt is installed on your computer.

Once VeraCrypt is installed, open your Start menu and launch the “VeraCrypt” shortcut.

Click System > Encrypt System Partition/Drive in the VeraCrypt window to get started.

You’ll be asked whether you want to use “Normal” or “Hidden” system encryption.

The Normal option encrypts the system partition or drive normally. When you boot your computer, you’ll have to provide your encryption password to access it. No one will be able to access your files without your password.

The Hidden option creates an operating system in a hidden VeraCrypt volume. You’ll have both a “real” operating system, which is hidden, and a “decoy” operating system. When you boot your PC, you can enter the real password to boot your hidden operating system or the password to the decoy operating system to boot the decoy operating system. If someone is forcing you to provide access to your encrypted drive—due to extortion, for example—you can provide them with the password to the decoy operating system and they shouldn’t be able to tell there’s a hidden operating system at all.

In terms of encryption, using “Normal” encryption keeps your files just as secure. A “Hidden” volume only helps if you’re forced to disclose your password to someone and want to maintain plausible deniability about the existence of any other files.

If you’re not sure which you want, select “Normal” and continue. We’ll be going through the process of creating a normal encrypted system partition here, as that’s what most people will want. Consult VeraCrypt’s documentation for more information about hidden operating systems.

You can choose to either “Encrypt the Windows system partition” or “Encrypt the whole drive”. It’s up to you which option you prefer.

If the Windows system partition is the only partition on the drive, the options will be basically the same. If you just want to encrypt your Windows system partition and leave the rest of the drive alone, choose “Encrypt the Windows system partition”.

If you have multiple partitions with sensitive data—for example, a system partition at C: and a files partition at D:—select “Encrypt the whole drive” to ensure all your Windows partitions are encrypted.

VeraCrypt will ask how many operating systems you have on your PC. Most people only have a single operating system installed and should choose “Single-boot”. If you have more than one operating system installed and you choose between them when you boot your computer, select “Multi-boot”.

You’ll then be asked to choose an encryption algorithm and a hash algorithm. The defaults are fine for almost everyone: “AES” (VeraCrypt runs it in XTS mode to encrypt the drive sectors) and “SHA-256” (used by PBKDF2 to turn your password into the key that unlocks the volume header). All of the listed ciphers and hashes are sound. The cascade options such as AES-Twofish-Serpent encrypt everything two or three times over, which buys little and costs throughput; on modern CPUs with AES-NI, plain AES is also the fastest choice.

You’ll then be asked to enter a password. As VeraCrypt’s wizard notes, it’s very important to choose a good password. Choosing an obvious or simple password will make your encryption vulnerable to brute-force attacks.

The wizard recommends choosing a password of 20 or more characters. You can enter a password of up to 64 characters. A good password is either a random mix of upper and lower case letters, numbers, and symbols, or a passphrase of several unrelated words, which is easier to remember and, at 20 or more characters, just as strong. You’ll lose access to your files if you ever lose the password, so make sure you remember it. Here are some tips for creating a strong, memorable password if you need them.

There are a few more options here, but they’re not necessary. You can leave these options alone unless you want to use them:

  • Use keyfiles: You can choose to enable “Use keyfiles” and provide some files that must be present—for example, on a USB drive—when unlocking your drive. The keyfile contents are mixed into the key along with your password, so if you ever lose the files (or a single byte of them changes), you’ll lose access to your drive.
  • Display password: This option just unhides the password in the password fields in this window, allowing you to confirm that what you’ve typed is correct.
  • Use PIM: VeraCrypt allows you to set a “Personal Iterations Multiplier” by enabling the “Use PIM” checkbox. The PIM scales how many times the key-derivation function runs over your password. A higher value makes every guess more expensive for an attacker, but it makes your own unlock at boot slower by the same factor. You’ll also need to remember whatever number you enter and enter it alongside your password, giving you something else to remember in addition to your password.

Select any of these options if you want them and click Next.
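To make the PIM trade-off concrete, here is an added example (not code from the article or from the VeraCrypt project) that implements the PIM-to-iteration-count rules from VeraCrypt’s documentation and times a header key derivation with Python’s standard `hashlib`. The 64-byte salt and 64-byte derived key follow the documented volume-header format for AES-XTS; the password and salt below are constructed for the demo, the default PIM values (98 for system encryption with SHA-256, 485 otherwise) are taken from the documentation, and the function names are this example’s own. The same script illustrates the “long password, low PIM” advice given in the comments below.

```python
import hashlib
import os
import time

# Documented VeraCrypt defaults when the PIM prompt is left empty (PIM 0).
SYSTEM_SHA256_DEFAULT_PIM = 98   # MBR system encryption with a hash other than SHA-512/Whirlpool
OTHER_DEFAULT_PIM = 485          # everything else (about 500,000 iterations)


def veracrypt_iterations(pim, hash_name="sha256", system=True):
    """Return the PBKDF2 iteration count VeraCrypt derives from a PIM.

    Documented rules:
      - system encryption with a hash other than SHA-512/Whirlpool: PIM * 2048
      - SHA-512/Whirlpool system encryption, non-system volumes and file
        containers: 15000 + PIM * 1000
    A PIM of 0 (an empty PIM prompt) means "use the default PIM".
    """
    if pim < 0:
        raise ValueError("PIM must be non-negative")
    strong_hash = hash_name.lower() in ("sha512", "whirlpool")
    if system and not strong_hash:
        if pim == 0:
            pim = SYSTEM_SHA256_DEFAULT_PIM
        return pim * 2048
    if pim == 0:
        pim = OTHER_DEFAULT_PIM
    return 15000 + pim * 1000


def derive_header_key(password, salt, pim=0, hash_name="sha256", system=True):
    """Derive the 64-byte header key (two 256-bit keys for AES-XTS) the way
    VeraCrypt does: PBKDF2-HMAC over the password with the header's 64-byte salt.

    Assumption for this illustration: only the SHA family is handled, because
    Whirlpool/Streebog are not available in hashlib on every platform.
    """
    if hash_name.lower() not in ("sha256", "sha512"):
        raise ValueError("this illustration only supports sha256/sha512")
    if len(salt) != 64:
        raise ValueError("VeraCrypt headers carry a 64-byte salt")
    iterations = veracrypt_iterations(pim, hash_name, system)
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations, dklen=64)


def time_unlock(password, salt, pim, hash_name="sha256", system=True):
    """Seconds one header-key derivation takes on this machine: roughly what you
    wait at the bootloader prompt, and the cost of one guess to an attacker."""
    start = time.perf_counter()
    derive_header_key(password, salt, pim, hash_name, system)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(64)  # constructed stand-in for the salt stored in the volume header
    password = "correct horse battery staple and then some"  # constructed example passphrase
    for pim in (0, 5, 10, 485):
        secs = time_unlock(password, salt, pim)
        print(f"PIM {pim:>3}: {veracrypt_iterations(pim):>9,} iterations, {secs:.3f} s per guess")
```

Notice the asymmetry: raising the PIM raises the attacker’s cost per guess and your boot delay by the same linear factor, while each extra random character in the password multiplies the attacker’s work without adding a millisecond to your unlock. That is why a long password with a modest PIM is the usual choice.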

VeraCrypt will ask you to move your mouse randomly around inside the window. It uses these random mouse movements to increase the strength of your encryption keys. When you’ve filled up the meter, click “Next”.

The wizard will inform you it’s generated the encryption keys and other data it needs. Click “Next” to continue.

The VeraCrypt wizard will force you to create a VeraCrypt Rescue Disk image before continuing.

If your bootloader or other data ever gets damaged, you must boot from the rescue disk if you want to decrypt and access your files. The disk also contains a backup image of the beginning of the drive (the VeraCrypt bootloader and the volume header that holds your encrypted master key), which will allow you to restore it if necessary.

Note that you’ll still need to provide your password when using the rescue disk, so it isn’t a golden key that allows access to all your files. VeraCrypt will simply create a rescue disk ISO image at C:\Users\NAME\Documents\VeraCrypt Rescue Disk.iso by default. You’ll need to burn the ISO image to a disc yourself. On a PC that boots in EFI mode, recent VeraCrypt versions produce a ZIP archive instead of an ISO; you unpack it to the root of a FAT-formatted USB stick and boot from that, which also covers laptops without an optical drive.

Be sure to create the rescue media and then actually boot from it once to confirm it works, so you can access your files if there’s ever a problem. You can’t just reuse the same VeraCrypt rescue disk on multiple computers: it carries this drive’s specific volume header, so you need a unique rescue disk for each PC, and you should recreate it after changing the password. Consult VeraCrypt’s documentation for more information about VeraCrypt rescue disks.

Next, you’ll be asked for the “wipe mode” you want to use.

If you have sensitive data on your drive and you’re concerned someone might attempt to examine your drive and recover the data, you should select at least “1-pass (random data)” to overwrite your unencrypted data with random data, making the old plaintext unrecoverable from the disk. This matters because encrypting in place writes ciphertext over the sectors that held plaintext, and without a wipe pass, remnants of the old data can survive in unused sectors.

If you’re not concerned about this, select “None (fastest)”. It’s faster not to wipe the drive. The larger the number of passes, the longer the encryption process will take. On an SSD, wear levelling means an overwrite pass doesn’t necessarily hit the physical cells that held the old data, so multiple passes buy little there.

This setting only applies to the initial setup process. After your drive is encrypted, VeraCrypt won’t need to overwrite any encrypted data to protect against data recovery.

VeraCrypt will now verify everything is working correctly before it encrypts your drive. Click “Test” and VeraCrypt will install the VeraCrypt bootloader on your PC and restart. You’ll have to enter your encryption password when it boots.

VeraCrypt will provide information about what to do if Windows doesn’t start. If Windows doesn’t start properly, you should restart your PC and press the “Esc” key on your keyboard at the VeraCrypt bootloader screen. Windows should start and ask if you want to uninstall the VeraCrypt bootloader.

If that doesn’t work, you should insert the VeraCrypt rescue disk into your PC and boot from it. Select Repair Options > Restore Original System Loader in the rescue disk interface. Restart your PC afterwards.

Click “OK” and then click “Yes” to restart your PC.

You’ll have to enter your VeraCrypt encryption password when your PC boots. If you didn’t enter a custom PIM number, just press “Enter” at the PIM prompt to accept the default.

Sign into your PC when the normal welcome screen appears. You should see a “Pretest Completed” window.

VeraCrypt advises that you have backup copies of the files you’re encrypting. If the system loses power or crashes mid-way through, some of your files may be irreversibly corrupted. It’s always important to have backup copies of your important files, especially when encrypting your system drive. If you need to back up your files, click the “Defer” button and back up the files. You can then relaunch VeraCrypt later and click System > Resume Interrupted Process to resume the encryption process.

Click the “Encrypt” button to actually encrypt your PC’s system drive.

VeraCrypt will provide information about when you should use the rescue disk. After it does, it will begin the process of encrypting your hard drive.

When the process is complete, your drive will be encrypted and you’ll have to enter your password each time you boot your PC.

If you decide you want to remove the system encryption in the future, launch the VeraCrypt interface and click System > Permanently Decrypt System Partition/Drive.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.

  • Published 02/15/17
  • Bruce Shand

    Can I use VeraCrypt to encrypt my dropbox folder and/or files?

  • Dave

    Great post. I have always used TrueCrypt and now VeraCrypt to store my data files but have learned that I should also be encrypting other important system files. What do you suggest in terms of creating a rescue disk for a laptop without an optical drive. Can it be done on a USB stick? Thanks in advance for any direction you might be able to give.

  • Jason Dagless

    Works nicely but check out using long passwords and a low PIM number rather than the defaults. Otherwise you will be waiting...and waiting for the machine to boot. Most of us just need to stop the guy that finds the laptop from logging in to it. We don't need to stop a huge national security agency breaking in.

  • Tom Wilson

    You can use a VeraCrypt encrypted container to store the local copies of your Dropbox folder, but that doesn't encrypt the files on Dropbox's end - those are still available to your other sync partners unencrypted.

    VeraCrypt is meant for encrypting file systems at rest, not individual files in transit. So you could theoretically sync the container itself, but I'd be nervous about that, since one error in the sync process and the whole container would be corrupted.

    If you wanted to encrypt files in transit, using DropBox as a dumb store, I'd probably do something like create password-protected 7-zip files with and then create a batch file to package up the files you want to store on DB.

    So the process becomes something like: When you change the files locally, run "packer.cmd", which would zip up the changed files. Wait for the sync. On another computer, run "unpack.cmd" to decrypt the files that were changed remotely.

    If you want to go into more details and maybe even work up a prototype, let's do that in another thread.

  • Bruce Shand

    I mainly use DB to sync between my work PC and personal laptop and possibly phone. So if I encrypted the DB folder on each device, could they sync or would that be blocked by the encryption on each device's folder? IOW, it wouldn't work that simply? Can I encrypt a single file within DB or would the syncing fail there?

  • Tom Wilson

    No, it doesn't work that way. VeraCrypt creates an encrypted volume. It does not encrypt individual files or directories.

    Basically, it just creates a new drive letter that's stored in an encrypted container. Your apps don't know that the files are encrypted because VeraCrypt encrypts and decrypts the files in the background.

    If you moved your Dropbox to an encrypted container, Dropbox wouldn't know or care about that and would just keep working like it always does.

  • Bruce Shand

    So I could put DB in encrypted volumes on each device and DB would work transparently?

  • Tom Wilson

    That's right. As far as DropBox is concerned, there is no encryption.

    However, the utility of encrypting just your local Dropbox store is kind of limited, since if someone stole your PC and managed to log in to your account, they could just redirect DB to another, non-encrypted location.

    This is why you don't do full disk encryption in parts. You either do your whole machine or none of it; if you only encrypt part of it, then it's still possible for people to steal data by leveraging the parts that are not encrypted.

  • Thanks for your help.

  • Tom Wilson

    I just noticed this in the article...

    Use PIM: VeraCrypt allows you to set a “Personal Iterations Multiplayer” by enabling the “Use PIM” checkbox. A higher value can help prevent against brute force attacks. You’ll also need to remember whatever number you enter and enter it alongside your password, giving you something else to remember in addition to your password.

    That should probably be "Multiplier."

    This is part of the process of generating the encryption key that guards your data. The PIM determines how many times that algorithm runs, and if the PIM entered during login doesn't match up with the PIM used to encrypt the header, you can't unlock the header.

  • ReadandShare

    Could users of TrueCrypt and VeraCrypt tell us a little about "performance penalty"? How much does this slow down the system during startup, usage, and shutdown? I realize we all have different size drives and use different apps, but something general just to give an idea would be helpful. I use about 80 GB (system, apps and data), running mostly browser, Office, music player... Thanks in advance.

  • Tom Wilson

    I used to use TC all the time, and I currently use Bitlocker. I don't notice any performance penalty.

    The thing is, disk I/O is one of the slowest things your computer does, and it uses very little CPU to actually accomplish that task. So even with the nominal amount of CPU time spent encrypting or decrypting your data, actual throughput doesn't suffer.

    Still, it doesn't hurt to run the benchmark tool built into VC and see what your processor can handle. If that number is significantly higher than your hard drive's throughput, you probably won't notice much in the way of slowdown. Depending on how big that difference is, you might see increased CPU utilization, but that's going to depend a lot on your CPU.

    In my experience, most hard drives can handle about 100MB/s throughput, give or take. Most SSDs can handle around 500MB/s.

    On my i7 laptop, VeraCrypt reports it can encrypt around 3.7GB/s, which is 37x faster than my hard drive can spit the data out. So that means I'm using around 3% of the CPU to encrypt or decrypt data when working with a hard drive.

    With an SSD, I would expect to use more like 15% of the CPU.

    Personally, I am using BitLocker, and so I decided to run a quick test. I tried copying an ISO from my hard drive to my SSD. I peaked at about 10% CPU utilization while reading from my 2.5" hard drive at 98MB/s, or a total throughput of 200MB/s, since I was writing back to the SSD.

  • Jason Dagless

    The only real 'performance penalty' is going with a high PIM number.

    If you go with the default or a higher one, once you put the PIM number in and hit Enter you will be waiting up to 30 or more seconds before the machine starts to boot.

    I go with a 25 digit password and a PIM of 5-10. I just need to stop the casual lookers.

  • Hi, how can I prevent Windows from asking to format the encrypted partition? Thanks

  • Edy Medor

    Hi,

    Very well-written article. I am new to this forum, but I have a very important question with regard to scheduled tasks. I used both Macrium Reflect and EaseUs ToDo Backup to do regular backups of my system. If I installed VeraCrypt to encrypt my system Drive, are those backup applications still going to be able to wake up my PC to do those scheduled backups.

    Any help would be greatly appreciated.

    Thanks!

  • Tom Wilson

    Rather than encrypt a partition, I will create and format an NTFS partition, then create a file container inside of that partition.

    So you'll have something like Drive E: (the host partition) and Drive F: (the encrypted container.) You can go into Computer Management and remount drive E: as a path or something else if it bothers you, or you can do what I do and leave some free space on that drive for exchanging data that doesn't need to be encrypted.

  • Edy Medor

    Sorry for the typo in my post. I said "I used" when I should have said "I am using Macrium Reflect & EaseUS ToDo". I have goofed up badly.

  • Jan Heckman

    Hi all,

    I have a laptop using full VeraCrypt encryption. It works fine (about 6 months now). VeraCrypt is a great replacement for BitLocker if you have a Home edition or - perish the thought - believe that MS has a backdoor.

    The only 'problem' - if it should be called that - came when updating to W10 Anniversary Edition, which was effectively a new Windows installation. I expect BitLocker to accommodate such a process (with encryption intact), but had to decrypt and re-encrypt with VeraCrypt (after installation). With another major W10 update in the making, it seems people should be aware of this as there could be scenarios leading to unnecessary grief. (I seem to remember that I got a message saying the installation could not proceed, but I think it did not specifically point at the (VeraCrypt) encryption. Sorry, bit of time ago, problem solved, don't remember exactly.)

    Jan

  • Jason Dagless

    If you only need to keep a limited amount of data safe I would still recommend just using containers rather than full disk encryption. FDE is great till something goes wrong and then it's tears. Certainly never do it on a machine that isn't 99.9999999999999% reliable.

  • Tom Wilson

    Been there, done that. A single corrupt sector can cause FDE software to blue screen your system, and after having this happen not once but twice, I started being more proactive.

    The trick is to image your drive first, then encrypt. Then keep good backups. Depending on the encryption software, imaging software might not let you image the drive once it's been encrypted, so you'll want to decrypt, image, and re-encrypt after major software changes. If your combination of backup software and encryption software will let you image the drive while it's still encrypted (you want to image the decrypted partition data, not the encrypted raw disk data), then use something like Reflect with its incremental backup feature. Either way, follow the golden rule of backups: if there's only one copy, it's not a backup. Always have at least two additional copies of your data, in addition to the live version, in case of trouble.

  • Jason Dagless

    Yeah I agree but meanwhile back in the real world of "Yeah I'll get round to making a backup tomorrow..."

    So in that case my stance of using safer containers still stands for mere mortals.

    Normal people only make backups if you do it for them.

  • Thanks Wilsontp, that's what I've been doing. I was thinking about a partition because I do not want to delete the file container by mistake (so far could not find a way to "delete proof" the file container!) :kissing_heart:

  • Tom Wilson

    If you hide the host drive letter, by mapping the drive as a directory instead, for example, then you are pretty unlikely to delete the container by accident. I also put the container and a copy of the installer in a directory named "TC", so I know exactly what's in there and what this huge, 900GB file is.

    I used to use TrueCrypt, from the time I first discovered it all the way up until TC went belly up, and I never accidentally deleted my container. If you follow those basic steps, you'll be fine.

  • Amazing, thank you Wilsontp for the lightning fast helpful reply. When you mentioned "put the container...in a directory named TC", is it the same as putting the container in a FOLDER and naming it TC or VC?

  • Tom Wilson

    Yes, they basically mean the same thing.

    A "folder" is a graphical representation of a file system directory.

  • Thanks :blush: Learned quite a few things from this site, from some kind hearted persons like you. One more question please: Is it safe to save/keep the Macrium Reflect system backup mirror in a VeraCrypt container? (It's a large 30GB mirror, and I am using the free MR version which does not have the password/encryption.)

  • Tom Wilson

    Sure, so long as you have more than one of those backups.
