DHitMA: Disk Encryption

Encryption, done appropriately, prevents one's storage devices from having their contents read; this is true, even if the devices are physically stolen. It is like applying a strong password to an account and never revealing it to anyone, so only the true owner can unlock the account. We recommend fully that full-disk encryption be applied to one's data storage devices, especially if the data is sensitive; we also recommend system drive encryption if nothing else is done. Full-disk and system encryption enable us to be worry-free regarding breaches of privacy, since all data at rest, which is generally the most sensitive, is locked behind our very strong passphrases.

The below paragraphs contain links to outside websites and sources of data; we maintain that the individual must verify the links therein.

Encryption Algorithms

It is not the intent of this article to delve into the mathematics of encryption algorithms. Here we give a brief bit of knowledge about encryption. Most encryption is done using the AES-256 algorithm, which is a standard of encryption, even for government entities. A 256-bit key presents a scenario of computational infeasibility for attackers who may try to brute-force guess one's password. We maintain that the user must use a strong password when employing the use of an encryption scheme. Other algorithms exist which compete with AES-256, like Twofish and Blowfish, which can actually be "layered" with one another. We recommend AES-256 fully.

Small-scale Encryption

The "poor man's" way of encryption can be done using a compression tool. These compression tools cannot reasonably encrypt a full disk; however, they can be useful for small packs of files. When zipping a collection of files, the option to encrypt the archive can be enabled, and a password set. Most of these applications use AES-256. Once zipped and clicked to open, the archive requires the appropriate password to decrypt the archive. We do not recommend this means of encryption, except for smaller and relatively non-sensitive packs of files.

System Partition Encryption

Encrypting one's system partition (the large portion of the drive on which one's operating system is installed) is a very good measure for security. We recommend this, absolutely. It can be done in as little as ten minutes, and no data is lost. If one keeps their applications installed in their system drive, which is encrypted, should the drive be recovered by some nefarious entity, it will be, with high certainty, impossible for said entity to recover anything at all. This is because most applications store their temporary data either in their local directory or somewhere within the system drive, so should this drive be encrypted, even physical access will have itself denied data recovery. We recommend VeraCrypt be used. Encrypting the system partition can be done easily: https://www.veracrypt.fr/en/System%20Encryption.html (https://archive.is/SFOYM). Once VeraCrypt is installed, it is as simple as selecting "System > Encrypt System Partition/Drive" and following the steps through to the end. Data is encrypted in place, and no data is lost to the encryption process. Setting a strong password is the only step worth noting; this password will be required before one's local operating system password, every time the computer is turned on.

Full-disk Encryption

One can also encrypt non-system disks in their entirety. Full-disk encryption should be performed with VeraCrypt as well. Their tutorial can be followed at https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html (https://archive.is/H0v5i). You will likely want to encrypt an entire drive, and not just a file container. If so, on the first screen, select "Encrypt a non-system partition/drive". The remaining steps are similar to the tutorial. We recommend data drive encryption for your files (sensitive or not) and highly recommend that one encrypts their system drive as well, as described heretofore.

Below is duplicated VeraCrypt's tutorial; it was edited minimally.

  1. If you have not done so, download and install VeraCrypt. Then launch VeraCrypt by double-clicking the file VeraCrypt.exe or by clicking the VeraCrypt shortcut in your Windows Start menu.
  2. The main VeraCrypt window should appear. Click Create Volume.
  3. The VeraCrypt Volume Creation Wizard window should appear. In this step you need to choose where you wish the VeraCrypt volume to be created. A VeraCrypt volume can reside in a file, which is also called container, in a partition or drive. In this tutorial, we will choose the first option and create a VeraCrypt volume within a file. As the option is selected by default, you can just click Next.
    • DHitMA note: select the second option, "Encrypt a non-system partition/drive", if one desires for an entire drive to be encrypted. The steps will remain mostly the same; elsewise, the Veracrypt wizard is very intuitive.
  4. In this step you need to choose whether to create a standard or hidden VeraCrypt volume. In this tutorial, we will choose the former option and create a standard VeraCrypt volume. As the option is selected by default, you can just click Next.
  5. In this step you have to specify where you wish the VeraCrypt volume (file container) to be created. Note that a VeraCrypt container is just like any normal file. It can be, for example, moved or deleted as any normal file. It also needs a filename, which you will choose in the next step. Click Select File. The standard Windows file selector should appear (while the window of the VeraCrypt Volume Creation Wizard remains open in the background).
  6. In this tutorial, we will create our VeraCrypt volume in the folder F:\Data\ and the filename of the volume (container) will be MyVolume.hc. You may, of course, choose any other filename and location you like (for example, on a USB memory stick). Note that the file MyVolume.hc does not exist yet – VeraCrypt will create it. IMPORTANT: Note that VeraCrypt will not encrypt any existing files (when creating a VeraCrypt file container). If you select an existing file in this step, it will be overwritten and replaced by the newly created volume (so the overwritten file will be lost, not encrypted). You will be able to encrypt existing files (later on) by moving them to the VeraCrypt volume that we are creating now.* Select the desired path (where you wish the container to be created) in the file selector. Type the desired container file name in the Filename box. Click Save. The file selector window should disappear. In the following steps, we will return to the VeraCrypt Volume Creation Wizard. * Note that after you copy existing unencrypted files to a VeraCrypt volume, you should securely erase (wipe) the original unencrypted files. There are software tools that can be used for the purpose of secure erasure (many of them are free).
  7. In the Volume Creation Wizard window, click Next.
  8. Here you can choose an encryption algorithm and a hash algorithm for the volume. If you are not sure what to select here, you can use the default settings and click Next.
  9. Here we specify that we wish the size of our VeraCrypt container to be 250 megabyte. You may, of course, specify a different size. After you type the desired size in the input field, click Next.
  10. This is one of the most important steps. Here you have to choose a good volume password. Read carefully the information displayed in the Wizard window about what is considered a good password. After you choose a good password, type it in the first input field. Then re-type it in the input field below the first one and click Next. Note: The button Next will be disabled until passwords in both input fields are the same.
  11. Move your mouse as randomly as possible within the Volume Creation Wizard window at least until the randomness indicator becomes green. The longer you move the mouse, the better (moving the mouse for at least 30 seconds is recommended). This significantly increases the cryptographic strength of the encryption keys (which increases security). Click Format. Volume creation should begin. VeraCrypt will now create a file called MyVolume.hc in the folder F:\Data\ (as we specified in Step 6). This file will be a VeraCrypt container (it will contain the encrypted VeraCrypt volume). Depending on the size of the volume, the volume creation may take a long time. After it finishes, the following dialog box will appear. Click OK to close the dialog box.
  12. We have just successfully created a VeraCrypt volume (file container). In the VeraCrypt Volume Creation Wizard window, click Exit.The Wizard window should disappear. In the remaining steps, we will mount the volume we just created. We will return to the main VeraCrypt window (which should still be open, but if it is not, repeat Step 1 to launch VeraCrypt and then continue from Step 13.)
  13. Select a drive letter from the list. This will be the drive letter to which the VeraCrypt container will be mounted. Note: In this tutorial, we chose the drive letter M, but you may of course choose any other available drive letter.
  14. Click Select File. The standard file selector window should appear.
  15. In the file selector, browse to the container file (which we created in Steps 6-12) and select it. Click Open (in the file selector window). The file selector window should disappear. In the following steps, we will return to the main VeraCrypt window.
  16. In the main VeraCrypt window, click Mount. Password prompt dialog window should appear.
  17. Type the password (which you specified in Step 10) in the password input field.
  18. Select the PRF algorithm that was used during the creation of the volume (SHA-512 is the default PRF used by VeraCrypt). If you don’t remember which PRF was used, just leave it set to “autodetection” but the mounting process will take more time. Click OK after entering the password. VeraCrypt will now attempt to mount the volume. If the password is incorrect (for example, if you typed it incorrectly), VeraCrypt will notify you and you will need to repeat the previous step (type the password again and click OK). If the password is correct, the volume will be mounted.
  19. We have just successfully mounted the container as a virtual disk M:. The virtual disk is entirely encrypted (including file names, allocation tables, free space, etc.) and behaves like a real disk. You can save (or copy, move, etc.) files to this virtual disk and they will be encrypted on the fly as they are being written. If you open a file stored on a VeraCrypt volume, for example, in media player, the file will be automatically decrypted to RAM (memory) on the fly while it is being read. Important: Note that when you open a file stored on a VeraCrypt volume (or when you write/copy a file to/from the VeraCrypt volume) you will not be asked to enter the password again. You need to enter the correct password only when mounting the volume. You can open the mounted volume, for example, by selecting it on the list as shown in the screenshot above (blue selection) and then double-clicking on the selected item. You can also browse to the mounted volume the way you normally browse to any other types of volumes. For example, by opening the ‘Computer’ (or ‘My Computer’) list and double clicking the corresponding drive letter (in this case, it is the letter M). You can copy files (or folders) to and from the VeraCrypt volume just as you would copy them to any normal disk (for example, by simple drag-and-drop operations). Files that are being read or copied from the encrypted VeraCrypt volume are automatically decrypted on the fly in RAM (memory). Similarly, files that are being written or copied to the VeraCrypt volume are automatically encrypted on the fly in RAM (right before they are written to the disk). Note that VeraCrypt never saves any decrypted data to a disk – it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and all files stored on it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without proper system shut down), all files stored on the volume will be inaccessible (and encrypted). To make them accessible again, you have to mount the volume. To do so, repeat Steps 13-18. If you want to close the volume and make files stored on it inaccessible, either restart your operating system or dismount the volume. To do so, follow these steps: Select the volume from the list of mounted volumes in the main VeraCrypt window and then click Dismount. To make files stored on the volume accessible again, you will have to mount the volume. To do so, repeat Steps 13-18.