If you’re in the UK, then you may be involved in the current (as I write this) panic to become GDPR (General Data Protection Regulation) compliant. The UK’s data protection laws were last updated over a decade ago. Now, they’re being updated to bring the UK more in line with the rest of Europe, as we exit Europe. Should be interesting.
Anyway, as an experiment (at work), I decided to try full-drive encryption on a Windows 7 machine using VeraCrypt. VeraCrypt is the successor to the somewhat flawed TrueCrypt. Although this tutorial uses Windows 7, the procedure and software are exactly the same for Linux.
The basic idea behind full-drive encryption is that you generate a unique key and password. On booting the PC, you must enter the encryption password before the machine will even boot the OS. Once the OS has booted, you log in as normal. And everything looks/feels normal. It’s just that initial encryption password that’s the only noticeable difference.
Should anything go wrong at the booting stage, you have a boot disc, unique to that machine, which will force the machine to boot because the disc (or USB, I suppose) has the encryption key on it. Even when booting from the disc, you still need the encryption password. So, even if your PC and boot disc were lost/stolen, you’re still safe. Well, assuming you didn’t Sellotape the encryption password to the device…
NOTE: please be very careful with full-drive encryption if you are dual-booting Windows and Linux. I have no experience at all with that setup.
Installing Veracrypt
First, I downloaded VeraCrypt – which has a version for Windows, Linux, and Mac (even FreeBSD and Raspbian): https://www.veracrypt.fr/en/Downloads.html
Go through the install procedure of downloading the archive file, unarchiving it, and running the executable file. Finally, after the install has finished, run VeraCrypt.
Getting Prepared
I clicked the ‘Create Volume’ button. This got me a popup that lets me choose what it is I’m going to encrypt. I chose ‘Encrypt the system partition or entire system drive’, and clicked Next.
If you were encrypting a USB stick, you’d choose ‘non-system partition/drive’, and if you were creating an encrypted container to store files in, you’d choose the ‘encrypted file container’ option. For type of System Encryption, I chose ‘Normal’, and clicked Next.
For Area to Encrypt, I chose ‘Encrypt the whole drive’, and clicked Next.
For Encryption of Host Protected Area, I wasn’t sure. So I chose No, and clicked Next.
For ‘Number of Operating Systems’ - in my case - I chose single-boot, and clicked Next.
For Encryption Options - I kept the defaults (AES and SHA-256), and clicked Next.
I used a random password generator to create a ten-digit password which I entered here. Then clicked Next.
You’ll get a warning for any password less than 20 characters. I’m OK with that in this case.
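The 20-character warning and the later PIM prompt (under Pretest) both come down to how much work an attacker needs per guess against the boot-time password. The example below is added here and is not part of the original post or of VeraCrypt: it generates a password with Python's `secrets` module, computes its entropy, and estimates the cost of brute-forcing it. The PBKDF2 iteration figures (200,000 with no PIM, PIM × 2048 otherwise, for SHA-256 system encryption) and the attacker's hash rate are assumptions stated in the code, not values taken from the page.

```python
import math
import secrets
import string

# Character sets. The page only says "a random password generator", so
# which alphabet was used is an assumption of this example.
DIGITS = string.digits                                             # 10 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length, alphabet=MIXED):
    """Return `length` symbols drawn uniformly at random with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def system_pbkdf2_iterations(pim=None):
    """Header-key derivation cost for SHA-256 system encryption.

    Assumed from VeraCrypt's documentation (not stated on the page):
    no PIM -> 200,000 iterations; with a PIM -> PIM * 2048 iterations.
    """
    if pim is None:
        return 200_000
    if not isinstance(pim, int) or pim < 1:
        raise ValueError("PIM must be a positive integer")
    return pim * 2048


def expected_years_to_crack(bits, iterations, hashes_per_second):
    """Expected time to search half the keyspace.

    `hashes_per_second` is the attacker's assumed SHA-256 throughput; each
    password guess costs `iterations` hash computations.
    """
    guesses = 2 ** (bits - 1)
    seconds = guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)


def compare(rate=1e9):
    """Compare the page's 10-digit password with a 20-character mixed one."""
    results = {}
    for label, length, alphabet in (("10 digits", 10, DIGITS),
                                     ("20 mixed", 20, MIXED)):
        bits = entropy_bits(length, len(alphabet))
        results[label] = {
            "sample": generate_password(length, alphabet),
            "bits": round(bits, 1),
            "years_no_pim": expected_years_to_crack(
                bits, system_pbkdf2_iterations(), rate),
            "years_pim_500": expected_years_to_crack(
                bits, system_pbkdf2_iterations(500), rate),
        }
    return results


if __name__ == "__main__":
    # Attacker throughput of 1e9 SHA-256/s is a constructed figure.
    for label, r in compare().items():
        print(f"{label}: {r['bits']} bits, ~{r['years_no_pim']:.3g} years "
              f"(no PIM), ~{r['years_pim_500']:.3g} years (PIM 500)")
```

The point the numbers make: a ten-digit password carries about 33 bits, so even 200,000 iterations per guess leaves it within reach of a few weeks on modest hardware, whereas 20 mixed characters (about 131 bits) is out of reach regardless of PIM. Raising the PIM multiplies the cost of every guess, but also your own boot-time wait, by the same factor; length is the cheaper lever.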
Collecting Random Data will show gibberish, but you keep moving the mouse to randomise it more. You can keep going until the green bar fills up, or click Next when you’re ready to proceed.
Keys Generated just informs you that you’re ready to move to the next step, so I clicked Next.
Rescue Disk is called that for a reason. MAKE A RESCUE DISK. Do it just in case of a problem. DO NOT SKIP THIS STEP. The idea behind it is that, if there’s a problem later on (ie: your drive doesn’t boot), then you can use this disk to boot from. The disk apparently has a copy of the keys on it. The combination of this boot disk, with keys, and your password may save your bacon. So make the disk.
Clicking Next will make it create/burn an ISO (in the chosen directory) which you can burn to CD/DVD/USB.
After creating/burning the ISO, I clicked Next.
I got an error here, but it just needs the disk/USB ejected and reinserted. I clicked OK, then Next. My Rescue Disk was verified as good-to-go. For ‘Wipe Mode’, I chose 1-pass (with a 500GB HDD in this case).
I then got a warning about 3-pass+ taking a long time to complete.
Pretest
At this point, I clicked Test, and the PC reboots.
As the PC booted back up, it asked for my password. It also asked for a PIM (Personal Iterations Multiplier), but, since I didn’t provide one, I just hit enter.
The PC booted back up as normal and I logged in as the admin again. VeraCrypt says Pretest Completed.
Encrypt!
This is it. Clicking Encrypt (then OK) begins the process. Encryption time will depend upon the power of the machine, and size of the drive.
After many an hour, you’ll see a completion message. I clicked OK and Finish.
And that was it. Done.