Best way to encrypt data partition

Discussion in 'Windows 10' started by windows.seven, Jan 20, 2019.

  1. windows.seven

    windows.seven MDL Member

    Currently using a Dell laptop with Win 7 Pro. I use VeraCrypt to make encrypted containers in which I store important files which are not used every day. Many document files which I use daily, generally LibreOffice files, are not within the container but are protected by a long password. There are many files, like 1000's of pictures, which are not sensitive and are unprotected. Even emails.
    I always fear that if the laptop is stolen, a lot of my data would be accessible.
    I have daily and weekly backups at different locations.
    I would soon like to purchase a new laptop and will have to choose Win 10 for sure.
    How can I protect my data so that even if the laptop is stolen, I wouldn't have to fear? I don't need the system partition to be protected, just the data.
    Should I encrypt the data partition (I always partition hard disk and use D: partition for data) with VeraCrypt or some other software? I don't know how this would work as my data folder (mapped in the OS) would be within this partition. So it needs to be decrypted before actual booting or the OS may give errors. I also shift the "Desktop" to D: drive generally.
    Or is there any hardware encryption / decryption device, password or biometric based which I should look at?
    Or does any laptop come with such biometric hardware?
    Please help me decide so that I can purchase a suitable laptop.
     
  2. pisthai

    pisthai Imperfect Human

    First of all: NOTHING could be really 100% protected! Period!

    Secondly: The best protection for any data is to keep it on a removable storage device! Have such a removable storage device connected only while the data from it is needed. If your laptop has a fingerprint reader, use that to protect the removable storage device for the time it's connected to the laptop.
    An iris scanner (to scan the iris of your eyes), if available, would be even better than a fingerprint reader.

    MORE Security isn't possible, I think!

    Every other use of Apps etc, etc., would be much more insecure!

    That's just what is the most possible way to secure important data and so on!
     
  3. shewolf

    shewolf MDL Senior Member

  4. laqk

    laqk MDL Novice

    In my opinion, and from my research, VeraCrypt is the most trustworthy tool for encryption since the demise of TrueCrypt.

    From what you're saying, I think the best solution for you would be complete physical disk encryption using VeraCrypt. You said you don't need your system partition to be encrypted, but I suppose it's not a problem if it is.

    In this mode, the complete physical disk is encrypted, along with all its partitions. When your computer boots, the VeraCrypt boot loader asks for your password. If the wrong password is entered, the disk will remain encrypted and the system will not boot. All partitions, in fact, all physical sectors on the disk, will be inaccessible. Since you use VeraCrypt, you already know that encryption/decryption overhead is very small, almost negligible, especially when using hardware-accelerated encryption/decryption available on virtually all recent processors.

    Look for "system disk encryption" in the VeraCrypt documentation. However, you should know that this configuration is incompatible with dual-boot systems.

    Note that if your laptop is stolen while sleeping, the thief may still be able to access your data even if your system asks for your password on wake, because in theory, VeraCrypt is still loaded and your system is still being decrypted on the fly. The only way to take full advantage of VeraCrypt's full system encryption is to completely shut down your laptop when not in use, or at least when at risk of being stolen or used without your knowledge.
     
  5. windows.seven

    windows.seven MDL Member

    Thanks for this very clear answer. Gives me a lot more confidence. I don't have an issue with the system partition being encrypted.

    I generally partition the hard disk and use D: drive for documents as well as "Desktop". If I choose to encrypt the system, would it also encrypt this data partition or do I have to do it separately? Would the same boot loader password work for decrypting both partitions?

    I generally hibernate the laptop. Does VeraCrypt work with hibernation or is shutting down the preferred option?
     
  6. GodHand

    GodHand MDL Senior Member

    Invest in data storage that uses hardware security (i.e. TCG Opal 2 self-encrypting drive). Most SSD drives have this by default (Crucial, Samsung, etc). In my opinion, anyone investing in a laptop should make sure the drive it comes with is self-encrypting.
     
  7. windows.seven

    windows.seven MDL Member

    Thanks, will look into this also.