I am expecting my new laptop in a couple of days. This has a 2Tb HDD and comes with Win 10 Pro. The first thing I would do is shrink the C: drive to 200Gb max and made a D: drive for my data. I also change location of all User Folders to be under a single folder in drive D:. That way all my data is on D: partition and can be backed up easily. I also move the Desktop to D:. So D: needs to be accessible when the user logs in. The second thing I want to do is encrypt the full hard disk or at least the data. I have asked in a few forums and everyone recommended using BitLocker over Veracrypt. But I am bit confused and have a few queries : 1) Can I encrypt the whole hard disk at a time or I have to encrypt both partitions individually? 2) If I need to encrypt each partition and give the same passwords, will I have to enter the passwords 2 times on boot or will both be unlocked at the same time? 3) Can both partitions be NTFS formatted? 4) At boot will only the system partition be unlocked or both partitions together? If not then when would the 2nd partition be unlocked and what would happen to the mapped user folders till the time the D: partition is unlocked? 5) If I encrypt only D: drive, can it be NTFS formatted and would it be unlocked at boot through a password or after the booting is complete? Again, what happens to folders mapped in D: drive in this case? 6) If the laptop has any problem and I want to access the hard disk by connecting to another computer, can I unlock by using BitLocker software on another computer? Should I turn off TPM for this to work? How? 7) Is this scenario better suited to BitLocker or VeraCrypt?
you have to make sure that the PTK/TPM settings are present and on in your uefi bios settings for the windows partition to be able to be encrypted with bitlocker. you can easily encrypt other partitions that are not the windows partition using bitlocker, like a drive for all your personal data, which is what I do. All my partitions other than my windows partition are encrypted with bitlocker. there are other free software options for encryption, but I think it is just easiest to use what is already built into windows. no partitions are set up to be automatically unlocked at boot other than the windows partition when it is encrypted with bitlocker, and when the PTK/TPM settings are correct. so any mapped folders, or user profiles will not be able to be found because other partitions will have to be manually unlocked after sign in. you will have to use windows with bitlocker support to unlock any partition that is locked by bitlocker if the drive is removed and used in another computer or attached to another device for recovery purposes.
Thanks for the reply. If the partitions are not unlocked before boot, then I need to keep the user folders in C: drive only. But this defeats the purpose of having a data partition. I can of course create all new folders but then I can't use the "User folder" which may have it's own advantages. How do you deal with this issue? I generally hibernate the PC rather than shut down. In this case, what would happen, does BitLocker lock the folders or drive on hibernation or sleep? I guess even if I use VeraCrypt, it will have the same issue with mapped folders. I am keen to know how people address this issue. Every windows dialog box has the user folders linked so it's easier to change the location of user folders. But if this is not possible then I need to create shortcuts to my folders everywhere.
If you are not looking for further problems, encrypt your documents, folders - whatever, but do not encrypt your drive. Take this just like a warm (not hot) recommendation. Why do I recommend it? As you have noticed, there have been more and more cases in which there is no hard disk access after the updates, if the drive was before update encrypted. But decide for yourself how you want to get rid of your documents and other important files.
Then maybe I can just encrypt the data partition and not the system partition. I also have daily backups of all the data.
Think well, whether you need to do it. Do somebody really try to get into yours hard drive every day and steal or ruin your documents there? Are only thieves and malicious people around you? It's worth remembering that hackers don't interfere if something is encrypted. Hackers are always at least one step before of any kind of defense.
I understand your point. The only reason i want to do it is safeguard against laptop theft. There is no secret inside but just lot of personal files and family pictures which i wouldn't want anyone to have access to.
This is not entirely accurate information. You can simply disable the TPM requirement easily in Group Policy and furthermore set up pretty much any unlocking technique you want. Moreover, considering the original poster is using BitLocker's software encryption, as opposed to using BitLocker to offload the encryption to a hardware device (self-encrypting drive, for example), the requirements for using BitLocker is very low and can be enabled without any sort of hardware security. Hardware security integration like a TPM are designed to mitigate unattended tampering and prevent the breaching of data-at-rest. It's primary focus is not data-in-transit (i.e. "from the internet"). All hardware security is designed with the assumption the end-user is not brain-dead, and thus will also ensure their data is secure when the device is accessible. The TPM's primary focus is to protect the encryption key and ensuring hardware that it has authenticated by assigning its own certificates contained within the module itself remain married to the device, thus making removed hardware non-functional by just plugging it into another device. Of course there are ways around this, as nothing is 100% secure, the TPM is designed for hardware integrity and consistency; not to protect internet traffic or hold key passes. Those are things the end-user is required to do. Lastly, full BitLocker support is not necessary for recovery purposes, as BitLocker Recovery Agent certificates use the certificate's thumbprint, included with command-line/PowerShell, for full recovery purposes.
I think i will try both BitLocker and VeraCrypt on the data partition once I get the laptop. Would there be any way that I could unlock the partition before user logs in? Then i could maybe shift the user files to data partition
Yes, bitlocker is more secure, but what are we talking about protecting? I know you can bypass the drive lock easier, but it's more convenient. Any sensitive data I encrypt in databases of some kind. I know that probably wouldn't be good enough if the drive is forensically examined. Everything else isn't a big deal, so I'd rather not let them just format the drive and reuse it. On the other hand, if your data is sensitive enough, and if you want the added hassle of drive encryption including encrypted backups, then you should do that.
Maybe it would be better not to create a data partition and just organiser data within the user folders. That way i can use BitLocker on the single partition. But i am not too happy with that scenario
What I'm trying to say is that if my laptop gets stolen, I don't wan't the content's to be as easily accessed as "click to extract password". On the other hand, I'm willing to accept that it's still hackable, because going beyond regular encryption, whatever that means, isn't worth it.
There is NO SUBSTITUTE for Drive/Partition Encryption when dealing with security, especially from theft. My laptop has a master boot password, can't go past post without it, not even boot selection, but if the hard drive was ever removed, even with a hard drive password set, the drive contents can be accessed. This is not the case with Encryption. Anyone suggesting OP to not encrypt is not very adept at security.