Windows 10
Protect your data
March 2020
BitLocker Drive
Encryption
Encrypt individual files with a personal
key using Gpg4win.
using a file extension – this can be
problematic – and click Save. Click Next
to choose your encryption options for
the volume. Five encryption algorithms
are supported: AES, Serpent, Twofish,
Camellia, and Kuznyechik – select one at
a time for a description. Beneath these
are no fewer than ten combinations of
two or more algorithms for those who
want multiple layers of encryption.
The truly paranoid can click the Test
button next to an option to verify
VeraCrypt’s implementation of the
selected algorithm is compliant with
certain standards.
Click the Benchmark button to open
the Algorithms Benchmark window,
then click Benchmark to compare the
performance of each encryption
algorithm. The process of encrypting
and decrypting data will have an impact
on disk write/read speeds, and you can
compare the different algorithms (single
and combined) from here. Straight AES
encryption is recommended for most
people, or AES combined with Twofish if
you want a second layer.
Beneath the encryption algorithm,
you’ll see a section on hash algorithms,
complete with a handy link explaining
how they work. These are basically used
to generate the encryption keys and
salt (random data used to protect
your password from hackers). Five
hash algorithms are currently
supported, but for most people, the
default SHA-512 is fine – you might
choose SHA-256 if performance is
more important than security.
Extra authentication
Once you’ve chosen your options, click
Next. You’re now prompted to set a size
for your file container. Choose a figure
based on how much data you need to
encrypt and how much free space is
available. Click Next to enter a password
– you’ll need this to access your files in
future, so make sure it’s memorable (or
stored somewhere secure, like a
self-hosted Bitwarden password
manager), but also tough to crack. Try to
make it at least 20 characters in length.
Gain additional protection by ticking
Use keyfiles and clicking the Keyfiles
button. This adds another layer of
protection: Not only do you have to
enter your password correctly, but you
also need to select whichever file (or
files) you choose to be linked to your
container. These files can be already
present on your hard drive – choose a
compressed format such as MP3 or Zip –
or you can have VeraCrypt generate a
new random key file from scratch. Either
way, make sure the files are backed up
somewhere safe, because if they’re
deleted or the first 1,024KB of data is
changed, your vault will be impossible
to access.
Checking the Use PIM box creates an
additional step after clicking Next,
where you can set a custom Personal
Iterations Multiplier. The default setting
(485) prioritises security over speed
when mounting the volume after each
system boot – should you wish to
reduce the time taken, you can set a
lower value, but make sure you’ve set a
lengthy password.
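The trade-off behind the hash algorithm and PIM settings, as an added example (not code from the magazine or from VeraCrypt). It assumes the mapping given in VeraCrypt's documentation for file containers, iterations = 15000 + PIM × 1000, and its rule that a PIM below 485 requires a password of 20 or more characters. The function names and the 64-byte output length are choices made for this sketch, and keyfiles are not modelled.

```python
import hashlib
import os
import time

DEFAULT_PIM = 485          # default quoted in the text above
SALT_BYTES = 64            # VeraCrypt volume headers carry a 512-bit random salt
MIN_LEN_FOR_LOW_PIM = 20   # documented minimum password length for a PIM below 485


def pim_to_iterations(pim: int) -> int:
    """PBKDF2 iteration count for file containers and non-system volumes."""
    if pim < 1:
        raise ValueError("PIM must be a positive integer")
    return 15000 + pim * 1000


def derive_header_key(password: str, salt: bytes, pim: int = DEFAULT_PIM,
                      hash_name: str = "sha512", key_len: int = 64) -> bytes:
    """Stretch the password with PBKDF2-HMAC using the chosen hash (sha512 or sha256)."""
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be 64 bytes")
    if pim < DEFAULT_PIM and len(password) < MIN_LEN_FOR_LOW_PIM:
        raise ValueError("a PIM below 485 needs a password of 20+ characters")
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt,
                               pim_to_iterations(pim), key_len)


def guess_cost_seconds(password: str, pim: int, hash_name: str = "sha512") -> float:
    """Wall-clock time for one password guess at this PIM on this machine."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    derive_header_key(password, salt, pim, hash_name)
    return time.perf_counter() - start


if __name__ == "__main__":
    passphrase = "constructed sample passphrase 2020"  # constructed sample, 34 characters
    for pim in (DEFAULT_PIM, 100, 1):
        cost = guess_cost_seconds(passphrase, pim)
        print(f"PIM {pim:>3}: {pim_to_iterations(pim):>7} iterations, "
              f"{cost * 1000:.1f} ms per guess")
```

The time printed per guess is both the delay you pay at each mount and the work an offline guesser must repeat for every candidate password, which is why a lower PIM is only reasonable with a long password.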
Format and mount
After clicking Next, you’re asked if you
plan to store files larger than 4GB in
your new virtual drive – this determines
which filesystem is set as the default in
“An encrypted file container is the
safest option, because it creates a
single file on an existing hard drive”
If you’re using a higher-end version of
Windows – Professional, Education, or
Enterprise – and you’re looking to
encrypt an entire drive, you might like
to use the built-in BitLocker tool. It
can be used to encrypt fixed and
removable drives, as well as your
Windows boot drive, making it possible
to protect the contents of your laptop
should it be stolen.
Type “bitlocker” into the Search box
and click Manage BitLocker. You’ll see a
list of all available drives in the main
window. Expand one and click Turn
BitLocker on. If you’re looking to
encrypt the main system drive, you may
see an error about your PC not having a
compatible Trusted Protection Module.
Check your motherboard specifications
– you may be lucky and simply need to
enable TPM support in the BIOS (look in
the Security section).
You’re prompted to create a backup
of the recovery key required, then
follow the wizard, selecting appropriate
choices depending on your drive and
PC setup. Run the recommended
BitLocker system check, and you
should be able to use your drive while
it’s being encrypted.
Fixed or removable data drives are
protected by password or a compatible
smart card – TPM module not required.
When you plug in the drive or reboot
Windows, you need to provide the
password or plug in the smart card to
unlock the drive.
BitLocker is relatively straightforward
to use, but relies on your trusting
Microsoft, because unlike the open-
source VeraCrypt, its code isn’t available
for audit. You’re also restricted to its
128-bit or 256-bit AES encryption.
Windows 10 Home users don’t get access to
native encryption tools.