How to keep your data safe from bad guys? Implementing VeraCrypt – Part 3

Encrypting the system disk after installing VeraCrypt is a fairly simple procedure. First, start the encryption wizard by selecting System -> Encrypt System Partition/Drive.

Opening Encrypt System Partition/Drive wizard.

Select Normal as the type of system encryption. The other option, Hidden, sets up a hidden operating system and is not covered here.

Type of System Encryption

In the next dialog, choose whether to encrypt only the partition where Windows is installed or the whole drive.

Select Area to Encrypt

You also need to tell VeraCrypt whether the computer has more than one operating system installed. Most computers have only one, so Single-boot is the usual choice. If you also boot Linux or another Windows installation from this machine, pick Multi-boot.

Single-boot vs Multi-boot

You can pick the encryption algorithm from several choices. VeraCrypt supports the following ciphers, either alone or as a cascade; in a cascade the data is encrypted with each cipher in turn, each with its own independent key.

  • AES
  • Serpent
  • Twofish
  • Camellia
  • AES(Twofish) – Data is first encrypted with Twofish and the result is then encrypted with AES.
  • AES(Twofish(Serpent)) – Data is first encrypted with Serpent, the result with Twofish, and finally with AES.
  • Serpent(AES) – First AES, then the result is encrypted with Serpent.
  • Serpent(Twofish(AES)) – AES >> Twofish >> Serpent.
  • Twofish(Serpent) – Serpent >> Twofish.
Selection of the encryption options.

Choosing the algorithm is always a balance between trust (AES is the Rijndael cipher standardized by the US NIST, which some users distrust on principle) and performance. The performance difference between the algorithms is steep. On my computer AES encrypts and decrypts at approx. 850 MB/s, while Serpent reaches roughly a fifth of that (~150 MB/s). The gap comes from the AES-NI instructions in modern CPUs, which VeraCrypt uses for AES; Serpent and Twofish have no hardware acceleration and run in software. The cost of a cascade is the cost of its ciphers added up, so AES(Twofish(Serpent)) is the slowest option.

Benchmark comparison of algorithms.
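As an added example (not from the original post, and not VeraCrypt's own code), the following shell script checks whether the CPU advertises AES-NI and, when asked to, reproduces the hardware-acceleration effect with OpenSSL: it benchmarks AES-256-XTS (the block mode VeraCrypt uses) first normally and then with the AES-NI and PCLMULQDQ instructions masked out through OpenSSL's OPENSSL_ia32cap variable, so the same cipher runs in software. It assumes Linux (/proc/cpuinfo), an x86 CPU and an openssl binary; the function names and the VC_BENCH switch are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of VeraCrypt.
# Checks for the AES-NI CPU flag and optionally benchmarks AES-256-XTS with and
# without the instructions to show why AES is so much faster than Serpent/Twofish.
# Assumes Linux (/proc/cpuinfo), an x86 CPU and openssl; all names are made up here.

# Succeed if a CPUID flags line (format of /proc/cpuinfo) lists the AES-NI flag "aes".
has_aesni_flags() {
    case " $1 " in
        *" aes "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Flags line of the first CPU; empty on systems without /proc/cpuinfo.
cpu_flags() {
    awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo 2>/dev/null || true
}

# Last field of an "openssl speed" result row, i.e. the throughput figure.
speed_last_field() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Throughput of AES-256-XTS on 16 KiB blocks (one second run) as printed by openssl.
# With the argument "noaesni", OPENSSL_ia32cap masks bit 57 (AES-NI) and bit 33
# (PCLMULQDQ), forcing OpenSSL onto its software AES implementation.
aes_xts_throughput() {
    if [ "$1" = "noaesni" ]; then
        row=$(OPENSSL_ia32cap="~0x200000200000000" \
              openssl speed -elapsed -evp aes-256-xts -bytes 16384 -seconds 1 2>/dev/null | tail -n 1)
    else
        row=$(openssl speed -elapsed -evp aes-256-xts -bytes 16384 -seconds 1 2>/dev/null | tail -n 1)
    fi
    speed_last_field "$row"
}

flags=$(cpu_flags)
if has_aesni_flags "$flags"; then
    echo "CPU advertises AES-NI: VeraCrypt's AES will use the hardware path"
else
    echo "No AES-NI flag found: AES runs in software, so the gap to Serpent/Twofish shrinks"
fi

# The benchmark takes a few seconds, so it only runs when VC_BENCH=1 is set.
if [ "${VC_BENCH:-0}" = 1 ] && command -v openssl >/dev/null 2>&1; then
    echo "AES-256-XTS with AES-NI:    $(aes_xts_throughput aesni)"
    echo "AES-256-XTS without AES-NI: $(aes_xts_throughput noaesni)"
fi
```

Run it as `VC_BENCH=1 sh aesni-check.sh`. With AES-NI masked out, throughput typically drops by a factor of several, which is the same kind of gap the benchmark dialog shows between AES and the other ciphers; Serpent and Twofish have no such instructions, so their figure is always the software one.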

The password must, of course, be strong; the dialog guides you and VeraCrypt warns if the password is shorter than 20 characters. Keyfiles (files used as part of the password) can be selected in this dialog for ordinary volumes, but they are not supported for system encryption.

Password selection

The encryption keys are derived from random data, and VeraCrypt collects part of that randomness from your mouse movements. Move the mouse around inside the dialog for a while (the longer, the better) until the keys have been generated.

Random data generation
Notification of the generated keys

VeraCrypt then creates a Rescue Disk image. With the rescue disk you can restore the VeraCrypt boot loader or the volume header (the encrypted key data) if they are damaged, or permanently decrypt the disk, but it does not bypass the password: you still need it to decrypt anything. The wizard only produces the image; you burn it to a CD / DVD or write it to a USB stick with a separate program, and the wizard then checks the medium before letting you continue.

Creation of Rescue Disk
Notification of the created Rescue Disk

VeraCrypt can also overwrite the original unencrypted sectors as it encrypts them (Wipe Mode), so that remnants of plaintext cannot be recovered with forensic tools. On SSDs, wear levelling means copies of overwritten sectors may remain in flash blocks the wipe cannot reach, so this gives less assurance than on a magnetic disk.

Wipe Mode settings

Before encrypting anything, VeraCrypt runs a pretest. It writes its own boot loader (the VeraCrypt Boot Loader) to the boot sector of the drive and reboots the computer. The pretest verifies that the boot loader starts, that your password is accepted and that the operating system still loads. Nothing has been encrypted at this point, so if the test fails the boot loader can be removed and the problem fixed.

VeraCrypt Boot Loader

After a successful pretest the actual disk encryption can start. It runs in the background while you use the computer and can be paused and resumed.

VeraCrypt is encrypting hard disk
