Encrypting hard disks after VeraCrypt installation is quite a trivial procedure. First, start the encryption wizard by selecting System -> Encrypt System Partition/Drive.
Select Normal as System Encryption type.
In the next dialog you need to choose whether to encrypt only the partition where Windows is installed or the whole drive.
You need to tell VeraCrypt whether your computer has multiple operating systems. Usually computers have only one operating system installed, so by default you should select Single-boot. If you’re also running Linux or another Windows installation, pick Multi-boot.
You can pick the encryption algorithm from plenty of choices. VeraCrypt supports the following algorithms and combinations of them.
- AES(Twofish) – Data is first encrypted using Twofish and the result is then encrypted using AES.
- AES(Twofish(Serpent)) – Data is first encrypted using Serpent, the result is then encrypted with Twofish and finally with AES.
- Serpent(AES) – First AES then result is encrypted with Serpent.
- Serpent(Twofish(AES)) – AES >> Twofish >> Serpent.
- Twofish(Serpent) – Serpent >> Twofish.
Choosing the algorithm is always a balance between trust (AES is a US government managed algorithm) and performance. The performance difference between algorithms is steep. Using my computer as a reference, AES can encrypt and decrypt at approx. 850 MB/s, while Serpent’s performance is roughly a fifth of that (~ 150 MB/s). The difference is probably due to hardware acceleration of the AES algorithm.
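The nested notation in the list above and the trade-off described in this paragraph can be worked through in code. The following is an added example, not code from VeraCrypt: the function names are hypothetical, and the throughput figure is an estimate that assumes the cascade stages run one after another, fed with the two speeds quoted above.

```python
import re

KNOWN = ("AES", "Twofish", "Serpent")  # ciphers named in the list above

def application_order(name):
    """Ciphers in the order they are applied when encrypting.

    The innermost name in the nested notation runs first, so
    "AES(Twofish(Serpent))" is Serpent, then Twofish, then AES.
    """
    compact = name.replace(" ", "")
    tokens = re.findall(r"[A-Za-z0-9]+|[()]", compact)
    if "".join(tokens) != compact:
        raise ValueError(f"unexpected characters in {name!r}")
    ciphers = [t for t in tokens if t not in ("(", ")")]
    # The only valid shape is C1(C2(...Cn)...): names joined by "(",
    # followed by one ")" for every "(" that was opened.
    shape = "(".join(ciphers) + ")" * (len(ciphers) - 1)
    if not ciphers or shape != compact:
        raise ValueError(f"malformed cascade {name!r}")
    if len(set(ciphers)) != len(ciphers):
        raise ValueError(f"cipher repeated in {name!r}")
    unknown = [c for c in ciphers if c not in KNOWN]
    if unknown:
        raise ValueError(f"unknown cipher(s): {unknown}")
    return ciphers[::-1]

def decryption_order(name):
    """Decryption undoes the layers outermost first."""
    return application_order(name)[::-1]

def estimated_throughput(name, mb_per_s):
    """Rough cascade throughput in MB/s.

    Assumption (not from VeraCrypt): stages run one after another on the
    same data, so their per-megabyte times add up.
    """
    return 1 / sum(1 / mb_per_s[c] for c in application_order(name))

if __name__ == "__main__":
    measured = {"AES": 850, "Serpent": 150}  # figures quoted in the text above
    for cascade in ("AES", "Serpent", "Serpent(AES)"):
        print(cascade, application_order(cascade),
              round(estimated_throughput(cascade, measured), 1))
```

Under that assumption, every layer added to a cascade lowers throughput below that of its slowest cipher, which is the cost to weigh against not relying on a single algorithm.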
Naturally, the password must be cryptographically strong. VeraCrypt guides you through a dialog to select a secure password. The dialog also makes it possible to use files as keys (in place of a password); however, that feature is not supported for operating system disk encryption.
Mouse movement is used to generate the random data from which the key is created. The user must move the mouse over the dialog to generate the random number used to create the key.
VeraCrypt provides a recovery disk that can restore the disk's boot partition if it becomes corrupted. However, the recovery disk still requires the password to decrypt the files. You need to create the recovery disc with a separate program on a CD / DVD or a USB stick.
VeraCrypt can overwrite the original data while encrypting, which prevents the unencrypted data from being recovered with special tools.
VeraCrypt requires a pretest before encryption. In the pretest, VeraCrypt modifies the boot sector of the hard drive by storing its own boot loader there. The pretest verifies that the user password works and that the boot loader is able to load the operating system.
After a successful pretest, it is possible to start disk encryption.