As technology improves our devices keep getting smaller and smaller, allowing us to take our data with us wherever we go. Desktop sales are falling while laptop and mobile device sales remain strong.
One of the safest ways to store data is using any of our best cloud storage providers, but sometimes you just have to keep files on your local disk as well. While carrying all our data with you is convenient, there is a potential problem that some users never stop to think about — what happens if your laptop or tablet is stolen or lost?
Your data is valuable to you. Whether it’s years of family pictures, your research, or your work files, chances are you don’t want a stranger snooping through it. By encrypting your hard drive — or securing it with a TrueCrypt alternative before sending it off to the cloud — you’re guaranteeing your data’s safety.
Today I’m going to show you how to encrypt a hard drive. It’s easy to do and once you have it set up the process is automatic. You don’t have to know arcane technical details to follow along, but I’ll provide a quick overview of how it works and then show you the best way to encrypt a hard drive — on Windows, Linux or MacOS.
Hard Drive Encryption Methods
Disk encryption works a little differently than email encryption in that you don’t have to encrypt files on an individual basis.
You could choose to encrypt only certain files, if you wanted to, but there is a problem with doing so: as you open files and use software, your computer often writes temporary files to the disk in locations you may not be aware of.
For example, if you are working on a sensitive document that you plan on encrypting when you’ve finished, the software may be copying the data to a temporary file as it automatically saves your work.
Even if you encrypt the file when you are finished and delete the original copy, it’s not truly gone. Think of your hard drive as storing an address that points to your files, rather than the files themselves — when you delete the file, you actually delete the “address” pointing to the file and your computer views that area as free space.
The data doesn’t actually disappear until your computer overwrites it, which occurs at random as you create or download new files. This means that an attacker could use forensic software to locate files that you thought were deleted, which defeats the point of encrypting them in the first place.
That is why full disk encryption is the best way to encrypt a hard drive. When you hibernate or shut your computer down, all of your data is locked away. It appears as random garbage to anyone that attempts to access it. If you want to learn more about this process, Symantec has an excellent white paper that’s a short, concise overview of the process.
A partition is simply a slice of your hard drive reserved for usage. Full disk encryption will create a small partition at the beginning of your drive that allows your computer to begin booting up.
The encryption software will encrypt the hard disk partition containing your operating system and data. When your computer starts only the small, unencrypted boot partition is available. Your data remains safe and inaccessible until you decrypt it.
Best Software to Encrypt a Hard Drive
The best program to encrypt a hard drive will depend on which operating system you are using. Operating system vendors realize that your data is valuable to you and each OS typically includes a utility to encrypt your hard disk during installation.
If you’ve already installed your operating system and find yourself wanting to encrypt a hard drive without formatting, don’t fret — there are ways to encrypt a hard disk drive that don’t require you to format and reinstall your computer.
What You’ll Need
All you need to encrypt your hard drive is the encryption software and, preferably, a flash drive or CD to store a backup key and passphrase, which is what you’ll need to unlock your encrypted disk.
Depending on the software used, you will unlock your hard drive using a password, a keyfile or both.
It’s extremely important that you do not lose your passphrase or key. Ideally, you will keep a written copy of your passphrase stored in a secure location known only to you at least until you’ve memorized it. Keep a copy of your recovery key on a USB drive and store it somewhere safe, as if you lose your passphrase and key there is no way for you to recover your data.
Encrypting a Hard Drive in Windows, Mac or Linux
We’ve covered why you need to encrypt your drive and what you’ll need to do it, now we’ll focus on the process of encryption depending on your operating system.
Encrypt a Hard Drive in Windows 7, 18 and 10
If you’re using Windows, I’ll show you how to encrypt a hard drive with BitLocker, provided by Microsoft. BitLocker is a highly secure tool that encrypts data using the Advanced Encryption Standard to lock your data away.
Step 1: Click “start,” click “control panel,” click “system and security” and then click “BitLocker drive encryption.”
Step 2: Click Turn on BitLocker.
Note: If your computer has TPM (Trusted Platform Module), BitLocker may turn it on and require a reboot. When you turn your computer back on, you’ll see a prompt on how to enable TPM — it varies depending on your hardware manufacturer, but if you need assistance feel free to comment or email me and I’ll walk you through it.
Step 3: You’ll choose to use a PIN, passphrase or a startup key to decrypt your hard drive, depending on which version of Windows or Bitlocker you use, and whether or not you have a computer with TPM.
Choose a pin from 8-20 characters and write it down until you memorize it. If you choose a startup key you can copy it to a flash drive.
Step 4: Save or print a recovery key. I suggest doing both, as losing this means losing your data. You may also choose to save the recovery key to your Microsoft account.
Step 5: You’ll be prompted to restart your computer and BitLocker will begin the encryption process.
Encrypt a Hard Drive in MacOS
Apple has taken a strong pro-privacy stance (well, most of the time) in order to protect their users. Since OS X Yosemite, FileVault has been enabled by default (check out our article on best TrueCrypt alternatives to find out more about FileVault).
This means if you are running Yosemite or later, you may already have full disk encryption enabled. You can check this by going clicking the Apple icon, clicking “system preferences” and then clicking “security & privacy.” The FileVault tab will show whether or not it is enabled.
Step 1: To turn FileVault on and encrypt a hard drive on your Mac, simply click the button labeled “turn On FileVault.” You will have to enter an administrator username and password, and if there are multiple user accounts you’ll have to click the “enable user” button. When FileVault is enabled, no user can automatically log in. The hard drive is only decrypted when a user enters their password to log in.
Step 2: At this point you’ll create a recovery key. On Yosemite and later versions, you can use your iCloud account to unlock your disk and reset your password.
If you’re still running Mavericks or earlier, you can store the recovery key with Apple by providing a security question and three answers.
Note: Write these down. If you lose them Apple will not be able to help you recover your data.
There is also an option to create a local recovery key. Again, write this down and store it in a secure location.
Encrypt a Hard Drive in Linux
There are many different distributions of Linux and encrypting a hard drive in Linux can be accomplished in several different ways.
The easiest method, of course, is to encrypt your hard drive during the installation of your chosen distribution.
Most of the popular Linux distributions provide this option during installation. Fedora, Ubuntu, Debian, Mint and openSuse are among the distributions that provide an easy-to-use full disk encryption method during installation.
Here’s the bad news: enabling full disk encryption on your Linux system after installation is a complex process that requires several several tricky steps.
First, you must be using Logical Volume Management (LVM) so that you can resize your existing partitions. Then you must have enough free space to create encrypted partitions for your existing data, copy it over and then delete your original unencrypted partitions.
To encrypt an existing Linux installation, you’ll need to be comfortable with the command line, as well as creating, resizing and destroying partitions manually. Your easiest option is to backup your data to an external drive using a tool like DejaDup and then installing a fresh copy of your distro of choice.
Most Linux distributions use a setup called “LVM on LUKS,” which means Logical Volume Management on Linux Unified Key Setup. This is a lengthy topic that I won’t delve into here for brevity’s sake, but interested readers can read more if they’re curious.
In short, during installation, when the installer is at the partitioning stage you can select to encrypt your hard disk. You’ll choose a passphrase, and be given the option to overwrite your existing data. If you have sensitive data, you should let the system overwrite it. Be aware that depending on your disk size this can be a very lengthy process.
As always, write your passphrase down until you’ve memorized it or keep it written down in a safe location. If you lose this passphrase, you lose your data.
A laptop is an easy thing to steal, and with it the valuable data you keep on it. While you can encrypt a file or a folder by itself, the only way to protect all of your data at once is to use full disk encryption.
Encrypting your hard disk in Windows, Mac or Linux is pretty easy and can be done in just a few minutes. If you want to double up on your security, we also recommend using any of our secure cloud storage providers.
Please let us know if you have any questions or comments, and feel free to share this on social media to help your friends, family or coworkers learn to keep their valuable data secure. Thank you for reading.