Explained: When to Encrypt your Hard Drive, and When not to
Infopackets Reader Scott writes:
" Dear Dennis,
I'm thinking of turning on disk encryption for my Windows 10 computer. I've never done this before. Is there anything to be concerned about or to be aware of? "
This is a good question.
The truth of the matter is that if you encrypt your entire C drive using Windows BitLocker or a third party utility, it's going to slow your system down quite a bit. The reason for this is because every single file written to the drive must be encrypted, and then decrypted when read - including your operating system files.
Constantly encrypting and decrypting files requires processing by the CPU, which takes time. The result is that you will be doing a lot of waiting while the system is constantly processing data in the background. This will be especially evident when you launch a program, open files, open folders (especially folders containing many files), copy files, extract files from an archive, install a program, and the like. Basically, anything you do on the system will now have considerable overhead. As such, I don't recommend encrypting the entire C drive unless you absolutely must.
Below I will explain various approaches to encrypting your data, and when you should use it.
When You should Encrypt the Entire Hard Drive
There are a few instances where encrypting the entire hard drive makes sense.
For example, you may work for a company that requires all the data on the drive be encrypted. In this case, it is company policy and therefore you have no choice in the matter.
Another possibility is that you are a political activist in a non-democratic society and you want to hide your tracks as to where you've been online. In this case, encrypting the entire drive makes sense because user data (and especially web browsing data) is mixed in with the operating system, which then can be used to trace user activity.
Unfortunately, using this method comes at a performance cost - but it does work.
Encrypting Only User Files on a Separate Partition
Another option is to only encrypt user files (and not the operating system) using BitLocker or similar. Compared to encrypting the entire hard drive, this doesn't have anywhere near as much overhead, and therefore the system won't be slowed down nearly as much.
I have a client (who is a Medical Doctor), who had medical records on her hard drive which by law must be encrypted in some manner or another. Before she met me, she encrypted the entire drive using BitLocker. When I started working on her system I noticed it was incredibly slow, which is how I noticed she had BitLocker turned on in the first place. Since there is no law to say exactly how her medical records were to be encrypted - only that they must be encrypted - I was able to convince her to disable BitLocker on the C drive, then move her medical records onto another hard drive partition (the "D Drive"), and only encrypt that. In doing so, it sped up her system dramatically.
For most users, the same can be achieved by creating a separate hard drive partition (let's call it the D drive) and then moving all your Documents, Pictures, Videos, Downloads, and anything else in your user Library to that drive. You would then need to modify your user Library preferences to point to the new partition so that shortcuts pointing to the Libraries are valid. Once that is done, you can turn BitLocker on the D drive and it will only encrypt those files.
Locking the Hard Drive with a Password via the BIOS
Another option is to lock the hard drive using a password in the BIOS (basic input output system).
The BIOS is a pre-Windows environment that allows you to control the hardware of your computer with specific settings. Setting a hard drive password would essentially lock the drive and it would not be able to boot into Windows unless you provide the key. The key would then be required every single time the computer is turned on or rebooted. If the hard drive was taken out of the machine and placed in another, it would still remain locked unless a key was provided.
The best thing about this approach is that it does not require any CPU processing. The hard drive key is stored in the firmware on the hard drive; without the password, the hard drive is not accessible. Files are not encrypted, but the drive itself can only be accessed with the key, which means it is essentially locked from unauthorized use. This provides very good protection.
Password Protecting Files using Archives
If you have a handful of files that are sensitive which aren't used very often, then one option would be to store those files in a password encrypted archive file.
Using 7-Zip (freeware), this is possible - but only if you use the .7z format as this will password protect the contents of the .7z file from being browsed (and also extracted). It's important to note that the contents of a password protected .ZIP file can be browsed - but not extracted without a password. Please understand this distinction should you use 7-Zip.
For all intents and purposes, storing files inside a password protected archive is not very practical if you intend to modify the contents of the archive. In this case you would have to extract whichever file from the password protected archive, read or modify the file, then place it back into the password protected archive, then securely delete the non-archived file to cover your tracks.
Encrypting Text Files
If your sensitive data is simply text files - such as passwords and banking information - another option is to store the text in a password protected AND securely encrypted file.
For example, Excel files can be password protected and encrypted, though the strength of the encryption depends on which version you're using (the newest versions contain the strongest encryption). Optionally, you can use a freeware third party utility that encrypts + password protect text files (preferably AES 128-bit encryption strength or better), or use a program like RoboForm to store your passwords - which also has the option to create password protected (and very strongly encrypted) files to hold text data.
In either of these cases, the file would not be viewable unless you provided a password; in RoboForm's case, the file would also automatically close if left open for a period of inactivity. You could also easily edit and save changes to any of these file without having the hassle I mentioned with archived files.
There are Pros and Cons to encrypting your data, and many options to choose from (and some not mentioned in this article) - it all depends on what you're trying to achieve. Whichever method you choose - please remember this: for anything that is password protected, please store the password in a safe place; otherwise you may not be able to access your files.
If anyone reading this article needs to discuss their particular issue further - or, if you need help implementing any of the ideas I've mentioned, I would be more than happy to help (described next).
Additional 1-on-1 Support: From Dennis
As I've outlined in this article, encrypting the entire hard drive requires considerable overhead and will slow your computer down quite a bit. However, if managed properly, overhead can be minimal. If you need help encrypting data - whether it's a few files, an entire partition, or even a backup - I can help using my remote desktop support service. Simply contact me briefly describing your situation, and I will get back to you as soon as possible.
Got a Computer Question or Problem? Ask Dennis!
I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.
About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.
Infopackets Top Windows 10 FAQs
How to Upgrade from Windows 10 32-bit to 64-bit
How to Fix: Windows 10 Antivirus Missing, Not Compatible
How to Fix: Windows 10 Display Shifted; Screen Fuzzy
How to Upgrade Windows 7, 8 32-bit to Windows 10 64-bit
to Downgrade from Windows 10
- How to Fix: Windows 10 Upgrade Failed Error C1900208
- How to Fix: Windows 10 Upgrade Failed Error 80240020
- Can I Cancel my Windows 10 Reservation and Reserve Later?
- How to Clean Install Windows 10 using Windows 7, 8 License
- Will Windows 10 Install Automatically?
- Windows 10 Upgrade: Do I have to Reinstall Programs?
- Windows 10 Upgrade: Can I choose 32-bit or 64-bit?
- Which Version of Windows 10 Will I Get (Home or Pro)?
- How to Reserve Windows 10 Upgrade (Free)
- How to Fix: CPU Not Compatible with Windows 10 Error
- Windows 10 Upgrade: Can I keep my Old Windows Install?
- How to Cancel Windows 10 Reservation (Properly)
- Download Windows 10 .ISO (DVD) for Clean Install?
- Microsoft: Windows 10 Will Be The Last Version
- Does Windows 10 require the CPU to support PAE?
- Windows 10: Can I Upgrade or do I need a Clean Install?
Click here for more Windows 10 articles.