Explained: When to Encrypt your Hard Drive, and When not to

By Dennis Faas

Infopackets Reader Scott writes:

"Dear Dennis,

I'm thinking of turning on disk encryption for my Windows 10 computer. I've never done this before. Is there anything to be concerned about or to be aware of?"

My response:

This is a good question.

If you encrypt your entire C drive using Windows BitLocker or a third party utility, every block written to the drive is encrypted and every block read from it is decrypted, including the operating system's own files. (BitLocker works at the disk-sector level, not file by file, which is why the operating system cannot be left out.)

Constantly encrypting and decrypting requires processing by the CPU, which takes time. How much time depends on your hardware: modern processors have dedicated AES instructions (AES-NI) that BitLocker uses, and with them the overhead is small for most workloads; on older processors without them, or with software-only tools, the waiting is noticeable. It shows up most when you launch a program, open files, open folders containing many files, copy files, extract files from an archive, or install a program, because all of these are disk-heavy. As such, I don't recommend encrypting the entire C drive unless you need to (see the cases below) or you have confirmed that the overhead on your own machine is acceptable.

Below I will explain various approaches to encrypting your data, and when each one makes sense.

When You should Encrypt the Entire Hard Drive

There are a few instances where encrypting the entire hard drive makes sense.

For example, you may work for a company that requires all the data on the drive be encrypted. In this case, it is company policy and therefore you have no choice in the matter.

Another possibility is that you are a political activist in a non-democratic society and you need to protect the record of where you've been online if the computer is lost or seized. In this case, encrypting the entire drive makes sense because user data (and especially browser history, caches and cookies) is mixed in with the operating system: Windows keeps the page file, hibernation file, temporary files and search indexes on C, and all of these can be used to trace user activity. Note that full-drive encryption protects data at rest, that is, when the computer is off or the drive has been removed; it does nothing to hide your traffic on the network.

Unfortunately, using this method comes at a performance cost - but it does work.

Encrypting Only User Files on a Separate Partition

Another option is to encrypt only your user files (and not the operating system) by putting them on a separate partition and protecting that partition with BitLocker or similar. The overhead is then confined to reads and writes of that one partition, so the operating system and your programs run at normal speed.

I have a client (a medical doctor) who had medical records on her hard drive which by law must be encrypted in some manner or another. Before she met me, she encrypted the entire drive using BitLocker. When I started working on her system I noticed it was incredibly slow, which is how I noticed she had BitLocker turned on in the first place. Since there is no law to say exactly how her medical records were to be encrypted, only that they must be encrypted, I was able to convince her to disable BitLocker on the C drive, then move her medical records onto another hard drive partition (the "D Drive"), and only encrypt that. In doing so, it sped up her system dramatically.

For most users, the same can be achieved by creating a separate hard drive partition (let's call it the D drive) and moving Documents, Pictures, Videos, Downloads and the rest of your user folders to it. In Windows 10, do this through each folder's Properties > Location tab rather than by copying the files by hand, so that the shortcuts and Libraries that point at those folders remain valid. Once that is done, turn BitLocker on for the D drive and it will encrypt only those files. Two caveats apply. First, programs still scatter copies of your data on C (the page file, the hibernation file, temporary files, browser profiles, thumbnail and search-index caches), so this protects the documents themselves but not every trace of them. Second, BitLocker can only auto-unlock a data drive when the operating system drive is also BitLocker-protected, so with C left unencrypted you will enter the D drive password after every boot.
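The steps above, as an added example that is not code from the original article: it turns BitLocker on for the data partition (assumed to be D:, already formatted as NTFS) with a password protector and a recovery password, confirms the volume state, and then reports whether the places on C where Windows keeps copies of your data are protected. Run it in an elevated PowerShell on Windows 10 Pro or Enterprise, which ships the BitLocker module it uses; the Get-SpillStatus helper is this example's own.

```powershell
# Added example, not code from the original article. Enables BitLocker on a
# data partition (assumed D:, already NTFS) that holds the relocated user
# folders, then reports where Windows still writes copies of your data on the
# OS drive. Requires an elevated PowerShell and the BitLocker module.

$Mount = 'D:'

# 1. Password protector. With C: unencrypted there is no auto-unlock, so this
#    password is requested the first time the drive is accessed after a boot.
$pw = Read-Host -Prompt "Choose the password for $Mount" -AsSecureString
# Full-volume encryption on purpose (no -UsedSpaceOnly): free space on a
# partition that already held sensitive files contains their deleted remains,
# and -UsedSpaceOnly would leave that free space in the clear.
Enable-BitLocker -MountPoint $Mount -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $pw | Out-Null

# 2. Recovery password: the 48-digit key that gets the data back if the
#    password is forgotten. Print it once and store it off this machine.
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null
$vol = Get-BitLockerVolume -MountPoint $Mount
$recovery = ($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
Write-Host "Recovery password for ${Mount}: $recovery"

# 3. State check. EncryptionPercentage climbs in the background; the drive is
#    only protected once ProtectionStatus reads 'On'.
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    EncryptionMethod, EncryptionPercentage

# 4. Spill check: for each path that routinely holds fragments or copies of
#    whatever you open, report whether the volume hosting it is protected.
function Get-SpillStatus {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $drive  = Split-Path -Path $p -Qualifier          # e.g. 'C:'
        $status = (Get-BitLockerVolume -MountPoint $drive).ProtectionStatus
        [pscustomobject]@{ Path = $p; Volume = $drive; BitLocker = $status }
    }
}
$pagefiles = Get-CimInstance Win32_PageFileUsage | ForEach-Object Name
Get-SpillStatus -Paths (@($pagefiles) + @(
    "$env:SystemDrive\hiberfil.sys",   # hibernation image of RAM
    $env:TEMP,                          # installer, Office and browser temp files
    $env:LOCALAPPDATA                   # browser profiles, thumbnail and search caches
)) | Format-Table -AutoSize
```

If every row of the final table shows BitLocker "Off" for C:, that is the trade-off of this approach made visible: the documents on D: are protected, the residue of working on them is not. For a machine with AES-NI, compare that table against the measured overhead of simply encrypting C: as well before deciding.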

Locking the Hard Drive with a Password via the BIOS

Another option is to lock the hard drive using a password in the BIOS (basic input output system).

The BIOS (or the UEFI firmware on newer machines) is the pre-Windows environment that lets you control the hardware of your computer with specific settings. Setting a hard drive password there (an ATA security password) locks the drive itself: the machine cannot boot into Windows until you provide the password, and you will be asked for it every time the computer is turned on or rebooted. Because the lock is enforced by the drive's own firmware, the drive stays locked even if it is removed and placed in another machine.

The attraction of this approach is that it adds no CPU overhead: the drive refuses every read and write until the password is supplied. Be clear about what it buys you, though. On an ordinary drive the data on the platters or flash is not encrypted; the password is an access control, and specialist data-recovery tools and vendor service modes have bypassed such locks. On a self-encrypting drive (SED) the same password unlocks a key that the drive uses to encrypt everything it stores, which is much stronger, but you have to check that your drive really is one. Treat a BIOS hard drive password as a good deterrent against casual access, not as a substitute for encryption of genuinely sensitive data. Also be aware that not every desktop BIOS offers the setting; it is most common on laptops.

Password Protecting Files using Archives

If you have a handful of files that are sensitive which aren't used very often, then one option would be to store those files in a password encrypted archive file.

Using 7-Zip (freeware), this is possible, but only if you use the .7z format and tick "Encrypt file names" (the -mhe=on switch on the command line). With that option the archive header is encrypted too, so the file names, sizes and dates cannot be browsed without the password. A password-protected .ZIP file, and a .7z file without that option, encrypt only the file contents: anyone can list what is inside, even though they cannot extract it without the password. If you must produce a .ZIP, also choose AES-256 as the encryption method, because the default ZipCrypto scheme is weak and can be broken. Please understand these distinctions should you use 7-Zip.

For all intents and purposes, storing files inside a password protected archive is not very practical if you intend to modify the contents of the archive. In this case you would have to extract whichever file from the password protected archive, read or modify the file, then place it back into the password protected archive, then securely delete the extracted copy to cover your tracks. Be aware that "secure delete" is unreliable on SSDs, since wear levelling means an overwrite does not necessarily hit the cells that held the original, and Windows may have left further copies in the page file or temporary folders; the extracted file is only as private as the drive you extracted it to.
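The browsing distinction in practice, as an added example that is not code from the original article: it builds three password-protected archives from constructed sample files and lists each with a deliberately wrong password, so you can see which formats still expose the file names. It assumes the 7-Zip command-line tool is on PATH as 7z; the sample files, folder and password are this example's own.

```powershell
# Added example, not code from the original article. Builds three
# password-protected archives from constructed sample files and lists each
# one with a wrong password to show which formats expose file names.
# Assumes 7z (7-Zip command line) is on PATH.

$null = Get-Command 7z -ErrorAction Stop
$password = 'use-a-long-passphrase-of-your-own'     # demo value only
$work = Join-Path $env:TEMP ('archive-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'patient-list.txt') -Value 'constructed sample content'
Set-Content -Path (Join-Path $work 'bank-notes.txt')   -Value 'constructed sample content'

Push-Location $work
try {
    # .zip: contents encrypted (AES-256 requested; the default ZipCrypto is
    # weak), but the central directory with every file name stays in clear.
    & 7z a -tzip -mem=AES256 "-p$password" secret.zip *.txt | Out-Null
    # .7z without header encryption: same exposure of names, sizes and dates.
    & 7z a -t7z "-p$password" secret-noheader.7z *.txt | Out-Null
    # .7z with -mhe=on ("Encrypt file names" in the GUI): header encrypted too.
    & 7z a -t7z -mhe=on "-p$password" secret-header.7z *.txt | Out-Null

    foreach ($archive in 'secret.zip', 'secret-noheader.7z', 'secret-header.7z') {
        Write-Host "`n== Listing $archive with a wrong password =="
        # The first two print both .txt names anyway; the third refuses to
        # open the archive at all, because its file list is encrypted.
        $listing = & 7z l -pwrong-password $archive 2>&1 | Out-String
        Write-Host $listing
    }
}
finally {
    Pop-Location
    Remove-Item -Path $work -Recurse -Force
}
```

The names "patient-list.txt" and "bank-notes.txt" appearing in the first two listings are the point: an archive's contents can be secret while its table of contents tells an attacker exactly what to go after.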

Encrypting Text Files

If your sensitive data is simply text files - such as passwords and banking information - another option is to store the text in a password protected AND securely encrypted file.

For example, Excel (and Word) files can be password protected and encrypted, though the strength depends on the file format and version: the old .xls and .doc formats use weak RC4 encryption that can be broken quickly, while the modern .xlsx and .docx formats use AES with a slow password-stretching step, and the newest versions are the strongest. Optionally, you can use a freeware third party utility that encrypts and password protects text files (AES 128-bit or better, and ideally one that also stretches the password and detects tampering), or use a program like RoboForm to store your passwords, which also has the option to create password protected (and very strongly encrypted) files to hold text data.

In either of these cases, the file would not be viewable unless you provided a password; in RoboForm's case, the file would also automatically close if left open for a period of inactivity. You could also easily edit and save changes to any of these files without the hassle I mentioned with archived files.
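What "AES 128-bit or better" should look like under the hood, as an added example that is not code from the original article and not the file format of RoboForm, Excel or any other product mentioned: a password-protected text file built from the .NET classes that ship with Windows PowerShell 5.1 and PowerShell 7. Beyond the cipher choice it shows the two properties a practitioner should look for in any such utility: the password is stretched with PBKDF2 so guessing is slow, and the file carries an HMAC so tampering or a wrong password is detected before any decryption happens. The container layout (salt, IV, AES-256-CBC ciphertext, HMAC-SHA256 tag), the iteration count and the function names are this example's own choices; the password is taken as a plain string for illustration only.

```powershell
# Added example, not from the article and not any product's real format.
# Container layout (this example's choice):
#   salt(16) | IV(16) | AES-256-CBC ciphertext | HMAC-SHA256 tag(32)

$Iterations = 600000   # PBKDF2 rounds; raise it if this runs instantly on your machine
$SaltLen = 16
$IvLen   = 16
$TagLen  = 32

function Get-DerivedKeys {
    param([string]$Password, [byte[]]$Salt)
    # One PBKDF2 run, split into an encryption key and a separate MAC key.
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $Salt, $Iterations)
    $encKey = $kdf.GetBytes(32)
    $macKey = $kdf.GetBytes(32)
    $kdf.Dispose()
    return [pscustomobject]@{ EncKey = $encKey; MacKey = $macKey }
}

function Protect-TextFile {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$OutPath,
          [Parameter(Mandatory)][string]$Password)   # plain string for illustration only

    $plain = [System.IO.File]::ReadAllBytes($Path)
    $salt  = New-Object byte[] $SaltLen
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

    $keys = Get-DerivedKeys -Password $Password -Salt $salt
    $aes  = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $keys.EncKey          # 32 bytes, so AES-256
    $aes.GenerateIV()                    # fresh random IV per file

    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $body   = [byte[]]($salt + $aes.IV + $cipher)

    # Encrypt-then-MAC: the tag covers salt, IV and ciphertext.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(,$keys.MacKey)
    $tag  = $hmac.ComputeHash($body)
    [System.IO.File]::WriteAllBytes($OutPath, [byte[]]($body + $tag))
    $hmac.Dispose(); $aes.Dispose()
}

function Unprotect-TextFile {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Password)

    $blob = [System.IO.File]::ReadAllBytes($Path)
    if ($blob.Length -lt ($SaltLen + $IvLen + 16 + $TagLen)) {
        throw 'File is too short to be a valid container.'
    }
    $bodyLen = $blob.Length - $TagLen
    $body = [byte[]]($blob[0..($bodyLen - 1)])
    $tag  = [byte[]]($blob[$bodyLen..($blob.Length - 1)])
    $salt = [byte[]]($body[0..($SaltLen - 1)])

    # Verify the tag first, in constant time, before touching the ciphertext.
    $keys = Get-DerivedKeys -Password $Password -Salt $salt
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(,$keys.MacKey)
    $expected = $hmac.ComputeHash($body)
    $hmac.Dispose()
    $diff = 0
    for ($i = 0; $i -lt $TagLen; $i++) { $diff = $diff -bor ($expected[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Wrong password, or the file has been modified.' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $keys.EncKey
    $aes.IV  = [byte[]]($body[$SaltLen..($SaltLen + $IvLen - 1)])
    $cipher  = [byte[]]($body[($SaltLen + $IvLen)..($bodyLen - 1)])
    $plain   = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Usage with a constructed sample file:
$demo = Join-Path $env:TEMP 'notes.txt'
Set-Content -Path $demo -Value 'bank login hint: constructed sample text'
Protect-TextFile -Path $demo -OutPath "$demo.enc" -Password 'use a long passphrase here'
Unprotect-TextFile -Path "$demo.enc" -Password 'use a long passphrase here'
Remove-Item $demo   # plain delete of the plaintext copy; on an SSD the bytes may still be recoverable
```

Change one byte of the .enc file with a hex editor and Unprotect-TextFile refuses it before decrypting anything; that is the property a bare "AES encryption" utility without a MAC lacks, and it is worth asking of any tool you pick.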

Conclusion

There are pros and cons to encrypting your data, and many options to choose from (and some not mentioned in this article); it all depends on what you're trying to achieve. Whichever method you choose, please remember this: for anything that is password protected, store the password (and, for BitLocker, the 48-digit recovery key) in a safe place that is not the encrypted drive itself; otherwise you may not be able to access your files.

If anyone reading this article needs to discuss their particular issue further - or, if you need help implementing any of the ideas I've mentioned, I would be more than happy to help (described next).

Additional 1-on-1 Support: From Dennis

As I've outlined in this article, encrypting the entire hard drive adds overhead and can slow your computer down, particularly on older hardware. However, if managed properly, the overhead can be minimal. If you need help encrypting data, whether it's a few files, an entire partition, or even a backup, I can help using my remote desktop support service. Simply contact me briefly describing your situation, and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing - please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via Live chat online on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

scowei wrote:

I'm intrigued with encrypting only my documents, but many of these are shared via Dropbox with others. That would eliminate their ability to open them, right? Just like encrypting everything, I guess.

Scott

ecash wrote:

Correct. There are some programs that can reside on systems that will auto-open certain files, like Word being able to open .xtml files (with all the stuff in it) and show you the page without all the design and page settings.

Dennis Faas wrote:

If you encrypt your documents on a partition (whether it's the entire drive or a separate volume), Dropbox would see the files as unencrypted as it operates as a service. If you use BitLocker to encrypt the files, the only thing you are protecting is the fact that the files are not accessible outside of authenticating your account (i.e. logging into Windows). Once the account is authenticated and/or you have a third party service accessing those files, the files are accessible.

ecash wrote:

First learn the good and bad of encryption.
Good: no one can read the data.
Bad: forgot the code.

Remembering codes is a problem, and people like shortcuts.
Simple and short passwords can be broken.
All you get is time with simple pass codes.
Never encode the OS (Windows/Mac/Linux/..). It just causes slow systems, and you will kill your computer. You will take a large hammer and beat it to death waiting for pictures and music to open and play.

There are programs that will encode every piece of data, but that same program is available to everyone: 7-Zip.

There are many tricks that can be done, but there are people that know what can be done. Like opening a tin can of beans and it's 1/2 full: you know there was another 1/2 can there.

Your best bet is:
Only encode data. A whole hard drive is tedious, a hassle, and unless you really need to protect yourself, not worth it. If you really want to protect your system...
Get an old electromagnet for degaussing video tape. A wire switch relay on your case, so the computer must switch this before starting.
If triggered, it will be about 1-2+ minutes before anyone gets the idea that the system is dying, as the magnet, on top of the hard drive, slowly destroys your computer.

If this is just for privacy:
Go ahead. Keep the kids out. Don't encrypt programs; they can't update and run badly. Create a directory of files to have encrypted, or get another hard drive for this; save all your data there, and have fun. If you have a hacker friend, he can add a line to erase the encoding program if the wrong password is entered.

Gekko_15158 wrote:

Thanks for this article. The first part was the most interesting. What do you think about Linux encryption on installation? I understood it has improved and has very little headroom. Your examples seem to apply to Windows only, am I right? I think it's not a good idea to use Windows if you are a political activist anyway. So does simply using unencrypted Linux substitute the need for full drive/partition encryption? And if you add some other layers like Whonix and VPN in between? And disable IME. Do you still think the full encryption is necessary for avoiding stalking?