Either via hardware (built into the hard drive)
or software, such as:
Wikipedia's "Comparison of disk encryption software"
Martin Brinkmann's "List of TrueCrypt encryption alternatives"
Lifehacker's "How to Encrypt and Hide Your Entire Operating System from Prying Eyes"
Micah Lee's "Encrypting Your Laptop Like You Mean It"
Chris Hoffman's "Why a Windows Password Doesn't Protect Your Data"
EFF's "What Should I Know About Encryption?"
But from /u/jm9fw on reddit:
Veracrypt: A note for those doing full disk encryption:
I've said it here before many times but people just don't get it. I read the forums daily and constantly
see people who either can't log in to their OS anymore or they just lost everything.
After seeing this guy yesterday who said his life was on an encrypted disk and now he can't open it,
I decided to post again here. DON'T DO DISK ENCRYPTION. USE A CONTAINER. This poor guy explains what happened
and it looks like Windows decided to initialize the drive because it had no standard signature.
This isn't a Veracrypt issue, it's a Windows issue and Microsoft has been denying it for more than 10 years.
It happened to me twice. There is no way to recover this by restoring a header or anything. There are people
here who will say "blah blah you don't know what you are talking about, I don't have a problem." Sure, so go ahead
and learn the hard way and ignore the pages of similar complaints in the Veracrypt forum. Of course the people
who lost everything didn't have a backup either. It's a terrible thing to lose everything you have and I hate having
to see it almost daily. Use containers.
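
The first post blames the loss on a disk that carried "no standard signature". As an added example (not part of either reddit post, and not VeraCrypt code), this Python check reads the first two sectors of a disk or image and reports whether an MBR or GPT signature is present, or whether the start of the disk is random-looking data, as the start of a whole-device encrypted disk is. The function names, the 512-byte sector size and the 7.0 bits-per-byte entropy threshold are assumptions made for the example.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512  # assumption: 512-byte logical sectors (4Kn disks keep the GPT header at offset 4096)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(first_sectors: bytes) -> str:
    """Classify the first two sectors (LBA 0 and LBA 1) of a disk or image."""
    lba0 = first_sectors[:SECTOR]
    lba1 = first_sectors[SECTOR:2 * SECTOR]
    if lba1[:8] == b"EFI PART":              # GPT header signature
        return "gpt"
    if lba0[510:512] == b"\x55\xaa":         # MBR boot signature
        return "mbr"
    if entropy(lba0) > 7.0:                  # assumed threshold: random-looking data
        return "no-signature-high-entropy"
    return "no-signature-low-entropy"        # blank or wiped disk


def read_first_sectors(path: str) -> bytes:
    """Read LBA 0-1 from an image file or raw device node, opened read-only."""
    with open(path, "rb") as f:
        return f.read(2 * SECTOR)


def sample_ciphertext(n: int) -> bytes:
    """Constructed sample: deterministic random-looking bytes standing in for ciphertext."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


if __name__ == "__main__":
    mbr = bytes(510) + b"\x55\xaa" + bytes(SECTOR)                      # constructed
    gpt = bytes(510) + b"\x55\xaa" + b"EFI PART" + bytes(SECTOR - 8)    # constructed
    samples = {"mbr": mbr, "gpt": gpt, "blank": bytes(2 * SECTOR),
               "encrypted": sample_ciphertext(2 * SECTOR)}
    for name, image in samples.items():
        print(f"{name:10s} -> {classify(image)}")
```

A result of no-signature-high-entropy on a disk you encrypted whole is expected: the disk has no partition table for a partitioning tool to recognize, so have a backup before any tool is allowed to write to it.
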
And from /u/CharredOldOakCask on reddit:
VeraCrypt system encryption is flawed, and simply not user-friendly enough.
When Windows upgrades, or the computer unexpectedly shuts down (out of power), my [Veracrypt] boot-loader stops working,
and I have to use the recovery USB. This is happening a few times a year now, across multiple computers,
and every time I have no clue which is the correct menu choice to use when recovering. And the documentation
I was asked to save does not reference the same menu choices which are in the recovery USB. They say similar things,
but it is ambiguous which to choose. Googling to find clarity doesn't work either because the instructions there
are too generic too. More like what you can do, vs how to do it. It doesn't directly reference the recovery USB menu,
even when I specify version number. I'm quite tech-literate, data scientist and programmer by profession,
but I'm not a security specialist, nor do I know much about hardware and how a computer really boots.
The recovery USB is full of jargon, with very similar menu options, and even how to get it to run is unclear.
On top of this, booting after hibernation literally takes 20 minutes.
This simply isn't user-friendly enough. I'm going to upgrade Windows from Home to Professional and use BitLocker.
Ultimately the threat vector I'm concerned about is losing my laptop, and some crook reading data off it.
If some dedicated attacker (like the government or whatever) is after me, I'm screwed regardless.
I'm still going to use the file-based VeraCrypt encryption for extra sensitive data, but whole-disk
system encryption doesn't work for me.
The software approach offers several alternatives and gets a bit confusing;
hardware encryption may be the wave of the future (faster, OS-independent).
But hardware encryption is not open-source, so you can't verify how good or bad it is, and:
Dan Goodin's "Western Digital self-encrypting hard drives riddled with security flaws"
Joseph Cox's "Some Popular 'Self Encrypting' Hard Drives Have Really Bad Encryption"
Bill Buchanan's "Doh! What, My Encrypted Drive Can Be Unlocked By Anyone?"
Brendan Hesse's "How to Switch to Software Encryption on Your Vulnerable Solid-State Drive"
Hardware-encrypted flash drives are available, but again you can't verify the encryption, and they are probably not cheap:
FabatHome's "The 8 Best Encrypted Drives of 2018"
Keep your most critical data in an encrypted container / virtual disk (an encrypted file that looks like a disk drive to the OS),
perhaps by using VeraCrypt
or something similar.
Some advantages: you can have multiple containers, of varying sizes, with the same or different passwords,
and back them up on different schedules and/or to different places.
A more limited solution: keep your most critical data in an encrypted text file
(perhaps by using
or something similar). But it doesn't have to be a text file; you could have an Excel file
or Word file or database file.
BitLocker, 7-Zip, and AxCrypt can encrypt individual files or sets of files.