Any issues with encrypting C:\Users Folder, but not entire Partition?
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hello,
At the moment I'm planning on Encrypting my entire 2nd Hard Drive (Laptop) (Disk 2),
while not doing Full Disk Encryption on the main OS Drive (Disk 1).
I do additional partitions on Disk 1 apart from C: which I will be encrypting.
On "C:" partition, I would however like to specifically encrypt the entire "C:\Users" Folder/Directory.
Can someone please tell me if I may run into issues by doing this?
I'll be using VeraCrypt for the first time, so I'm not quite sure when I'll be given the option to password unlock (mount) "C:\Users", and if it may possibly affect my system starting in any way.
(Trying to research this, but not finding clear answers).
Ideally I would like:
(OS Drive is not encrypted, but all other partitions are encrypted, including the OS "C:\Users" folder)
1) Turn on Computer
2) Given option to unlock/mount all encrypted volumes with one password (I can put the same for each)
3) Windows Loads (before or after mount, I'm not sure the order or what's capable here)
4) I login to my User account, and all volumes should already be mounted/decrypted by this time.
Please let me know how I could achieve this, or what misconceptions I may be having about this.
Thank you,
Andrew
VeraCrypt does not perform folder or file encryption. VeraCrypt is a partition/disk encryption program.
Therefore, you cannot just encrypt the C:\Users folder.
Always have backups of your data. The same risks that can corrupt unencrypted HDD due to user error, software issues or hardware failure exist for encryption. Backup of your data to other physical medium is required to prevent lost of data.
Thanks for your responses.
Oh, I didn't know that.
In this case, I'll be researching and enquiring about other options/programs that could possible accomplish the same/similar.
Thanks for the reminder about backups.
Yes, I'm definitely very precautions with avoiding data loss, and I already have multiple backups of all my files (backed up again before disk exchange).
I have at least 2 external disk copies of my data (one is a WD Passport disk, which is auto-encrypted).
My main laptop has 2 disks inside of it. One is used for automatic backups of the other's important data.
Additionally, after I've completed my VeraCrypt setup, I plan on also having cloud backups (Glacier storage or similar), but I'll have to work out the exact process.
The issue of using third party programs to encrypt the C:\Users folder is that during the Windows OS loading sequence, the C:\Users folder will not be available during the boot process causing your system to fail to start properly.
You can research Microsoft's Encrypting File System (EFS).
Or you can use Microsoft's BitLocker to encrypt the entire C drive. There are some caveats if your PC does not have TPM which most consumer PCs do not have the TPM hardware. Google search will provide results for getting around the BitLocker TPM issue.
Continue to monitor the VeraCrypt version releases as more improvements are being added to avoid issues when performing a major Windows 10 upgrade when using VeraCrypt system encryption. The latest is 1.24 Beta 2.
https://sourceforge.net/p/veracrypt/discussion/general/thread/1aa241dcfc/
Thanks for the info. I can see how that could be a problem (getting third party programs to take actions before Windows boot).
Thought I know some functions, like disk partitioning is available during pre boot, so maybe there's some possible way (but difficult).
Actually just before my previous response, I made this post to address this question:
https://security.stackexchange.com/questions/202858/what-program-can-decrypt-specific-a-folder-files-during-windows-boot-loading-w
I had asked for an alternative other than BitLocker, haha.
I'll definitely do this right away, thank you!
I'll do so, thanks!
I actually upgraded today (a bit of a coincidence, didn't know a new version was just released).
Just some quick feedback:
I think it would be good if just a little work was done on the VeraCrypt website design:
https://www.veracrypt.fr/en/Home.html
When I first visited it recently this week, I was wondering if the design was broken (I refreshed to check if stylesheet didn't load correctly), and even slightly wondered if it was the official website.
I'm usually super busy, but if you're interested, I could find a couple of hours (hopefully this week) to do a quick CSS design for the website (voulenteer for free).
We shouldn't need to change any code for the site, I can improve the design from just one CSS file, so that the site has a modern, professional look, and probably even mobile ready (responsive) if I have the time.
You'll just need to insert/overwrite the new CSS code
(update: https://www.veracrypt.fr/en/styles.css),
and that should be it.
(I'm a professional website developer, now migrating into other more lucrative fields.)
Thank you Andew for the very gracious offer and good luck in your new career endeavors!
@Mounir,
See Andrew's style change improvements the website design in the post above for
https://www.veracrypt.fr/en/Home.html website.
You've very welcome, and thank you!
I'll go ahead and attempt to work on a CSS style improvement for the VeraCrypt website during this week.
I'll show the owners/Mounir the proposal, then they can decide from there if you would like to keep the design or not (as you can't make much decision without anything to look at). :)
I'll be off site for now, but have taken note, and will follow up with a design for the site during this week.
Kind regards!
Hi again. :)
After much consideration and also based on some feedback from the StackExchange post I made, I am now once again considering doing full OS disk encryption using VeraCrypt.
(This was my original plan, but after reading about issues with the Windows update, I became concerned, and created these posts).
I can see that based on your recent development updates, this particular problem may be resolved now.
https://sourceforge.net/p/veracrypt/discussion/general/thread/1aa241dcfc/
I have a specific question:
What constitutes as a "Major Windows 10 Update",
or more importantly,
"How often should I expect a possible Major Windows 10 Update?"
From what I read, the major updates are more than simply "patches", where lots of files are being re-writed. It's similar to a re-install of sorts.
If these updates are generally infrequent, I could probably take the chance of going full 100% encryption with VeraCrypt alone, and trust that the Win10 update bug is fixed, and if there are complications otherwise, at least it won't be a very frequent that I have to apply a fix/workaround.
I decided to also look myself, instead of just asking.
https://en.wikipedia.org/wiki/Windows_10_version_history
Version Codename Marketing name Release date
1507 Threshold 1 N/A - July 29, 2015
1511 Threshold 2 November Update - November 10, 2015
1607 Redstone 1 Anniversary Update - August 2, 2016
1703 Redstone 2 Creators Update - April 5, 2017
1709 Redstone 3 Fall Creators Update - October 17, 2017
1803 Redstone 4 April 2018 Update - April 30, 2018
1809 Redstone 5 October 2018 Update - November 13, 2018
1903 19H1 April 2019 Update - April, 2019
It would appear that these "Major Windows 10 Updates" happen 1-2 times every year?
https://www.zdnet.com/article/flaws-in-self-encrypting-ssds-let-attackers-bypass-disk-encryption/
https://www.us-cert.gov/ncas/current-activity/2018/11/06/Self-Encrypting-Solid-State-Drive-Vulnerabilities
Lately, Microsoft has been performing Windows 10 major upgrades twice a year. However, there are rumors that Microsoft will reduce the major upgrades to once a year due to the very buggy October 2018 release that caused people to lose data. Also, companies are unable to certify all their applications work properly with each upgrade occurring twice a year due to the time consuming effort.
Very important! Make sure you test being able to boot the VeraCrypt Rescue Disk to help resolve being "stuck" in a Windows boot repair loop by restoring the VeraCrypt bootloader or decrypting the VeraCrypt OS drive.
If you have other data partitions on the OS drive, my recommendation is to perform system encryption only on the OS partition and then encrypt the other data partitions using the same password and PIM values. You can automatically mount other partitions using System Favorites during Windows boot-up.
If you perform system encryption by selecting the entire drive option instead of just the C drive, if you have to decrypt the system encryption and the process fails due to bad blocks on the OS drive, then you will be unable to access the other encrypted partitions on the OS drive to get your data by putting the drive in another machine as a secondary drive then mounting them in VeraCrypt.