# How to encrypt an entire drive?



## Alex Ethridge (Apr 10, 2000)

I used to use TrueCrypt for this purpose. It would encrypt an entire drive easily, all partitions. One had to enter a password or the system would not boot.

I have a tablet with a 2TB SSD divided into five partitions, one WinRE, one 260-meg empty, and three others that are C, D, and E. I tried TrueCrypt and it returned the following error:

"Your system drive has a GUID partition table (GPT), Currently, only drives with MBR partition table are supported"

I tried BitLocker but I see no way to encrypt the entire disk.

I tried DiskCryptor and same problem.

I want this system locked down, or at least C, D, and E, in the event it is lost or stolen as there is sensitive information on it and I don't want to have to unlock each partition separately.

Truecrypt works so well for this purpose but, alas, this is not an MBR drive. Truecrypt would present a password screen prior to starting the Windows boot process and I would like to have that kind of function again.

Can GUID be converted to MBR safely?


----------



## 2twenty2 (Jul 17, 2003)

https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/

and scroll down page to
How to Encrypt a Drive with BitLocker


----------



## Alex Ethridge (Apr 10, 2000)

2twenty2 said:


> https://www.howtogeek.com/192894/how-to-set-up-bitlocker-encryption-on-windows/
> 
> and scroll down page to
> How to Encrypt a Drive with BitLocker


Thanks but I see instructions there for locking a drive which when taken in context is clearly partition. I want to lock all three of C, D, and E like I did with Truecrypt, and still could if it were an MBR system.

Am I missing something?


----------



## zx10guy (Mar 30, 2008)

How large is this data you're keeping on your laptop? I make it a policy to never keep sensitive data on my laptop and to copy it off onto other media or onto my fileserver at home.

For sensitive data I absolutely have to protect, I use one of these:

https://www.apricorn.com/aegis-secure-key-3

It's validated to FIPS 140-2 level 3 which is what many Federal agencies are requiring for security. It'll also do an automatic wipe of the data if there are a certain number of attempts with incorrect PINs that you can configure.


----------



## Johnny b (Nov 7, 2016)

I don't have the need, but that is impressive.


----------



## Alex Ethridge (Apr 10, 2000)

The objective is also to render the tablet unusable to a thief.


----------



## zx10guy (Mar 30, 2008)

We're talking about a tablet now?

Outside of an actual BIOS boot up password requirement which is hardware based and not software, even if you encrypt the drives with Truecrypt, it's not going to prevent a thief from just wiping the drive and installing whatever software they want on it. Data encryption, which is what Truecrypt is, does not do anything about hardware security. Apple is implementing this with their latest hardware where the hardware is registered to a person's iCloud account. If the hardware was stolen and resold, you can't reuse it unless you have the iCloud login credentials to unlock the device or you get the original owner to unregister the device from their account. All of this is being handled at the hardware level with their T2 chip.

For PCs, you can get TPM for some client devices.


----------



## Alex Ethridge (Apr 10, 2000)

zx10guy said:


> We're talking about a tablet now?
> 
> Outside of an actual BIOS boot up password requirement which is hardware based and not software, even if you encrypt the drives with Truecrypt, it's not going to prevent a thief from just wiping the drive and installing whatever software they want on it. Data encryption, which is what Truecrypt is, does not do anything about hardware security. Apple is implementing this with their latest hardware where the hardware is registered to a person's iCloud account. If the hardware was stolen and resold, you can't reuse it unless you have the iCloud login credentials to unlock the device or you get the original owner to unregister the device from their account. All of this is being handled at the hardware level with their T2 chip.
> 
> For PCs, you can get TPM for some client devices.


I understand that but most thieves aren't smart enough to understand how to make the system work via a wipe and reinstall to factory settings. If the computer is stolen, I understand I will never get it back. What I'm trying to do is come as near as possible to making his "work" unprofitable. And in addition, protect my data. There isn't a week that passes I don't read about a major data breach in a different major company, so for that reason, I think storing data in "the cloud" is foolish. All I know is what I read and what I read is not good.

Now, back to the original question: Is there a way to encrypt the drive in a way that the data is encrypted on C, D and E so that the OS will not boot without a password.

Truecrypt has such a feature but will work only on MBR partitions, not GUID. I'm looking for something that will work the same but on GUID.


----------



## Alex Ethridge (Apr 10, 2000)

By the way, this is not an ordinary tablet. It has full-blown laptop power squeezed into a tablet size. It has an 8th-generation i7 processor, 8 gigs of RAM and a two-terabyte SSD and runs as fast as any laptop I've seen.


----------



## zx10guy (Mar 30, 2008)

You assume too much about the intelligence level of thieves. Many are much smarter than you give them credit for. As I said, the only true way to prevent them from doing anything with the hardware is to have one with a hardware lock out built in. Just as you come on sites such as this or do online searches, a thief who isn't sure what to do with the hardware could figure out a way around any password challenge from a software lock out by just doing a Google search. But if it makes you feel better such as hiding an SSID on a wireless network, that's your prerogative.


----------



## Alex Ethridge (Apr 10, 2000)

Truecrypt has such a feature but will work only on MBR partitions, not GUID. I'm looking for something that will work the same but on GUID.

Can we address this question?


----------



## Johnny b (Nov 7, 2016)

Just pointing out....even if the hard drive is impossible to access, all a thief has to do is buy a new hard drive.


----------



## Alex Ethridge (Apr 10, 2000)

Truecrypt has such a feature but will work only on MBR partitions, not GUID. I'm looking for something that will work the same but on GUID.

Can we address this question?


----------



## Johnny b (Nov 7, 2016)

Have you tried a search?

But it would also have to address the point I made.


----------



## Alex Ethridge (Apr 10, 2000)

Johnny b said:


> Have you tried a search?
> 
> But it would also have to address the point I made.


Not relevant to the question.

Truecrypt has such a feature but will work only on MBR partitions, not GUID. I'm looking for something that will work the same but on GUID.

Can we address this question?


----------



## Johnny b (Nov 7, 2016)

Wouldn't that be Bitlocker?


----------



## Alex Ethridge (Apr 10, 2000)

Thanks but I see Bitlocker instructions for locking a drive which when taken in context is clearly locking individual partitions. I want to lock all three of C, D, and E like I did with Truecrypt, and still could if it were an MBR system.

Am I missing something?


----------



## Johnny b (Nov 7, 2016)

https://docs.microsoft.com/en-us/wi...ation-protection/bitlocker/bitlocker-overview



> In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.


----------



## zx10guy (Mar 30, 2008)

Johnny b said:


> Just pointing out....even if the hard drive is impossible to access, all a thief has to do is buy a new hard drive.


They don't even have to do that. Just boot off a rescue CD/USB or a Windows OS install medium and the would-be thief has access to the drive to load whatever they want on it. Data encryption is to protect the data. Not the hardware.


----------



## Alex Ethridge (Apr 10, 2000)

Unsubscribed


----------



## Macboatmaster (Jan 15, 2010)

I realise you have unsubscribed from the topic.
I have read the topic and I do not think it has been mentioned that TRUECRYPT is unsupported and has been since 2014
http://truecrypt.sourceforge.net/

*Please do read the warnings on the page in case you are still using TrueCrypt on another device.*

*The replacement* is VeraCrypt which does cater for UEFI and is largely based on TrueCrypt from whom the developers of VeraCrypt inherited the basic licence

VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. Brought to you by *IDRIX* and based on TrueCrypt 7.1a.

https://www.veracrypt.fr/en/Home.html


----------



## Triple6 (Dec 26, 2002)

BitLocker can be used to encrypt all the partitions, you just have to encrypt them individually. Then you enable Auto Unlock on the partitions other than C and when you unlock your C drive with a TPM or password/pin the rest can get unlocked with it. 

TrueCrypt/VeraCrypt or BitLocker won't make the tablet/computer unusable though, a thief simply has to wipe the drives to use them again. You might however be able to put a password on the BIOS/UEFI or the drive to lock it down further if the tablet/computer supports it.


----------
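
The BitLocker procedure from the post above (encrypt each partition, unlock C: before boot with TPM and PIN, auto-unlock the others), as an added example that is not part of the original thread. The drive letters C:, D: and E: come from the opening post; it assumes a TPM is present, an elevated PowerShell session, and that the "Require additional authentication at startup" policy permits a startup PIN.

```powershell
#Requires -RunAsAdministrator
# Added example: assumed layout is OS volume C: plus data volumes D: and E:.
$osVolume    = 'C:'
$dataVolumes = 'D:', 'E:'

$os = Get-BitLockerVolume -MountPoint $osVolume
if ($os.ProtectionStatus -ne 'On') {
    # Phase 1: protect the OS volume with TPM + pre-boot PIN.
    # A recovery password is added first so there is a fallback if the
    # PIN is forgotten or the TPM measurements change (firmware update).
    Add-BitLockerKeyProtector -MountPoint $osVolume -RecoveryPasswordProtector
    $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
    Enable-BitLocker -MountPoint $osVolume -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $pin
    Write-Host 'Reboot to pass the hardware test, then run this script again.'
    return
}

# Phase 2: auto-unlock keys are stored on the OS volume, so this step
# only runs once C: reports ProtectionStatus = On.
foreach ($v in $dataVolumes) {
    $vol = Get-BitLockerVolume -MountPoint $v
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Each data volume gets its own recovery password protector.
        Enable-BitLocker -MountPoint $v -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector
    }
    # Unlock this volume automatically after C: has been unlocked at boot.
    Enable-BitLockerAutoUnlock -MountPoint $v
}

# Verify: every volume should end up FullyEncrypted with protection On,
# and D:/E: should show AutoUnlockEnabled = True.
Get-BitLockerVolume -MountPoint (@($osVolume) + $dataVolumes) |
    Format-Table MountPoint, VolumeStatus, ProtectionStatus,
                 AutoUnlockEnabled, KeyProtector -AutoSize
```

Because the auto-unlock keys live on C:, the data volumes are only as well protected as the C: startup PIN; record each volume's recovery password somewhere other than the tablet itself.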



## Macboatmaster (Jan 15, 2010)

I suspect that Alex is not returning to the topic as per his post 20, when he took his bat and ball home.
In addition to posting the update to TrueCrypt - I sent him a Personal conversation in case he had decided to unwatch his topic as here



> https://forums.techguy.org/threads/how-to-encrypt-an-entire-drive.1237495/page-2
> You having unsubscribed from the topic, if you really have then of course you will not be notified of my post so I have sent you this personal message
> Macboatmaster


on the same day as I posted - my 21


----------



## zx10guy (Mar 30, 2008)

Triple6 said:


> BitLocker can be used to encrypt all the partitions, you just have to encrypt them individually. Then you enable Auto Unlock on the partitions other than C and when you unlock your C drive with a TPM or password/pin the rest can get unlocked with it.
> 
> *TrueCrypt/VeraCrypt or BitLocker won't make the tablet/computer unusable though, a thief simply has to wipe the drives to use them again. You might however be able to put a password on the BIOS/UEFI or the drive to lock it down further if the tablet/computer supports it.*


And this was what I kept telling him but he wouldn't hear it. He had to do it his way regardless of whether it is wasted effort. Oh well...the whole you can lead a horse to water...blah blah blah.


----------



## Macboatmaster (Jan 15, 2010)

I agree, however his original opening post dealt with TrueCrypt and its inability to cater for UEFI and therefore GPT 


> Truecrypt works so well for this purpose but, alas, this is not an MBR drive. Truecrypt would present a password screen prior to starting the Windows boot process and I would like to have that kind of function again.
> Can GUID be converted to MBR safely?


Whilst alternatives were suggested and Alex appears to have misunderstood the situation, the answer to his question was VeraCrypt, based on TrueCrypt, as per my post 21, but by then he had of course decided to leave the topic.


----------

