Full Disk Encryption for Windows 7 Using TrueCrypt

Lawrence E. Hughes
18 September 2012

In a previous white paper, I covered how to protect the contents of a removable drive (e.g. a thumb drive
or USB external hard drive) using TrueCrypt. This is useful, but it is also possible to encrypt an entire hard
drive, including the boot and system tracks, with TrueCrypt. Once this has been done, someone who steals
your computer cannot access any information on it (or even boot the OS) without the boot passphrase.
Even forensic software that can recover files from a bare hard drive cannot recover information once the
drive has been protected this way.
When the system drive of a computer has been prepared in this manner, you must supply a passphrase
every time you boot the computer. This is used to create a key, which is used to decrypt the boot sector
and system image. All data written to the drive (including virtual memory swap files, automatically
backed-up documents, etc.) is encrypted on-the-fly before it is written, and decrypted on-the-fly
after it is read. This does not protect you against network-based attacks on a running computer, but
it is quite effective in preventing access to data at rest (the information on a powered-down
computer).
Many companies and government agencies now encourage or even require users to protect their
computers (especially notebook computers) with full disk encryption. There are several good quality
commercial packages that can be used to protect computers, some of which have been certified to meet
various government criteria (e.g. WinMagic). Microsoft provides a good, free full disk encryption utility
called BitLocker, but they chose to include this only with the Ultimate and Enterprise versions of
Windows 7.
Unless you are required to use a specific full disk encryption product, or one certified for use in
particular situations, the free open-source TrueCrypt software package provides excellent protection
and is quite easy to use. It even has advanced features such as support for USB and Smartcard security
tokens. Any on-the-fly disk encryption product will add some overhead to all disk reads and writes, but
with current processors, the overhead from TrueCrypt is really minimal. You will typically never notice
the reduced performance compared to the same system prior to protection.
TrueCrypt's full disk encryption works with Windows 7 (32-bit and 64-bit), Windows Vista SP1 or later
(32-bit or 64-bit), Windows XP (32-bit or 64-bit), Windows Server 2008 R2, Windows Server 2008 (32-bit
and 64-bit) and Windows Server 2003 (32-bit and 64-bit). It works with any edition of the above,
including Home editions.
When encrypting a non-system drive (including USB removable drives), it is possible to encrypt data in
place, but this is quite slow. If possible, it is much faster to back up any information on the drive to
be encrypted, encrypt the drive, then reload the information onto the encrypted drive from the backup.
When encrypting a system drive, this is not an option: you must encrypt the system drive in place (which
will take a while).

Contents Copyright 2013, Lawrence E. Hughes All Rights Reserved

Page 1

This tutorial will deploy full disk encryption on a newly installed Windows 7 Professional computer (that
happens to be running in VirtualBox, to simplify capture of screen images). It is possible to deploy this
on any Windows computer (running a supported OS), regardless of how long it has been in use or what
is currently installed on it (except for other software that intercepts the boot process, such as other full
disk encryption software). You should definitely back up everything important on the computer before
deploying full disk encryption, just in case.
Obtain and install TrueCrypt on the computer to be protected (if you need help with this, see the
tutorial on protecting external drives with TrueCrypt, or the TrueCrypt website or User Guide). I assume
that you have backed up everything and installed TrueCrypt.
Note: you must be able to burn a CDROM or DVDROM during this process or you will not be able to
complete it. Have a blank CDROM ready. If you are installing on VirtualBox you may need to install the
Guest Additions and use an external USB connected CD/DVD burner.
1. Launch TrueCrypt. In the menu bar, click on System and select Encrypt System Partition/Drive.


2. In the Volume Creation Wizard, select System Encryption type as Normal. Click Next.

3. For Area to Encrypt, select Encrypt the whole drive. Click Next.


4. If your system keeps things in a hidden partition at the end of the drive, and these must be
accessible before the system boots (e.g. RAID drivers or configuration, etc.), do not encrypt the
Host Protected Area. Most notebook computers do not do this, so the usual answer is Yes. You
can use Disk Manager to see if there is an extra partition at the end of the drive. If there is no
such partition, it doesn't matter what you select here. If in doubt, select No.
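The check described in step 4 can also be done from the command line. The script below is an added example, not part of the original tutorial or of TrueCrypt; it lists every partition on each physical disk with its offsets and drive letter, reports unpartitioned space after the last partition, and flags a trailing partition that has no drive letter (the usual sign of a hidden vendor, recovery or RAID configuration area). It uses only WMI classes present on Windows 7 / PowerShell 2.0 and should be run from an elevated prompt.

```powershell
# Added example (not from the original paper): show the partition layout of each
# physical disk so the "extra partition at the end of the drive" question in
# step 4 can be answered without opening Disk Management.
$disks = Get-WmiObject -Class Win32_DiskDrive | Sort-Object -Property Index
foreach ($disk in $disks) {
    "Disk {0}: {1}, {2:N1} GB" -f $disk.Index, $disk.Model, ($disk.Size / 1GB)

    # All partitions on this disk, ordered by where they start on the platter.
    $parts = Get-WmiObject -Class Win32_DiskPartition -Filter "DiskIndex = $($disk.Index)" |
             Sort-Object -Property @{ Expression = { [int64]$_.StartingOffset } }

    $lastEnd = [int64]0
    foreach ($p in $parts) {
        $start = [int64]$p.StartingOffset
        $end   = $start + [int64]$p.Size
        if ($end -gt $lastEnd) { $lastEnd = $end }

        # Resolve the drive letter mapped onto this partition, if there is one.
        $query  = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
                  "WHERE AssocClass = Win32_LogicalDiskToPartition"
        $letter = (Get-WmiObject -Query $query | Select-Object -First 1).DeviceID
        if (-not $letter) { $letter = "(hidden)" }

        "  {0,-22} {1,-8} start={2,14} end={3,14} {4,-28} active={5}" -f `
            $p.DeviceID, $letter, $start, $end, $p.Type, $p.Bootable
    }

    # Space after the last partition that no partition entry accounts for.
    # Win32_DiskDrive.Size is geometry-derived and may be slightly under the
    # true capacity, so a small or negative value here is normal.
    $tail = [int64]$disk.Size - $lastEnd
    if ($tail -lt 0) { $tail = 0 }
    "  Unpartitioned space after last partition: {0:N1} MB" -f ($tail / 1MB)

    # A trailing partition with no letter is the case step 4 warns about:
    # something (RAID config, OEM recovery tools) may need to read it raw
    # before Windows, and therefore before TrueCrypt, is running.
    $last = $parts | Select-Object -Last 1
    if ($last) {
        $q = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($last.DeviceID)'} " +
             "WHERE AssocClass = Win32_LogicalDiskToPartition"
        if (-not (Get-WmiObject -Query $q)) {
            "  NOTE: the last partition on disk {0} has no drive letter; identify it before encrypting." -f $disk.Index
        }
    }
}
```

On a default Windows 7 install the output shows only the 100 MB System Reserved partition followed by C:, so no note is printed; a third, letterless partition after C: is what warrants a closer look.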

5. You will be asked if it is ok for TrueCrypt to make changes to the hard drive. Click Yes.


6. TrueCrypt will try to detect hidden sectors at the end of the drive. When it is done, click Next.

7. Specify whether this is a Single-boot or Multi-boot configuration. In this case, there is only a
single copy of Windows 7 installed, so it is Single-boot. If your computer can boot multiple OSes,
select Multi-boot. Click Next.


8. Select the Encryption Options. In most cases, AES is the right choice. The only hash algorithm
supported for full disk encryption is RIPEMD-160. Click Next.

9. Enter the password (passphrase). It is very important that you select a strong one that you can
remember, but that nobody else is likely to guess. You should use one of at least 20 characters on a
production system. You can change it later if you need to. If you forget it, your computer will be
unusable. Enter it and confirm it, then click Next. Note that the passphrase used in this example is
short, and TrueCrypt will complain. You can override this and use any passphrase you like. You cannot
use keyfiles for full disk encryption.


10. TrueCrypt will collect random data from mouse movements; move your mouse around for a
minute, then click Next.

11. Windows will ask if it is OK for TrueCrypt to make changes to your hard drive. Click Yes.


12. TrueCrypt will generate the encryption keys and display a part of them. Click Next.

13. TrueCrypt will now create the ISO image of a Rescue Disk. This will be needed if something
happens to your boot image and it needs to be restored. You can also boot from this Rescue
Disk to start your computer if needed. It is created in your Documents folder by default. Click
Next.
14. TrueCrypt will automatically launch the Windows Disk Image Burner program to write this image
to a blank CDROM. TrueCrypt will not let you proceed without burning a disk and verifying it.


15. Select the drive to burn the image to. Load a blank CDROM and click Burn.

16. After the disk is burned, TrueCrypt will verify the disk. When this is done, click Next.


17. You can now select how the existing drive will be wiped clean of any trace of the original
unencrypted data before the encrypted data is written. In this case, there was nothing sensitive
on the existing hard drive, so select None. Click Next.

18. TrueCrypt will now do a pretest to make sure everything is working. Until you do this, nothing
has been changed on the hard disk. Click Test.


19. TrueCrypt will display some instructions as to what to do if your system will not reboot. You may
wish to print these out. When done, click OK. When it asks if it can restart your computer, click
Yes.
20. Your computer display will ask you to enter the boot passphrase. You will need to enter it
exactly the way you entered it. It is case-sensitive and spaces must be exactly the same. Enter it
now followed by Enter.


21. If everything went well, and you entered the correct passphrase, your computer will now
reboot. Log in as usual. TrueCrypt will automatically restart and display the following. Click
Encrypt. It will display some more instructions in the event things don't work. Read and/or print
them, then click OK. Windows will once again confirm that you want to allow TrueCrypt to make
changes to your hard disk. Take a deep breath and click Yes. TrueCrypt will show the progress
while it encrypts your drive, with an estimate of how long it will take. The 25GB virtual disk here
took about 40 minutes.

22. If necessary, you can pause this process for a short time, or even defer completion of encryption
until later. You can actually continue using your computer while its system drive is being
encrypted. However, your information is not fully protected until the entire drive is encrypted. If
you click on More information, it will open the TrueCrypt home page, which has extensive
additional information on how all this works. If you have additional drives on your computer,
you may wish to encrypt them as well. You can still use encrypted removable drives just as you
can with an unprotected computer. If for any reason you want to unprotect your computer, you
can decrypt your drive(s) and remove the TrueCrypt boot manager. If you format the hard drive,
all information will be lost as usual (and the new install will not be encrypted, unless you go back
through this entire procedure).


If you back up your data, you should do so to an encrypted removable drive, as otherwise the
backup will not be encrypted, and if someone can obtain your backup drives, they can retrieve
the information (unless your backup system has cryptographic protection as well).
TrueCrypt provides no protection for information being sent or received via network, serial
communication lines, backup drives, etc. It also does not prevent a hacker from obtaining access
to your running computer if you connect to the Internet and don't provide adequate network
protection. On the other hand, if someone steals your computer when it's powered down, your
data is really quite safe (unless they can somehow guess or obtain your passphrase). However,
there is nothing preventing them (or you) from destroying your data by formatting your drive.
Keep your Rescue Disk in a safe place, as someone can use it to obtain access to your data! If
you lose it, as long as your computer is functional, you can always generate another one.
23. When the entire drive is encrypted, you will see the final page. Click Finish. You can dismiss the
TrueCrypt program.
