How I can encrypt Windows if I use a SSD and HDD?

Question

I need to encrypt my Windows Disks with full disk encryption. Windows is already installed and all drives have data.

My Drives/Disks: 1 SSD - C: drive 1 HDD - D: drive and I have a drive where Linux is installed

I need to encrypt C: and D: drives so no one see my files in case they access my PC or use Live Boot CD to boot. I checked Veracrypt. It's open-source, but It allows to encrypt only my C: because Veracrypt System Encryption encrypt a partition or drive where Windows is installed and from which it boots. So my D: remains unencrypted. Then I checked Bitlocker. I can use it, because I use Windows Enterprise. It's closed sources, but I saw different articles like Crack Bitlocker, Remove Bitlocker while I was googling about Bitlocker. I don't know if that software works. Bitlocker will allow me to encrypt all my windows drives C: and D:. But I want to know is Bitlocker safe ? What encryption I should use in my case ? Maybe any other software to encrypt ?

Answer 1

Requests for product recommendations are off-topic on this site. However, taking the narrower question of "is Bitlocker safe", yes it is if you use it correctly. (Same caveat applies to Veracrypt, any other reputable full-volume encryption utility, and for that matter any reputable encryption utility of any sort at all). While it's true that it's closed source, it has been extensively audited by both internal and external (under NDA) security experts, and Microsoft stands to lose a tremendous amount (both directly monetarily, and indirectly due to lost trust) if the promises they've made are false.

With that said, there are limits.

• If you use Bitlocker with a PIN/password but without a TPM or other secure key store, then an attacker could potentially brute-force the PIN/password. This is a problem shared by literally every system that doesn't have a secure place to store the key. Microsoft applied the standard mitigations - the key derivation algorithm is extremely slow and computationally expensive so brute-forcing is also slow and hard to parallelize, and there's a default minimum length on the PIN/password which can be made even longer - but if you use a weak password there's no software solution in the world that can save you.
• If you use TPM-only mode (also known as transparent mode) - where the key is stored in a hardware security module and only "unsealed" when the machine has booted up following the expected code path (so, no booting from a live CD or flashdrive or whatever) - then the security boundary becomes the Windows login screen, and somebody who steals your whole computer can potentially steal the disk encryption key out of RAM using a hardware attack after the machine boots up but while it's sitting at the login screen.
• If you store the recovery "password" - a long and random string that is used as the last-ditch unlock method if the machine can't be booted otherwise - somewhere that is protected by a weaker password (such as in a cloud storage provider) or somewhere an attacker can physically access it when stealing your machine, they can potentially obtain the recovery password and then just enter it and have full access to the disk.
• If the attacker steals your machine while the decryption key is in RAM (because the system is either running or in suspend/sleep mode), the same kind of hardware attacks used against TPM-only/transparent mode can be used. You need to configure the machine to hibernate (not sleep) so that the key is purged from memory, and ensure it does this quickly enough that an attacker can't walk off with the machine while it's running.

Also, for what it's worth, Veracrypt does support automatic mounting of volumes (such as your data drive) after login. See https://www.veracrypt.fr/en/Favorite%20Volumes.html for more details. I haven't tried this myself, but it looks like it might work for you.