Is there a way to make my hard drive inaccessible to everyone but me?



Let me give you some background story first: A computer technician challenged me to give him my laptop and ask him for any piece of information that I wanted to "hide" in my hard drive. He claimed that he would be able to retrieve anything, no matter what I do to hide it.

Since I do not appreciate absolute statements like: "and there is nothing you can do about it", I started thinking about this in my head. I realized that a very secure Operating System would not cut it, since he does not need to boot from this specific hard drive in order to find things in my hard drive.

The generic question here is:

Is there a way to completely secure all data in a hard disk? (I do not need detailed explanation on how to do it, I just need you to point me to a direction; I can read more about it myself)

Specifically, I suspect that I may need:

  • An Operating System that is very secure and possibly encrypts all the data that it stores (no idea if such a thing even exists).

  • If the above does not exist, is there a way to manually encrypt the data in my hard drive and still be able to boot from that hard drive?

In general, I want to make the hard drive as inaccessible as possible to anyone that is not me (= knows a specific password/key), so any solutions are welcome.


Posted 2012-04-26T09:35:36.673

Reputation: 779

35 Encrypt it and require a strong password or an encryption key that you have on a USB stick to decrypt. He just lost the game. You could probably just create a password protected RAR file with a strong password. Sorry to say, but I can smell his naïve adolescent attitude from here. – Daniel Andersson – 2012-04-26T09:42:28.067


It's a trick! If he is worthy of being called a computer technician, then he probably just wants to prepare some pranks.

– None – 2012-04-26T10:25:33.753

14, and – LawrenceC – 2012-04-26T12:26:36.840

@ultrasawblade That's what the Truecrypt hidden partition is for ;) – Bob – 2012-04-26T12:32:07.400

3 Implant it in your body and have it vibrate uncomfortably when it's in use... – ratchet freak – 2012-04-26T18:03:53.340

3 Give him a laptop with a completely randomized hard drive data and challenge him to find the secret message hidden within. If you can derive a message from this stream of bits and some secret key, this is technically encryption (feasible with OTP as well as any stream cipher), and has the advantage of being somewhat subpoena resistant, as you can keep a dummy key which will decrypt to something harmless. – Thomas – 2012-04-26T20:41:29.737

I would say to him "Go ahead. Make my day!" :) – Mayank – 2012-04-27T04:20:21.757

1 @F1234k - I'm very curious to know what you eventually did and how it turned out. Those kinds of blanket statements remind me of me... 20 years ago :) – Lieven Keersmaekers – 2012-04-27T06:31:41.843

@F1234k Tell him to retrieve the file which states what you want him to retrieve. – Pacerier – 2012-04-27T07:44:16.370

Your associate is a threat to national security and must be reported to the authorities. – Lee Kowalkowski – 2012-04-28T11:57:14.383



It's enough to encrypt most sensitive files. A ZIP file encrypted with AES 256-bit and a good long password is nigh impossible to get into without the password. (Avoid using the legacy ZIP encryption known as PKZIP stream cipher/ZipCrypto - it is known to be weak.)

It's also possible to encrypt a whole partition, hiding everything in it. TrueCrypt is kind of the de facto standard program for home (and some business) partition/image encryption. Probably the best thing about TrueCrypt compared to tools built into the operating system is that it's portable: there's a version for Windows, Mac OS X and Linux, which together make up the vast majority of consumer operating systems.

If you want to hide everything, you can encrypt every partition in your system, including the one you boot from. It is not possible to read data from an encrypted drive without knowing the password/key. The thing is, the Windows operating system doesn't always support booting from an encrypted hard drive.* TrueCrypt has what it calls system encryption. They've summarised it pretty well:

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

So the Truecrypt boot loader will load before your OS and prompt you for your password. When you enter the correct password, it will load the OS bootloader. The hard drive is encrypted at all times, so even a bootable CD won't be able to read any useful data off it.

It's also not that hard to encrypt/decrypt an existing system:

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

*Various other operating systems support system drive encryption. For example, Linux kernel 2.6 and newer have dm-crypt, and Mac OS X 10.7 and newer have FileVault 2. Windows has such support with BitLocker, but only in Enterprise/Business/Server editions, and only in Vista and newer. As stated above, Truecrypt is more portable, but often lacks the integration necessary to encrypt system drives, Windows being the exception.


Posted 2012-04-26T09:35:36.673

Reputation: 51 526

4 TrueCrypt is what I have used and I'm very happy with it – Rippo – 2012-04-26T14:50:35.210

4 One caveat when encrypting an existing unencrypted drive: if it's solid state, it may not be re-writing over the same sectors, because it varies them to extend the disk's life. So data on a solid state drive is really only safe if it was encrypted from the start. – Nathan Long – 2012-04-26T18:40:15.510

13 "Thing is, most operating systems don't natively support booting from an encrypted hard drive." -- that isn't even remotely true. Windows has BitLocker, Mac has FileVault 2. – josh3736 – 2012-04-26T18:53:56.287

9 @Josh: Those are the operating systems with the most users, not most operating systems. – Ben Voigt – 2012-04-26T22:14:09.373

2 @josh3736 while I did overlook those, BitLocker is only available for Enterprise and Ultimate 7, and Server 2008. That's leaving out Home, Professional and XP. That makes up a large proportion of users and operating systems. Macs may have actually done this properly. – Bob – 2012-04-26T22:33:08.860


@BenVoigt, that's a bit of a ridiculous argument to make. "Sure, the OSes used on 3/4 of desktops natively support FDE, but BeOS doesn't!"

– josh3736 – 2012-04-26T22:41:02.637

@Bob, it's true you need the top-end edition of Windows 7 (or Vista) to use BitLocker, but the point is the OS does support FDE, it's just not enabled in the down-level editions. (I believe the down-level editions can mount BitLocker drives in read-only mode, however.) – josh3736 – 2012-04-26T22:45:42.910

Can you still have a dual-boot system (Windows and Linux) if you use Truecrypt system encryption? Is there a webpage out there that addresses this specific question? – Eugene Seidel – 2012-04-27T08:55:25.520

@EugeneSeidel They would have to reside on different drives if you are using full disk encryption, and you would have to somehow get the Linux bootloader (GRUB) to chainload the Truecrypt one. The Linux drive would have to be encrypted separately, since Truecrypt doesn't have system encryption support on Linux (silly me, I did not notice before answering). Linux does offer native encryption, however. You should ask another question, or perhaps try this thing.

– Bob – 2012-04-27T09:32:20.963

@josh3736 Yea, I didn't actually do all the research at the time of answering. It's been corrected now (Windows is probably in the minority in not offering full native support, and I count "just not enabled" as not having it, since you can't use it). Read only is useless in terms of full system encryption. – Bob – 2012-04-27T09:34:19.633

@Bob Thank you for replying. The Askubuntu answer is... well, terrifying (to me at least) but I will revisit there occasionally to look for updates. – Eugene Seidel – 2012-04-27T10:24:35.017
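Bob's answer above warns against the legacy ZipCrypto scheme and recommends AES-256 for archives. An archive records which scheme each entry uses in its central directory (general-purpose flag bit 0 marks an entry as encrypted, compression method 99 means WinZip AES, and a 0x9901 extra field carries the AES strength), so a defender can check an archive for weak encryption without knowing the password. The Python below is an added example, not code from the answer or from any ZIP tool: it parses those records and lists entries that rely on the legacy cipher. The sample archive it builds is constructed test data; its "encrypted" payloads are only labelled as such, not actually encrypted.

```python
import io
import struct
import zipfile
import zlib

# ZIP record signatures and the WinZip AES markers (ZIP APPNOTE / WinZip AES spec).
CENTRAL_SIG = b"PK\x01\x02"
LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
AES_METHOD = 99          # compression method 99 = WinZip AES encryption
AES_EXTRA_ID = 0x9901    # extra-field header ID carrying the AES parameters
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}
FLAG_ENCRYPTED = 0x0001  # general-purpose bit 0: entry is encrypted
FLAG_STRONG = 0x0040     # general-purpose bit 6: PKWARE "strong encryption"


def aes_extra_field(strength: int, real_method: int = 8) -> bytes:
    """Build a WinZip AES extra field (AE-2 vendor version, strength 1..3)."""
    return struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", strength, real_method)


def _parse_aes_extra(extra: bytes):
    """Walk the extra-field list and return the AES strength byte, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            _vendor_ver, _vendor_id, strength, _real_method = struct.unpack("<H2sBH", body[:7])
            return strength
        pos += 4 + size
    return None


def classify(flags: int, method: int, extra: bytes) -> str:
    """Name the encryption scheme an entry uses, from its central-directory fields."""
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if method == AES_METHOD:
        return AES_STRENGTH.get(_parse_aes_extra(extra), "AES (malformed extra field)")
    if flags & FLAG_STRONG:
        return "PKWARE strong encryption"
    return "ZipCrypto (legacy, weak)"


def scan_zip(data: bytes):
    """Return [{name, scheme}] for every entry, read from the central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP archive")
    _, _, _, count, _cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    pos, entries = cd_offset, []
    for _ in range(count):
        fields = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)  # 46-byte fixed part
        sig, flags, method = fields[0], fields[3], fields[4]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        if sig != CENTRAL_SIG:
            raise ValueError("corrupt central directory at offset %d" % pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        extra = data[pos + 46 + name_len:pos + 46 + name_len + extra_len]
        entries.append({"name": name, "scheme": classify(flags, method, extra)})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def weak_entries(data: bytes):
    """Names of entries protected only by the legacy ZipCrypto stream cipher."""
    return [e["name"] for e in scan_zip(data) if e["scheme"].startswith("ZipCrypto")]


def build_zip(entries) -> bytes:
    """Construct a minimal archive from (name, payload, flags, method, extra) tuples.
    Constructed test data only: payloads are NOT really encrypted, just labelled."""
    body, central = bytearray(), bytearray()
    for name, payload, flags, method, extra in entries:
        name_b = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(body)
        body += LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, crc,
                                        len(payload), len(payload), len(name_b), len(extra))
        body += name_b + extra + payload
        central += CENTRAL_SIG + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, method, 0, 0,
                                             crc, len(payload), len(payload), len(name_b),
                                             len(extra), 0, 0, 0, 0, offset)
        central += name_b + extra
    cd_offset = len(body)
    eocd = EOCD_SIG + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries),
                                  len(central), cd_offset, 0)
    return bytes(body + central + eocd)


# Constructed sample: one plain entry, one legacy-encrypted, one AES-256.
SAMPLE_ARCHIVE = build_zip([
    ("readme.txt", b"nothing secret here", 0, 0, b""),
    ("legacy.doc", b"\x00" * 24, FLAG_ENCRYPTED, 8, b""),
    ("vault.7z", b"\x00" * 40, FLAG_ENCRYPTED, AES_METHOD, aes_extra_field(3)),
])


def stdlib_sample_scheme() -> str:
    """Cross-check the parser against an archive written by Python's own zipfile module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("plain.txt", "written by zipfile")
    return scan_zip(buf.getvalue())[0]["scheme"]


if __name__ == "__main__":
    for entry in scan_zip(SAMPLE_ARCHIVE):
        print("%-12s %s" % (entry["name"], entry["scheme"]))
    print("weak entries:", weak_entries(SAMPLE_ARCHIVE))
```

The scan reads the central directory rather than the local headers because local headers may defer sizes to a data descriptor; it does not handle ZIP64 archives, where the entry count and offsets move to separate records.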


One phrase - Full Disk Encryption, preferably with a nice, long, non-dictionary key. You might also look at systems that do this with an external keyfile. Basically, since the entire system other than the bootloader is encrypted, short of a direct memory access attack - that is to say, using a FireWire or other device that has DMA to get memory contents - or a cold boot attack to get information. Thwarting this is simple - just make sure the system is switched off, and the battery removed, just before you hand over the system. If it's just a hard drive, both these attacks are improbable.

I'd probably just give TrueCrypt a shot, use a VERY long, random password (length makes brute forcing harder, and randomness prevents a dictionary attack), and let him go to town with it. Alternately, some versions of Windows have BitLocker - which is a strong FDE option built into Windows. Likewise there are solutions for Linux like LUKS and dm-crypt.

Or fill a disk with random data... and see how long before he figures it out ;)

Journeyman Geek

Posted 2012-04-26T09:35:36.673

Reputation: 119 122

70 +1 Or fill a disk with random data. Oh yes – Tog – 2012-04-26T10:00:37.377

1 Ah, random data :D Just like that bit in Cryptonomicon (more detailed reference not included because it'd spoil one of the fun bits...) – tanantish – 2012-04-26T19:31:27.270


Don't fall for any tricks like, "give me the password so I can check the results".

A security conference I went to asked for passwords at the beginning. Halfway through, the presenter said the biggest security risk is YOU, as most people had given out their password freely.

(And yes, just encrypt the relevant data.)


Posted 2012-04-26T09:35:36.673

Reputation: 296


You could "hide" the file within an image? This might throw him off - or at least take him a little bit of time to figure out. Possibly.


Posted 2012-04-26T09:35:36.673

Reputation: 121


Or even inside program binaries

– Dan D. – 2012-04-26T10:09:53.603

18 This is otherwise known as steganography. – Chad Harrison – 2012-04-26T15:26:17.733

4 Or security through obscurity? – vsz – 2012-04-27T11:35:24.583


I agree with the other TrueCrypt answer. However, I have one important point to add - the plausible deniability feature of TrueCrypt. What that means is that TrueCrypt doesn't leave any positively identifiable signatures on the disks/files it encrypts. So, nobody can prove whether a set of bits on disk are random bits or encrypted data. This is so important that it had implications in a recent court case.


Posted 2012-04-26T09:35:36.673

Reputation: 619

I would be interested to know what court case that was. – Chad Harrison – 2012-04-27T17:17:49.973


Here's the link Gist: TrueCrypt users cannot be compelled to divulge their passwords. 5th amendment applies.

– slowpoison – 2012-04-27T17:41:44.370


Many of the answers posted are good answers.

As an addition, you may want to look at an asynchronous asymmetric encryption tool like GnuPG. It's a bit more complicated than encrypting within a ZIP file because you are dealing with public and private keys. I think I might have heard of some University in Europe cracking this type of encryption under very special circumstances. You would still want to put the passwords and keys on a USB drive, or somewhere other than the drive you will be giving the challenger.

Additionally, I once had a professor tell me that if you want something absolutely hidden, re-encrypt the encrypted file with a new set of keys. That way, if the first level of encryption is somehow deciphered, the attacker wouldn't know it because everything would still appear encrypted.

Hope this helps.

Chad Harrison

Posted 2012-04-26T09:35:36.673

Reputation: 5 759

4 "I once had a professor tell me that if you want something absolutely hidden, re-encrypt the encrypted file with a new set of keys." is wrong for most cryptosystems. Consider ROTn. Encrypting ROTn(ROTm(x)) = ROT(m+n)(x). The attacker won't even realize you did ROTn(ROTm(x)) but will instead directly try to figure out m+n. There is no added security. – emory – 2012-04-26T15:45:55.530

1 @emory Interesting to note. Guess professors are people too. I think I understand what you are getting at. I'll check into that. – Chad Harrison – 2012-04-26T16:13:15.990

GnuPG is not asynchronous, it's asymmetric (in its default mode). It also supports conventional (symmetric, same-key) encryption. – a CVn – 2012-04-27T07:53:59.653

3 Also, I imagine that the professor was referring to encryption algorithms a little more sophisticated than simple substitution ciphers. If you take a plaintext P, then encrypt it with (say) AES first with key K1 and then encrypt the resulting ciphertext with AES and a different key K2 (C = AES( AES(P,K1), K2 ), K1 ≠ K2) the resulting ciphertext will not have any resemblance to, say, the output of AES(AES(P,K2),K1) (key order reversal). This property does not hold for simple substitution ciphers such as ROTn. – a CVn – 2012-04-27T07:57:21.317

@MichaelKjörling Thanks for the correction on asymmetric. I knew it was a-something, and sometimes I struggle my recall. ;) – Chad Harrison – 2012-04-27T12:35:25.510
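The exchange between emory (ROTn composes into a single ROT) and a CVn (AES with two keys does not) comes down to whether a cipher's keyed permutations form a group: if they do, "encrypting twice" is just encrypting once with some other key, and the attacker never has to know. The Python below is an added example written for this page, not code from any commenter. It shows ROT and repeating-key XOR collapsing to a single key, and then a toy 16-bit substitution-permutation network (an assumed construction using the PRESENT S-box, standing in for a modern block cipher; it is not AES and is far too small to be secure) for which an exhaustive search over all 65,536 keys finds no single key equivalent to encrypting with k1 and then k2, and for which key order matters.

```python
# Does double encryption add anything? Only if the cipher is not a group.
# PRESENT's 4-bit S-box (a real, non-linear S-box; the cipher built here is a toy).
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 4


def rot(text: str, n: int) -> str:
    """Caesar/ROT-n over ASCII letters; everything else passes through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + n) % 26))
        else:
            out.append(ch)
    return "".join(out)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the simplest stream cipher with a reused keystream."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _sub(x: int, box) -> int:
    """Apply a 4-bit S-box to each nibble of a 16-bit word."""
    return sum(box[(x >> (4 * i)) & 0xF] << (4 * i) for i in range(4))


def spn_encrypt(block: int, key: int) -> int:
    """Toy 16-bit SPN: key XOR, S-box layer, 5-bit rotation, repeated ROUNDS times,
    followed by a final key XOR (same 16-bit key every round; assumed design)."""
    x = block
    for _ in range(ROUNDS):
        x ^= key
        x = _sub(x, SBOX)
        x = ((x << 5) | (x >> 11)) & 0xFFFF
    return x ^ key


def spn_decrypt(block: int, key: int) -> int:
    """Inverse of spn_encrypt: undo each layer in reverse order."""
    x = block ^ key
    for _ in range(ROUNDS):
        x = ((x >> 5) | (x << 11)) & 0xFFFF
        x = _sub(x, INV_SBOX)
        x ^= key
    return x


def rot_double_collapses(text: str, m: int, n: int) -> bool:
    """ROTn(ROTm(x)) is exactly ROT(m+n)(x): the key space does not grow."""
    return rot(rot(text, m), n) == rot(text, (m + n) % 26)


def xor_double_collapses(data: bytes, k1: bytes, k2: bytes) -> bool:
    """XOR with k1 then k2 equals XOR with the single key k1 ^ k2 (equal-length keys)."""
    combined = bytes(a ^ b for a, b in zip(k1, k2))
    return xor_stream(xor_stream(data, k1), k2) == xor_stream(data, combined)


def single_key_equivalents(pairs):
    """Every 16-bit key k with spn_encrypt(p, k) == c for all (p, c) pairs.
    Short-circuits on the first mismatching pair, so the 65,536-key sweep is fast."""
    return [k for k in range(1 << 16) if all(spn_encrypt(p, k) == c for p, c in pairs)]


def spn_double_collapses(plaintexts, k1: int, k2: int) -> bool:
    """True if some single key reproduces encrypt-with-k1-then-k2 on every plaintext."""
    pairs = [(p, spn_encrypt(spn_encrypt(p, k1), k2)) for p in plaintexts]
    return bool(single_key_equivalents(pairs))


if __name__ == "__main__":
    print("ROT 3 then 10 == ROT 13:", rot_double_collapses("Attack at dawn", 3, 10))
    print("XOR k1 then k2 == XOR k1^k2:", xor_double_collapses(b"secret", b"\x12\x34", b"\xAB\xCD"))
    sample = [0x0000, 0x1234, 0xBEEF, 0xFFFF]
    print("toy SPN: single key equivalent to k1 then k2 exists:",
          spn_double_collapses(sample, 0x1F2E, 0xC0DE))
    print("toy SPN: k1 then k2 == k2 then k1:",
          spn_encrypt(spn_encrypt(0x1234, 0x1F2E), 0xC0DE)
          == spn_encrypt(spn_encrypt(0x1234, 0xC0DE), 0x1F2E))
```

The sweep is the same check an analyst would run on any small cipher: collect plaintext/ciphertext pairs under the double encryption and ask whether any single key explains them. For ROT and XOR one always does, which is emory's point; for the SPN none does, which is the property a CVn describes for AES.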


Interesting that the word hide has to be put in quotes by many people, since they seem to know that nothing is actually being hidden in their suggestions. I wonder if that computer technician held his hands in the air and made the hand motions associated with quotation marks when he said "hide" as well.

I doubt it. While encrypting things can prevent access, having an encrypted zip file sitting on your desktop called "" isn't really hiding anything.

Some laptops come with the ability to password protect the drive, where once it is enabled through the BIOS you have two options... enter the password or format the drive. Dell is one of those companies that includes this function. Ok. You can ALSO call Dell after you have put in the wrong password 3 times, and you can give them the challenge code presented on your screen and they will give you the response code to bypass the password... but they also charge for that service if your warranty has expired. Again... this is not hiding anything.

There is a world of difference between allowing someone access to a room so they can search for something tucked out of sight (hiding), and just barring them from entering altogether (encryption).

Since I do not appreciate absolute statements like: "and there is nothing you can do about it"

No. You did not like this technician essentially telling you that he knew something you did not, and/or that he was better than you at something. This is why you immediately tried to think of how to better this technician, instead of actually realizing that what he was saying means nothing! It would not have hurt you in the least to have admitted right there and then that maybe he actually could FIND any file you had HIDDEN. Of course, you would have needed to have him define what hiding means in this context... since (again) it seems that "hidden" apparently means different things to different people. Regardless, your issue with his challenge has nothing to do with his boast, and everything to do with your inability to accept the possibility that he might actually be better than you at something. This is why you could not leave the challenge alone. This is why you do not appreciate absolute statements like that. Because the truth is, there are times when things will happen in your life and there WILL BE NOTHING YOU CAN DO ABOUT IT.

You want a way to keep files you access regularly from being found? Keep them off your computer. How about that? Store them on a flash drive. Then, you can keep the files on your person at all times, and no one can access your laptop to get them when you are not near your laptop. Who made the stupid rule that all your files have to stay on your laptop at all times? I'm not talking about this technician's childish boasting and whatever game you have turned this into. Once you encrypt the file, or hide it in an image, or remove it from your computer onto a flash drive, then his game is over. Why? Because you did not get the parameters of this challenge defined... and I can guess what they are.

  • The file has to be somewhere accessible.
  • You need to play the role of the ignorant fool who thinks that just sticking a file in some directory off the beaten path is the extent of being able to be hidden.

Once you step away from either of these, the game is over, and you "did not understand what he meant".

Bon Gart

Posted 2012-04-26T09:35:36.673

Reputation: 12 574

4 But if you lose the flash drive or leave it behind somewhere? Oh dear... By the way, he said hide information, not files.. subtle difference, since encrypted information is essentially hidden. And it's theoretically possible to break any encryption. – Bob – 2012-04-26T12:40:24.597

1 Someone says I can find you anywhere you hide if we play Hide and Seek... and this pisses you off so much that you have to change the game to TAG where they need to touch you in order to win. What if your hard drive crashes... Oh Dear. And encrypted information is locked away, not hidden. If you need a key, it is locked. If he found the encrypted file, does that mean he found the information? Did he ever say he had to be able to VIEW the information, or just FIND it? – Bon Gart – 2012-04-26T12:56:54.640

3 A piece of information != a file. Information would be gained by reading the contents of a file. Having the file but not being able to read it means the information inside is still hidden. – Yamikuronue – 2012-04-26T13:34:36.043

I get it that you and Bob feel that "information" does not equal "file". Tell me. What exactly did the computer technician in this question think information meant? Did he mean to say "file"? Does he equate the two? You don't need super encryption. You could simply break this "information" down into small chunks, convert it to hex, and create directories in C:\Windows named those hex chunks. If you make them 32 characters long, they will appear to be normal directories. Only you know that if you translate the names back you have your information. – Bon Gart – 2012-04-26T18:15:00.633

But since the TITLE of the question is "Is there a way to make my hard drive inaccessible to everyone but me?" then for the purpose of this discussion, information DOES EQUAL file. – Bon Gart – 2012-04-26T18:15:57.200

Better yet, remove the hard drive before giving it to the computer technician. If you give the hard drive along with the laptop there is no way to guarantee that you can access the hard drive which is part of the title premise. – emory – 2012-04-26T20:50:40.503

@BonGart If your hard drive crashes, you've lost the data. If you leave your flash drive behind (unencrypted), you've lost the data and someone else might have it. – Bob – 2012-04-27T12:38:11.317


Alternate data streams are a funny thing to throw at him.


Posted 2012-04-26T09:35:36.673

Reputation: 203

Also Volume Shadow Copies

– dc5553 – 2015-06-12T18:41:43.087


I use TrueCrypt virtual drives that are secured by both very long passwords and keyfiles stored on a USB drive. I also initiate timeouts on open virtual drives when activity is absent for a given time. I've been using this type of security for years. I process very large databases within those virtual drives without any performance issues.


Posted 2012-04-26T09:35:36.673

Reputation: 31

Are you using a CPU with hardware support for AES, such as Intel Sandy Bridge? – drxzcl – 2012-04-29T08:47:42.953
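Journeyman Geek's answer and the answer above both recommend a very long random password combined with a keyfile that is kept off the machine. The Python below is an added example, not TrueCrypt's keyfile algorithm or any poster's code, showing one way to derive a volume key that needs both factors (PBKDF2 from the standard library to stretch the password, HMAC to mix in the keyfile digest) and a back-of-envelope cost model for why length and randomness matter. The iteration count, the attacker's guess rate and the sample inputs are assumptions made for the example.

```python
import hashlib
import hmac
import math
import os

# Work factor: 600,000 PBKDF2-HMAC-SHA256 iterations, the OWASP Password Storage
# Cheat Sheet figure at the time of writing; an assumed value for this example.
ITERATIONS = 600_000
KEY_BYTES = 32  # 256-bit volume key


def derive_volume_key(password: str, keyfile: bytes, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Derive a key that requires BOTH the password and the keyfile.

    The password is stretched with PBKDF2 so every guess costs `iterations`
    hashes; the keyfile is reduced to a fixed-size digest and mixed in with
    HMAC, so a wrong keyfile yields an unrelated key, not an 'almost right' one.
    Assumed construction for illustration, not TrueCrypt's keyfile algorithm.
    """
    if not password or not keyfile:
        raise ValueError("both a password and a keyfile are required")
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=KEY_BYTES)
    keyfile_digest = hashlib.sha256(keyfile).digest()
    return hmac.new(keyfile_digest, stretched, hashlib.sha256).digest()


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(entropy_bits: float, hashes_per_second: float,
                     iterations: int = ITERATIONS) -> float:
    """Years needed to try every password when each guess costs `iterations` hashes."""
    seconds = (2.0 ** entropy_bits) * iterations / hashes_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)        # stored in the clear in the volume header
    keyfile = os.urandom(64)     # lives on the USB stick, never on the laptop
    key = derive_volume_key("correct horse battery staple", keyfile, salt)
    print("volume key:", key.hex())
    # Assumed attacker rate of 1e12 SHA-256 computations per second (a large GPU rig).
    rate = 1e12
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("20 random printable ASCII", 20, 94)]:
        bits = password_entropy_bits(length, alphabet)
        print("%-26s %6.1f bits  ~%.3g years to exhaust" % (label, bits, years_to_exhaust(bits, rate)))
```

The entropy figure only holds for passwords that are actually chosen at random; a dictionary word or a phrase from a book has far fewer effective bits than its length suggests, which is the point Journeyman Geek makes about randomness defeating dictionary attacks.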


Then take the challenge. As someone already told you: create a file, put the file you want to "hide" inside a RAR or 7-Zip file with full encryption so he can't check which files are inside the compressed file, and use a strong password with numbers, letters and symbols. Then erase the original file with some tool like Secure Delete (or a similar tool).

Done; now there's almost nothing he can do.


Posted 2012-04-26T09:35:36.673

Reputation: 21


Ubuntu provides home drive encryption, which is quite secure. I had to struggle to recover my own data even though I knew my own key. Information about home drive encryption can be found here:

Osama Javed

Posted 2012-04-26T09:35:36.673

Reputation: 121


Encryption is useless against subpoenas and/or torture. All the computer tech has to do is allege, perhaps anonymously, that the file is full of kiddie porn. The FBI will seize it from his shop and demand the password. He will tell them it is your computer.

There will be some legal maneuvering. You will either wind up in jail or remain free. Either way, the computer tech has learned something interesting about your secret file.

Alternatively, he could allege some problem with the laptop that needs an $x repair. Your authorization or lack of authorization of the repair will tell him something about the economic value of to you.


Posted 2012-04-26T09:35:36.673

Reputation: 121


Looks like the 5th amendment in the US might protect you from having to give out your password; this one specifically mentions TrueCrypt.

– Matthew Lock – 2012-04-27T04:09:15.093


If you want the highest level of security, something even governments can't legally force you to address, look at TrueCrypt. With TrueCrypt you can actually turn empty space into a mounted partition. As such, if the system is inspected it should just look like old data headers, something you would see on every hard drive out there that has ever deleted data. Since there is no evidence of data there that's usable, legible, or recoverable, you are not legally obligated to provide access to said data. It also utilizes encrypted passwords of many levels and substantial performance too.


Posted 2012-04-26T09:35:36.673

Reputation: 1 981