hard disk encryption (on laptop)

I know some things about Windows, but when it comes to the functionality of hard disk encryption, this all sounds a bit unknown for me.
A certain organization says it's better to have "hard disk encryption" on your laptop ... yet the laptops they deliver don't seem to have just that. Or, so I thought, because I thought that hard disk encryption (of the Windows OS drive) would always mean there's a pin code to enter on device startup (PC or laptop). But, that is not necessarily the case, anymore.

So, for my OWN laptop, I'm thinking of adding some disk protection. This is what I understand it should do: if a given device is not under my control (stolen, lost, etc.) and a person has the Windows password, it would still be UNABLE to read the system disk, and ANY other internal disk. That would be my requirement. Currently, any device I have is just protected by a Windows password.

I don't need a list of tools that does that, I'd like to hear the preference tool that anybody having knowledge on this subject, would propose in my case - which is really not that weird of a request. It must not be free software, but also not company style of licenses.

I'll update my specs, haven't done so.
It's Pro, by the way

You're probably thinking of an ATA password. ATA passwords are a password applied to the hard drive at the hardware level and is done with BIOS/UEFI. This was something typically found in laptops.


Breaking ATA Password Security | UT Austin Information Security Office

F22 Simpilot said:

You're probably thinking of an ATA password. ATA passwords are a password applied to the hard drive at the hardware level and is done with BIOS/UEFI. This was something typically found in laptops.


Breaking ATA Password Security | UT Austin Information Security Office

That sounds perfect to me, but that depends largely on the BIOS. The laptop in question is Lenovo medium spec machine, not too old. Thinkpad series.
A password or pincode is acceptable.

It's OK if it isn't the perfect safe solution, but I do like something that is harder to break than no protection ...

- - - Updated - - -

dalchina said:

If you are using Pro (Specs don't say) then the obvious choice would be Bitlocker.

If you're considering whole disk encryption, in particular your entire system disk, that's the 'obvious' one.

If you're considering providing an encrypted space- a vault- for certain data - that's another.

Depends what you wish to achieve. If you don't have Pro or better, your options are more limited.

As you know a windows password provides no protection from someone who, say, boots your PC from an external disk, or removes the drive and connects it to another PC.

Only encryption provides such security.

You don't want suggestions for programs, so.. also see:
Enable or Disable NTFS File Encryption in Windows
How to Check if Device Encryption is Supported in Windows 10
(ref. Bitlocker)

Encrypt Files and Folders with EFS in Windows 10
(Pro up only)

I have to pass on Bitlocker: for me, any good solution to protect Windows, cannot be delivered from Windows itself.

1. It will be the most used, and thus the most tried to be broken.
2. No offence, but I don't trust Windows enough for something important like that. They make a mess of much simpler things, so my trust in MS for delivering something that is ace, I don't dig it. Unless they bought it from somebody else (as they do with good software), but then there is the problem in point 1.

Read the ENTIRE Veracrypt or Truecrypt manual.

I prefer Truecrypt, but it's quite old and has some minor potential caveats if you don't already know how to secure them. An ATA password is one. I can get away with using Truecrypt because I use a legacy BIOS and not UEFI. If your motherboard is UEFI only then you'll need to use Veracrypt. Problem with Veracrypt is it's extraordinarily slow on boot up. Both encryption solutions will halve your hard drive speed. I wouldn't use a cascade of ciphers as that too will REALLY slow you down. AES with a very long password is all you need. There are exceptions of course. Like if you work for the CIA or something... Then it becomes waaay more evolved and beyond the scope of this discussion.

Truecrypt and Veracrypt can be broken. One way is with Hashcat. That is why the password needs to be long and complicated. Another is an image of RAM where the key is located. Another is a TEMPEST attack which is where your wireless (wireless) keystrokes are captured or the screen is somehow read. So OPSEC (operational security) is needed...

Tip:

If you need to clone and encrypted HDD, Clonezilla will do it. BUT! Read the ENTIRE Truecryupt or Veracrypt manual. I can not stress that enough.

With security or privacy comes cumbersomeness and learning. You just can't take the easy way and expect everything to be all well. If you're not willing to learn and your Windows version supports it, then just use Bitlocker and be done with it.

dalchina said:

You need to make it clear in your question as to what solutions are acceptable to you.

For example, if you had STATED you would not accept a MS-based solution I could have saved my time, couldn't I?

Most people take the OPPOSITE view- that they don't want a 3rd party solution.

Indeed, you specifically stated it had to be free.

Ever heard of Veracrypt?
I'm out.

Pretty hard to discuss possible solutions if these possible solutions are unknown.

Also to consider the fact I'm wanting to protect my disk, not my Operating System. I think that is stated pretty clearly. So pursuing a solution from within Windows is too narrow.

I didn't state it must be free.

I heard of Veracrypt indeed, never tried it though.

I'm also not really interested in solutions based on "chosen by a lot of people". That's marketing BS. It says nothing to little about the product.

- - - Updated - - -

F22 Simpilot said:

Read the ENTIRE Veracrypt or Truecrypt manual.

I prefer Truecrypt, but it's quite old and has some minor potential caveats if you don't already know how to secure them. An ATA password is one. I can get away with using Truecrypt because I use a legacy BIOS and not UEFI. If your motherboard is UEFI only then you'll need to use Veracrypt. Problem with Veracrypt is it's extraordinarily slow on boot up. Both encryption solutions will halve your hard drive speed. I wouldn't use a cascade of ciphers as that too will REALLY slow you down. AES with a very long password is all you need. There are exceptions of course. Like if you work for the CIA or something... Then it becomes waaay more evolved and beyond the scope of this discussion.

Truecrypt and Veracrypt can be broken. One way is with Hashcat. That is why the password needs to be long and complicated. Another is an image of RAM where the key is located. Another is a TEMPEST attack which is where your wireless (wireless) keystrokes are captured or the screen is somehow read. So OPSEC (operational security) is needed...

Tip:

If you need to clone and encrypted HDD, Clonezilla will do it. BUT! Read the ENTIRE Truecryupt or Veracrypt manual. I can not stress that enough.

With security or privacy comes cumbersomeness and learning. You just can't take the easy way and expect everything to be all well. If you're not willing to learn and your Windows version supports it, then just use Bitlocker and be done with it.

That sounds interesting, I don't mind some learning curve.
Main objective is that it is secure enough to scare anybody with average skills.

What about Trellix Drive Encryption

It's McAfee really, so that doesn't sound much good, but you never know.

[QUOTE=F22 Simpilot;2578239]Read the ENTIRE Veracrypt or Truecrypt manual.

I prefer Truecrypt, but it's quite old and has some minor potential caveats if you don't already know how to secure them. An ATA password is one. I can get away with using Truecrypt because I use a legacy BIOS and not UEFI. If your motherboard is UEFI only then you'll need to use Veracrypt. Problem with Veracrypt is it's extraordinarily slow on boot up. Both encryption solutions will halve your hard drive speed. I wouldn't use a cascade of ciphers as that too will REALLY slow you down. AES with a very long password is all you need. There are exceptions of course. Like if you work for the CIA or something... Then it becomes waaay more evolved and beyond the scope of this discussion.
/QUOTE]

Truecrypt is totally obsolete. Nobody should waste time with it. Latest version of VeraCrypt (1.26.7) is not compatible with Truecrypt anymore, and only supports Windows 10+.

I am very skeptical about the Veracrypt speed claims in the quote, but I use only Veracrypt volumes (containers), which work very fast. Of course, the "hard drive" used with encryption should always be a SSD.

As for using "BIOS" (UEFI) defined passwords in Lenovo ThinkPad laptops, read carefully the documentation before using them. If you "lose" the password, there may be no recovery option except changing the mobo.