TrueCrypt

TrueCrypt system drive encryption

While encrypted volumes are meant for protecting sensitive data, encrypting whole hard disk might be more useful in many cases. If you want to prevent unauthorized local (physical) access to your computer, TrueCrypt is the program you need. If you encrypt whole system drive (the drive where Windows is installed), no one can boot your computer or access any files on the encrypted drive without entering a correct password.

Reserve several hours for one-time encryption process. You can pause and resume the process, but it will not help it finish sooner. The process will not delete any files or folders, everything will be encrypted on the fly.

You must have a CD/DVD-writer and a blank CD-R or CD-RW to complete the system encryption process - this is required to create a TrueCrypt Rescue Disk.

Please note that while TrueCrypt system drive encryption works fine in Windows 10, it might fail version upgrades (for example, from build 10166 to 10240).

Possible limitations of encrypting a system drive

Please do not use system encryption on computers that already feel sluggish - while there is no noticeable slowdown on PC-s that are up to 5 years old, system encryption will certainly affect negatively those ones that are already slow.

Remember, you cannot access your files if you boot from a CD, DVD or external drive, such as Windows installation/repair disc orRecovery Drive, Linux Live CD-s, etc. You can use Windows Advanced Boot Options after entering your decryption password, but recovering files using bootable media requires drive decryption first.

Windows 8 and 8.1 cannot create Custom recovery images, because TrueCrypt locks the drive after encryption is complete.

Be aware that if you copy or move a file or folder from an encrypted system drive to some other disk or drive, the file will not be encrypted on the destination disk. If you copy an unencrypted file to an encrypted system drive, the file will become encrypted on that system drive.

Encrypting Windows system drive with TrueCrypt

Make sure you have a recent and valid full backup of your computer first! See, I warned you... 

Open TrueCrypt from Start menu/Start screen or by right-clicking its icon in Taskbar Notification Area (aka System Tray) and clicking Show TrueCrypt.
In the program window, open System menu and click Encrypt System Partition/Drive.

In the Type of System Encryption screen of TrueCrypt Volume Creation Wizard, leave Normal selected and click Next.

In the Area to Encrypt screen, select Encrypt the whole drive and click Next.

Always select No in the Encryption of Host Protected Area window. There might be some required tools or drivers in the area.
Click Next.

Select the correct option in the Number of Operating Systems dialog.
If you have only one version of Windows installed on the disk you want to encrypt (and no additional operating systems), select Single-boot.
If you have several versions of Windows, or Windows and an alternate OS (Linux or Mac OS) installed on the drive, select Multi-boot.
Click Next.

In the Encryption Options screen, leave defaults (AES and RIPEMD-160) selected to ensure best performance. These algorithms are strong enough to protect from brute-force attacks.

In the Password screen, create a strong and unique password for the encrypted drive - and make the passphrase longer than usual (at least 20 characters).
Please note that most PC-s use U.S. keyboard layout at boot-time - do not use special or international characters here if you have a different layout!
Keyfiles are not supported on system drives, so click Next.

If you specified a password shorter than 20 characters, TrueCrypt will warn you that such passwords are easy to crack. If your password is at least 15 characters long, it is safe to click Yes here.

Move your mouse inside the Collecting Random Data dialog randomly for at least 2 minutes. This will make the protection stronger.
After this, click Next.

Click Next in the Keys Generated window.

In the Rescue Disk dialog, click Browse first. Select the folder where to save the disc image (in ISO format) and specify a name for it.
Rescue Disk becomes very helpful in case some program or malware damages boot loader or critical data of TrueCrypt on the disk, or if Windows is unable to boot despite troubleshooting and you need to rescue your files and folders from the drive. If possible, back up the .iso file to a cloud service to have it available if a CD appears faulty. The Rescue Disk does not provide any access to the encrypted disk without correct password.
Click Next.

This is the point where you need a CD-writer. You can use either CDBurnerXP or Windows 7/8/8.1/10 Disc Image Burner to burn the .iso file created in the previous step to a blank CD-R/CD-RW.
You can fool TrueCrypt here by mounting the .iso file as a virtual CD using free tools such as DaemonTools, but you will need a real CD/DVD reader if you want to use Rescue Disk at boot-time.
Click Next.

In Windows 7, 8, 8.1 and 10, TrueCrypt offers to start Disc Image Burner automatically. Click OK.

In Windows Disc Image Burner, enable the Verify disc after burning option and click Burn to create the Rescue Disk.

After you've created the disc, leave it in CD/DVD device and click Next back in TrueCrypt Volume Creation Wizard.
This should open the Rescue Disk Verified screen. Click Next again.

In most cases, select None (fastest) and click Next in the Wipe Mode screen.
If your Windows installation is on an SSD (Solid-State Drive) that has no hardware encryption, you should enable wiping here to prevent recovering unencrypted data.

After this, TrueCrypt needs to perform a test to verify that everthing works correctly. Click Test in the System Encryption Pretest screen.

Read the useful information about using TrueCrypt Rescue Disk in case the test goes wrong. Then click OK.

To start the System Encryption Pretest, your computer must be restarted. Click Yes.

If everything works fine, TrueCrypt Boot Loader appears after your computer restarts. Type the password you specified and press ENTERkey. Windows should start now.

In case you did not care about the warning that most PC-s use U.S. keyboard layout at boot-time, here's the layout if your correct password turns out to be wrong.

If you cannot remember the password you specified, you can press ESC key to boot to Windows anyway - nothing is encrypted yet.
If you do not see TrueCrypt Boot Loader and Windows will not start, boot your computer from TrueCrypt Rescue Disk and restore original boot loader. Verify that your computer is set to boot from CD first.

After the pretest passes (Windows starts and you log in), TrueCrypt Volume Creation Wizard appears automatically. Click Encrypt in thePretest Completed window.

Another set of useful instructions on Rescue Disk appears. Read it and click OK.

And the long encryption process begins. You can use the Pause/Resume button to stop the process temporarily, but you can actually use your computer while TrueCrypt encrypts the drive.
If you accidentally restart your computer, the process continues automatically.
After the system drive has been encrypted, click OK in the notification dialog.

Then click Finish in the Encryption screen.

From this point on, you can only start Windows after you enter a correct password in the TrueCrypt Boot Loader screen. No unencrypted data will be written to the system drive - TrueCrypt encrypts all unencrypted data in memory (RAM) and only then writes it to the disk.

Changing system drive password in TrueCrypt

If you want to specify a different password for your encrypted system drive later, open TrueCrypt main window as usual. Then openSystem menu and click Change Password.

Change Password or Keyfiles window opens. Type your present system encryption password in the Current section and set a different one in the New section.
Then click OK. As said before, system encryption does not support keyfiles.

Again, move your mouse randomly for at least 2 minutes in the TrueCrypt - Random Pool Enrichment dialog. Then click Continue.

Click OK in the success dialog.

But the password change is not yet complete! Your system drive can still be decrypted using the TrueCrypt Rescue Disk you created earlier (with the old password).
Click Yes to start creating a new Rescue Disk.

Click OK to store the .iso file in the folder you want.

After saving the new disc image file, click OK and burn it to a blank CD using CDBurnerXP or Windows Disc Image Burner (only available in Windows 7 and later).

After the new TrueCrypt Rescue Disk is ready, leave it in CD/DVD drive. Open System menu in TrueCrypt main window and click Verify Rescue Disk.

Click OK in the disk insert dialog.

After the verification passes, click OK again.

If possible, back up the new .iso file to a cloud service to have it available if a CD appears faulty. The Rescue Disk does not provide any access to the encrypted disk without correct password.

Decrypting a system drive with TrueCrypt

If you need to discard TrueCrypt full disk encryption for some reason (maybe you're selling your PC), open TrueCrypt from Start menu or Notification Area icon.
Open System menu and click Permanently Decrypt System Partition/Drive.

TrueCrypt will confirm the action. Click Yes.

TrueCrypt will give a final warning that all your data will be unprotected. Click Yes.

The decryption process starts - this is usually quite a bit faster than the encryption process. You can use your computer normally during this, or use Pause/Resume button to free system resources temporarily. If your reboot your computer, the decryption process will continue automatically after you log in the next time.
After the process is complete, click OK in the success notification.

As usual, you must restart your computer to complete the decryption process. Click Yes in the prompt.

Using TrueCrypt Rescue Disk for troubleshooting

If you run into trouble with encrypted system drives or partitions, TrueCrypt Rescue Disk is your best friend.
First, make sure you set your computer to boot from CD/DVD-drive.
Second, you cannot use TrueCrypt Rescue Disk from another computer - each disc is unique to the specific computer.

After your PC starts from the disc, TrueCrypt Rescue Disk menu appears instead of TrueCrypt Boot Loader.
If you are using Rescue Disk due to failed System Encryption Pretest, you should press ESC key here to load Windows and let TrueCrypt restore the original bootloader.
Otherwise, press F8 key to access Repair Options.

Available Repair Options menu appears.
In case your computer does not start at all due to a failed hard drive firmware upgrade or some nasty malware (TrueCrypt Boot Loader does not appear anymore and you see a blank screen), press 2 to Restore TrueCrypt Boot Loader.
Press Y to execute the command.
After the process is complete, reboot your PC without TrueCrypt Rescue Disk and see if the correct Boot Loader appears.
If not, use option 3 to Restore key data (volume header).

If you see TrueCrypt Boot Loader, but Windows is not able to start despite extensive troubleshooting, the last resort is to decrypt the system drive.
Press 1 to Permanently decrypt system partition/drive and enter your encryption password.

TrueCrypt will warn you that the decryption process is much faster in Windows. Press Y to start decrypting the drive.
The process will probably take many hours and TrueCrypt displays the percentage of completion. Do not reboot or power off your computer without pressing ESC key first for safe interruption of the process, for you might lose all data on the drive!
After the "Drive decrypted" message appears, restart your computer without TrueCrypt Rescue Disk.