Trying out VeraCrypt

A few months ago I bought a new computer and, in the midst of swapping hard disks around, realised it would be an opportune moment to enable full-disk encryption.

Whenever you enable encryption, it's important to have an idea of who you think you're protecting yourself against, in order to determine what level of protection you really need. In my case, it's opportunist thieves, and (more realistically) peace of mind following any theft.

The new PC itself has a straightforward single OS, UEFI-based installation (albeit with multiple drives and partitions). Fortunately, VeraCrypt (the free, open source successor to TrueCrypt) recently added UEFI support, so I thought I’d give it a go (n.b. a lot of online tutorials were written before this change). Installation went smoothly, as did a quick test run with a file container. Onto the system partition proper.

Firstly, I turned off Secure Boot, as recommended by CurtisP, and disabled prompting for a PIM (the Personal Iterations Multiplier, which scales the number of PBKDF2 iterations used to derive the header key from the password; with no PIM entered, VeraCrypt uses its default iteration count). (I'll try installing custom certificates and re-enabling Secure Boot later, when I'm feeling braver.)

Then I added the other drives as "system favourites", ensuring they are unlocked at boot time (strictly, mounted with the pre-boot authentication password rather than decrypted in place, so there is only one password to enter). The process was similar and again went without a hitch. Overall, I've been very impressed with the experience.

However, there's not much point having one encrypted PC if you have the same files stored on a different device: in my case an aging Toshiba laptop. Unfortunately, this proved a lot more complicated because I was dual-booting Ubuntu on the laptop. Such configurations are unsupported by the current version of VeraCrypt, and while I did manage to get it working for a while (somehow), I ended up corrupting my entire installation and having to reinstall from scratch. RIP dual-booting, and yay for (secure) backups…

While my (now single-boot) configuration is much more stable, there is one frustration I haven't been able to fix. Specifically, my laptop runs 'legacy' BIOS rather than UEFI. That means the VeraCrypt bootloader has to do its work within the tight limits of the legacy boot environment, where the password-based key derivation runs far more slowly than it does under the OS. As a result, unlocking the system partition (and therefore booting) takes much longer on the laptop than on the desktop.
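What the bootloader is actually doing during that wait is deriving the volume header key from the password with PBKDF2, and the iteration count is fixed by the PIM (disabling the PIM prompt, as above, means the default count applies). The following Python is an added example, not code from this post or from VeraCrypt itself. It implements the iteration-count rule from VeraCrypt's PIM documentation as I understand it (defaults of 200000 iterations for SHA-256 system encryption and 500000 otherwise; PIM x 2048 for SHA-256 system encryption, 15000 + PIM x 1000 elsewhere; treat these as assumptions to check against your installed version), derives a header key with those parameters, and times the derivation so you can see how the PIM scales it. The 64-byte salt is constructed with os.urandom in place of a real header, and the password is made up.

```python
import hashlib
import os
import time

# Added example, not VeraCrypt's own code: models how the PIM sets the PBKDF2
# iteration count and how long the header-key derivation takes as a result.
# Formulas and defaults follow VeraCrypt's PIM documentation as recalled here
# (assumed correct for recent releases; verify against your installed version).

SALT_LEN = 64        # VeraCrypt's salt is the first 64 bytes of the volume header
HEADER_KEY_LEN = 64  # enough for the two 256-bit keys XTS needs with a single cipher


def pkcs5_iterations(prf: str, pim: int, boot: bool) -> int:
    """PBKDF2 iteration count for a given PRF, PIM and volume type.

    pim == 0 means no PIM was entered (what you get with the PIM prompt
    disabled), so VeraCrypt's built-in default applies.  boot=True is
    system (pre-boot) encryption; boot=False is a container or data volume.
    """
    if pim < 0:
        raise ValueError("PIM must be non-negative")
    prf = prf.lower()
    if prf in ("sha512", "whirlpool"):
        # Documented as using the non-boot formula even for system volumes.
        return 500000 if pim == 0 else 15000 + pim * 1000
    if prf == "sha256":
        if pim == 0:
            return 200000 if boot else 500000
        return pim * 2048 if boot else 15000 + pim * 1000
    raise ValueError(f"unsupported PRF {prf!r}")


def derive_header_key(password: bytes, salt: bytes, prf: str, pim: int, boot: bool) -> bytes:
    """Header key as PBKDF2-HMAC-<prf>(password, salt, iterations).

    The bootloader then tries this key on the encrypted header; a wrong
    password is only noticed when the header fails to decrypt, so every
    attempt pays the full iteration cost.  (Whirlpool needs OpenSSL support
    in hashlib; SHA-256 and SHA-512 are always available.)
    """
    if len(salt) != SALT_LEN:
        raise ValueError(f"VeraCrypt salt must be {SALT_LEN} bytes")
    iters = pkcs5_iterations(prf, pim, boot)
    return hashlib.pbkdf2_hmac(prf.lower(), password, salt, iters, HEADER_KEY_LEN)


def time_derivation(password: bytes, salt: bytes, prf: str, pim: int, boot: bool) -> float:
    """Seconds one derivation takes on this machine (the legacy bootloader is far slower per iteration)."""
    start = time.perf_counter()
    derive_header_key(password, salt, prf, pim, boot)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)                 # constructed stand-in for a header salt
    password = b"correct horse battery staple"  # made-up password
    for label, pim in (("default (PIM prompt off)", 0), ("PIM 20", 20), ("PIM 98", 98)):
        iters = pkcs5_iterations("sha256", pim, boot=True)
        ms = time_derivation(password, salt, "sha256", pim, boot=True) * 1000
        print(f"{label:26s} iterations={iters:7d}  derivation={ms:6.1f} ms")
```

Run it and the three rows scale linearly with the iteration count: under a desktop OS each is a fraction of a second, but the legacy MBR bootloader performs the same computation in 16-bit real mode, so the same count takes many times longer there. If boot time matters, the documented trade is a small PIM with a long password (as I recall the documentation, VeraCrypt insists on at least 20 characters for system encryption when the PIM is below 98), not a weaker password.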
