Fundamental changes in PCs, including UEFI and Secure Boot, can interfere with classic security techniques such as whole-disk encryption.
But a simple, free, two-step process provides extremely reliable data and system-boot security for all Windows versions, on virtually all PC hardware.
The gold standard for local PC data and system security for years, whole-disk encryption offers two main benefits. First, it can provide robust, virtually uncrackable security for all the files on your hard drive. Without the correct password, anyone snooping through your files sees only gibberish.
Second, some whole-disk encryption tools can password-protect the entire system. Without the correct password, an unauthorized user can’t boot the PC from its hard disk.
There are, however, limitations and drawbacks to encrypting an entire hard drive.
Many Vista, Win7, and Win8 PCs sold within the past decade — and virtually all sold within the past few years — include some form of Unified Extensible Firmware Interface. UEFI is essentially an enhanced replacement of the venerable BIOS. (For more on this topic, see the Jan. 19, 2012, Top Story, “Say goodbye to BIOS — and hello to UEFI!”)
On newer systems, UEFI can provide boot-time security to prevent malware (rootkits, bootkits, and so forth) and other unauthorized software from meddling with the way a PC starts up. In fact, UEFI is the foundation for Win8′s Secure Boot feature, which is enabled by default when Win8 is installed on a UEFI-equipped PC.
Some whole-disk encryption tools require low-level access to the PC early in the boot process. These tools can fail on PCs that make use of UEFI’s advanced security features.
TrueCrypt, for example — which might well be the world’s most popular open-source, whole-disk encryption tool — currently doesn’t work on Win8 systems using Secure Boot. This situation will most likely change in the future; but today, some TrueCrypt users who upgraded from Win7 to Win8 have run into severe trouble, such as losing access to the entire contents of their hard drives.
Another popular encryption tool, DiskCryptor, doesn’t officially support Win8. But some users have made it work — in a limited fashion on individual partitions. They installed the application as a service on the desktop side of Win8. On the other hand, other DiskCryptor users have lost access to all their encrypted files.
Even if these tools are eventually patched to work with UEFI and Secure Boot, they’re still working at some level against UEFI’s low-level security features. Today’s systems simply aren’t meant to allow third-party tools to insert themselves deeply into the boot process.
Fortunately, you can choose better and safer ways to provide reliable data protection and boot security on just about any PC. The tools and methods are free, and they work without interfering with UEFI, Secure Boot, or any other existing security features or functions.
Safer alternatives to whole-disk encryption
No matter how old or new your PC is, and regardless of what Windows version you’re running, you can have extremely reliable data and boot security using two free alternatives to whole-disk encryption.
Data security: Although whole-disc encryption can be problematic, file-and-folder encryption is rock-solid. There are many tools available, but perhaps the most popular is the open-source 7-Zip (site) application. It’s free for personal and business use, and it can scramble any file, folder, or group of folders with essentially uncrackable 256-AES encryption (more info). Even if a hacker gains access to your hard drive, your encrypted files should remain completely safe, secure, and unreadable.
Note: Although this article focuses on encryption, 7-Zip also compresses files, so they occupy less disk space. The amount of compression varies with file type, but it’s not uncommon for file size to shrink by around 50 percent. Compression can be an important added benefit if you have a small, traditional hard drive or a solid-state drive (SSD). So 7-Zip can simultaneously encrypt your data and shrink the size of your folders and files.
Below, I’ll show you the basics of using 7-Zip to encrypt and compress files and folders you select. (Selective file/folder encryption and compression gives you more control than does whole-disk encryption. For example, there’s little reason to encrypt or compress music, video, and image files. More on that below.)
Boot security: Virtually every PC in use today lets you set one or more low-level, pre-boot passwords. One type of password protects the system as a whole; the password must be entered before the system will boot. Many PCs also offer a separate supervisor password to prevent unauthorized changes to the basic system settings. And some PCs let you set a password to protect the hard disk or SSD from unauthorized access.
The passwords can be used singly or in combination, depending on how much security you want or need. Later in this article, you’ll see how to access and set whatever passwords your system offers.
Combine data and boot security, and your data is protected from almost all malicious threats. A pre-boot password will keep hackers from accessing your system with separate bootable media. And if a hacker gets past that barrier, encryption will prevent access to sensitive files and folders. Whether you combine file/folder data security and boot security or use one of the two alone, you won’t run into problems with UEFI, Secure Boot, or any other of your PC’s security features.
Getting started with file and folder encryption
The first step in implementing file and folder encryption is to figure out what really needs to be encrypted.
There are many, many files on our hard drives that simply aren’t all that special, unique, or sensitive. They just don’t need to be encrypted!
For example, it’s sort of silly to encrypt your copy of Notepad, Paint, Calculator, Solitaire, or any of the other system files (.exe, .msc, .dll, and so forth) that came with your original Windows setup. Most of Windows’ core operating system files are similar from system to system, varying only by Windows version and local hardware. They typically don’t contain any sensitive information. So it’s wasted effort to encrypt them (as they would be with whole-disk encryption).
Most add-on software doesn’t need encryption, either. Your copy of Word, Excel, Skype, Photoshop, or whatever is, for the most part, like any other.
That also holds true for files you acquire through public sources. Your “Dead Skunk” MP3 and that downloaded “National Lampoon’s Vacation” video are likely identical to everyone else’s. What’s to be gained by encryption? Even your digital photographs probably don’t contain anything truly sensitive.
On the other hand, many of the files you create — within Word, Excel, or other applications — could contain sensitive information. Those are the files that need protection and should be encrypted!
In most cases, securing potentially sensitive information means selecting specific files and folders. For example, you probably don’t need to encrypt your Music folder, but you almost surely want to protect Documents and its subfolders — plus any other locations that might have information you want to keep private. Consider reorganizing your documents into sensitive and nonsensitive folders. You most likely don’t need to encrypt your collection of old family recipes.
Once you’ve decided what you need to encrypt, make a full system image or backup. Or at least make separate backup copies of the files you intend to encrypt. Although file-and-folder encryption tools are usually extremely reliable, accidents and user errors can happen. So it’s best to play it safe — make backups!
Next, download and install the file/folder encryption tool of your choice. A quick Web search will produce numerous options. I use 7-Zip for this article because — again — it’s reliable, well regarded, open-source, and free for both personal and business use.
Step by step: Encrypting data with 7-Zip
If you don’t have 7-Zip already installed, head over to 7-zip.org and download the version with the correct bittedness for your PC — the 64-bit 7-Zip for 64-bit systems, and the 32-bit 7-Zip for 32-bit systems.
- Select the files/folders you want to include, such as those in your Documents folder. Right-click on the group of selected files/folders; you’ll see 7-Zip on the context menu, as shown in Figure 1.
- Click 7-Zip in the menu, and then select Add to archive as shown in Figure 2.
- When the Add to Archive dialog box opens (see Figure 3), enter a secure — long, complex, and hard-to-guess — password where indicated.
The rest of the Add to Archive default choices are usually fine. 7-Zip will automatically generate an archive name based on the selected folder(s), a file’s name, or the selected files’ containing folder. The default archive format will be .7z, which typically offers 2–10 percent better compression than the classic .zip format. I recommend leaving the defaults alone — at least until you’re familiar with 7-Zip.
Click OK when you’re ready.
Note: I recommend using a good password manager to help generate and remember your passwords. For more information, see the Jan. 9 Best Software story, “Why and how to use an open-source password manager,” and “Stepping up to a standalone password manager” in the Oct. 17, 2013, Top Story, “Protect yourself from the next big data breach.”
- Enter your password and click OK; 7-Zip will then compress and encrypt the selected files. As a safety feature, 7-Zip creates archived copies of your files, leaving the originals intact. In Figure 4, the files are placed in an archive called Documents.7z.
Your archive is now complete!
Your next step is to test the archive to make sure that encryption and compression worked properly. If it did — and that’s almost always the case — you can then delete the original files, so that only the encrypted archive remains.
- To open an archive, simply double-click it (Documents.7z, in this example). When the password dialog box opens (Figure 5), enter the password you gave that particular archive. You might use different passwords for different archives. (Keep those passwords safe! Obviously, if you lose a password, you’ve effectively lost the encrypted files and/or folders.)
- With the proper password entered, 7-Zip File Manager opens and displays the contents of the archive (Figure 6). Click on any listed file or folder; it should open normally and work just like any nonencrypted file. When you save and close an archived file, it’s automatically compressed and encrypted with the archive’s original password.
- Check that the archived files are accessible and saved correctly, then delete the originals so that only the encrypted archive remains, as shown in Figure 7. (For complete security, be sure to empty the Windows trash.)
The 7-Zip File Manager is the key to easily using your archives. Leave it open as you typically might the standard Windows/File Explorer — then view, access, or edit any files in the archives just as you do nonarchived files. 7-Zip’s File Manager also lets you quickly add files to an archive.
That covers the bare-bones basics of using 7-Zip, but there’s a lot more to the software, including ways to extract files and folders from the archive and to add files and folders without using the 7-Zip File Manager. For complete information on using 7-Zip, check out its built-in Help file or see these online resources:
- 7-Zip support site
- Video tutorials at ShowMeDo
- Video tutorial at Top Windows Tutorials.com
- Tutorial by expert user Gürdal Ertek (autoloading video)
Enabling pre-boot security passwords
As mentioned above, using a pre-boot password can be an excellent security precaution. Most current PCs have some kind of BIOS/UEFI-password option built in. There can be multiple types of passwords, and they typically appear immediately after a system powers on and before the operating system loads.
The number and password options and their capabilities vary from vendor to vendor. In a moment, you’ll see how to determine what password options your PC offers.
Some passwords lock down the entire system; without the proper password, the system won’t boot at all — either from the internal hard drive or from any bootable media! Other passwords help to protect the hard drive from unauthorized access. And still other passwords let you set an administrator/supervisor password to prevent unauthorized changes to the BIOS/UEFI settings.
As Figure 8 shows, the BIOS/UEFI might offer more than one type of password.
Using one or more of these low-level passwords can help lock your system down tight, making it extremely secure against any unauthorized access.
Of course, make sure you remember the BIOS/UEFI passwords — or you might be unable to access your own hardware!
The various brands and models of PCs use different methods to access and change the BIOS/UEFI-password settings. The information below is a general guide, but for specific information for your brand and model of PC — or if the following instructions don’t work for you — visit your PC vendor’s online support site and search for BIOS/UEFI access. Use search terms such as access BIOS, access UEFI, enter BIOS, enter UEFI, edit BIOS, and/or edit UEFI.
► BIOS/UEFI access for Win8.1 PCs (Win8.0 is similar):
- Save any open files and exit all running programs.
- Open the Charms bar, click the gear icon (Settings), and then click Change PC settings at the bottom of the bar.
- On the PC settings page, select Update and recovery.
- Click Recovery and then, under Advanced startup, click Restart now. (Despite the terminology, your PC will not immediately restart! This is normal.)
- On the Choose an option screen, click Troubleshoot and then click Advanced options.
- If a UEFI Firmware Settings option appears, select it. (It might be called something slightly different, such as Change UEFI Settings.) If no such option exists, skip the rest of these steps.
- On the UEFI Firmware Settings screen, select Restart.
- Your PC will restart and run the built-in UEFI setup utility.
- Explore the UEFI setup utility’s tabs and dialog boxes to find the password settings. They’re often found on a tab labeled Security, or something similar. (See Figure 8, above.)
► BIOS access for non-UEFI PCs
You’ll find detailed information on accessing traditional BIOSes in the Jan. 9 Top Story, “The best of LangaList Plus from 2013.” Skip down to the subhead, “Using multiple layers of security — an update.” Then look for the subsection, “Protecting against local/physical threats.”
Bottom line: Easy data and system security for any PC, any Windows. In today’s era of UEFI PCs and Secure Boot, using low-level security tools such as whole-disk encryption is just asking for trouble. But you also don’t have to leave yourself vulnerable. Take some time to investigate your system’s boot-level password options. And if you don’t like 7-Zip, there are plenty of other file/folder-level encryption apps to choose from. They work on most versions of Windows and on any PC hardware.Better data and boot security for Windows PCs