
VeraCrypt system drive encryption

winhelp.us. Last updated: 2018-08-21

How to encrypt or decrypt system drives with VeraCrypt in Windows XP, Vista, 7, 8, 8.1 and 10

While encrypted volumes are meant for protecting individual sets of sensitive data, encrypting the whole hard disk is more useful in many cases. If you want to prevent unauthorized local (physical) access to the data on your computer, VeraCrypt system encryption is the tool for it. Once the whole system drive (the drive Windows is installed on) is encrypted, nobody can boot the computer from it or read any file on it without the correct passphrase and PIM. Keep in mind what this does and does not cover: it protects data at rest on a powered-off machine, not a system that is running or asleep with the drive already unlocked.

Reserve 2 to 20 hours for the one-time encryption, depending on drive size and speed (SSDs are far faster than traditional hard drives). You can pause and resume the process, but that does not make it finish sooner. No files or folders are deleted; everything is encrypted in place.

Possible limitations of encrypting a system drive with VeraCrypt

Do not use system encryption on a computer that already feels sluggish. On PCs up to about five years old there is no noticeable slowdown (any CPU with AES-NI does the AES work in hardware), but a machine that is already slow will become noticeably slower.

You cannot access the files on the encrypted drive if you boot from a CD, DVD or external drive (Windows installation/repair disc, Recovery Drive, Linux live media, etc.), because those environments do not have the VeraCrypt driver. Windows Advanced Boot Options still work after you enter your password in the VeraCrypt boot loader, but recovering files with other bootable media requires decrypting the drive first (either from Windows or with the decrypt option of the VeraCrypt Rescue Disk, described at the end of this page).

VeraCrypt system drive encryption has always supported 32-bit and 64-bit Windows on a drive that boots in legacy BIOS mode from MBR partitioning, and that is the configuration this walkthrough shows. Support for 64-bit Windows on UEFI boot with GPT partitioning was added in VeraCrypt 1.18 (August 2016), with limitations: there is no hidden operating system, the wizard encrypts the Windows system partition rather than the whole drive, and the Rescue Disk is produced as a ZIP archive to be unpacked onto a FAT-formatted USB stick instead of an ISO image. Releases older than 1.18 do not support UEFI/GPT systems at all, so check the release notes of the version you have installed before you start.
Windows XP cannot boot from UEFI, so on XP the legacy path that VeraCrypt supports always applies.
In Windows Vista and newer, open Start, type cmd, right-click (or tap and hold) the result and choose Run as administrator. In the black Command Prompt window, type bcdedit and press Enter once. Look at the Path line of the Windows Boot Manager entry: if it ends in .efi (for example \EFI\Microsoft\Boot\bootmgfw.efi), your device boots in UEFI mode; if it shows \bootmgr, it boots in legacy BIOS mode, which VeraCrypt has always supported.
To check whether Windows is 32- or 64-bit, press Windows Key+Pause to open System information and look at the System type line.
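The checks above can be done in one go. The PowerShell function below is an added example for this page (it is not VeraCrypt's own code and not from the original article); it reports the firmware boot mode, the partition style of the boot disk and the Windows bitness, and states which VeraCrypt path applies. The function name and the verdict wording are my own; the supported-combination rule assumes you are running VeraCrypt 1.18 or later. Run it from an elevated PowerShell prompt on Windows 7 or newer.

```powershell
# Added example (not part of the article or of VeraCrypt): collect the facts that decide
# whether VeraCrypt system encryption applies to this machine. Needs administrator rights
# on Windows 7, where the firmware type has to be read from bcdedit.
function Get-VeraCryptBootFacts {
    # Windows 8 and later expose the boot mode directly as "UEFI" or "Legacy".
    $firmware = $env:firmware_type
    if (-not $firmware) {
        # Windows 7 fallback: the Windows Boot Manager entry points at an .efi file on UEFI
        # systems and at \bootmgr on legacy BIOS systems (same check the article does by hand).
        $bcd = (& bcdedit /enum '{bootmgr}' 2>&1) -join "`n"
        if ($bcd -match '(?i)\.efi') { $firmware = 'UEFI' }
        elseif ($bcd -match '(?i)\\bootmgr') { $firmware = 'Legacy' }
        else { $firmware = 'Unknown (run as Administrator)' }
    }

    # Partition style: WMI reports partitions on GPT disks with a Type string starting "GPT".
    $bootPart = Get-WmiObject -Class Win32_DiskPartition |
        Where-Object { $_.BootPartition } | Select-Object -First 1
    $style = if ($bootPart.Type -like 'GPT*') { 'GPT' } elseif ($bootPart) { 'MBR' } else { 'Unknown' }

    $os = Get-WmiObject -Class Win32_OperatingSystem
    $bits = if ($os.OSArchitecture -like '64*') { 64 } else { 32 }

    # Supported combinations as of VeraCrypt 1.18 and later (assumption: a current release).
    $verdict = if ($firmware -eq 'Legacy' -and $style -eq 'MBR') {
        'Supported: legacy BIOS/MBR path described in this article'
    } elseif ($firmware -eq 'UEFI' -and $bits -eq 64) {
        'Supported since VeraCrypt 1.18: UEFI/GPT path, wizard screens differ from this article'
    } else {
        'Check the release notes of your VeraCrypt version before proceeding'
    }

    [PSCustomObject]@{
        FirmwareType   = $firmware
        PartitionStyle = $style
        WindowsBits    = $bits
        WindowsVersion = $os.Caption
        Verdict        = $verdict
    }
}

Get-VeraCryptBootFacts | Format-List
```

If the firmware type comes back as Unknown, the bcdedit call was refused; rerun the function in a prompt started with Run as administrator.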

Windows 8 and 8.1 cannot create Custom recovery images, because VeraCrypt locks the drive after system drive encryption is complete.

While VeraCrypt system drive encryption works fine in day-to-day Windows 10 use, major version (feature) upgrades, for example from build 10166 to 10240, can fail on an encrypted system drive. Decrypt the drive before such an upgrade and encrypt it again afterwards. Windows 10 Pro users will probably be better off with the built-in BitLocker drive encryption.

Be aware that if you copy or move a file or folder from an encrypted system drive to some other disk or drive, the copy is stored unencrypted on the destination (unless that disk is encrypted too). If you copy an unencrypted file to an encrypted system drive, it is stored encrypted there.

Encrypting Windows system drive with VeraCrypt

Make sure you have a recent and verified full backup of your computer first! You have been warned.

Open VeraCrypt from Start menu/Start screen or by right-clicking its icon in Taskbar Notification Area (aka System Tray) and clicking Show VeraCrypt.
VeraCrypt Notification area icon, right-click menu. Choose 'Show VeraCrypt'.

In the program window, open System menu and click Encrypt System Partition/Drive.
VeraCrypt main window, System menu. Click 'Encrypt System Partition/Drive' to protect your Windows drive from unauthorized access.

In the Type of System Encryption screen of VeraCrypt Volume Creation Wizard, leave Normal selected and click Next.
VeraCrypt Volume Creation Wizard, Type of System Encryption. Click Next.

In the Area to Encrypt screen, select Encrypt the whole drive and click Next.

Please note that this wizard looks different on a UEFI/GPT system: VeraCrypt 1.18 and later support 64-bit Windows there but encrypt the Windows system partition rather than the whole drive, and releases older than 1.18 do not support UEFI boot at all. If your device boots in UEFI mode and you cannot run a current VeraCrypt, stop now and use your favorite search engine to learn about BitLocker drive encryption instead.

VeraCrypt Volume Creation Wizard, Area to Encrypt. Select 'Encrypt the whole drive' and click Next.

Always select No in the Encryption of Host Protected Area window. There might be some required recovery tools or drivers in the area.
Click Next.
VeraCrypt Volume Creation Wizard, Encryption of Host Protected Area. Select 'No' and click Next.

Select the correct option in the Number of Operating Systems dialog.
If you have only one version of Windows installed on the disk you want to encrypt (and no additional operating systems), select Single-boot.
If you have several versions of Windows, or Windows and an alternate OS (Linux or Mac OS) installed on the drive, select Multi-boot.
Click Next.
VeraCrypt Volume Creation Wizard, Number of Operating Systems. Select 'Single-boot' if only one version of Windows is installed on the disk (true in most cases). If multiple OS-s are installed, select 'Multi-boot'. Click Next.

In the Encryption Options screen, leave the defaults (AES as the cipher and SHA-256 as the key-derivation hash) selected. AES is the fastest choice on any CPU with AES-NI, and both are strong; how well the drive resists password guessing depends on your passphrase and the PIM, not on the choice of algorithm.
VeraCrypt Volume Creation Wizard, Encryption Options. Default algorithms suite best. Click Next.

In the Password screen, create a strong password for the encrypted drive - and make the passphrase longer than usual (at least 20 characters). Just think of a sentence instead of a word or multiple words.

Please note that the VeraCrypt boot loader reads the keyboard as a U.S. layout - do not use special or international characters in the password if your device's layout differs, because those keys may produce a different character (or none at all) at boot time!

Keyfiles are not supported for encrypted system drives. What VeraCrypt added instead (in version 1.12) is the Use PIM option: the Personal Iterations Multiplier controls how many key-derivation iterations are performed when the password is verified, so a higher PIM makes every guess proportionally more expensive for an attacker, at the price of a longer wait at each boot. With the default PIM, password verification in the boot loader already takes about 10 to 20 seconds; that time is the 16-bit boot loader working on a single core, and an attacker with modern hardware runs the same derivation much faster, so the PIM multiplies the cost of guessing but does not rescue a short passphrase. Tick Use PIM so the next screen lets you review or change the value.
Click Next.
VeraCrypt Volume Creation Wizard, Password. Type a strong and unique password, tick the 'Use PIM' check box and click Next.

In the PIM screen, leave the Volume PIM empty to use the default (98 for SHA-256 system encryption, about 200,000 iterations), which gives the best mix of security and boot speed. "Boot speed" here means the wait after entering the volume password and PIM; it has nothing to do with Windows startup speed. For more details, read the explanation on screen.
VeraCrypt Volume Creation Wizard, PIM. Leave the 'Volume PIM' empty for the best mix of security and boot speed. Then click Next.

If you specified a password shorter than 20 characters, VeraCrypt warns you that such passwords are easy to crack by brute force. Click Yes only if you chose the shorter password deliberately and it is genuinely random; otherwise click No and lengthen it, because the PIM multiplies the cost of each guess but does not make a short passphrase safe.
VeraCrypt Volume Creation Wizard, WARNING: Short passwords are easy to crack using brute force techniques! Click No and choose a longer passphrase unless the short one is genuinely random.
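The three rules from the password and PIM screens (printable U.S.-layout characters only, 20 or more characters, and what the PIM actually buys you) can be checked before you type anything into the wizard. The function below is an added example for this page, not code from the article or from the VeraCrypt project. The function name, the cut-offs and the two sample passphrases are my own; the iteration formulas and default PIM values follow VeraCrypt's PIM documentation (system encryption with SHA-256: PIM x 2048, default PIM 98; with SHA-512 or Whirlpool: 15000 + PIM x 1000, default PIM 485; a PIM below the default is only allowed with a passphrase of 20 or more characters).

```powershell
# Added example (not part of the article or of VeraCrypt): sanity-check a candidate pre-boot
# passphrase and PIM. Works in Windows PowerShell 3 or later.
function Test-VeraCryptBootPassphrase {
    param(
        [Parameter(Mandatory)][string]$Passphrase,
        [int]$Pim = 0,                       # 0 = left empty in the wizard (default iterations)
        [ValidateSet('SHA-256','SHA-512','Whirlpool')][string]$Hash = 'SHA-256'
    )
    $problems = @()

    # Rule 1: only printable ASCII exists on the U.S. layout the boot loader assumes.
    $bad = [regex]::Matches($Passphrase, '[^\x20-\x7E]') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    if ($bad) { $problems += "Characters that may not be typeable at boot: $($bad -join ' ')" }

    # Rule 2: length. The wizard warns below 20 characters.
    if ($Passphrase.Length -lt 20) { $problems += "Only $($Passphrase.Length) characters; use 20 or more" }

    # Rule 3: PIM -> PBKDF2 iteration count, per VeraCrypt's documented formulas,
    # plus the floor VeraCrypt enforces for passphrases shorter than 20 characters.
    $defaultPim   = if ($Hash -eq 'SHA-256') { 98 } else { 485 }
    $effectivePim = if ($Pim -gt 0) { $Pim } else { $defaultPim }
    $iterations   = if ($Hash -eq 'SHA-256') { $effectivePim * 2048 } else { 15000 + $effectivePim * 1000 }
    if ($effectivePim -lt $defaultPim -and $Passphrase.Length -lt 20) {
        $problems += "A PIM below $defaultPim is only allowed with a passphrase of 20+ characters"
    }

    [PSCustomObject]@{
        Length       = $Passphrase.Length
        EffectivePim = $effectivePim
        Iterations   = $iterations
        Problems     = $problems
        Acceptable   = ($problems.Count -eq 0)
    }
}

# Constructed inputs: a passphrase typed on a German layout that will not work at boot
# (flags the non-ASCII characters), and a plain ASCII sentence with a custom PIM.
Test-VeraCryptBootPassphrase -Passphrase 'Straße über dem Fluß' -Pim 0
Test-VeraCryptBootPassphrase -Passphrase 'correct horse battery staple 2018' -Pim 120 -Hash 'SHA-256'
```

The Iterations figure is the work the boot loader (and an attacker) performs per guess; doubling the PIM doubles it and doubles the wait at boot, which is why a longer passphrase is the cheaper way to gain security.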

Move your mouse randomly inside the Collecting Random Data window until the Randomness Collected From Mouse Movements progress bar turns green. The movements seed VeraCrypt's random number generator, from which the master key is generated, so this step is about making the key unpredictable; it has no effect on how hard your password is to brute-force.
After this, click Next.
VeraCrypt Volume Creation Wizard, Collecting Random Data. Move mouse pointer inside the window until the progress bar turns green. Then click Next.

Click Next in the Keys Generated window.
VeraCrypt Volume Creation Wizard, Keys Generated. Click Next.

In the Rescue Disk dialog, click Browse first. Select the folder where to save the disc image (in ISO format) and specify a name for it.
The VeraCrypt Rescue Disk (aka VRD) becomes very helpful if some program or malware damages the boot loader or VeraCrypt's critical data on the disk, or if Windows is unable to boot despite troubleshooting and you need to rescue your files and folders from the drive. If possible, back up the .iso file to a cloud service or another disk so it is available if the CD turns out to be faulty. The Rescue Disk does not provide any access to the encrypted disk without the correct password and PIM: it carries a copy of the encrypted volume header, which is useless without the password but is exactly what an attacker needs for offline guessing, so store it with the same care as any other backup of the drive.

On devices that do not have a CD/DVD writer, back up the VRD image file to a cloud service or another disk, then tick the Skip Rescue Disk verification check box. You can verify the integrity of the ISO file later by opening VeraCrypt's System menu and choosing Verify Rescue Disk Image.
Next, create a bootable USB drive from the VeraCrypt Rescue Disk image file with the free tool Rufus. Do create the drive now, before the pretest - the Rescue Disk is what gets you back into Windows if the pretest goes wrong.

On devices with an optical drive, you can use either Windows 7/8/8.1/10 Disc Image Burner or some free CD-burning software such as CDBurnerXP to burn the .iso file created in the previous step to a blank CD-R/CD-RW. You do need to create the disc now, before using VeraCrypt pretest!
Click Next.
VeraCrypt Volume Creation Wizard, Rescue Disk. Browse to the folder where you want to store the Rescue Disk image. Then click Next.
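Backing up the image is only useful if the copy is intact when you need it. The functions below are an added example for this page (not code from the article or from VeraCrypt): they copy the .iso to a backup folder, compare SHA-256 digests of the original and the copy, write a sidecar digest file, and let you re-check the copy later. The function names and the paths in the usage lines are assumptions. This catches a corrupted or altered copy; whether the image still matches the drive's current volume header is what VeraCrypt's own Verify Rescue Disk Image checks, and the same routine applies to any new Rescue Disk you make after a password change.

```powershell
# Added example (not part of the article or of VeraCrypt): keep an off-machine copy of the
# Rescue Disk image together with its SHA-256 digest. Uses the .NET hash class so it also
# runs on PowerShell 3 (Windows 7), where Get-FileHash does not exist.
function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Dispose(); $sha.Dispose() }
}

function Backup-RescueDiskImage {
    param(
        [Parameter(Mandatory)][string]$IsoPath,       # the .iso the wizard wrote (assumed path)
        [Parameter(Mandatory)][string]$BackupFolder   # a synced cloud folder or external disk
    )
    if (-not (Test-Path -LiteralPath $BackupFolder)) {
        New-Item -ItemType Directory -Path $BackupFolder | Out-Null
    }
    $dest = Join-Path $BackupFolder (Split-Path -Leaf $IsoPath)
    Copy-Item -LiteralPath $IsoPath -Destination $dest -Force

    # Hash the source and the copy; refuse to report success if they differ.
    $srcHash = Get-Sha256Hex $IsoPath
    $dstHash = Get-Sha256Hex $dest
    if ($srcHash -ne $dstHash) { throw "Copy of $IsoPath is corrupt (SHA-256 mismatch)" }

    # Sidecar in the "<hex>  <filename>" format, so sha256sum on a Linux live system can check it too.
    "$srcHash  $(Split-Path -Leaf $dest)" | Set-Content -LiteralPath "$dest.sha256" -Encoding Ascii
    [PSCustomObject]@{ Backup = $dest; Sha256 = $srcHash; Created = Get-Date }
}

function Test-RescueDiskImage {
    param([Parameter(Mandatory)][string]$IsoPath)
    $expected = ((Get-Content -LiteralPath "$IsoPath.sha256" -First 1) -split '\s+')[0]
    $actual   = Get-Sha256Hex $IsoPath
    [PSCustomObject]@{ Image = $IsoPath; Matches = ($expected -eq $actual); Expected = $expected; Actual = $actual }
}

# Usage (paths are assumptions):
# Backup-RescueDiskImage -IsoPath 'C:\Users\Me\VeraCrypt Rescue Disk.iso' -BackupFolder 'D:\Backups\VeraCrypt'
# Test-RescueDiskImage   -IsoPath 'D:\Backups\VeraCrypt\VeraCrypt Rescue Disk.iso'
```

Keep the .sha256 file next to the image; if Matches comes back False, burn or write a fresh Rescue Disk from VeraCrypt's System menu rather than trusting the copy.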

In Windows 7, 8, 8.1 and 10, VeraCrypt offers to start Disc Image Burner automatically. Click OK.
VeraCrypt Volume Creation Wizard, Rescue Disk Recording on Windows 7 and later. Click OK to launch Windows Disc Image Burner.

In Windows Disc Image Burner, enable the Verify disc after burning option and click Burn to create the Rescue Disk.
Windows Disc Image Burner. Enable the 'Verify disc after burning' option and click Burn.

After you've created the disc, leave it in CD/DVD device and click Next back in VeraCrypt Volume Creation Wizard.
This should open the Rescue Disk Verified screen. Click Next again.
VeraCrypt Volume Creation Wizard, Rescue Disk Verified. Click Next.

In the Wipe Mode screen, leave the default value, None (fastest) selected and click Next.
Enable wiping only if the drive previously held extremely sensitive data that must be unrecoverable. Without a wipe, the ciphertext simply overwrites the old plaintext of each sector once, which on a magnetic hard disk may leave faint residual traces; a wipe overwrites each sector with random data first and multiplies the time the encryption takes. On SSDs, wear levelling makes overwriting unreliable, so the wipe mode offers little there.
VeraCrypt Volume Creation Wizard, Wipe Mode. Click Next.

After this, VeraCrypt needs to perform a test to verify that its new boot loader works correctly. Click Test in the System Encryption Pretest screen.
VeraCrypt Volume Creation Wizard, System Encryption Pretest. Click Test.

Read the useful information about using the Esc key for bypassing VeraCrypt boot loader, or using the VeraCrypt Rescue Disk in case the test goes very wrong.
Do you have a recent and valid backup of your system drive? If yes, then click OK.
VeraCrypt, using Rescue Disk. Read the info before clicking OK.

To start the System Encryption Pretest, your computer must be restarted. Click Yes.
VeraCrypt Volume Creation Wizard, Your computer must be restarted. Click Yes.

If everything works fine, VeraCrypt Boot Loader appears after your computer restarts. Type the password you specified and press Enter key. If you chose to use the default PIM, press Enter again; if not, type your custom PIM and press Enter.
Please note that verifying the VeraCrypt password and PIM takes 10 to 20 seconds and nothing appears on screen during that time. This is expected; do not turn off your device! The delay is the key-derivation work the PIM controls, the same work an attacker has to repeat for every guess.
Windows should start after about 20 seconds.
VeraCrypt Boot Loader, authentication screen. Type your password and PIM and press Enter.

In case you ignored the warning that the boot loader uses the U.S. keyboard layout, here is that layout, so you can find the right keys if your password turns out to be wrong.
Please note that pressing the F5 key reveals what you are typing - this can be helpful in verifying that all characters appear as expected.
Standard U.S. keyboard layout

If you cannot remember the password you specified, press Esc to boot Windows anyway - nothing is encrypted yet, and VeraCrypt will report the pretest as failed so you can start over with a new password.
If you do not see VeraCrypt Boot Loader and Windows will not start, boot your computer from VeraCrypt Rescue Disk and restore original boot loader. Verify that your computer is set to boot from USB or CD first.

After the pretest passes (Windows starts and you can log in), VeraCrypt Volume Creation Wizard appears automatically. Click Encrypt in the Pretest Completed window.
VeraCrypt Volume Creation Wizard, Pretest Completed. Click Encrypt.

Another set of useful instructions for VeraCrypt Rescue Disk appears. Read or print it and click OK.
VeraCrypt, How and when to use Rescue Disk. Read the info before clicking OK.

And the long encryption process begins. You can use the Pause/Resume and Defer buttons to stop the process temporarily, but you can actually use your computer while VeraCrypt encrypts the drive.
If you accidentally restart your computer, the process continues automatically.
After the system drive has been encrypted, click OK in the success dialog.
VeraCrypt Volume Creation Wizard, The system partition/drive has been successfully encrypted. Click OK.

Then click Finish in the Encryption screen.
VeraCrypt Volume Creation Wizard, Encryption. Click Finish.

From this point on, Windows starts only after the correct password and PIM are entered in the VeraCrypt Boot Loader screen. No plaintext is ever written to the system drive: VeraCrypt encrypts data in memory (RAM) and writes only ciphertext to disk, and decrypts on reads the same way, so the page file and hibernation file are covered as well. The master key has to stay in RAM while Windows is running or in standby (sleep), so this protection is for the powered-off machine; when you leave the computer where someone else can get at it, shut it down or hibernate rather than putting it to sleep.

Changing system drive encryption password and PIM in VeraCrypt

If you want to specify a different password and/or PIM for your encrypted system drive later, open VeraCrypt main window as usual. Then open the System menu and click or tap Change Password.
VeraCrypt main window, System menu. Click 'Change Password' to set a different password for encrypted system drive.

The Change Password or Keyfiles window opens. Type your present system encryption password and PIM in the Current section and set different ones in the New section.
Then click OK. As said before, system encryption does not support keyfiles.
VeraCrypt, Change Password or Keyfiles. Type your current password. Then specify and confirm a new passphrase. Click OK.

Again, move your mouse randomly inside the VeraCrypt - Random Pool Enrichment dialog until the progress bar turns green. Then click Continue.
VeraCrypt - Random Pool Enrichment. To complete password change, move your mouse randomly until the progress bar turns green. Then click Continue.

Click OK in the success dialog.
VeraCrypt, Password and/or keyfile(s) successfully changed. Click OK.

But the password change is not yet complete! The Rescue Disk you created earlier holds a copy of the volume header encrypted with the old password, so anyone with that disc (or the old .iso) plus the old password and PIM can still decrypt your system drive.
Click Yes to start creating a new Rescue Disk.
VeraCrypt, Do you want to create a new VeraCrypt Rescue Disk? Click Yes.

Click OK to store the new .iso file in the folder you want.
After saving the new disc image file, click OK and burn it to a blank CD using Windows Disc Image Burner or free CDBurnerXP; or create a bootable USB drive with free Rufus instead.

After the verification passes, click OK again.
If possible, back up the new .iso file to a cloud service to have it available if a CD or a USB stick appears faulty. The Rescue Disk does not provide any access to the encrypted disk without correct password and PIM.

Also, do not forget to destroy the old VeraCrypt Rescue Disk (or securely overwrite the USB stick), and delete every copy of the old .iso file, including the one in your cloud backup!

Decrypting a system drive with VeraCrypt

If you need to discard VeraCrypt full disk encryption for some reason (maybe you're selling your PC, or Windows 10 upgrade fails), open VeraCrypt from Start menu or Notification Area icon.
Open the System menu and click or touch Permanently Decrypt System Partition/Drive.
VeraCrypt main window, System menu. Click 'Permanently Decrypt System Partition/Drive' to remove protection from system drive.

VeraCrypt will confirm the action. Click Yes.
VeraCrypt, Are you sure you want to permanently decrypt the system partition/drive. Click Yes.

VeraCrypt will open the final warning that all your data will be unprotected. Click Yes.
VeraCrypt, Are you really sure you want to permanently decrypt the system partition/drive. Click Yes.

The decryption process starts - this is usually quite a bit faster than the encryption process. You can use your computer normally during this, or use the Pause/Resume button to free system resources temporarily. If you reboot your computer, the decryption process continues automatically after you log in the next time.
After the process is complete, click OK in the success notification.
VeraCrypt Volume Creation Wizard, The system partition/drive has been successfully decrypted. Click OK.

As usual, you must restart your computer to complete the decryption process. Click Yes in the prompt.
VeraCrypt Volume Creation Wizard, Your computer must be restarted. Click Yes.

Using VeraCrypt Rescue Disk for troubleshooting

If you run into trouble with encrypted system drives or partitions, VeraCrypt Rescue Disk (aka VRD) is your best friend.
First, make sure you set your computer to boot from USB or CD/DVD drive.
Second, a VeraCrypt Rescue Disk only works with the drive it was created for - it contains a copy of that drive's encrypted volume header and boot loader - so you cannot use a disc made on another computer, and you need a fresh one after every password or PIM change.

After your PC successfully boots from the USB or CD/DVD drive, VeraCrypt Rescue Disk menu appears instead of VeraCrypt Boot Loader.

First of all, you can boot your device from the VRD if VeraCrypt boot loader has been damaged. This helps you to test if Windows is able to start properly. For this, type in your password and PIM.

If you are using Rescue Disk due to failed System Encryption Pretest, you should press Esc key here to load Windows and let VeraCrypt restore the original bootloader. Do not fill in the password or PIM!

In case of major failure, do not type your password or PIM, but press the F8 key to access VeraCrypt's Repair Options.
VeraCrypt Rescue Disk. If System Encryption Pretest failed, press Esc key. If you see no boot loader or Windows is not able to start, press F8 key.

The Available Repair Options menu appears.
In case your computer does not start at all due to a failed hard drive firmware upgrade or some nasty malware (VeraCrypt Boot Loader does not appear anymore and you see a blank screen), press 2 to Restore VeraCrypt Boot Loader.
Press Y to execute the command.
After the process is complete, reboot your PC without VeraCrypt Rescue Disk and see if the correct Boot Loader appears.
If not, boot from the VRD again, press F8 and choose option 3 to Restore key data (volume header).
VeraCrypt Rescue Disk, Available Repair Options. To restore VeraCrypt Boot Loader, press 2. Then press Y key to modify drive. Reboot your computer and see if VeraCrypt Boot Loader appears.

If you see VeraCrypt Boot Loader, but Windows is not able to start despite extensive troubleshooting, the last resort is to decrypt the system drive.
Press 1 to Permanently decrypt system partition/drive and enter your encryption password and PIM.
VeraCrypt Rescue Disk, Available Repair Options. If Windows is unable to start and you need to recover files, press 1 to decrypt system partition or drive. Then enter encryption password and PIM.

VeraCrypt will warn you that the decryption process is much faster in Windows. Press Y to start decrypting the drive.
The process will probably take many hours. VeraCrypt displays the progress for better overview. Do not reboot or power off your computer without pressing Esc key first for safe interruption of the process, because you might lose all data on the drive!
After the "Drive decrypted" message appears, restart your computer without VeraCrypt Rescue Disk.
