Encrypting your documents protects them from prying eyes if your computer becomes lost or stolen. However, you shouldn’t stop at just encrypting your sensitive documents. A thief can recover passwords and other sensitive information stored by Windows. Even if you password-protect your Windows account, your system files can still be easily accessed, for example, from a Linux-based LiveCD.
To see just how easy it is to recover passwords from Windows, check out the free utilities from NirSoft. You’ll find utilities to recover passwords for email clients (Outlook, Thunderbird, etc), dialup connections (VPN and internet connections), network shares, and wireless network keys. They also offer tools to view passwords saved by AutoComplete in your Web browser and to reveal passwords saved behind asterisks.
When you encrypt your entire Windows drive, you must enter your password at boot before the drive is unlocked and Windows can load. Thus, the privacy of your entire system drive is ensured if your computer gets into someone else’s hands. No one will be able to access your personal documents, passwords, or system files unless they have your encryption password.
The problem with whole disk encryption of system drives is that most encryption utilities require you to format the drive and start from scratch. This is a major pain if you want to encrypt a used computer, and is even troublesome when setting up a new system. However, DiskCryptor is one encryption tool that enables you to encrypt your Windows drive with data in place. You can quickly and easily protect your entire system drive, keeping Windows and all your files.
In this tutorial, I’ll show you how to prepare for and encrypt a Windows Vista or Windows 7 computer with DiskCryptor. Encrypting most systems is painless, but you might experience issues with multi-boot systems loaded with GRUB or rEFIt. Just in case the encryption process prevents you from booting into Windows afterwards, I’ll include recovery steps.
Creating a bootable Windows Vista or Windows 7 disc with DiskCryptor
Before encrypting your Windows drive, you should create a bootable Windows disk loaded with DiskCryptor. This way, if Windows doesn’t boot up after encrypting the drive, or if booting becomes corrupted later in the future, you won’t lose everything. You’ll be able to boot to the disc, access the DiskCryptor utilities, and mount and/or decrypt the drive via the command line.
We’re going to discuss the process of integrating DiskCryptor onto the Windows Vista or Windows 7 installation DVD. If you’re working on a computer with Windows XP or earlier, you should refer to the instructions on the DiskCryptor site. Once completed, you’ll be able to insert your custom disc into the drive, restart the PC, and access DiskCryptor from the command prompt that is accessible from the “Repair your computer” menu.
You’ll need the original Windows Vista or Windows 7 install disc, a blank DVD, and a PC loaded with Windows Vista or Windows 7 and a DVD burner. You’ll also need to download and install Windows Automated Installation Kit (WAIK) for Windows 7, which also works with Windows Vista SP1 and later. Plus you need download and install DiskCryptor before continuing.
Once you have WAIK and DiskCryptor installed, follow these steps in Windows Vista or Windows 7 to create your custom install/rescue disc:
- Create a new directory: C:WinSetupDVD. Then copy all the files of the Windows Vista or 7 install DVD into this directory.
- Create another new directory: C:WinSetupDVD-Servicing.
- Open a Command Prompt: click Start, type cmd, and hit Enter.
- Mount the Windows boot image with the following command:
“C:Program FilesWindows AIKToolsx86ServicingDism.exe” /Mount-Wim /WimFile:C:WinSetupDVDsourcesboot.wim /index:2 /MountDir:C:WinSetupDVD-Servicing
- Move to the DiskCryptor directory with the following command:
cd C:Program Filesdcrypt
- Copy some DiskCryptor files into mounted image with the following two commands:
dcapi.dll, dccon.exe, dcrypt.exe → C:WinSetupDVD-ServicingProgram Filesdcrypt
dc_fsf.sys, dcrypt.sys → C:WinSetupDVD-ServicingWindowsSystem32drivers
- Leave the Command Prompt window open.
Next, we need to modify the registry of the Windows Vista or Windows 7 install DVD:
- Open the Registry Editor: click Start, type regedit, and hit Enter.
- Click on the HKEY_LOCAL_MACHINE hive.
- Click File > Load Hive, and then open the following file: C:WinSetupDVD-ServicingWindowsSystem32configSYSTEM.
- When prompted for the name, enter WinSetupDVD.
- Leave the Registry Editor open.
Now, you must create a registry file you’ll run to modify the registry. Bring up Notepad: click Start > All Programs > Accessories > Notepad. Copy and paste the following into Notepad and then save with the filename WinSetupDVD.reg:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINEWinSetupDVDControlSet001Servicesdcrypt]
“Type”=dword:00000001
“Start”=dword:00000000
“ErrorControl”=dword:00000003
“ImagePath”=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,63,00,72,00,79,00,70,00,74,
00,2e,00,73,00,79,00,73,00,00,00
“Group”=”Filter”
[HKEY_LOCAL_MACHINEWinSetupDVDControlSet001Servicesdcryptconfig]
“Flags”=dword:00000082
“Hotkeys”=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
“sysBuild”=dword:00000000
[HKEY_LOCAL_MACHINEWinSetupDVDControlSet001Servicesdc_fsf]
“Type”=dword:00000002
“Start”=dword:00000000
“ErrorControl”=dword:00000003
“ImagePath”=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,
72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,63,00,5f,00,66,00,73,00,66,
00,2e,00,73,00,79,00,73,00,00,00
“Group”=”Filter”
[HKEY_LOCAL_MACHINEWinSetupDVDControlSet001ControlClass{4D36E965-E325-11CE-BFC1-08002BE10318}]
“UpperFilters”=hex(7):64,00,63,00,72,00,79,00,70,00,74,00,00,00,00,00
[HKEY_LOCAL_MACHINEWinSetupDVDControlSet001ControlClass{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
“LowerFilters”=hex(7):64,00,63,00,72,00,79,00,70,00,74,00,00,00,66,00,76,00,65,
00,76,00,6f,00,6c,00,00,00,00,00
Now double-click the WinSetupDVD.reg file. On the prompt, click Yes to continue.
Go back to the Registry Editor, click on the WinSetupDVD entry, click File > Unload Hive…, and then close the Registry Editor.
Go back to the Command Prompt window and commit the changes and unmount the image:
C:Program FilesWindows AIKToolsx86ServicingDism.exe” /Unmount-Wim /MountDir:C:WinSetupDVD-Servicing /commit
Now you can create the new Windows Vista or 7 setup DVD image file:
“C:Program FilesWindows AIKToolsx86oscdimg.exe” -n -m -bC:WinSetupDVDbootetfsboot.com “C:WinSetupDVD” “C:WinSetupDVD-custom.iso”
Finally, burn the WinSetupDVD-custom.iso image file to a blank DVD and keep in a safe spot in case you run into problems after encrypting the drive.
Encrypting the system drive
Now that you have a rescue disc prepared, you can encrypt the system drive. Bring up the DiskCryptor application, select the system drive (usually C:), and click Encrypt.
Then follow the prompts to configure the settings. You’ll probably want to keep the default encryption and boot settings. When creating a password, you should make it as complex as possible. Make it long, mixed case, and mixed character. Depending upon the size of the drive, encrypting it can take an hour or more—don’t disturb the process.
Once encryption is completed, the status of the drive in DiskCryptor should say mounted.
When you restart the computer, you should be prompted to enter your encryption password and then Windows should boot up like normal.
Decrypting and recovering your system drive
If you find Windows won’t boot up after applying encryption, get out that custom Windows disc you created and follow these steps:
- Insert the disc and restart the computer. Your computer should boot up the custom Windows install DVD.
- On the first Windows install screen, choose your language, time, and keyboard settings, and then click Next.
- On the bottom of the window, click the Repair your computer link.
- Once it searches for and finds the Windows installation, you’ll see a recovery menu. Click to open the Command Prompt.
- Move to the DiskCryptor directory:
cd x:Program Filesdcrypt
- Mount the system drive:
dccon –mount C: -p yourencryptionpassword
- Decrypt the system drive:
dccon –decrypt C: -p yourencryptionpassword
- Wait for it to decrypt the drive, which takes about the same amount of time it took to encrypt it.
- Remove the bootloader:
dccon –boot –delmbr C:
- Reinstall MBR for Windows:
bootsect.exe /nt60 ALL /mbr
Now it should boot into Windows with no problem, however, the drive isn’t encrypted anymore.
Getting further help
If you run into issues, also check out the DiskCryptor FAQ and forum. If you’re having booting problems, you might want to reference the console commands. Once you have it working, consider setting the bootloader options.
Eric Geier founded NoWiresSecurity, which helps small businesses quickly and easily protect their Wi-Fi with enterprise-level security. He’s also a freelance tech writer and author of many networking and computing books, for brands like For Dummies and Cisco Press.
