VeraCrypt


System Encryption

VeraCrypt can encrypt a system partition or an entire system drive on the fly, i.e. a partition or drive where Windows is installed and from which it boots.
System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access to and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the VeraCrypt Rescue Disk (see below).
Note that VeraCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a VeraCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.
The mode of operation used for system encryption is XTS (see the section Modes of Operation). For further technical details of system encryption, see the section Encryption Scheme in the chapter Technical Details.
To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions in the wizard. To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.
Because of a BIOS requirement, the pre-boot password is typed using the US keyboard layout. During the system encryption process, VeraCrypt automatically and transparently switches the keyboard to the US layout to ensure that the password value typed matches the one typed in pre-boot mode. Thus, to avoid wrong-password errors, you must type the password using the same keys as when creating the system encryption.
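The following added example (not part of the VeraCrypt documentation or source code) shows what the US-layout rule means for a user with German QWERTZ keycaps: it computes the password value the US layout yields when the keys labelled with the intended characters are pressed. The mapping table is a constructed, partial assumption covering common keys only, and the function names and sample passwords are hypothetical.

```python
import string

# Constructed, partial table (not VeraCrypt data): character printed on a German
# QWERTZ key -> character the US layout produces for the same key press.
DE_LABEL_TO_US_CHAR = {
    "z": "y", "y": "z", "Z": "Y", "Y": "Z",   # Y and Z are swapped
    "ß": "-", "?": "_",                        # key to the right of 0
    "-": "/", "_": "?",                        # key to the left of right Shift
    "ü": "[", "ö": ";", "ä": "'",              # umlaut keys
    '"': "@", "§": "#", "&": "^", "/": "&",    # Shift+2, 3, 6, 7
    "(": "*", ")": "(", "=": ")",              # Shift+8, 9, 0
}
# Characters that sit on the same key and shift state in both layouts.
SAME_KEY = set(string.ascii_letters + string.digits + "!$%,. ") - set("yzYZ")
UNKNOWN = "\ufffd"  # placeholder for characters the table cannot place


def us_layout_value(password):
    """Return (value, unmapped): the string the US layout yields for the same
    key presses, and the characters this partial table cannot translate."""
    value, unmapped = [], []
    for ch in password:
        if ch in DE_LABEL_TO_US_CHAR:
            value.append(DE_LABEL_TO_US_CHAR[ch])
        elif ch in SAME_KEY:
            value.append(ch)
        else:  # e.g. AltGr characters such as the euro sign
            value.append(UNKNOWN)
            unmapped.append(ch)
    return "".join(value), unmapped


def layout_sensitive(password):
    """Characters whose key gives a different or unknown result under US layout."""
    value, _ = us_layout_value(password)
    return [a for a, b in zip(password, value) if a != b]


if __name__ == "__main__":
    for sample in ("Zebra-2024?", "Straße(7)", "Preis€99"):  # constructed samples
        value, unmapped = us_layout_value(sample)
        print(f"{sample!r} -> {value!r} "
              f"sensitive={layout_sensitive(sample)} unmapped={unmapped}")
```

A password for which `layout_sensitive` returns an empty list is typed identically on both layouts; any other password must be entered by key position, not by the character printed on the keycap.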

Note: By default, Windows 7 and later boot from a special small partition. The partition contains files that are required to boot the system. Windows allows only applications that have administrator privileges to write to the partition (when the system is running). VeraCrypt encrypts the partition only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the partition where Windows is installed).

 

/*
 Derived from source code of TrueCrypt 7.1a, which is
 Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed
 by the TrueCrypt License 3.0.

 Modifications and additions to the original source code (contained in this file)
 and all other portions of this file are Copyright (c) 2013-2016 IDRIX
 and are governed by the Apache License 2.0 the full text of which is
 contained in the file License.txt included in VeraCrypt binary and source
 code distribution packages.
*/

#include "System.h"
#include "Main/GraphicUserInterface.h"
#include "Main/Resources.h"
#include "DeviceSelectionDialog.h"

namespace VeraCrypt
{
	DeviceSelectionDialog::DeviceSelectionDialog (wxWindow* parent)
		: DeviceSelectionDialogBase (parent)
	{
		wxBusyCursor busy;

		list <int> colPermilles;

		DeviceListCtrl->InsertColumn (ColumnDevice, LangString["DEVICE"], wxLIST_FORMAT_LEFT, 1);
		colPermilles.push_back (447);
#ifdef TC_WINDOWS
		DeviceListCtrl->InsertColumn (ColumnDrive, LangString["DRIVE"], wxLIST_FORMAT_LEFT, 1);
		colPermilles.push_back (91);
#endif
		DeviceListCtrl->InsertColumn (ColumnSize, LangString["SIZE"], wxLIST_FORMAT_RIGHT, 1);
		colPermilles.push_back (153);
#ifdef TC_WINDOWS
		DeviceListCtrl->InsertColumn (ColumnName, LangString["LABEL"], wxLIST_FORMAT_LEFT, 1);
		colPermilles.push_back (307);
#else
		DeviceListCtrl->InsertColumn (ColumnMountPoint, LangString["MOUNT_POINT"], wxLIST_FORMAT_LEFT, 1);
		colPermilles.push_back (396);
#endif

		wxImageList *imageList = new wxImageList (16, 12, true);
		imageList->Add (Resources::GetDriveIconBitmap(), Resources::GetDriveIconMaskBitmap());
		DeviceListCtrl->AssignImageList (imageList, wxIMAGE_LIST_SMALL);

		DeviceList = Core->GetHostDevices();

		foreach_ref (HostDevice &device, DeviceList)
		{
			if (device.Size == 0)
				continue;

			vector <wstring> fields (DeviceListCtrl->GetColumnCount());

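			// Separate this drive from the previous one with an empty row; the row is added
			// without a HostDevice pointer, so selecting it leaves the OK button disabled.
			if (DeviceListCtrl->GetItemCount() > 0)
				Gui->AppendToListCtrl (DeviceListCtrl, fields);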

#ifdef TC_WINDOWS
			fields[ColumnDevice] = StringFormatter (L"{0} {1}:", _("Harddisk"), device.SystemNumber);
			fields[ColumnDrive] = device.MountPoint;
			fields[ColumnName] = device.Name;
#else
			fields[ColumnDevice] = wstring (device.Path) + L":";
			fields[ColumnMountPoint] = device.MountPoint;
#endif
			fields[ColumnSize] = Gui->SizeToString (device.Size);
			Gui->AppendToListCtrl (DeviceListCtrl, fields, 0, &device);

			foreach_ref (HostDevice &partition, device.Partitions)
			{
				fields[ColumnDevice] =
#ifndef TC_WINDOWS
					wstring (L"      ") +
#endif
					wstring (partition.Path);

#ifdef TC_WINDOWS
				fields[ColumnDrive] = partition.MountPoint;
				fields[ColumnName] = partition.Name;
#else
				fields[ColumnMountPoint] = partition.MountPoint;
#endif
				fields[ColumnSize] = Gui->SizeToString (partition.Size);
				Gui->AppendToListCtrl (DeviceListCtrl, fields, -1, &partition);
			}
		}

		Gui->SetListCtrlWidth (DeviceListCtrl, 73);
		Gui->SetListCtrlHeight (DeviceListCtrl, 16);
		Gui->SetListCtrlColumnWidths (DeviceListCtrl, colPermilles);

		Fit();
		Layout();
		Center();

		StdButtonsOK->Disable();
		StdButtonsOK->SetDefault();
	}

	void DeviceSelectionDialog::OnListItemActivated (wxListEvent& event)
	{
		if (StdButtonsOK->IsEnabled())
			EndModal (wxID_OK);
	}

	void DeviceSelectionDialog::OnListItemDeselected (wxListEvent& event)
	{
		if (DeviceListCtrl->GetSelectedItemCount() == 0)
			StdButtonsOK->Disable();
	}

	void DeviceSelectionDialog::OnListItemSelected (wxListEvent& event)
	{
		// Item data is the HostDevice pointer passed to AppendToListCtrl in the constructor.
		HostDevice *device = (HostDevice *) (event.GetItem().GetData());
		if (device)
		{
			SelectedDevice = *device;
			StdButtonsOK->Enable();
		}
		else
			StdButtonsOK->Disable();
	}
}