Windows 10: Help required in selecting the right encryption option for C drive

I'm running Windows 10 Pro x64 desktop PC with a Samsung Pro 850 256 as my main C drive. Other specs are 3770k and 16GB of DDR3. I also have a TPM chip installed on my mainboard. I've already encrypted all my secondary HDD's with BitLocker, but I'm still undecided which option I should take with C drive encryption? I was strongly leaning toward regular BitLocker with TPM enabled, but then I read about TrueCrypt, which apparently goes recommended by many. But by looking from Samsung Magician my SSD seems to support three types of hardware data security modes: Class 0, TCG Opal and generally named option "Encrypted Drive", which says its based on BitLocker. I like the idea of hardware encryption without any kind of performance hit, as well as best possible protection for my data in case my system gets lost to wrong hands.

I'd love to hear an opinion of an expert which way I should go? If one of those SSD hardware encryptions is a good choice, how do I enable it?

:)

 

Windows 10 Bitlocker will not enable on system drive (But will on other drives)

I just upgraded an older laptop to windows 10.

This laptop was a top of the line Toshiba that came with windows Vista and I have since upgraded it to windows 7 pro and now to Windows 10.

It runs quite well under windows 10, BTW (this machine is a beast with 2 physical HD)

However it does not have a TPM chip in it and I followed the procedure to go to gpedit.msc and allow bitlocker to run without the chip.

I successfully encrypted the 2nd drive with bitlocker!

However I am unable to encrypt the system drive (c-drive)

I get the same message that I need to select the option "require additional authentication at startup" policy

That setting is configured, and that is what allowed me to encrypt the D-Drive

So to my question.

Is there a way to encrypt my boot drive (C-drive).

Or is this just a case of "it should work but doesn't"?

Thanks for any help.

 

Drive not visible

I was on Windows 10 and I encrypted one of drive by bitlocker encryption, then for some project work I replaced Windows by Kali Linux, in that I wasn't able to access that encrypted drive even that was not visible in that os, that drive containing
important data then again I installed Windows to decrypt that drive, but now am facing that previously I had 4 drives C,D,E,F and now am unable to access any of drive instead C, even these drives are not visible to meEven i try to change the drive letters
in disk management but that also not providing the option to change, and showing the drives fully free

But when i boot it again to kali live, it shows all the data in drives instead encrypted drive that is not visible in that.

A geeky solution required for this unique problem...!!

 

I'd use bitlocker and set it up using the hardware encryption as you are offloading the encryption from the CPU to the SSD. You can only do this on a clean install though How to Enable BitLocker Hardware Encryption with SSDs Helge Klein

Make sure you follow the bit about RST drivers (see here Bitlocker turned itself off, Samsung Magician Says Encryption enabled - Windows 10 Forums )

Failing that (if you don't want to do a clean install and are willing to take the small performance hit) software based bitlocker would be preferable to TrueCrpyt as it isn't developed any more. Even TrueCrypt advise migrating to bitlocker TrueCrypt

There is an active branch of TrueCrypt called VeraCrypt. but as it doesn't support TPM I'd stick with bitlocker personally.

I use software based bitlocker (as my SSD doesn't support hardware based) and without TPM (as I don't have one) and I don't notice the performance overhead. MS says it "imposes a single-digit percentage performance overhead" whatever that means. Source

 

@lx07 Many thanks! What do you think should I use BitLocker with or without the TPM chip for C drive?*


*Gigabyte GA-Z77X-D3H (rev. 1.1) motherboard with Gigabyte GC-TPM rev. 1.0 TPM module

 

With TPM. I can't think of a reason not to use it and it is what MS recommend. I just don't as I don't have one.

I'm not sure but I think TPM 1.2 is required. Would have to hunt for some documentation on that though.

Edit: Yes, 1,2 is required - TPM recommendations (Windows 10)

You can check your TPM version by running tpm.msc and it will tell you if your chip is compatible.

 

I believe the chip should be TPM rev. 1.2. I think that rev. 1.0 is a Gigabyte internal revision for the chip.
*edit: Yep, Device Manager says it's a 1.2 chip. I actually have two chips. The first one (apparently TPM2.0) chip didn't work with my mobo (on the left) and Gigabyte send me a new compatible one (see here).

There's no way around that clean install? A possibility that comes to my mind is cloning the unencrypted drive to a file and then enabling the encryption and secure erasing the drive. After that you'd tag the USB mounted drive with the clone on a second system. Not possible?

 

I really don't know, sorry. It sounds as it would work but one of the comments in that guide above says this:

Don't know if replacing step 5 with "restore image" would work or not. You could try it - it wouldn't take long. If it didn't work you could perhaps clean install, then restore your image then activate bitlocker.