CIO

You can encrypt your hard drive, but the protection may not be worth the hassle

Encryption could impact other computer activities, and it could also make file recovery harder. Here's how to encrypt without regrets.

Phil has "a client who needs to encrypt her hard drive," and asked me for some advice.

A single encrypted folder is good enough for most people, but a completely encrypted drive provides the strongest protection. With folder-level encryption, Windows can leave unencrypted bits of those files in places like the swap file. A thief or fence wouldn't take the time to find them, but a sufficiently skilled, motivated, and well-funded hacker might.

[Have a tech question? Ask PCWorld Contributing Editor Lincoln Spector. Send your query to answer@pcworld.com.]

But that level of security comes at a cost. Encrypting the entire drive can brick your PC. Make an image backup first, and make sure you have emergency repair drives for both the encryption software and your image backup program.

That's not all. Should your computer or hard drive crash, your chances of successfully recovering lost files drop considerably. Even a Windows reinstall can leave your files inaccessible if you didn't take proper precautions.

If the PC is using Windows 7 Ultimate or Enterprise, or Windows 8 Pro or Enterprise, you can use BitLocker, which comes with these versions of Windows. But you have to know what you're doing.

BitLocker works best in an environment where a professional IT department serves users who may not know what the word encrypt means. You can set it up so that the user doesn't even know that the drive is encrypted. When they log into Windows with their password, they get access to the encrypted files. If they log into another account, or boot with another OS, the files are unreadable.

What's more, if you need to reinstall Windows, or restore the files from a backup, you'll need a special digital key that's created when you encrypt the drive. That key has to be stored elsewhere and someone has to know where to find it. That's where IT comes in.

Third-party encryption programs are more straightforward. When you boot the PC, you have to enter the encryption password before Windows can load. Because the password is used on a daily basis, it's unlikely to get lost.

The free and open-source VeraCrypt does a good job. The wizard to set up drive encryption is long, but reasonably intuitive.

But VeraCrypt has its limitations. For instance, it won't work on PCs using the newer GUID partition table.

Your choices, unfortunately, are limited.
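
Before committing to either route, it helps to check the two things the article warns about: whether the disk uses a GUID partition table, and whether a BitLocker volume has a recovery key that can be matched against a copy stored elsewhere. The script below is an added example, not part of the original article; the function name `Test-EncryptionReadiness` is hypothetical, and it assumes an elevated PowerShell session on Windows 8 or later, since `Get-Disk` and `Get-BitLockerVolume` are not available on Windows 7.

```powershell
# Added example: pre-encryption readiness check (not from the original article).
# Assumes Windows 8 or later and an elevated PowerShell session.
function Test-EncryptionReadiness {
    param([string]$MountPoint = $env:SystemDrive)    # for example "C:"

    # Find the physical disk that holds the volume and read its partition style.
    $letter = $MountPoint.TrimEnd(':', '\')
    $disk   = Get-Partition -DriveLetter $letter | Get-Disk

    $result = [ordered]@{
        MountPoint          = $MountPoint
        PartitionStyle      = $disk.PartitionStyle    # MBR, GPT or RAW
        BitLockerAvailable  = $false
        VolumeStatus        = $null
        ProtectionStatus    = $null
        RecoveryPasswordIds = @()
        Warnings            = @()
    }

    if ($disk.PartitionStyle -eq 'GPT') {
        $result.Warnings += 'Disk uses a GUID partition table, which the article lists as a VeraCrypt limitation.'
    }

    # The BitLocker cmdlets exist only where the BitLocker feature is present.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $result.BitLockerAvailable = $true
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $result.VolumeStatus     = $vol.VolumeStatus
        $result.ProtectionStatus = $vol.ProtectionStatus

        # Report protector IDs only; the recovery password itself is never printed.
        $result.RecoveryPasswordIds = @(
            $vol.KeyProtector |
                Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                ForEach-Object { $_.KeyProtectorId }
        )

        if ($vol.VolumeStatus -ne 'FullyDecrypted' -and $result.RecoveryPasswordIds.Count -eq 0) {
            $result.Warnings += 'Volume is encrypted or encrypting, but no recovery password protector exists.'
        }
    }

    [pscustomobject]$result
}

Test-EncryptionReadiness | Format-List
```

Compare each ID under `RecoveryPasswordIds` with the ID on the recovery key copy kept off the machine; a mismatch means the stored copy will not unlock this volume.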