How do i secure my external Hard Drive?

[IR76]

I'm going to make a copy of years of family photos (I'm pretty sure there is no sensitive info but just in case) onto an external hard drive and give to to a trusted family member to store but I want to ensure its locked/encrypted whatever the official terms are but my question is what is the best way to do it and if its not just on my windows pc features then where? Thank you very much. 

[Eigenvektor]

Depends on which Windows variant you have. On the pro variants Bitlocker would be an option. Just be aware that using TPM to store the encryption key will bind that drive to your current motherboard. If that is toast, for whatever reason, you won't be able to access the data unless you have your recovery keys (and have backups of those, just in case).

 

If you don't have pro, there are free alternatives: https://technologyadvice.com/blog/information-technology/truecrypt-alternatives/

 

I assume the USB disk is intended as a backup and you have at least one other copy of the data somewhere else?

[da na]

If you have Windows 7 Enterprise or Windows 10/11 Pro/Workstation/LTSC, you can use the built-in Bitlocker feature to encrypt the drive.

The encryption key is stored in the TPM of the computer upon which the drive is encrypted, so if you wanted to use it on another computer you'd have to type quite a long recovery key.

[OhioYJ]

Vearcrypt

 

That's easiest, and best way honestly. I would recommend making two partitions. Make one that the is entirely encrypted. Then one that is not encrypted. This unencrypted on you can store things on, like veracrypt for example, and other useful utilities.

 

Veracrypt will work in Windows, Linux, and Mac, so from any OS. Also note, that Veracrypt has a portable version that does not need to be installed.

 

Other things parts of Veracrypt you may want to look into (hidden volumes, definitely):

 

Hidden Volume

 

This one you can read up on, but I wouldn't recommend, as if you lose your keyfile, you are screwed. You will not get your data back.

 

Keyfiles

[OhioYJ]

I'll point out that, Truecrypt (no longer an active project) and Veracrypt (the successor to Truecrypt) have both had security audits completed on them. These are available for review.

[IR76]

14 minutes ago, Eigenvektor said:

Depends on which Windows variant you have. On the pro variants Bitlocker would be an option. Just be aware that using TPM to store the encryption key will bind that drive to your current motherboard. If that is toast, for whatever reason, you won't be able to access the data unless you have your recovery keys (and have backups of those, just in case).

 

If you don't have pro, there are free alternatives: https://technologyadvice.com/blog/information-technology/truecrypt-alternatives/

 

I assume the USB disk is intended as a backup and you have at least one other copy of the data somewhere else?

Seems a pretty big flaw in bitlocker so ill probably look at the others mentioned. Yes ive got copies. 

[Eigenvektor]

27 minutes ago, IR76 said:

Seems a pretty big flaw in bitlocker so ill probably look at the others mentioned. Yes ive got copies. 

It's not so much a flaw as it is a security improvement. Storing the encryption key in the TPM chip effectively makes it unrecoverable by anyone. But yes, it has its drawbacks, increasing security almost always has.

 

No matter what tool you use to encrypt your drive, backing up your encryption key is a must. Having a backup copy of your data is a must. If you lose the key, the data gets corrupted or the drive dies, your data is most likely unrecoverable.

[johnt]

36 minutes ago, IR76 said:

Seems a pretty big flaw in bitlocker so ill probably look at the others mentioned. Yes ive got copies. 

It’s not a flaw at all. You need to keep your key or else it’s toast. It’s only tied to your MB to make life easier for you. But once you connect the drive to another PC and enter the code, it works just the same. You don’t lose anything if you have the key. 

[kokosnh]

6 hours ago, da na said:

The encryption key is stored in the TPM of the computer upon which the drive is encrypted, so if you wanted to use it on another computer you'd have to type quite a long recovery key.

what do you mean? 
It's external HDD, not OS drive, so you encrypt it in bitlocker by password, and it just works on any modern windows without installing anything (you only need the pro windows version for encryption, reading, anbd writing files can be done on any version of windows, even home)