Well, this is intentional. We only recommend using Bitlocker on the OS drive, and we recommend Veracrypt for other drives, including external drives or your D: drive.
Maybe this is not clear and we could add a note about this to the site.
I would appreciate it if you also added an explanation why you wouldnât just encrypt everything with Bitlocker in the guide.
And IMHO yes, itâs totally unclear that I should encrypt the OS with Bitlocker and the drives with Veracrypt.
1 Like
I think the guide is already very clear in this point.
10 Oct 2023, 02:14 by discourse_at_privacyguides.org_huztsb32@duck.com:
I think additional context makes it clearer still:
For encrypting the drive your operating system boots from, we generally recommend enabling the encryption software that comes with your operating system rather than using a third-party tool. This is because your operating systemâs native encryption tools often make use of OS and hardware-specific features like the secure cryptoprocessor in your device to protect your computer against more advanced physical attacks. For secondary drives and external drives which you donât boot from, we still recommend using open-source tools like VeraCrypt over the tools below, because they offer additional flexibility and let you avoid vendor lock-in.
Also added this line to the Bitlocker on Home edition guide:
You may need to disable the non-Bitlocker âDevice encryptionâ functionality (which is inferior because it sends your recovery key to Microsoftâs servers) if it is enabled on your device already before following this guide.
I just want to add that encrypting each drive with a software means typing in the password twice each time the user turns on the computer.
It might not be that of an annoyance, but you might want to add this to the text you wrote (and add that if the reader doesnât want that, he can still use the same guide for drive D or other drives). I consider myself a privacy enthusiast and would still rather use Bitlocker, just because I donât want to type my password that often (I suppose even after sleep, the user would have to type it 2 times).
Thanks for your work Jonah!
2 Likes
quick update:
I encrypted my D drive with bitlocker (HDD, seperated from the SSD with drive C) using the same method and it worked.
The only problem was that I couldnât enable TPM for it. TPM can only be activated to the drive from which the OS boots (C Drive). So I had to delete the -TPM flag from the commands