Hello all. I would like to use DiskCryptor to encrypt my Windows 7 hard drive. However, I'm wondering if I can use it in a way where my decryption key is located/stored on a USB thumb drive so that when the PC is booting up, the USB drive has to be inserted to unlock the hard disk? I do not necessarily want the bootloader located on the USB thumb drive, just the decryption key. If that's possible, how do I set it up? Thanks for the assistance.
You can use a keyfile instead of or in addition to a password. You could put the keyfile on a flash drive. You can locate bootloaders on both the thumb drive and local hard drive. Set the computer to boot from the thumb drive by default so it'll boot the encrypted system if the drive is present, and otherwise it could boot another (maybe decoy) system from the local hard drive. I did something like this; see here. However, whatever you do, I'd test it out first on a virtual machine. It's been a while since I used that system, so I don't remember the exact steps anymore.
I would not leave this key on just one thumb drive. In my experience they can just 'go' for no apparent reason, leaving you without data. So if you choose to do this, have a readily available backup of your key to suit all circumstances that you might find yourself in. Have a second thumb drive with it on. As with everything else, backup, backup, backup. Even with CD/DVD, if it's important, I always make more than one.
OK, I tried installing the bootloader and the key file on a USB thumb drive, and I encrypted my hard drive using that configuration. However, when I restart my PC now with the USB thumb drive plugged in, I get the error message "bootmgr is missing" and I cannot boot into Windows. I did all that on my old PC, so no important data has been lost. Why am I getting that error message? I did change the boot order in BIOS and I put the USB drive #1, followed by CD/DVD, and then hard drive.
Depending on your setup, you may need to copy bootmgr and the boot directory to your encrypted partition (from the boot partition). For example, to C: if that's your encrypted system drive and the DiskCryptor flash drive tries to boot that partition as opposed to the 100 MB boot partition. Later you can use the 100 MB boot partition to boot some other decoy system. This of course assumes you have the typical Windows 7 setup with a 100 MB hidden boot partition with boot files on it and then C: for the system drive and maybe another data partition that you can also encrypt.
OK, thanks, I will do some further testing, using different configurations. Just one quick question: do I need to keep the keyfile itself on the USB thumb drive once I've created and configured the bootloader on that thumb drive? Or can I delete it afterwards?
The keyfile can be anywhere where it can be read during the boot sequence, and of course you should have a backup of it some place. But it's convenient to keep it on the flash drive used for booting, so that the owner of the flash drive can boot an encrypted system automatically without needing a password (or maybe just using a short password that's quick to type in addition to the keyfile).