- This article supersedes my other TrueCrypt-centric “Syncing a cloud drive to an encrypted virtual drive” article on this site.
- BitLocker is only available for Windows 8.x Pro and Windows 8.x Enterprise, not for regular Windows 8.x
- For other options for TrueCrypt, see this article: “5 Best TrueCrypt Alternatives to Safeguard Your Data”
As you might know, on May 28, 2014, the open source TrueCrypt project was abandoned. So, it is recommended that people find some other solution for drive encryption. For me, this meant transitioning my approach for securing my cloud drive storage to a new technology.
Imagine your laptop is stolen.
That’s bad! But what’s worse is that you have OneDrive, Google Drive, DropBox, Copy, etc – all syncing ALL of your files to C:\Users\Person\Documents for example. “But you’d have to know my Windows password!”, you exclaim. No, I can pull the hard drive from your laptop, hook it up to a second system and now I can see ALL of your files from ALL of those synced cloud drive locations.
Yikes. That is really, really bad!
What if you had a virtual hard drive which was only mounted while you were logged in, AND you needed a password to unlock it. Now imagine, if THAT is where all of your cloud drives sync their data!
Now, if I pull your actual hard drive, I might run across your encrypted, virtual “drive” on your C: drive somewhere, but if I tried to mount it, I’d need to have the password. This is much better. Not only is your data not immediately available to the thief, even if they do find your virtual hard drive file, they would need to break into it – which is difficult/almost-impossible.
How to do it:
I previously wrote about how to do this with TrueCrypt. However, with that product going away, here is how you can achieve nearly the same thing using BitLocker, which is a built-in feature in Windows (Pro and Enterprise editions).
STEP 1: Create a Virtual Hard Drive (VHD)
A VHD is a file that you store on your hard drive, with a .vhd or .vhdx file extension, which can be mounted to a drive letter. For example, you can create C:\Data\Test.vhd and mount that to your G: drive. When you read and write data to this virtual G: drive, it’s actually reading/writing data to the C:\Data\Test.vhd file, behind the scenes.
So, we want to create a VHD big enough to store all the data that is stored on our cloud drives. To do this, right-click on My Computer and choose Manage:
Within this Computer Management app, navigate to the Storage –> Disk Management node. Right-click on it and choose “Create VHD”:
You will be presented with some options. The main things are: where do you want to store the virtual drive, and how big should it be:
When you click OK, the window goes away and the only indication that something is happening is down in the status bar (I didn’t see this, at first):
Once complete, this drive will now show up as an uninitialized disk – similar to if you added a physical, unformatted disk to your computer:
Right-click on the drive to initialize it:
For our purposes, you can choose either partition-table format – but note that older versions of Windows don’t support GPT. So, if you will ever need to move this VHD to another computer on an older version of Windows, you may want to choose MBR. Either will work in Windows 8.x though.
Once you click OK, right-click on the unallocated disk and create a simple volume:
and just follow the Wizard:
when you click Finish, you should see your newly-created VHD, mounted to a drive letter and ready to use:
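If you would rather script Step 1 than click through Disk Management, the following is an added example (not from the original article) that does the same thing from an elevated PowerShell prompt on Windows 8.x Pro/Enterprise. It relies only on diskpart and the built-in Storage module, so no Hyper-V module is needed. The VHD path, size, volume label and the T: drive letter are placeholders matching the article’s setup.

```powershell
# Added example (not from the original article): scripted equivalent of Step 1.
# Assumes Windows 8.x Pro/Enterprise, an elevated prompt, diskpart and the
# built-in Storage module. Path, size, label and drive letter are placeholders.
$VhdPath     = 'C:\Data\CloudSync.vhdx'   # placeholder location for the VHD file
$SizeMB      = 50 * 1024                  # 50 GB; diskpart takes the size in MB
$DriveLetter = 'T'                        # the letter the article uses for the mounted VHD

# 1. Create a dynamically expanding VHDX with diskpart (always present on Windows).
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null
$script = Join-Path $env:TEMP 'create-vhd.txt'
"create vdisk file=`"$VhdPath`" maximum=$SizeMB type=expandable" |
    Set-Content -Path $script -Encoding ASCII
diskpart /s $script | Out-Null
Remove-Item $script

# 2. Attach the new image and find the disk number Windows gave it.
Mount-DiskImage -ImagePath $VhdPath | Out-Null
$diskNumber = (Get-DiskImage -ImagePath $VhdPath).Number

# 3. Initialize the disk (MBR for portability to older Windows, as the article notes;
#    use GPT if you never need that), create one partition that uses the whole disk,
#    assign the drive letter and format it NTFS.
Initialize-Disk -Number $diskNumber -PartitionStyle MBR
New-Partition -DiskNumber $diskNumber -UseMaximumSize -DriveLetter $DriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'CloudSync' -Confirm:$false | Out-Null

# 4. Confirm the volume is mounted where we expect before moving on to BitLocker (Step 2).
Get-Volume -DriveLetter $DriveLetter |
    Format-List DriveLetter, FileSystemLabel, FileSystem, Size, HealthStatus
```

The "type=expandable" option gives a dynamically expanding file, the same choice the Create VHD dialog offers; use "type=fixed" if you want the full size allocated up front.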
STEP 2: Enable BitLocker on this new disk
You can do this a couple of ways. First, you can go into Control Panel and manage BitLocker from there:
Or, perhaps the simpler way is to simply right-click on the new drive letter, T: in my case, and launch BitLocker from there:
this brings up a prompt for how you want to secure this drive. At the very least, set a password – or ideally, you have a smart card and you can use that too:
WARNING: This is the password that will allow someone access to your drive which has all of your private files. This is not the time to use “password” or “fido1234”. This should be a good, strong password. If you need help figuring out a good one – take a look at this article on creating good passwords.
When you click next, you MUST use one of the following options for establishing a recovery key. If you ever forget your password, this will be the only other way to unlock the drive.
Arguably, for the purposes of what we are doing here, it doesn’t matter if we lose access, because it’s simply holding an offline version of what is on our cloud drives. Also, again, this recovery key should be kept extremely secure too – because a thief/attacker can gain access to your virtual drive with it!
After you choose a mechanism for your recovery key, click Next:
You now have a secure drive that you need to type a password for, and/or use a SmartCard to gain access.
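The same Step 2 setup can be done with the BitLocker cmdlets that ship with Windows 8.x Pro/Enterprise. This is an added example, not the article’s own steps: it turns on BitLocker with a password protector, adds the numerical recovery password the wizard calls a recovery key, prints that recovery password once so it can be kept somewhere safe and offline, and then waits until the volume is reported as fully encrypted before you trust it with data. It assumes an elevated prompt and the T: drive letter used in the article.

```powershell
# Added example (not from the original article): scripted equivalent of Step 2
# using the BitLocker module built into Windows 8.x Pro/Enterprise. Run elevated.
$Mount = 'T:'   # the drive letter from Step 1

# Prompt for the unlock password without echoing it; it stays a SecureString in memory.
$pw = Read-Host -Prompt "BitLocker password for $Mount" -AsSecureString

# Turn on BitLocker with a password protector. The volume is new and empty, so
# -UsedSpaceOnly would finish faster, but full-volume encryption (the default here)
# leaves no unencrypted free space to think about later.
Enable-BitLocker -MountPoint $Mount -PasswordProtector -Password $pw -EncryptionMethod Aes256 | Out-Null

# Add a 48-digit recovery password as the second protector (the wizard's "recovery key").
Add-BitLockerKeyProtector -MountPoint $Mount -RecoveryPasswordProtector | Out-Null

# Read the recovery password back so it can be stored securely and OFFLINE.
# As the article warns, anyone holding it can unlock the drive, so do not leave it on C:.
$recovery = (Get-BitLockerVolume -MountPoint $Mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Write-Host "Recovery password (store it safely, then clear this console): $($recovery.RecoveryPassword)"

# Encryption runs in the background. Until VolumeStatus is FullyEncrypted, part of the
# volume is still plaintext on disk, so wait before moving the sync folders onto it.
do {
    Start-Sleep -Seconds 5
    $vol = Get-BitLockerVolume -MountPoint $Mount
    Write-Host ("Status: {0}  {1}%" -f $vol.VolumeStatus, $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -ne 'FullyEncrypted')

# Final check: protection on and the volume unlocked, ready for Step 3.
Get-BitLockerVolume -MountPoint $Mount |
    Format-List MountPoint, VolumeStatus, ProtectionStatus, LockStatus, EncryptionMethod
```

Get-BitLockerVolume is also the quickest way to confirm later that ProtectionStatus is still On; if it ever reads Off, the drive is mounted without the protectors enforced and should be treated as unprotected.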
STEP 3: Move your cloud storage folders to the new drive letter
Now that my T: drive is up and running, I need to move my SkyDrive, DropBox, Google Drive, Copy, etc – so that the sync folder is on my T: drive. There are typically two ways you can do this.
First, if you right-click on the cloud storage folder, you may have a “Location” tab like the following:
if you do, you simply click the “Move” button and that will properly move the sync folder location.
Alternatively, in the System Tray, you can right-click on the icon for your cloud storage, then click and choose options/settings/preferences:
and in those screens, there is an option to move the sync folder location:
The whole idea here being that OneDrive, Copy, Google Drive, Dropbox, etc – will now all have their sync folder on T: (in my case), which is my BitLocker-protected virtual drive.
STEP 4: Turn off the cloud storage clients’ ability to “Start with Windows”
One important thing to understand is that your virtual hard drive will NOT be mounted automatically when you reboot your computer. When I restart, my T: drive will not be there (yet). So, it’s important to go into the cloud storage client settings/preferences and turn off the “Start with Windows” option.
When that is left turned-on, most of the clients “freak out” that the T: drive isn’t there – and want you to go through a wizard to point to a new location. Instead, if that option is turned off, you can mount the drive, then launch the clients, and they just work per normal. They have no idea that the T: wasn’t there a minute ago!
So, the purpose here is to reduce the number of errors you’ll get, and buttons you’ll have to click.
STEP 5: Startup/Login procedures going forward
As mentioned in Step 4, the T: drive will not be automatically mounted whenever you reboot the computer. So, how do you mount it? That’s actually easy – you can either right-click in Windows Explorer on the VHD that is on your hard drive and choose Mount:
Or you can simply double-click the VHD file in Windows Explorer. Either way, you’ll see a toast notification in the top-right of your screen:
click it, and put in your password – or enter the recovery key:
Now that your encrypted, virtual drive is mounted and available – just hit the Windows Key and type: dropbox, one drive, copy, etc – to launch the sync clients for each of the cloud storage providers that you use.
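Steps 4 and 5 together describe a fixed login routine: mount the VHD, unlock it, then start the sync clients by hand. The script below is an added example (not from the original article) that does that routine in one go, refusing to launch the clients unless the drive is actually unlocked, fully encrypted and protected, and adds a matching routine to stop the clients, lock the volume and detach the VHD when you step away. It assumes Windows 8.x Pro/Enterprise with the built-in BitLocker and Storage modules, the VHD path and T: letter from Step 1, and that you fill in the real install paths and process names of your own sync clients; the ones shown are placeholders.

```powershell
# Added example (not from the original article): the Step 4/5 login routine as a script,
# plus a lock/detach routine. Assumes Windows 8.x Pro/Enterprise, the built-in BitLocker
# and Storage modules, and the VHD path and drive letter from Step 1.
$VhdPath = 'C:\Data\CloudSync.vhdx'     # placeholder: the VHD file created in Step 1
$Mount   = 'T:'

# Placeholder paths and process names; replace with the clients installed on your machine.
$Clients = @(
    @{ Name = 'Dropbox';  Path = 'C:\Path\To\Dropbox.exe' },
    @{ Name = 'OneDrive'; Path = 'C:\Path\To\OneDrive.exe' }
)

function Mount-CloudDrive {
    # Attach the VHD. Windows restores the T: letter, but the volume comes up LOCKED.
    Mount-DiskImage -ImagePath $VhdPath | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $Mount
    if ($vol.LockStatus -eq 'Locked') {
        $pw = Read-Host -Prompt "BitLocker password for $Mount" -AsSecureString
        Unlock-BitLocker -MountPoint $Mount -Password $pw | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $Mount
    }
    # Refuse to start the sync clients unless the drive is really in the state we set up:
    # protection on, unlocked, and fully encrypted (not still encrypting or decrypted).
    if ($vol.ProtectionStatus -ne 'On' -or
        $vol.LockStatus -ne 'Unlocked' -or
        $vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "Drive $Mount is not in the expected state: $($vol.ProtectionStatus)/$($vol.LockStatus)/$($vol.VolumeStatus)"
    }
    # Only now launch the clients; their "Start with Windows" option is off, per Step 4,
    # so this is the first time they run and T: is already there for them.
    foreach ($c in $Clients) {
        if (Test-Path $c.Path) { Start-Process -FilePath $c.Path }
        else { Write-Warning "Client $($c.Name) not found at $($c.Path)" }
    }
}

function Dismount-CloudDrive {
    # Stop the clients first so no open handles keep the volume busy, then lock and detach.
    foreach ($c in $Clients) {
        Stop-Process -Name $c.Name -ErrorAction SilentlyContinue
    }
    Lock-BitLocker -MountPoint $Mount -ForceDismount | Out-Null
    Dismount-DiskImage -ImagePath $VhdPath
}

# Run the login routine; call Dismount-CloudDrive before leaving the machine unattended.
Mount-CloudDrive
```

Locking and detaching before you walk away matters for the same reason the article gives for the VHD in the first place: while the volume is unlocked, anyone at the keyboard (or any software running as you) reads the sync folders in the clear, and only the locked, detached file is what a thief finds on the disk.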
Going forward, you only have to do this one step when you first log in, and in exchange for that – you can feel pretty secure that your cloud storage sync folders won’t be compromised if your computer is ever lost or stolen.