Anyone who has physical access to your Windows machine can plug in and boot to a live USB drive which allows them to see/edit/copy your entire filesystem — all images, documents, applications, etc. — without logging in. All this can be prevented by just encrypting your file system.


Microsoft doesn't value your security. Their proprietary encryption software BitLocker is only available for paying Windows Pro and Enterprise users (and even then, it isn't enabled by default 🤔). And, if for some reason you're paying (extra) for Windows, you still shouldn't use BitLocker. Microsoft practice security through obscurity: like Windows, BitLocker code is proprietary meaning there's no way to vet it's security or verify there are not backdoors for any of the alphabet boys which Microsoft has done before — from what's been made public, Microsoft has helped the NSA to circumvent their own encryption, backdoored pre-installed disk encryption, informed the NSA of bugs in Windows before fixing them, and there's a secret NSA key in Windows, whose functions we don't know.

The alternative to proprietary software is open source software: anyone can verify an open source project's legitimacy and contribute improvements of their own. For Windows, the open source encryption software I'd recommend is VeraCrypt.


You can download the latest installer of VeraCrypt here. Once you install it, the process of encrypting your drive(s) is fairly trivial. For encrypting your storage device with the operating system, you start by going selecting System > Encrypt System Partition/Drive... and following the creation wizard. The default AES + SHA-512 is more than enough. Once you get to "Collecting Random Data", shake your mouse around — VeraCrypt gathers random data from your mouse's position because (somewhat unintuitively) it's hard for computers to generate unpredictable random numbers on their own.

Rescue Disk

Later, when prompted to, I'd recommend that you create a rescue disk — this is allows you to unlock your drive if one day Windows can't boot or the VeraCrypt bootloader get damaged (unlikely, but possible). All you have to do is grab a USB drive, create a folder called EFI, and add copy the generated Rescue Disk. If something ever does go wrong and you want to decrypt your drive outside of Windows, all you have to do is plug in and boot to the USB then enter your decryption password. Because you still need to have your password, you don't need to keep this USB especially secure (but hey, it can't hurt!).


You'll also be able to optionally write wipe the drive of all unencrypted data from the drive. Multiple passes is an urban legend (doesn't improve security), wears the drives down, and can take a very long time. One pass is sufficient and doesn't take too long (compared to no passes).


After selecting the number of passes, you should be prompted to test that the boot loader works before VeraCrypt proceeds with encryption and the wipe(s). Once you restart, you'll be be prompted with the VeraCrypt boot loader before the Windows login screen. Here, you enter your password (and pin if you opted for one; if you didn't leave it empty). Once you get back into Windows, VeraCrypt will open and prompt you to actually encrypt your data and fulfill the wipe(s). When that completes, you're done!