Tutorials Using VHDs and BitLocker to protect your files using Windows 10 without external software . (Windows tricks you might not know)

[Cyler]

A small guide to have higher protection for our valuable files without extra software.

My idea is, to provide some simple solutions to everyday problems that us PC users might face. In some cases I will try to avoid using external software as in several cases it may not be possible to download and/or use and so my solutions are mostly relying on windows itself. It's a common misunderstanding that windows are not powerful enough (or secure) and actually, Windows can be used in several cases in the place of other types of software, for example as a file server, virtual host, Encryption, etc, something that we will see in the future.

Windows don't have a straight forward way of protecting files or folders with a password but we can use a simple "trick" to create such a function. What we will do is create an encrypted and password-protected area that we can store our files and info that we want to keep private and additionally, it offers mobility as we can use that private storage in other PCs too, without the risk of exposing our info after we leave. At the same time, it does provide some level of protection from Ransomware and malware since they can't access the area unless its first was unlocked by you, using your password, assuming that you follow the steps below. Needless to say, this (and any) solution is as good as the way we use it. Use it right and it will be a very good additional line of security and protection for you.

As I said above, windows don't offer a way of protecting files/folders with a password. The main reason is that that the account itself is normally protected from unauthorized access. I'm sure tho there will be cases that people will feel more secure if they could password-protect their personal photos and documents from 3rd eyes or even malicious software. In windows, we can do that by using a combo of a Virtual Hard disk and Bitlocker and all without the need for third-party tools or complicated scripts, which are probably not as secure as using the Windows 10 built-in encryption feature. Please keep in mind that my screenshots might be a bit different than yours as in my test bench PC I use windows 10 LTSB (2016) and some things might be different.

1. Open Start.
2. Search for Disk Management and click the top result to open the app.

When Disk Management is open,
1. Click the Action menu.
2. Click the Create VHD option.

- Click the Browse button to select a location to store the virtual disk.
- Specify a name for the drive you like, for example, TheVault.
- Click the Save button.

- Under the "Virtual hard disk size" section, specify the amount of space that you want to reserve for storage, for example, 8GB, but you can use any amount based on the content that you want to protect.

Now some explanation about the options here. Under the "Virtual hard disk format" section, we have 2 options.
1. VHD which is best in case you want to use your protected disk on older PCs and also with 32 bit systems (win 7 etc)
2. VHDX which can only be used with 64 bit systems and offers greater potential capacity but more important,
its resilient to power failures and random shutdowns which helps a lot with securing your valuable files.
My recommendation is for VHDX but it's up to your specific needs.

Select the Dynamically expanding option so the storage will only grow as you save files.
Click the OK button.

After that, you will see a new disk in Disk management and so we need to initialize and format it. Right-click on the new Disk called unknown (the number may be different for you as it depends on the number of disks you already have), select Initialize Disk and then from the PopUp window, select the right Disk and choose MBR. Select GPT ONLY if you plan to make a greater than 2TB locked Disk (which I doubt). Click OK.

Right-click the "Unallocated space," and select the New Simple Volume option.
Click the Next button.
Use the default settings for the volume size.
Click the Next button.
Use the "Assign the following drive letter" drop-down menu to select a letter for the new drive.
Click the Next button.
Use the "File system" drop-down menu, and select the NTFS option.
Use the "Allocation unit size" drop-down menu, and select the Default option.
In the "Value label" field, type a descriptive name for the drive. For example, TheVault.
Check the Perform a quick format option.
The option about file compression is up to you and what kind of files you plan to store. Document files spreadsheets and databases as well as pdf etc, tend to compress nicely but JPG and MP3s don't. In general, I would have it enabled, but it's your decision.

Click the Next button.
Click the Finish button.
Once you complete the steps, you'll end up with a virtual hard disk that you can soon use as a password-protected drive by using BitLocker.

To set up BitLocker on a virtual hard disk on Windows 10, follow these steps:

Open Control Panel.
Click on System and Security.
Click on BitLocker Drive Encryption.
(Alternatively, press start and search for Bitlocker and then click on the Icon)
Under the "Fixed data drives" section, select the TheVault drive.
Click the Turn on BitLocker option.

Check the Use a password to unlock the drive option.
Create a password to protect your folders inside the drive (don't use 123456 ).
Click the Next button.

Click the Save to a file button.
Select a location to store the recovery key.
IMPORTANT: If you forget the password or lose the recovery key, you won't be able to recover your files, so make sure to keep this file in a secure place.
Click the Save button.
Click the Next button.

Select the Encrypt used disk space only option.
Click the Next button.
Select the Compatibility mode option if you plan to use the VHD on other, older PCs, or the New Encryption mode if the drive will be used on, up to date Windows 10 PCs, or your PC only.
Click the Next button.

Click the Start encryption button.
If everything goes well you should see this :

Click the Close button once the encryption has finished.

Once you created a virtual drive and configured BitLocker, you'll need to know a few steps to lock and unlock your files and folders.

Locate the VHD (or VHDX) file we just created and right-click and select Mount. Then you will see it, with a Gold Locker Icon (BitLocker) and the leter we chose on the steps above

After that, select the drive and you will be prompted to give the password

Once we give the right password we can use it as a normal drive to view, update, copy and manage our files anyway we want. Alternatively, you can also create a shortcut of the VHD file to your desktop for easier mounting.

Once done, right click on the drive and select Eject. The drive will be removed from the drive list (dismounted) and will be inaccessible to any person or program till such time you reopen it with your password. Files will stay protected and away from other peoples eyes.

Personally I use this way a lot for 2 reasons.

1. It allows me to have a secure location for files that must be protected both from other people and malicious software. Bitlocker encryption if implemented well is virtually unbreakable (so far) when it comes to VHDs cause there is no other vector to approach like cracking the hibernation files or reading Ram (google for more info). Even if one chooses to use brute force, the algorithm is so slow that even with a GPU (assuming you are using a good password) will take ages.

2. It allows me to store the Virtual Drive (VHD) to an external USB stick (or disk) and use it at other PCs (mount, copy files, dismount) and so I can work on remote locations.

With some imagination, this "trick" can be used in several other cases. My favorite one is to have the drive shared over the network but only my team has the password and so they can mount/unmount from any location on the network and get or update the files they need. No other person has access unless they have the password. If you need to send files securely, make a small vhd (minimum size is 8mb) and add the files you want, apply BitLocker and send that vhd. The benefit is that the drive once mounted can keep its original folder/file structure and the recipient, won't have to decompress and recompress, just click and mount, unlock, update, dismount and send back.

I understand that mounting and ejecting the VHD can be bothersome somehow (remember you can also create a shortcut for easier access) but the benefits of one of the best protections I think it's worth it.

Feel free to share your thoughts and I hope you find it useful.

--------------------------------------------------------------------------------------

Other Guide

You must be registered for see links

​

 

[vdogeek]

Wow!... I will most certainly play with this at home... Thanks for this Tutorial @Cyler

 

[Cyler]

Wow!... I will most certainly play with this at home... Thanks for this Tutorial @Cyler

Anytime and ty too for the help with the tags. Let me know what you think.

 

[backup4taiwo]

Fantastic

 

[SiteWizard]

@Cyler Nice and good tutorial
usefull for every /Any boddy

 

[Cyler]

@Cyler Nice and good tutorial
usefull for every /Any boddy

Thank you, and I agree with you, it can be helpful in a few situations. Hope you find it useful too.

 

[Cyler]

Fantastic

Glad you like it and hope you will find it useful.

 

[devup]

I use Winrar to simply compress and encrypt critical files because it seems simple, fast and has deep encryption. What would be the advantage of using Bitlocker and VHD schema instead?

 

[Cyler]

It depends on the situation, to be honest. If it's just about few files a .rar (not zip, it can be decoded easier) will do the trick but so will a cloud-based storage or even a USB stick or other similar ways.

The benefits of this method are multiple which and some examples are:

a. You can work on it as a normal drive, with the ability to control on the fly (add/remove/rename etc) the directory structure and files, something that you cant do in a normal RAR without 1st extracting and recompressing the entire thing.

b. You can execute programs right from the VHD without the need of extracting the entire content (a lot of programs need the dlls as well as the executable). You can also update files/programs if need be something that is anything from tedious to simply impossible to do for a RAR unless you extract, add/update/remove etc, and recompress.

c. With multiple PCs you can actually have 1 VHD file that you can work over the network concurrently, something that cant be done with a RAR file.

d. You can work with multiple VHDs at the same time (will appear as multiple drives) and can freely copy, update from one to another. Think of it as having clients that each one has its own personal vault. You can use one as "template" etc. Another way of looking at it you can keep archives per year.

e. Searchable content. Let's say you have a few thousand files in there and you want to find the documents that contain a specific word (a name for example) or find all the spreadsheets that were created or modified during a range of dates. Hard/impossible to do in a rar, easy to do on a mounted VHD.

f. Security. When you decompress a RAR file on a PC even if it's just for viewing (especially PC that is not yours) RAR leaves your files in a temp folder on the system disk and if you forget or unable to delete them, others will have access to them, long after you leave that PC.

g. Size: You need at least 3 to 10 times the size of the RAR in storage to be able to operate. Example, let's say you have a 1gb RAR. You need 1 GB to store it, 1.5 to 4GB to uncompress it (depends on the compression ratio) and another 1 to 2 GB for temp space to recompress. With the VHD you can simply place it even on a USB stick or external disk and it doesn't need additional space. You work live straight from the Compressed file and all decoding and compression happens on the fly.

h. MultiMedia usability. With a VHD, if one needs to store images, videos or sounds, its easy to view them, use them and even edit them without the need of decompressing.

I can name few others too, but seriously imagination is the limit. Everything tho comes down to each individual person and their needs. If the above is something you are looking for and will help your work, then VHD/Bitlocker is a great solution and most of all free. If you just need to store a few files that you will never update then RAR is also a great way too.

Hope it helped.

I would also like to add about how secure is Bitlocker.

To my knowledge, Bitlocker can't be craked or brute-forced. The methods that currently exist rely on breaking a portion of Bitlocker that is bound to Windows account password (or the sync with the MS account from web) if the user used that option (suggestion: DONT), or rely on an exploit that the cracking software can read the password from the RAM/Hybranation files assuming that windows are still running and you did type the password already. Windows stores temporarily that password in RAM in a very specific location.

Keep in mind that the BruteForce approach is not really viable and only dictionary-based attacks can be used which means if you use a random char password (bgx@#Rt for example) you will be much safer.

From ARS Technica: Talking about Passware Bitlocker Decrypt
"As pointed out in the comments, this isn't exactly a "Medicines" for BitLocker. Like most similar digital forensics analysis software, Passware Kit Forensic requires access to a physical memory image file of the target computer before it can extract all the encryption keys for a BitLocker disk. If a forensics analyst or thief has physical access to a running system, it is possible to take advantage of the fact that the contents are in the computer's memory. Other drive encryption programs have similar issues. "

Note that they need the system to be on and running and the drives to be unlocked in order to recover the key.

 

[MniawY]

Thanks @Cyler

 

[Skip1]

Thank you @Cyler this is great information

 

[orion999]

Nice tutorial and thanks for the share.

I personally use Bitlocker on W10 for all my external drives. Simply plug them, right click them and select "Turn on Bitlocker" from the submenu. Add a password and you're done.

Thanks again

 

[dzoslite]

Very well explained
Thanks for sharing this tutorial.
After a ransomware attack and lose a big part of my important data, You saved my life.
I will try this tricks as I can see it comes from some one Pro.

 

[sandyss18]

Oh man such a great tutorial.
So well explained along with all the pics.
Great and thanks for such an effort

 

[sommarmyr]

Great tutorial! Thanks... just a personal note...
To be 100% safe you should use Veracrypt... Bitlocker is fine for most people (incl. me) but if you are serious about encryption and protection use Veracrypt.
Cheers /

 

[1ntr0v3rt3ch]

thank you so much for this great tutorial! is this safe from formatting if someone format the vhd drive that is mounted?

 

[Cyler]

Great tutorial! Thanks... just a personal note...
To be 100% safe you should use Veracrypt... Bitlocker is fine for most people (incl. me) but if you are serious about encryption and protection use Veracrypt.
Cheers /

Tho at first glimpse those 2 products might seem the same, they function in a bit different way (you can actually use both together for the ultimately paranoid full tin foil hat, the-nsa-spy-on-me encryption). Tho a lot can be said about which is better, I won't go into that debate for a simple reason. Both are uncrackable if used right (big if) and after that all comes down if one needs the particular extra features that each program has. If you need Cross-System compatibility, you have to use Veracrypt, if you need TPM support, you need BitLocker, and so on. Of course, there might be other considerations like speed (Bitlocker is faster when both use AES-XTC to compare apples to apples), or network integration (BitLocker can be remotely managed by Domain controllers) with all the advantages such us upgrading an OS, which you cant easily do with Veracrypt.

But I don't agree with the notion that Bitlocker is not 100% safe. Both are 100% safe if used right. Both use the same encryption AES-XTC after all and to my knowledge with the exception of fishing keys from ram which both products aren't immune from (but show bad system design on the user part), none has been broken so far, especially on their latest versions each.

A little-known fact is that you can use both. Encrypt a volume using Bitlocker and create containers inside using Vera and good luck to anyone who ever tries to break this.

Also, note that the main reason I choose Bitlocker for this project is that users can encrypt and send/read files on any Windows PC without the need for additional software which is in the title of the thread "Using VHDs and BitLocker to protect your files using Windows 10 without external software", something that obviously can't happen with Vera.

thank you so much for this great tutorial! is this safe from formatting if someone format the vhd drive that is mounted?

If the volume is mounted and you leave your PC, yes it can be formated/erased by someone else who might sit and use your PC. For 100% protection, you only mount when you want to use it, and dismount as soon as you are done or leave the PC unattended.

 

[1ntr0v3rt3ch]

If the volume is mounted and you leave your PC, yes it can be formated/erased by someone else who might sit and use your PC. For 100% protection, you only mount when you want to use it, and dismount as soon as you are done or leave the PC unattended.

i see. thanks for the info. is there a way that we can protect the vhd from deletion (not mounted) from someone else using the same pc if leave unattended?

 

[Cyler]

i see. thanks for the info. is there a way that we can protect the vhd from deletion (not mounted) from someone else using the same pc if leave unattended?

Not really but that is a windows issue. No matter what you use for encryption, someone can always format the drive for example if they use your admin account. The only way I can think is to make a different normal (NON-admin) account for them and have them log in with that account when they want to use the PC. You can restrict what files/folders they can see, and what programs they can run. That way they can't access the VHD you own unless they use... tricks. If you let them log with your administrator account, not much can be done. Additionally, you can store the VHD on an external disk/thumb drive and just take it with you.

You can also store it in the cloud and access it via WebDAV (if possible) or the cloud app you use (for example google stream for Gdrive) but you need decent download/upload for that to happen, depending on the size of the files you want to store.

 

[Mr Grimbahir]

Mr @Cyler
When you write down about any topic, I should gather all my attention because there is going to a flux of useful information. A pen and piece of paper is essential. Thanks for your apparent hard work in which you deeply put you heart.