When you really need to keep your files safe and secure, you need encryption. We've covered the basics before, and even rounded up your favourite encryption tools, but today we're putting two of the most popular options for Windows head to head to see which one is the best at keeping your sensitive data safe.
Image by JohnWilliamDoe.
Choosing two encryption tools for this comparison wasn't easy. Should we consider two similar tools, or two of the most often-used tools? We opted for the latter in this case, and decided to focus on Windows, since -- beyond it being the most popular OS in use -- it lets us narrow our focus to the two big apps most people would actually choose from, even if there are tons of options with different features available. Don't worry, if your favourite encryption app or platform isn't included here, we'll get to you soon. Now, with that said, let's take a look at our two big contenders:
- Bitlocker: Microsoft's own baked-in encryption tool is very popular, partially because it's effective and built-in to the OS you're already using (assuming you're using Windows 7 Ultimate or Enterprise, Windows 8 Pro or Enterprise, or Windows 10 Pro or Enterprise.) Bitlocker supports AES encryption, and while it's primarily used for whole-disk encryption to lock down your entire computer and not just specific files, it also supports encrypting other volumes or a virtual drive that can be opened and accessed like any other drive on your computer. If you're looking to encrypt specific data and not everything on your PC, that's the way to go. When I asked publicly what encryption tools people were using, Bitlocker made more than a few appearances.
- VeraCrypt: Free, open-source (mostly,) and cross-platform, VeraCrypt can handle almost anything you throw at it. It's a fork of TrueCrypt, which melted down and ceased development back in 2014, but since then it's been updated, improved its own security, and gotten a lot faster. VeraCrypt supports AES, TwoFish, and Serpent encryption ciphers, and supports the creation of hidden, encrypted volumes within other volumes. VeraCrypt also supports full-disk encryption, including system disks. This makes the tool flexible enough to do both on-the-fly file and volume encryption to keep specific files and data safe, or to encrypt entire systems so they're only accessed by authorised users. It also doesn't hurt that VeraCrypt is fast, free, and available on just about any computer you may need it -- or your encrypted data -- on.
Both options are solid, and you absolutely could (and, if you're serious, should) use both. We'll get into the nitty gritty in a moment, but Bitlocker is great for seamless, don't-even-know-it's-happening full disk encryption, and VeraCrypt is excellent at encrypting volumes, drives, containers, or specific files for storage or on-the-fly security. If we had to make an early recommendation, we'd say use both that way.
Still, Bitlocker and VeraCrypt are very different tools, and who each one will be best for depends heavily on the type of user you are, and what you have access to. Let's run down some of the big differences.
VeraCrypt Wins on Availability
The biggest difference between VeraCrypt and Bitlocker is the most obvious one: Who can actually use it.
Not everyone has access to the Pro or Enterprise versions of Windows, which makes Bitlocker a non-starter for a lot of people. If you're running Windows 7, 8, or 10 Home, you can't even think about using Bitlocker unless you uplift to Pro. While we generally prefer the Pro versions ourselves, if you went out and bought a computer today, you'd probably get something with the Home version of Windows installed. On that front, VeraCrypt is a clear winner, since it's available to anyone on any version of Windows (and of course, on other OSes.)
Similarly, the fact that a Trusted Platform Module (TPM) cryptoprocessor is required to use Bitlocker with your computer (or jump through a bunch of hoops to set it up otherwise) further narrows the field a bit -- but not much. TPM uses hardware to integrate encryption keys into your device, and makes encryption and decryption transparent to you. It also has its own issues, more on that later.
Of course, most modern computers support TPM and have one installed, and if you're a PC builder, you're probably going to get a motherboard that has one too, whether you plan to or not. People with older hardware may have more difficulty, but anyone with modern devices will be fine -- but it's still a constraint VeraCrypt users won't have to worry about on any platform, and it's also something that keeps Bitlocker from adoption beyond Windows, not that Microsoft is terribly concerned with security beyond its own operating system.
Bitlocker Is Easier to Use, but It's Not Like VeraCrypt Is Difficult
When it comes to ease of use, things are a little more contentious. As with any security product, the fastest way to get people to adopt your tool is to make it either on by default or so easy to enable that people will flip a switch and not think about it again. To that point, using Bitlocker to encrypt your whole hard drive is as easy as opening its Control Panel and enabling it.
To that point, full-disk encryption is the easiest way to secure all of your data. This means if your laptop is stolen or lost somewhere with sensitive data on it, and even if the drive is removed, you can trust that whoever ends up with it may get your hardware, but they won't get your software and data, and you don't have to manage containers to protect your files. Bitlocker excels at this, which is the reason so many businesses enable it by default. If you're a power user, you can go further and encrypt partitions and additional volumes, or just turn it on for simple full-disk encryption while you use something else for specific files and folders.
All that said, it's not like VeraCrypt is hard to use. You do have to install it and set it up -- but that barrier is enough to keep some away from it, especially non-tech savvy, non-tinkerers. Using it for full-disk encryption is not a difficult process, but it is more involved than toggling a checkbox. You'll need to make a recovery disk in case everything goes south, but you'll also get the benefit of creating a decoy operating system so if you have to decrypt, you can decrypt the OS but not your data. It's an example of the trend here: VeraCrypt is powerful, but you do need to be willing to dive in and really use it, and comfortable with a little more than turnkey effort.
VeraCrypt Wins on Security
An encryption tool is only as good as the security it provides, and while VeraCrypt isn't perfect, it's definitely more robust than Bitlocker. Most users probably won't notice the difference, but it is important to point out there's a gap between them.
VeraCrypt supports more encryption methods and types than Bitlocker does, stronger keys, a better encryption and decryption method (CBC vs XTS, although neither are perfect), and of course, is open source and open to audit. That's something Microsoft likely would never allow, since Bitlocker is a proprietary product (and we all know how well security through obscurity works.) Best of all, the developers behind VeraCrypt took the results from TrueCrypt's security audit and used their notes to improve their own product (and have begun to edge out closed TrueCrypt code from their own product.)
Like we mentioned though, VeraCrypt isn't perfect. The Security Concerns section of its Wikipedia article sums up most of the big ones (although many of those, especially malware and other physical access concerns, also apply to Bitlocker) and are worth considering if you're debating the two based on security. Plus, while VeraCrypt's developers have worked to resolve many of the issues brought up in TrueCrypt's audit, VeraCrypt has yet to go through its own full audit (although we hope it will begin later this summer.)
For its part, Bitlocker is no slouch. It's not like it's weak -- it's just not as robust. Bitlocker keeps things simple (largely to boost adoption), and doesn't bog itself down with power-user features that, depending on who you are, you need or want to see to take the tool seriously. Its AES (128 and 256-bit) encryption is strong enough for the vast majority of people worried about losing their sensitive data in the back of a cab or someone snooping around their system -- but if you actually have an intelligent adversary who wants your data, you're not vulnerable per se, but you may want to strengthen your hand a bit.
The big -- and still contentious, even today -- issue around Bitlocker is whether or not Microsoft has backdoored the encryption software to make it easier for law enforcement and government agencies to access encrypted data. There's no way we can settle that debate here. To be fair, most people won't have "the man" on their tails, so it won't really matter, but we've already established that any backdoor -- if it exists -- is a bad one, because the door doesn't care whether it's the "good guys" or the "bad guys" (or the "bad good guys") using it. Still, there's no hard evidence -- just a lot of suspicion, conjecture, and debate -- that Bitlocker is backdoored, but there are more than a few good reasons to trust open source software over closed source, proprietary stuff anyway.
Then there's the question of whether or not TPM is secure. The developers of VeraCrypt (and a number of other open source security tools) refuse to support TPM, for good reason. TPM has been compromised before, although it required incredible effort to do so, but the truth is it's good at one thing, but it's not very good at protecting the system from malware or other attack vectors that could grant an intruder access to sensitive data.
At the end of the day, both products are strong, but VeraCrypt is just stronger and more flexible, even if it's not turnkey. The average user won't even notice the difference, and the fact that VeraCrypt is stronger shouldn't keep you from using Bitlocker (just configure it properly) if you want a seamless, transparent full-disk encryption option.
Bottom line: Unless you're planning to also use VeraCrypt for full-disk encryption, these two tools actually fit together better than they replace each other. Use Bitlocker for simple, full-disk encryption at the push of a button. Then fire up VeraCrypt and make some encrypted containers, hidden volumes, and leverage use all of the great benefits of the app. If you don't want full disk encryption but do want to encrypt and decrypt specific files or containers, VeraCrypt is your best, fastest, most flexible bet.
If you're a power user, or you don't trust Microsoft (but you're still using Windows), you could ditch Bitlocker entirely and go with VeraCrypt for everything, that's fine too. The bar is a little higher for you when it comes to setup and configuration, but not so high it's difficult to get over.
Either way, whatever you use, use something. Encryption is easier to embrace now than it's ever been.