TL;DR
Using Bitlocker (Windows) or FileVault (macOS) with VeraCrypt adds extra security, but it’s not a simple ‘stacking’ of protection. It can be done safely if you understand the order of operations and potential pitfalls. It’s most useful for defence-in-depth against specific threats, like key compromise or vulnerabilities in one system. Don’t expect huge gains from simply running both.
Understanding the Layers
Think of it this way:
- Full Disk Encryption (FDE): Bitlocker/FileVault encrypts the entire drive, including the operating system. It requires a password or TPM to unlock at boot.
- Container Encryption: VeraCrypt creates encrypted ‘containers’ (files) that act like virtual drives. These require a separate password to open *within* an already unlocked OS.
You’re essentially adding a layer inside the already secured drive.
How to Set it Up Safely
- Install and Configure Bitlocker/FileVault First: This is crucial. Get your full disk encryption working reliably before touching VeraCrypt. Make sure you have backups of your recovery keys!
- Create a VeraCrypt Volume: Once your OS drive is encrypted, install VeraCrypt and create an encrypted container (a file). Choose a strong password for the VeraCrypt volume. From the command line (text mode): `veracrypt -t -c /path/to/your/container.vc`
- Mount the VeraCrypt Volume: After booting into your unlocked OS, mount the VeraCrypt volume. You’ll need to provide its password. The GUI is easiest for this, but you can also use the command line: `veracrypt -t --mount /path/to/your/container.vc /mountpoint`
- Use the Volume: Store sensitive data within the mounted VeraCrypt volume.
- Dismount When Not in Use: Always dismount the VeraCrypt volume when you’re finished with it. This prevents unauthorized access if your session is compromised.
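As an added example (not code from the original page or from the VeraCrypt project), a small POSIX shell wrapper for the steps above: it refuses to create the container until the full-disk-encryption status reports it as on, and it mounts the container, runs one command, and dismounts again even if that command fails or the shell is interrupted. The `veracrypt` flags used are the real CLI’s `-t`, `-c`, `--mount` and `-d`; the `fde_on` helper takes the text of `fdesetup status` (macOS) or `manage-bde -status` (Windows) as a string so it can be checked offline, and the container path, mount point and `VERACRYPT_BIN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the page's own code): wrap the create / mount / use /
# dismount steps so the container is only open while it is actually in use.
# Assumptions: the VeraCrypt CLI is on PATH (override with VERACRYPT_BIN);
# container path and mount point are placeholders supplied by the caller.

VERACRYPT_BIN="${VERACRYPT_BIN:-veracrypt}"

# Return 0 when the status text reports full-disk encryption as enabled.
# $1 is the output of `fdesetup status` (macOS) or `manage-bde -status C:`
# (Windows), passed in as a string so the check can be exercised offline.
fde_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *"Protection Status:"*"Protection On"*) return 0 ;;
    esac
    return 1
}

# Step 1 before step 2: refuse to create the container unless the OS drive
# is already protected. Returns 2 when FDE is off, otherwise veracrypt's status.
create_container() {
    container="$1"; status="$2"
    if ! fde_on "$status"; then
        echo "enable Bitlocker/FileVault before creating $container" >&2
        return 2
    fi
    "$VERACRYPT_BIN" -t -c "$container"   # prompts for size, password, etc.
}

# Mount the container, run one command, and dismount afterwards even if
# that command fails or the shell is interrupted. Returns the command's
# exit status so callers can tell a failed work step from a failed mount.
with_volume() {
    container="$1"; mountpoint="$2"; shift 2
    "$VERACRYPT_BIN" -t --mount "$container" "$mountpoint" || return 1
    trap '"$VERACRYPT_BIN" -t -d "$container"; exit 130' INT TERM
    "$@"; rc=$?
    "$VERACRYPT_BIN" -t -d "$container"
    trap - INT TERM
    return "$rc"
}

# Example session (interactive: veracrypt asks for the volume password):
#   create_container ~/secret.vc "$(fdesetup status)"
#   with_volume ~/secret.vc /mnt/secret ls -l /mnt/secret
```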
Important Considerations
- Boot Security: Bitlocker/FileVault protects against offline attacks (someone stealing your drive) and covers the OS itself. A VeraCrypt container doesn’t replace this: it protects only its own contents, and it is only opened from inside an OS that is already running.
- Key Management: You now have two sets of keys to manage! Losing either one means losing access to your data. Store recovery keys securely, separately from each other and from the encrypted drives themselves.
- Performance Impact: Both FDE and container encryption add overhead. Running both will likely slow down disk operations more than running just one.
- Vulnerability Surface: You’re relying on the security of both Bitlocker/FileVault and VeraCrypt. A vulnerability in either system could compromise your data. Keep both updated!
- TPM Considerations (Bitlocker): If using a TPM, ensure it’s properly configured and secured. A compromised TPM can bypass Bitlocker protection.
When is this useful?
- Defence in Depth: If you’re concerned about a specific attack vector (e.g., key compromise), adding VeraCrypt provides an extra layer of security.
- Multi-Boot Systems: If you dual-boot different operating systems, a VeraCrypt container can be opened from any OS that runs VeraCrypt, so it can protect data that needs to remain secure across all of them.
- Specific File Protection: Only certain files or folders need the extra protection, so a container covering just those is enough rather than a second whole-drive layer.
When is this overkill?
- Basic Data Security: If you just want to protect your data from casual theft, Bitlocker/FileVault alone is usually sufficient.
- No Specific Threats: If you don’t have a specific threat model in mind, adding VeraCrypt may not be worth the complexity and performance impact.