Windows has a built in feature to fully encrypt your hard drives using AES encryption (Default) and it's called BitLocker.
Required OS:
Windows 7 = Ultimate or Enterprise
Windows 8 or later = Pro or Enterprise
Since BitLocker is built into Windows all you need to do is turn it on.
Here are the steps for a multi drive system:
- Open Manage BitLocker
- Turn on BitLocker for Drive C
- Restart PC to turn on the TPM
- Check the box to do the security check
- Select "Encrypt the entire drive"
- Save your recovery key to text file or print it off
- Restart PC to start encryption (Took around 30 minutes for a 240 GB SSD
- Open manage BitLocker
- Turn on BitLocker for drive D
- Select the option to "automatically unlock this drive on this computer"
- Save your recovery key to text file or print it off
- Restart your PC to start the encryption (Took around a couple hours for a 1TB SSD)
Note that you have not created any additional password and upon restarting the PC you will not have to enter one. BitLocker by default is invisible to the user as the TPM hardware module on the motherboard stores the encryption keys.
If a drive is removed from the machine it will require the recovery key to gain access to it.
If the entire machine was to be taken and someone tried to access it BitLocker relies on the security of your Windows password to protect it. Although this seems rather weak as Windows passwords have been known to be easy to crack that is because programs that do this work on the fact that they can read the password on a non-encrypted drive. Now that the drive is encrypted this cannot be done and the password is only vulnerable to a brute force password attack as is any password.
You can as an additional level of protection use a GPO to make BitLocker also require a either a PIN or a special USB flash drive to be present.
