We have tested products from 5 vendors offering whole disk (really partition) encryption for Windows 7 on a UEFI (EFI) based motherboard. UEFI is a replacement for the traditional IBM compatible BIOS and is currently vigorously promoted by Intel and Microsoft. The results are disappointing, but see the letter at the end of this page for a promising possibility.
The OS was Windows 7 Ultimate SP1. Because Windows defaults all user files to the boot drive, it is essential to us that this partition be subject to full disk encryption. Various schemes to move user default directories to other locations are documented on the web; however, all are unsupported by MS and quite complicated, and online complaints about subsequent difficulties are rife.
These tests were conducted on January 5-8, 2012. The OS was reinstalled for each test.
If you try this, you might be disturbed to find, as encryption starts, that your drive is suddenly full. This will gradually subside as the drive is encrypted. Once encrypted, we were unable to convert to dynamic or mirror the volume. No doubt there are procedures to do these things, but the usual menu items were grayed out.
In summary, BitLocker was the only package able to encrypt user files; however, storing keys on a USB drive seems unsafe to us. We would be pleased to hear of any alternatives, or effective updates to the packages listed above.
On September 6, 2012 I received an interesting email from email@example.com saying that "DriveCrypt Plus Pack has had UEFI support since last December. We still have to resolve Secure Boot; at this time it needs to be disabled."
On April 17, 2013 I received the following message out of the blue from Jetico, in Finland. I haven't tested the software, but it would be worth looking at. There is a free trial download available. If you try it out, please tell me how it works out. Note that "two-factor" authentication mentioned in the message would not really qualify as two factors, rather it is more like two passwords.
Date: Wed, 17 Apr 2013 14:31:23 +0300
From: "[iso-8859-1] Kari Hyt?en"
To: 'Daniel Feenberg'
Subject: RE: Jetico Solution

Hello Daniel,

Yes our product can encrypt both boot and System volumes. We create our own bootloader that is used to do the end user verification. Also our bootloader can also reside on a USB stick that allows two factor authentication where any user needing access to the hard drives would require to have a USB stick/token at the time of boot and they need to enter a correct password to be able to start up the system.

More information about the System and Boot volume encryption:
http://www.jetico.com/web_help/bcve3/html/04_usage/01_volume_encryption/03_system_boot_volumes.htm
(the whole help file: http://www.jetico.com/web_help/bcve3/)

Regards,
--
Kari Hyt?en
Technical Sales Manager