How to replace BitLocker with VeraCrypt for more secure encryption on Windows 11

• VeraCrypt is a free, open-source disk encryption tool and successor to TrueCrypt.
• It can encrypt a virtual container, a partition, or the entire Windows 11 system drive.
• Unlike BitLocker, it works on Home, Pro, Linux, and macOS.
• Supports AES, Serpent, Twofish, and combinations for advanced cryptographic flexibility.
• Does not require TPM and does not automatically back up recovery keys to a cloud account.

On Windows 11, instead of BitLocker, you can use VeraCrypt for device encryption, and in this guide, I’ll outline the steps to complete this configuration.

What’s VeraCrypt?

VeraCrypt is a free, open-source drive encryption software. It is a “fork” (a modern successor) of the famous TrueCrypt project. It works by creating a secure “vault” for your files or by locking down your entire hard drive so that nothing (not even the Windows 11 login screen) can be seen without a password.

Using the solution, you can create a single file that acts like a virtual hard drive. You “mount” it with a password, put files in, and “dismount” it to lock them away.

It can encrypt your entire Windows 11 partition, requiring a password before the computer even starts booting.

You can even use it as a solution to hide a volume inside another volume. If someone forces you to give up your password, you give them the “decoy” password, and they see harmless files while your real data remains invisible and mathematically impossible to prove it exists.

What’s the difference with BitLocker?

VeraCrypt and BitLocker both provide robust data protection, but they approach security with very different philosophies. BitLocker is available only on Windows 11 Pro, Enterprise, and Education editions, while VeraCrypt works on all Windows versions as well as Linux and macOS.

BitLocker is closed-source, relying on trust in Microsoft’s implementation. It integrates seamlessly with hardware, using the TPM chip for convenient “set it and forget it” encryption. However, it only supports the AES algorithm.

VeraCrypt, on the other hand, is open-source and community-maintained. It does not require TPM, allowing users to use software-based keys. It also supports multiple encryption algorithms, including AES, Serpent, Twofish, or combinations, giving users greater cryptographic flexibility.

BitLocker prioritizes convenience and integration, while VeraCrypt emphasizes transparency, control, and advanced security options, though it comes with a steeper learning curve.

Why choose VeraCrypt over BitLocker?

VeraCrypt “benefits” users who feel Microsoft’s ecosystem is too restrictive. For example, BitLocker often automatically backs up your recovery key to your Microsoft Account (Cloud). If you don’t want your keys in the cloud, VeraCrypt gives you a way out.

In this guide, I’ll outline the steps to ditch BitLocker and encrypt your system drive using VeraCrypt.

Set up VeraCrypt drive encryption on Windows 11

After creating the highly recommended backup, you will have to disable BitLocker and delete the recovery key from your Microsoft account. Also, you’ll have to disable Fast Startup, as this encryption solution may cause issues if the feature is enabled, and then you can proceed with the setup.

Install VeraCrypt

To install VeraCrypt on Windows 11, follow these steps:

1. Open Start on Windows 11.

2. Search for Command Prompt (or Terminal), right-click the top result, and choose the Run as administrator option.

3. Type this command to install VeraCrypt on your device and press Enter:

   winget install --id IDRIX.VeraCrypt

   

4. Type Y and press Enter to accept the terms.

After you complete the steps, the tool will install on your computer, and you can proceed to disable conflicting features, such as BitLocker and Fast Startup.

Disable BitLocker

To disable BitLocker on Windows 11, follow these steps:

1. Open Settings on Windows 11.

2. Click on Privacy & security.

3. Click the Device encryption setting.

4. Turn off the Device encryption toggle switch.

   

5. Click the Turn off button.

These instructions should apply to Windows 11 Home and Pro, but if you have configured Device Encryption with the BitLocker settings, you can use the instructions.

Disable Fast Startup

To disable Fast Startup on Windows 11, follow these steps:

1. Open Start.

2. Search for Control Panel and click the top result to open the app.

3. Click on Hardware and Sound (in the “Category” view).

4. Click on Power Options.

   

5. Click the “Choose what the power button does” option from the left pane.

   

6. Click the “Change settings that are currently unavailable” option.

7. Clear the “Turn on fast startup” option to disable the feature.

   

After you complete the steps, the feature that allows the operating system to boot faster will be disabled, and you can continue setting up the VeraCrypt settings app.

Configure VeraCrypt

To encrypt your computer’s hard drive using VeraCrypt, follow these steps:

1. Open the VeraCrypt app.

2. Click the Create Volume button.

   

3. Select the “Encrypt the system partition or entire system drive” option.

   

4. Click the Next button.

5. Select the Normal option.

   

6. Click the Next button.

7. Select the “Encrypt the Windows system partition” option.

   

8. Click the Next button.

9. Choose the Single-boot option if the device is only running Windows 11 and no other operating system is configured in a dual-boot configuration.

   

10. Click the Next button.

11. Select the encryption algorithm, for example, AES, and use the default configuration.

    

    Quick note: For most users, the AES option should be enough. This is the same algorithm used by BitLocker. Only choose another encryption algorithm if you understand it.

12. Click the Next button.

13. Confirm the encryption password to unlock the drive during boot.

    

    Quick note: Since you’ll be using a third-party encryption solution, no information will be stored inside Secure Boot, so you’ll have to enter the decryption password every time your computer starts.

14. (Optional) Select the Use PIM option.

15. Click the Next button.

16. Click the Next button one more time.

17. Drag the mouse pointer in the “Current pool content” to generate the encryption keys using random data.

    

18. Click the Next button after randomness collected from mouse movements has reached its total.

19. Click the Next button one more time.

20. Click the Next button to create the VeraCrypt Rescue Disk.

    

    Important: If you lose this rescue disk, you won’t be able to access the drive if you lose your password.

21. (Important) Extract the contents of the “.Zip” file containing the VeraCrypt Rescue Disk file onto a USB flash drive formatted as FAT32.

22. Click the Next button to verify the rescue disk.

23. (Optional) Choose the Wipe mode option.

    

    Quick note: When using VeraCrypt, deleted data won’t be encrypted, but you can use the wipe mode to secure erased data by writing a bunch of zeros over it to make it unrecoverable.

24. Click the Next option.

25. Click the Test button to test the encryption process before the actual encryption.

    

26. (Important) Confirm the notes, as they include information on what to do if you cannot start the computer after it’s encrypted.

    

27. Click the OK button.

28. Click the Restart button.

After you complete the steps, the computer will reboot, and you’ll be presented with a login prompt before booting into Windows 11.

Once in your account, VeraCrypt should start automatically confirming the test completely successfully, and then you have to click the “Encrypt” button to proceed with the actual drive encryption.

However, be aware that interrupting the encryption process due to power loss or a system crash will cause data corruption or loss.