Windows encryption tool Syskey is being removed in the upcoming Windows 10 Fall Creators Update. The utility encrypts password information stored in system databases that are in turn stored in the Windows registry.
Its original purpose was to prevent unauthorized, offline password cracking attempts. However, scammers realized they could use the integrated utility to lock users out of their systems, forcing them to pay a ransom (pre-ransomware, but still in use in telephone scams — there are thousands of YouTube videos). In other environments, Syskey provides pre-boot authentication, where the user is challenged for a password before the operating system boots.
Microsoft is recommending BitLocker as a Syskey replacement. But what are your options? Let’s take a look.
If you have Windows 10 Pro, Enterprise, or Education, you have BitLocker installed. Unfortunately, Windows 10 Home doesn’t offer BitLocker as a standard feature.
I’ll say at this point: unless you’re considering upgrading to Windows 10 Pro (or have access to an Enterprise or Education edition), there are other, free Syskey alternatives that I’m going to list below. But if you’re already using Windows 10 Pro, BitLocker is worth considering.
BitLocker offers full disk encryption using either AES 128-bit or AES 256-bit. Both encryption strengths use a Diffuser algorithm to further protect against ciphertext manipulation attacks. An encrypted BitLocker drive is unlocked using either a hardware device (via Trusted Platform Module or TPM), a PIN, or a Startup key held on a separate removable media (such as a USB drive) — or a combination of all three.
You can find BitLocker options, including the BitLocker setup wizard by typing bitlocker in your Cortana search bar (press Windows key + S).
TPM Group Policy
When you attempt to Turn BitLocker on, you might meet the following message:
This means we need to alter the Group Policy setting.
Type gpedit into your search bar and select the best match.
Head to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. Then, select Require additional authentication at startup.
Next, select Enabled to allow policy editing. Then, under Options, select Allow BitLocker without a compatible TPM. Hit Apply, then OK.
Then, when you head back, your attempt to turn BitLocker on will be successful. For more details on the process, read our guide to hard drive encryption with BitLocker on Windows 10.
There are several free alternatives to BitLocker. Perhaps the best known is VeraCrypt, built from the ashes of depreciated encryption tool, TrueCrypt.
VeraCrypt offers a range of tools, including virtual encrypted disk creation and mounting, full drive or partition encryption, and pre-boot authentication (encrypted operating system partition).
Furthermore, VeraCrypt has advanced features, like hidden operating system encryption and other hidden volume tools.
VeraCrypt offers a wider range of encryption algorithms to users, including AES, Twofish, Serpent, and Camellia. In addition, users can select one of two hashing algorithms, SHA-256 or RIPEMD-160.
The takeaway for many is clear: if you’re not upgrading to Windows 10 Pro for $99, VeraCrypt is the way to go. In fact, there are many VeraCrypt users that use Windows 10, regardless of BitLocker, due to its expansive encryption options.
DiskCryptor is another open source full disk encryption tool. It was originally developed as a replacement for the enterprise-grade (and commercial product) DriveCrypt Plus Pack, which also features pre-boot authentication, but comes with a hefty price-tag (€125, or $149, at the time of writing).
DiskCryptor was initially started by a former TrueCrypt user, who goes by the handle “ntldr.” Versions 0.1 to 0.4 were fully compatible with TrueCrypt, using corresponding partition formatting, as well as encrypting with AES 256-bit. However, DiskCryptor 0.5 started a new partition format designed to encrypt drive volumes already containing data (TrueCrypt format originally only encrypted an empty or newly created drive volume).
DiskCryptor uses AES, Twofish, and Serpent encryption algorithms, all with 256-bit keys. In addition, DiskCryptor is particularly useful for those wishing to encrypt multi-boot systems, offering full compatibility third-party bootloaders such as GRUB and LILO (offering pre-boot authentication for each bootable partition).
From an excellent free option to one of the best paid encryption tools on the market. It can encrypt a wide-range of volume types, including RAID drives, and offers pre-boot authentication (with customizable text, no less).
In addition, BestCrypt supports TPM, as well as the option to boot encrypted volumes only from within a trusted network. The Volume Encryption tool uses four main encryption algorithms, all with 256-bit keys: AES, RC6, Serpent, and Twofish.
Jetico BestCrypt Volume Encryption is a premium tier encryption tool. Encryption expert Bruce Schneier even recommends it “even though it is proprietary,” which speaks volumes about the tool. However, premium products carry a premium price tag. BestCrypt Volume Encryption will set you back $119.99.
Which Syskey Alternative Will You Choose?
These are four excellent alternatives to the soon-to-be-depreciated Syskey.
Ah, good. Syskey is no longer included with Windows, and also cannot be run on its own anymore.
— Mohamed Al-Hajamy? (@monstertruck550) September 5, 2017
You might ask why there aren’t more options listed. Well, honestly, these are some of the best products on the market, for a few reasons.
For instance, BitLocker is integrated into the Windows 10 operating system. As such, it is free if you already have the correct license, and is extremely well supported (by both Microsoft and the wider technology community). If you have Windows 10, you have an extremely powerful full disk encryption tool at your fingertips.
Veracrypt and DiskCryptor are open source, completely open to third-party audit, and well maintained (read: actively worked on) by their respective teams. Again, they offer excellent, extremely powerful full disk encryption, entirely free.
Finally, Jetico BestCrypt may set you back a chunk of cash, but you are investing in your personal security.
Caught me a Microsoft Tech Support scammer tonight. He was quite sad to find out syskey is gone in Windows 10 RS3 :).
— Chris123NT (@Chris123NT) September 3, 2017
There are other options available on the market. Tools such as Sophos SafeGuard Easy and Symantec Drive Encryption are also excellent, but they carry a higher price tag. However, those readers in small-to-medium-sized businesses might consider them for the additional support offered.
You don’t have to spend big. In fact, you don’t have to spend at all to guarantee an additional layer of personal security. However, it is important to note that systems using Syskey as an additional or imperative security layer will not upgrade to the Fall Creators Update.