Advice Request Guidance please, or links, to encrypt my laptop, HDD's and USB sticks

[Chigwells]

Hi all, I have to secure my devices as a 'nosy neighbor' is moving in. Just wanted to make sure I do it correctly and securely.

Have a couple of laptops, ThinkPad T470s W11 Pro 500GB SSD, and a ThinkPad T440s W10 Pro 250GB SSD, with a couple of 2TB external HDDs and various USB sticks.

My Android phone I use the fingerprint reader, which I like and feels secure

Am I on the right track here:

1. I need to set a password on the UEFI, after I make sure the boot sequence is set in the right order, so it can't be booted to a bootable USB
2. Full laptop encryption, Bitlocker I guess. I read that encryption can slow things down? In both laptops there is only the single partition with system and personal files all together
3. I'm not sure what Secure Boot is, guess I need to learn. BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11
4. I've tried to grasp what Virtualisation and Hyper-V, but don't really get it
5. The external HDDs and the USB sticks I would encrypt with Veracrypt
6. I store all my passwords in Bitwarden

Here's some screenshots, which I don't really understand but believe they are relevant

Many thanks for all suggestions, Chig

 

[Trident]

I need to set a password on the UEFI, after I make sure the boot sequence is set in the right order, so it can't be booted to a bootable USB

Ideally, yes.

Full laptop encryption, Bitlocker I guess. I read that encryption can slow things down? In both laptops there is only the single partition with system and personal files all together

Encryption will slow read/write speeds. Even on a relatively cheap SSD this performance hit is most likely to be noticed mainly when installing large software (like Adobe creative software) which is not a day-to-day operation. Since you are looking to protect your data, you will have to accept this performance impact. Bitlocker is your best option and is already included in your license.

I'm not sure what Secure Boot is

Secure boot prevents malicious code from being ran during startup, before security components and procedures have been fully loaded. Starting early will allow it to hide itself or remove security measures. It works by allowing only trusted publishers to add to the startup sequence. The bypass you shared was patched long time ago.

I've tried to grasp what Virtualisation and Hyper-V, but don't really get it

Hyper-V provides features necessary for you to run additional OS within an OS which can be useful for testing software you suspect is malicious. More information can be found here.
You will have to check Intel/AMD website to find out if your CPU supports that.
Points 5 and 6 are up to your preference really.

 

[Chigwells]

Thanks @Trident

Since you are looking to protect your data, you will have to accept this performance impact

Yup, Bitlocker it is!

Hyper-V provides features necessary for you to run additional OS within an OS which can be useful for testing software

Thanks, so Hyper-V isn't really what I need here.

Have another question. I take it I use the UEFI password, and Bitlocker encryption together. I mean I'm sure I do, but Thinkpads have four levels of passwords (great!): UEFI/BIOS (supervisor), hard drive password (two levels), power-on password, and 'Windows' password, phew!

So just wanted to check, I use Bitlocker (password) together with UEFI password and all all the other passwords? Sorry if I'm sounding lame lol

 

[MrMr]

If you want to encrypt it for your "nosy-neighbor" using windows or default encryption is fine. I would advice using USB as a key method because even if its "old fashion", USB gone? Device not booting. For external devices you can have auto unlock enabled because they're not getting into your main OS anyway.

If you want more privacy on your HDDs then Veracrypt is a solid solution. That's encrypt and good luck decrypting it even with a Quantum Computer but it's less easy to use (still not hard), TPM not required, I'd even avoid it.

USB encryption is, like SSD, a hit and miss because manufacturers don't use default read and write (this explains a little about TRIM when enabled but there are more issues VeraCrypt - Free Open source disk encryption with strong security for the Paranoid. )
However an encrypted SSD is significally harder to access than an one that is not encrypted.

Do not use Biometrics on android, it's a nightmare. A 6 digit code is more secure at this point in time but there are a lot of people that are for Biometrics. Imo they fail to keep you secure too often..

I personally do not like bitwarden but that's personal preference, I rather have my own database with keepass.