Category Archives: Microsoft Windows

Kapothi Scroll: Banishing the Ghost VM in Hyper‑V

Kapothi — Sinhala slang for “getting into a big problem.” This scroll documents how we untangled one such haunting: a phantom VM that refused to die, flooding Event Viewer with endless errors.

🌀 The Symptom

Failed to load Hyper-V state for virtual machine 'MEGATRON-SVR-KAP-DSTN-04'
from the configuration: Unspecified error (0x80004005).
(Virtual machine ID 287FCA31-68ED-43C1-8B35-0452C2EDF743).
Hyper-V may not work properly. An attempt to reload the configuration will be made in a few minutes.

🔎 The Investigation Ritual

Check replication status

# PowerShell
Get-VMReplication -VMName "MEGATRON-SVR-KAP-DSTN-04"

→ Showed replication normal, so the issue wasn’t with Replica.

Try removing replication

# PowerShell
Remove-VMReplication -VMName "MEGATRON-SVR-KAP-DSTN-04" -Force

→ Command worked only with -VMName, not -VMId.

Search filesystem and registry

  • Looked under C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
  • Checked registry keys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization

→ No folder or key for the GUID found.

Inspect WMI repository

# PowerShell
Get-WmiObject -Namespace root\virtualization\v2 -Class Msvm_ComputerSystem |
Where-Object { $_.Name -eq "287FCA31-68ED-43C1-8B35-0452C2EDF743" }

→ Found the ghost entry still alive in WMI, status Degraded.

Check VM list

# PowerShell
Get-VM

→ VM showed as SavedCritical with “Cannot connect to virtual machine configuration storage.”

⚔️ The Cleansing Ritual

Remove ghost from WMI

# PowerShell
Get-WmiObject -Namespace root\virtualization\v2 -Class Msvm_ComputerSystem |
Where-Object { $_.Name -eq "287FCA31-68ED-43C1-8B35-0452C2EDF743" } |
Remove-WmiObject

Force remove VM object

Remove-VM -Name "MEGATRON-SVR-KAP-DSTN-04" -Force

or

Remove-VM -Id "287FCA31-68ED-43C1-8B35-0452C2EDF743" -Force

Purge leftover config files

  • Search for GUID‑named files (287FCA31-68ED-43C1-8B35-0452C2EDF743) under:
    • C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines
    • Replica storage paths (e.g., E:\Hyper-V\Replica\...)

Restart services

Restart-Service vmms

🌑 Final Cleansing (WMI Repository Reset)

If the ghost still lingers after all steps, reset the WMI repository:

net stop winmgmt
winmgmt /resetrepository
net start winmgmt

⚠️ Note: This is the last resort — it rebuilds the entire WMI repository, clearing any corrupted or stale entries.

✅ The Outcome

  • Event Viewer spam stopped.
  • Get-VM no longer listed the ghost VM.
  • Replication remained healthy for other VMs.

📜 Ritual Reflection

The ghost scroll wasn’t just in the shelves (registry) or archives (ProgramData) — it hid in the secret catalog (WMI). Hyper‑V kept trying to read it, failing each time. By purging the catalog entry, removing the VM object, and finally resetting the repository, the shrine keeper’s chant of errors was silenced.

✨ Kapothi Lesson: When Hyper‑V haunts you with “Failed to load state” errors, cleanse all three layers — filesystem, registry, and WMI. If the ghost still lingers, reset the repository to rebuild the shrine’s catalog from scratch.
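The three layers named in the lesson can be checked in one pass before any of the destructive steps are taken. The following function is an added example, not code from the original post: it takes a VM GUID and reports, read-only, every trace of it in the WMI catalog (root\virtualization\v2, where Name holds the GUID and ElementName the display name), in the Hyper-V configuration folders, and under the Virtualization registry key, plus whatever Get-VM still believes about it. The paths are the ones the post searched; the GUID in the usage line is the post's example value.

```powershell
# Added example (not from the original post): read-only audit of the three layers for one VM GUID.
function Find-GhostVmTraces {
    param([Parameter(Mandatory)][string]$VmId)

    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Layer, $Location, $Detail)
        $findings.Add([PSCustomObject]@{ Layer = $Layer; Location = $Location; Detail = $Detail }) }

    # Layer 1: the WMI catalog. Msvm_ComputerSystem.Name is the VM GUID, ElementName the display name.
    Get-CimInstance -Namespace root\virtualization\v2 -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $VmId } |
        ForEach-Object {
            & $add 'WMI' "Msvm_ComputerSystem Name=$($_.Name)" `
                "ElementName=$($_.ElementName) HealthState=$($_.HealthState) EnabledState=$($_.EnabledState)"
        }

    # Layer 2: configuration files. Hyper-V names .vmcx/.vmrs/.vmgs files after the VM GUID.
    $fileRoots = @('C:\ProgramData\Microsoft\Windows\Hyper-V\Virtual Machines')
    try { $fileRoots += (Get-VMHost -ErrorAction Stop).VirtualMachinePath } catch {}
    foreach ($root in ($fileRoots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique)) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$VmId*" } |
            ForEach-Object { & $add 'FileSystem' $_.FullName "$($_.Length) bytes, modified $($_.LastWriteTime)" }
    }

    # Layer 3: registry. Walk the Virtualization key and match the GUID in key names, value names and value data.
    $regRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
    if (Test-Path -LiteralPath $regRoot) {
        $keys = @(Get-Item -LiteralPath $regRoot) + @(Get-ChildItem -LiteralPath $regRoot -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($key.PSChildName -like "*$VmId*") { & $add 'Registry' $key.Name 'key named after GUID' }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -like "*$VmId*" -or $data -like "*$VmId*") {
                    & $add 'Registry' "$($key.Name)\$valueName" $data
                }
            }
        }
    }

    # What the Hyper-V cmdlets themselves still report for this GUID (Get-VM.Id is a Guid; the string converts).
    Get-VM -ErrorAction SilentlyContinue | Where-Object { $_.Id -eq $VmId } |
        ForEach-Object { & $add 'Get-VM' $_.Name "State=$($_.State) Status=$($_.Status)" }

    return $findings
}

# Constructed usage with the GUID from the post.
Find-GhostVmTraces -VmId '287FCA31-68ED-43C1-8B35-0452C2EDF743' | Format-Table -AutoSize
```

Run it elevated on the host. An entry that appears only in the WMI layer is the situation the post describes; an entry that also shows up under Get-VM with a healthy state is a live VM, so confirm the GUID and name before running Remove-WmiObject or Remove-VM, since both are irreversible.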

Code 0xC004E028

Kapothi with Windows Server: When Activation Says “Wait Your Turn”

Sometimes even the most seasoned admins hit a wall. You enter the customer’s product key, press activate, and Windows Server throws back a cryptic code: 0xC004E028. Panic? Not quite. This is a classic Kapothi moment — a “big problem” that turns out to be nothing more than a waiting game.

The Error Explained

Code 0xC004E028 doesn’t mean your key is wrong. It means Windows is already busy trying to activate, and you’ve asked it again before the first attempt finished. Think of it as knocking twice on the same temple door — the monk inside will answer, but only once.

Why It Happens

  • Slow response from Microsoft’s activation servers
  • Multiple attempts entered too quickly
  • Network hiccups delaying the handshake

The Ritual Fix

  1. Wait patiently — let the first activation finish.
  2. Restart the server — clears pending requests.
  3. Retry activation from Settings or with slmgr /ipk.
  4. Troubleshoot if the issue persists.

Edition Matters

Always confirm the installed edition (Standard vs Datacenter) before entering a customer-supplied key. A mismatch will never work, no matter how many times you retry.

# Install the product key
slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

# Check activation status
slmgr /dli
slmgr /dlv
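Since a mismatched edition will fail no matter how long you wait, it helps to see the installed edition and the current licence state together before retrying. The following function is an added example, not part of the original post; it reads the same information slmgr /dlv prints, but from CIM, so it can be dropped into a script. The status-code names are the documented LicenseStatus values of SoftwareLicensingProduct.

```powershell
# Added example (not from the original post): installed edition and licence state in one object.
function Get-WindowsActivationState {
    $os = Get-CimInstance Win32_OperatingSystem
    # Rows with a partial product key are the channels actually installed; keep the Windows one.
    $lic = Get-CimInstance SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        Select-Object -First 1
    $statusNames = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace'
        4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace'
    }
    [PSCustomObject]@{
        Edition          = $os.Caption            # e.g. "... Server 2022 Standard" vs "... Datacenter"
        Channel          = $lic.Description       # retail / OEM / volume channel of the installed key
        PartialKey       = $lic.PartialProductKey # last group of the key currently installed
        LicenseStatus    = $statusNames[[int]$lic.LicenseStatus]
        GraceMinutesLeft = $lic.GracePeriodRemaining
    }
}

Get-WindowsActivationState
```

If Edition says Standard and the customer supplied a Datacenter key (or the reverse), stop retrying and get the matching key; if LicenseStatus is already Licensed, the earlier attempt that triggered 0xC004E028 simply completed on its own.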
    

Closing

In the end, our server activated just fine — proving that not every Kapothi moment is a disaster. Sometimes, the solution is simply patience.

Kapothi Scroll: Compacting VHD/VHDX with PowerShell & SDelete

Kapothi — Sinhala slang for “getting into a big problem” — is exactly how it feels when your VHDX file swells to double its real usage size. A 22GB disk showing up as 41GB? That’s a Kapothi moment. Here’s the ritual to reclaim space.

Command Box Legend (Kapothi Style)

What is SDelete and How to Get It

SDelete is part of the legendary Sysinternals Suite created by Mark Russinovich. It is a secure delete utility that can overwrite free space with zeros, so that compaction tools like Optimize-VHD can recognize those blocks as empty. Without this step, deleted files inside a VM still appear as “used blocks” in the VHDX file, preventing shrinkage.

In Kapothi terms, SDelete is the chalk ritual: it marks the courtyard stones so the lantern keeper knows which ones are truly empty.

How to Get SDelete

  • Download SDelete from the official Microsoft Sysinternals page.
  • Extract the sdelete.exe file.
  • Run it inside your VM from an elevated Command Prompt.

# Example usage inside VM
sdelete -z C:

This command writes zeros to all free space on the C: drive. Once complete, you can shut down the VM and run Optimize-VHD on the host to reclaim space.

Step 1: Sweep the Courtyard (Zero Free Space with SDelete)

Inside the VM, run SDelete to mark free blocks with zeros. Without this, compaction won’t know which stones are truly empty.

# Run inside the VM (Command Prompt as Administrator)
sdelete -z C:

This may take time, but it’s the chalk ritual that reveals unused courtyard tiles.

Step 2: Compact the VHDX (Optimize-VHD)

Back on the host, use PowerShell to mount, optimize, and dismount the disk.

# Mount the VHDX
Mount-VHD -Path "C:\Path\To\YourDisk.vhdx" -ReadOnly

# Compact the disk
Optimize-VHD -Path "C:\Path\To\YourDisk.vhdx" -Mode Full

# Dismount when done
Dismount-VHD -Path "C:\Path\To\YourDisk.vhdx"

-Mode Quick → faster, less thorough
-Mode Full → slower, maximum space reclaimed

Step 3: Verify the Lantern’s Weight

After compaction, check the file size. It should shrink closer to the real usage (~22GB). Some overhead remains, but the bloat is gone.
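The host-side steps (mount read-only, optimize, dismount, compare sizes) are easy to script, and scripting them is the natural place to add the two checks that make the operation safe: the VM must be off, and it must have no checkpoints, because a checkpoint turns the disk into a differencing chain whose parent should not be compacted on its own. The following function is an added example, not code from the original post; the VM name and path in the usage line are placeholders.

```powershell
# Added example (not from the original post): guarded Mount/Optimize/Dismount with a before/after report.
function Invoke-VhdxCompaction {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Quick', 'Full')][string]$Mode = 'Full'
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Off') {
        throw "VM '$VMName' is $($vm.State); shut it down before compacting."
    }
    # Checkpoints create .avhdx children; merge or delete them before touching the parent disk.
    if (Get-VMSnapshot -VMName $VMName -ErrorAction SilentlyContinue) {
        throw "VM '$VMName' has checkpoints; remove them first."
    }
    $vhd = Get-VHD -Path $Path -ErrorAction Stop
    if ($vhd.VhdType -ne 'Dynamic') {
        Write-Warning "Only dynamically expanding disks shrink; $Path is $($vhd.VhdType)."
    }

    $before = (Get-Item -LiteralPath $Path).Length
    # Full mode scans for the zeroed blocks SDelete left behind; it needs the read-only mount the post uses.
    Mount-VHD -Path $Path -ReadOnly -ErrorAction Stop
    try     { Optimize-VHD -Path $Path -Mode $Mode -ErrorAction Stop }
    finally { Dismount-VHD -Path $Path }
    $after = (Get-Item -LiteralPath $Path).Length
    $vhd   = Get-VHD -Path $Path

    [PSCustomObject]@{
        Path          = $Path
        VhdType       = $vhd.VhdType
        VirtualSizeGB = [math]::Round($vhd.Size / 1GB, 1)   # what the guest sees
        BeforeGB      = [math]::Round($before / 1GB, 1)     # file size on the host before
        AfterGB       = [math]::Round($after / 1GB, 1)      # file size on the host after
        ReclaimedGB   = [math]::Round(($before - $after) / 1GB, 1)
    }
}

# Constructed usage; replace the name and path with your own.
Invoke-VhdxCompaction -VMName 'KAP-VM-01' -Path 'E:\Hyper-V\KAP-VM-01\KAP-VM-01.vhdx' -Mode Full
```

One caveat for Step 1: sdelete -z fills the guest's free space with a zero-filled file and then deletes it, so a dynamically expanding VHDX grows towards its maximum size while SDelete runs and only shrinks again in Step 2. Make sure the host volume has that much headroom before starting.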

Step 4: Last Resort — Rebirth with Disk2VHD

If compaction still doesn’t shrink enough, create a new disk using Disk2VHD:

  • Download Disk2VHD from Microsoft Sysinternals.
  • Run it inside the VM.
  • Select the volumes you want to capture.
  • Save to a new VHDX file.
  • Attach the new disk in Hyper-V and retire the bloated one.

This is the rebirth ritual: a fresh lantern forged, carrying only the light you need.

Kapothi Wisdom

SDelete first, then Optimize-VHD → Without sweeping the courtyard, the lantern keeper can’t lift away unused stones.
Protect your shrine tools → Always run compaction after major deletions inside the VM.
Disk2VHD fallback → When the lantern is too heavy, forge a new one.

🕯️ In Kapothi terms, this is turning a “big problem” into a ritual solution: chalk the stones, sweep the courtyard, and if needed, rebuild the lantern itself.

How to Fix Your Windows Date and Time Settings

If your computer clock is wrong, it can cause issues with your internet connection and apps. Use these simple commands and shortcuts to get back on track.

✅ The Quickest Shortcut

# Open Date & Time settings instantly
timedate.cpl

💡 How to use: Press Windows Key + R on your keyboard, type the command above, and hit Enter. It opens the classic Date and Time window immediately.

✅ Using the Command Prompt (CMD)

If you prefer using the Command Prompt to manage your time zones, use the tzutil tool. It is fast and very reliable.

# List every available time zone in the world
tzutil /l

# Check which time zone your PC is currently using
tzutil /g

# Change your time zone (Example: Sri Lanka)
tzutil /s "Sri Lanka Standard Time"

💡 Quick Guide:
/l → Shows you a list of all names.
/g → Shows your current setting.
/s → Sets a new time zone (make sure to use “quotes” around the name).

✅ Easy Navigation Paths

  • The Fast Way: Press Win + R → type timedate.cpl.
  • The Modern Way: Go to Settings → Time & Language → Date & Time.
  • The Expert Way: Open Command Prompt → type tzutil.

💡 Pro Tip

Most time issues happen because “Set time automatically” is turned off. If your clock is constantly wrong, open your settings and ensure that toggle is switched to ON so Windows can sync with the internet.

✅ Stop Automatic Time Zone Changes

If your PC keeps switching to the wrong time zone, you can disable the automatic adjustment.

# Turn off automatic time zone
1. Press Win + I to open Settings
2. Go to Time & Language → Date & Time
3. Find "Set time zone automatically"
4. Switch it OFF
5. Manually select your correct time zone

💡 Pro Tip: If the time zone still changes, check that Location Services are disabled, since Windows uses your location to adjust time zones.
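The two toggles above map to settings that can be read from PowerShell, which is handy when the clock is wrong on a machine you only reach remotely. The following function is an added example, not part of the original post: “Set time automatically” corresponds to the Windows Time service and its Type parameter (NTP, NT5DS on domain members, NoSync when off), and “Set time zone automatically” to the Auto Time Zone Updater service, tzautoupdate.

```powershell
# Added example (not from the original post): the settings behind the Date & Time toggles, in one object.
function Get-ClockConfiguration {
    $tz     = Get-TimeZone
    $w32    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $w32svc = Get-Service w32time
    $tzauto = Get-Service tzautoupdate -ErrorAction SilentlyContinue   # "Set time zone automatically"
    $source = w32tm /query /source 2>$null                            # where the clock is syncing from

    [PSCustomObject]@{
        TimeZone            = $tz.Id                     # same value tzutil /g prints
        UtcOffset           = $tz.BaseUtcOffset
        SyncType            = $w32.Type                  # NTP, NT5DS (domain), NoSync, AllSync
        NtpServer           = $w32.NtpServer
        TimeServiceStatus   = $w32svc.Status
        CurrentSource       = $source
        AutoTimeZoneEnabled = [bool]($tzauto -and $tzauto.StartType -ne 'Disabled')
    }
}

Get-ClockConfiguration
```

SyncType of NoSync or a stopped time service is the script's equivalent of “Set time automatically” being off; after fixing it, w32tm /resync forces an immediate sync, and tzutil /s from the section above sets the zone when AutoTimeZoneEnabled is deliberately false.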

Kapothi System Hygiene Checklist

This guide shows how to detect and remove impostor executables like the fake Windows Driver Foundation (WDF.exe), while also cleaning up unwanted startup entries to save RAM and CPU usage.

🔍 Detect Suspicious Files

Look for oversized or unsigned executables in C:\Windows\. Example: Windows Driver Foundation (WDF).exe (fake, 672 MB).

📋 Export Services & Tasks


  # Export all services with paths
  Get-CimInstance Win32_Service |
  Select-Object Name, DisplayName, StartMode, PathName |
  Out-File C:\services_with_paths.txt
  

🛠️ Alternative: Export to CSV

Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Export-Csv C:\services_with_paths.csv -NoTypeInformation
    

This produces a clean spreadsheet‑friendly file with all service details, perfect for filtering and analysis.

⚠️ Quick PowerShell Filter

Get-CimInstance Win32_Service |
Select-Object Name, DisplayName, StartMode, PathName |
Where-Object { $_.PathName -and $_.PathName -notlike "C:\Windows\System32\*" } |
Export-Csv C:\suspicious_services.csv -NoTypeInformation
    

This highlights only services whose executables are outside the standard C:\Windows\System32\ directory, helping you spot anomalies quickly.


  # Export all scheduled tasks with full paths
  Get-ScheduledTask | ForEach-Object {
      foreach ($action in $_.Actions) {
          [PSCustomObject]@{
              TaskName   = $_.TaskName
              Path       = $_.TaskPath
              Execute    = $action.Execute
              Arguments  = $action.Arguments
          }
      }
  } | Out-File C:\tasks_with_full_paths.txt -Width 4096
  

🕵️ Process Explorer

Process Explorer is part of Microsoft’s Sysinternals Suite. It shows detailed information about running processes, including parent processes, command lines, and loaded DLLs. Download it from Microsoft Sysinternals.

Use it to trace suspicious executables:

  • Right‑click the process → Properties
  • Check Parent process to see who launched it
  • Check Command line for hidden scripts
  • Use DLLs tab to inspect loaded modules

🗝️ Registry Check


  # Winlogon Shell should only be explorer.exe
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Shell = explorer.exe
  

📑 Autoruns

Autoruns is another Sysinternals tool that shows every program configured to run at startup. It covers Logon, Services, Scheduled Tasks, Drivers, and more. Download it from Microsoft Sysinternals.

Check these tabs carefully:

  • Logon — suspicious scripts/executables
  • Scheduled Tasks — hidden triggers
  • Services — verify only legitimate system services
  • Image Hijacks — ensure no debugger hijacks
  • Winlogon — confirm Shell is only explorer.exe

🧹 Cleanup Ritual

  • Restore registry values to defaults (explorer.exe)
  • Disable/remove unwanted Autoruns entries
  • Delete malicious files (WDF.exe, wtime.cmd, wudf.exe)
  • Reboot and confirm clean startup
  • Run full malware scans (Windows Defender, Malwarebytes)

⚡ Benefits

  • Freed up RAM 💾
  • Reduced CPU usage ⚡
  • Faster startup 🚀
  • Cleaner shrine‑home 🕊️

🕯️ Kapothi Insight

Every impostor exe is a hidden chant. Trace the scroll, silence the ritual, and the shrine runs serene.

Hunting Down a Fake Windows Driver Foundation (WDF.exe)

🕵️‍♂️ How We Tracked Down a Fake Windows Driver Foundation (WDF.exe)

Malware often hides in plain sight, pretending to be legitimate system files. One such case is the fake Windows Driver Foundation (WDF.exe). Here’s how we detected, traced, and removed it using free tools like Autoruns, PowerShell, and Process Explorer.

Step 1: Spotting the Suspicious File

C:\Windows\Windows Driver Foundation (WDF).exe

A massive 672 MB executable with no signature or version info. Clearly not a legitimate Microsoft file.

Step 2: Autoruns & PowerShell Checks

We exported all services and tasks to confirm no hidden startup entries.

Get-CimInstance Win32_Service | 
Select-Object Name, DisplayName, StartMode, PathName | 
Out-File C:\services_with_paths.txt
Get-ScheduledTask | ForEach-Object {
    foreach ($action in $_.Actions) {
        [PSCustomObject]@{
            TaskName   = $_.TaskName
            Path       = $_.TaskPath
            Execute    = $action.Execute
            Arguments  = $action.Arguments
        }
    }
} | Out-File C:\tasks_with_full_paths.txt -Width 4096

No service or task pointed to WDF.exe. Suspicious.

Step 3: Process Explorer Trail

Process Explorer revealed that WDF.exe was spawned by cmd.exe running a script. The launching command line, followed by the contents of wtime.cmd:

C:\Windows\System32\cmd.exe /c "C:\Windows\wtime.cmd"
@echo off
timeout /t 30
cd %windir%
%tmpd%"%windir%\Windows Driver Foundation (WDF).exe"

Step 4: Registry Hijack Discovery

The Winlogon Shell value was hijacked to run the malicious script:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = explorer.exe,wudf.exe wtime.cmd

Normally, Shell should be only:

explorer.exe

Step 5: Cleanup

  • Restored Shell value to explorer.exe
  • Deleted malicious files:
    • C:\Windows\Windows Driver Foundation (WDF).exe
    • C:\Windows\wtime.cmd
    • C:\Windows\wudf.exe
  • Rebooted — malware no longer launched
  • Ran full malware scans for confirmation

Lessons Learned

  • Malware can hijack Winlogon Shell instead of services or tasks
  • Exporting services and tasks with PowerShell helps confirm legitimacy
  • Process Explorer is invaluable for tracing parent processes
  • Always check registry keys for hidden startup hijacks

Conclusion

This detective work shows how persistence and free tools can uncover even the most hidden startup hijacks. By documenting the trail — from Autoruns to PowerShell exports, Process Explorer analysis, and registry inspection — we created a repeatable method for others to follow. Use this guide to protect your PC from impostor files like fake WDF.exe.
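The checks in the Hygiene Checklist and in this hunt (export services and tasks, look for oversized or unsigned executables, confirm the Winlogon Shell value) can be automated so they run the same way every time. The following script is an added example, not code from either post: it resolves each service image and scheduled-task action to a file, checks its Authenticode signature and size, notes binaries sitting directly in the Windows root (as the fake WDF.exe did), and compares the Winlogon Shell and Userinit values with their defaults. The 100 MB threshold and the report path are constructed values; a NotSigned result is a cue to look closer, not proof by itself, since some catalog-signed files report that way on older builds.

```powershell
# Added example (not from the original posts): startup-image audit for services, tasks and Winlogon.
function Resolve-ImagePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }          # quoted path
    # Unquoted command line: grow the candidate one token at a time so paths with spaces still resolve.
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Bare names such as cmd.exe are resolved through PATH.
    $found = Get-Command $tokens[0] -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($found -and $found.Source) { return $found.Source }
    return $tokens[0]
}

function Test-StartupImage {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Resolve-ImagePath $CommandLine
    $exists = [bool]$path -and (Test-Path -LiteralPath $path -PathType Leaf)
    $size = 0; $signer = ''; $flags = @()
    if ($exists) {
        $size = (Get-Item -LiteralPath $path).Length
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        if ($sig.Status -ne 'Valid') { $flags += "signature=$($sig.Status)" }
        if ($size -gt 100MB)         { $flags += 'oversized' }          # constructed threshold
        if ((Split-Path -LiteralPath $path -Parent) -eq $env:windir) { $flags += 'directly-in-windows-root' }
    } else { $flags += 'image-not-found' }
    [PSCustomObject]@{
        Source = $Source; Name = $Name; Image = $path
        SizeMB = [math]::Round($size / 1MB, 1); Signer = $signer; Flags = ($flags -join ',')
    }
}

function Invoke-StartupAudit {
    param([string]$ReportPath = "$env:TEMP\startup_audit.csv")   # constructed default
    $rows = [System.Collections.Generic.List[object]]::new()
    foreach ($svc in Get-CimInstance Win32_Service) {
        $rows.Add((Test-StartupImage -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName))
    }
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                $rows.Add((Test-StartupImage -Source "Task $($task.TaskPath)" -Name $task.TaskName `
                    -CommandLine "$($action.Execute) $($action.Arguments)"))
            }
        }
    }
    # Winlogon: Shell must be exactly explorer.exe; Userinit is the stock userinit.exe with its trailing comma.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.Shell -ne 'explorer.exe') {
        $rows.Add([PSCustomObject]@{ Source = 'Registry'; Name = 'Winlogon\Shell'; Image = $wl.Shell
                                     SizeMB = 0; Signer = ''; Flags = 'shell-hijacked' })
    }
    if ($wl.Userinit -ne "$env:windir\system32\userinit.exe,") {
        $rows.Add([PSCustomObject]@{ Source = 'Registry'; Name = 'Winlogon\Userinit'; Image = $wl.Userinit
                                     SizeMB = 0; Signer = ''; Flags = 'userinit-modified' })
    }
    $rows | Export-Csv -LiteralPath $ReportPath -NoTypeInformation   # full inventory, like the posts' exports
    return $rows | Where-Object { $_.Flags }                         # only the entries worth a look
}

Invoke-StartupAudit | Format-Table -AutoSize
```

Against the case in this post the script would have flagged the Winlogon Shell value as shell-hijacked; the WDF.exe binary itself would only surface once a service, task or the Shell value pointed at it, which is why the Process Explorer parent-process trace remains part of the method.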

🔍 Troubleshooting Active Directory Connectivity

⚠️ Important: Replace kapothi.com in the commands below with your own AD domain name. For example, if your domain is example.local, substitute accordingly.

1. Check IP & DNS

This command shows the full network configuration of your PC. It helps verify that your DNS server is pointing to your Active Directory DNS, not a public one like Google or Cloudflare.

ipconfig /all
  

2. Ping Domain & Controller

Use ping to confirm basic network connectivity. If the domain or controller doesn’t respond, you may have a firewall or routing issue.

ping kapothi.com
ping <DomainControllerName>
  

3. DNS Resolution

Active Directory relies on DNS. These commands check if your domain resolves correctly and if the required SRV records for LDAP are present.

nslookup kapothi.com
nslookup -type=SRV _ldap._tcp.dc._msdcs.kapothi.com
  

4. Find Domain Controller

nltest queries the domain to locate an available Domain Controller. If this fails, your PC may not be properly joined to the domain or DNS is misconfigured.

nltest /dsgetdc:kapothi.com
  

5. Test Secure Channel

This PowerShell command checks the trust relationship between your PC and the domain. If broken, you can repair it using administrator credentials without rejoining the domain.

Test-ComputerSecureChannel -Server <DomainControllerName> -Verbose
Test-ComputerSecureChannel -Repair -Credential kapothi.com\<AdminUser>
  

6. Kerberos & Time Sync

Kerberos authentication requires synchronized clocks. This command checks that your PC’s time matches the domain controller’s time.

net time /domain:kapothi.com
  

7. Flush DNS Cache

If you’ve recently changed DNS settings, cached records may cause issues. Flushing clears old entries and forces fresh lookups.

ipconfig /flushdns
  

8. On the Domain Controller

Run these commands directly on the DC to check its health and replication status. They help confirm whether the issue is with the PC or the AD infrastructure itself.

dcdiag /test:Connectivity
repadmin /replsummary
  

💡 Tip: Always check Event Viewer logs on both PC and DC for detailed error messages. Look under System and Directory Service categories.

🛠 Domain Join Fix – File and Printer Sharing

One common cause of “The specified network name is no longer available” during domain join is that File and Printer Sharing is disabled on the Domain Controllers. That feature must be on for the SMB and RPC traffic Active Directory uses to establish secure channels.

Step 1 – Enable File and Printer Sharing

  • On each Domain Controller, open Control Panel → Network and Sharing Center → Advanced sharing settings.
  • Turn on File and Printer Sharing.
  • Alternatively, check Windows Firewall inbound rules for File and Printer Sharing (SMB-In) and ensure they are enabled.

Step 2 – Verify Access

From a workstation, confirm you can reach the domain shares:

\\kapothi.com\SYSVOL
\\kapothi.com\NETLOGON

If these folders are visible, the DCs are correctly allowing SMB traffic and the workstation should be able to join the domain.

Step 3 – Retry Domain Join

Once File and Printer Sharing is enabled and SYSVOL/NETLOGON are accessible, retry the domain join process. The secure channel should now establish successfully.
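Steps 1 to 8 above, together with the SYSVOL/NETLOGON check from the File and Printer Sharing fix, can be run as one report from the workstation, which is useful when the same complaint comes in from several machines. The following function is an added example, not code from the original post: it reads the configured DNS servers, resolves the LDAP SRV records, locates a domain controller through the .NET DC locator (the same lookup nltest /dsgetdc performs), tests the ports the secure channel and domain join depend on, measures clock offset against that DC with w32tm, tests the secure channel, and checks the two shares. kapothi.com is the post's placeholder domain.

```powershell
# Added example (not from the original post): the AD connectivity checks as one report.
function Test-AdConnectivity {
    param([string]$Domain = 'kapothi.com')
    $r = [ordered]@{ Domain = $Domain }

    # 1. DNS servers on active adapters must be the AD DNS servers, not public resolvers.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } | ForEach-Object { $_.ServerAddresses } | Select-Object -Unique
    $r.DnsServers = $dns -join ', '

    # 3. LDAP SRV records are how clients find domain controllers.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'SRV' }
    $r.LdapSrvTargets = ($srv | ForEach-Object { $_.NameTarget }) -join ', '

    # 4. DC locator.
    $dc = $null
    try {
        $ctx = [System.DirectoryServices.ActiveDirectory.DirectoryContext]::new('Domain', $Domain)
        $dc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx).FindDomainController().Name
    } catch { $r.DcLocatorError = $_.Exception.Message }
    $r.DomainController = $dc

    if ($dc) {
        # 2. Reachability, per port: DNS 53, Kerberos 88, RPC endpoint mapper 135, LDAP 389, SMB 445.
        $r.OpenPorts = (@(53, 88, 135, 389, 445) | Where-Object {
            Test-NetConnection -ComputerName $dc -Port $_ -InformationLevel Quiet -WarningAction SilentlyContinue
        }) -join ', '
        # 6. Kerberos rejects tickets when clocks differ by more than the skew limit (5 minutes by default).
        $chart = w32tm /stripchart "/computer:$dc" /samples:1 /dataonly 2>$null
        $r.ClockOffsetSeconds = $chart | Select-String '([+-]\d+\.\d+)s' |
            ForEach-Object { $_.Matches[0].Groups[1].Value } | Select-Object -Last 1
    }

    # 5. Secure channel between this PC and the domain.
    try   { $r.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $r.SecureChannelOk = $false }

    # File and Printer Sharing: these shares answer only if SMB is allowed on the DCs.
    $r.SysvolReachable   = Test-Path -LiteralPath "\\$Domain\SYSVOL"
    $r.NetlogonReachable = Test-Path -LiteralPath "\\$Domain\NETLOGON"

    [PSCustomObject]$r
}

Test-AdConnectivity -Domain 'kapothi.com' | Format-List
```

Read the report top to bottom in the same order as the steps: a public resolver in DnsServers or an empty LdapSrvTargets explains a failed DC locator, a missing 445 in OpenPorts matches the File and Printer Sharing symptom, and a ClockOffsetSeconds beyond a few minutes explains Kerberos failures even when everything else passes. Step 8 (dcdiag, repadmin) still has to run on the DC itself.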

Understanding Kubernetes: The Kitchen Story

Kubernetes (often called K8s) is an open‑source system that orchestrates containers across clusters of computers. The easiest way to grasp it is through a kitchen story that turns complex tech into everyday sense.

The Restaurant Analogy

To understand why we need orchestration, imagine you are running a world-class restaurant:

  • The Head Chef (Kubernetes): You don’t cook every dish yourself. You manage many chefs, ovens, and stations. Kubernetes ensures every dish (container) is assigned to the right station (node) at the right time.
  • The Lunch Boxes (Containers): Each recipe is packed neatly with its own ingredients. These are your “containers.” Kubernetes decides where to place those boxes in the kitchen and ensures they’re prepared correctly.
  • Dynamic Staffing (Scaling): If 100 customers walk in, the Head Chef calls in more staff. If the restaurant is empty, he sends people home to save costs.
  • The Backup Plan (Self‑healing): If an oven breaks, the Head Chef moves the dish to a working one immediately. The customer never even knows there was a problem.

Teaching Flow

Step   Concept          Analogy
1      Containers       Standardized Lunch Boxes
2      Cluster          The Entire Restaurant Kitchen
3      Orchestration    Head Chef assigning stations
4      Auto-Scaling     Hiring/Releasing staff based on crowd
5      Self-healing     Replacing a broken oven or sick chef

Why Kubernetes Matters

In the modern digital world, K8s is the industry standard because it is:

  • Reliable: Keeps apps running even when hardware fails.
  • Scalable: Handles traffic spikes without manual intervention.
  • Efficient: Maximizes server usage to save money.
  • Portable: Works the same in any cloud environment.

Conclusion

Kubernetes is the “Head Chef” of the modern cloud. It manages the chaos of thousands of containers so that your applications stay smooth, scalable, and resilient—even during peak hours.

Shrinking C: Drive to 50GB — The Ritual Scroll

Ever stared at the “Shrink C:” box in Disk Management and wondered: “What do I type here to make my C: drive exactly the size I want?” Here’s the comfort‑focused ritual to never forget again.

🧠 The Formula

Amount to shrink = Current size − Target size

✨ Example 1: Shrink to 50GB

If your current size is 100GB (≈102400 MB), and you want 50GB (≈51200 MB):

102400 − 51200 = 51200

✅ Type 51200 in the box

✨ Example 2: Shrink to 75GB

If your current size is 100GB (≈102400 MB), and you want 75GB (≈76800 MB):

102400 − 76800 = 25600

✅ Type 25600 in the box

⚠️ Notes

  • Windows might block full shrink due to unmovable files.
  • You can try disabling hibernation (powercfg -h off).
  • Temporarily disable pagefile.
  • Defragment the drive before shrinking.

🔗 Conversion Helper

If you need to convert between MB, KB, GB, or TB, use our Kapothi converter tool here: Kapothi Convert

🧘 Ritual Summary

“To shrink C: to your target size, subtract the target MB value from the current MB value. That’s your magic number to type in the box.”
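The formula only tells you what to type; it does not tell you whether Windows will accept it, which is what the note about unmovable files is about. The following function is an added example, not part of the original post: it applies the formula to the live partition size and compares the target with the minimum size that Get-PartitionSupportedSize reports (the point below which unmovable files block the shrink), so you know before opening Disk Management whether the target is reachable. The optional -Apply switch performs the same operation as typing the amount into the box.

```powershell
# Added example (not from the original post): the shrink formula checked against what Windows allows.
function Get-ShrinkPlan {
    param(
        [char]$DriveLetter = 'C',
        [Parameter(Mandatory)][int]$TargetGB,
        [switch]$Apply
    )
    $part   = Get-Partition -DriveLetter $DriveLetter
    $limits = Get-PartitionSupportedSize -DriveLetter $DriveLetter

    $currentMB = [math]::Round($part.Size / 1MB)
    $targetMB  = $TargetGB * 1024                   # the post's convention: 50GB ≈ 51200 MB
    $minMB     = [math]::Ceiling($limits.SizeMin / 1MB)
    $shrinkMB  = $currentMB - $targetMB             # Amount to shrink = Current size − Target size
    $feasible  = ($shrinkMB -gt 0) -and ($targetMB -ge $minMB)

    $plan = [PSCustomObject]@{
        Drive            = $DriveLetter
        CurrentMB        = $currentMB
        TargetMB         = $targetMB
        AmountToShrinkMB = $shrinkMB                # the number to type into the box
        MinimumAllowedMB = $minMB                   # below this, unmovable files block the shrink
        MaxShrinkableMB  = $currentMB - $minMB
        Feasible         = $feasible
    }
    if ($Apply -and $feasible) {
        Resize-Partition -DriveLetter $DriveLetter -Size ($targetMB * 1MB)
    }
    return $plan
}

# Constructed usage: plan only, no change made.
Get-ShrinkPlan -DriveLetter C -TargetGB 50
```

When Feasible is false but AmountToShrinkMB is positive, the target is below MinimumAllowedMB: apply the notes above (hibernation off, pagefile moved, defragment) and run the plan again; MinimumAllowedMB usually drops.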

Enable BitLocker without TPM on Windows 10 & 11

BitLocker is Microsoft’s built‑in drive encryption tool. By default it prefers a Trusted Platform Module (TPM), but you can enable BitLocker on PCs without TPM by adjusting a policy and using a password or USB startup key.


Step‑by‑step guide (OS Drive)

  1. Open Group Policy Editor
    Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to BitLocker settings
    Go to:
    Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives
  3. Enable non‑TPM option
    Open Require additional authentication at startup → set to Enabled → tick Allow BitLocker without a compatible TPM → Apply → OK.
  4. Restart your PC
    This ensures the policy takes effect.
  5. Turn on BitLocker
    Control Panel → BitLocker Drive Encryption → select your system drive → Turn on BitLocker.
    Choose Password or USB startup key as your unlock method and follow the prompts.

Encrypting Other Partitions (Data Drives)

BitLocker policies are divided into three categories: Operating System Drives, Fixed Data Drives, and Removable Data Drives. The TPM requirement applies mainly to OS drives. For other partitions, you can enable BitLocker directly.

  1. Fixed Data Drives (D:, E:, etc.)
    – Open Control Panel → BitLocker Drive Encryption.
    – Select the partition → Turn on BitLocker.
    – Choose a password or smart card unlock method.
    – Optional: Configure policies under Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Fixed Data Drives.
  2. Removable Drives (USB, external HDD)
    – BitLocker To Go handles these.
    – Turn on BitLocker from Control Panel.
    – Set a password to unlock on any PC.
    – Optional policies under BitLocker Drive Encryption → Removable Data Drives.

PowerShell quick start (optional)

# Enable policy for OS drives without TPM
reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f

# Turn on BitLocker on C: with password
Manage-bde -on C: -Password

# Encrypt a data drive (example D:)
Manage-bde -on D: -Password

# View status
Manage-bde -status
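The same enablement can be done with the BitLocker PowerShell module, which makes it easy to add the checks the guide implies and to act on the “save your recovery key” advice automatically. The following function is an added example, not code from the original post: it detects whether a TPM is present, refuses to encrypt an OS drive without one unless the policy from step 3 is in place (the GUI policy writes UseAdvancedStartup=1 as well as the EnableBDEWithNoTPM=1 the reg add above sets), adds a recovery-password protector before the password protector, and returns the status together with the recovery password to store. It assumes an elevated session and, for the OS drive, that the policy has been applied and the PC restarted; XtsAes256 and used-space-only encryption are choices made here, not the post's.

```powershell
# Added example (not from the original post): BitLocker with a password and a recovery password.
function Enable-BitLockerWithPassword {
    param(
        [Parameter(Mandatory)][string]$MountPoint,          # e.g. 'C:' or 'D:'
        [Parameter(Mandatory)][securestring]$Password
    )
    $osDrive = ($MountPoint.TrimEnd('\') -eq $env:SystemDrive)
    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $hasTpm  = [bool]($tpm -and $tpm.TpmPresent)

    if ($osDrive -and -not $hasTpm) {
        # Password/startup-key protectors on the OS drive need the "Allow BitLocker without a compatible TPM" policy.
        $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
        if ($policy.EnableBDEWithNoTPM -ne 1 -or $policy.UseAdvancedStartup -ne 1) {
            throw "No TPM and the no-TPM policy is not applied; enable it (step 3), restart, then retry."
        }
    }

    # Recovery password first, so a forgotten password never locks the data away for good.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector

    $enable = @{
        MountPoint        = $MountPoint
        PasswordProtector = $true
        Password          = $Password
        EncryptionMethod  = 'XtsAes256'
        UsedSpaceOnly     = $true        # fast on a fresh install; drop it for a drive that held data before
    }
    if ($osDrive) { $enable.SkipHardwareTest = $true }   # OS drives otherwise do a reboot test first
    $null = Enable-BitLocker @enable

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [PSCustomObject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType             # OperatingSystem or Data
        TpmPresent       = $hasTpm
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        RecoveryPassword = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
                            ForEach-Object { $_.RecoveryPassword }) -join ' '
        VolumeStatus     = $vol.VolumeStatus
        EncryptionPct    = $vol.EncryptionPercentage
    }
}

# Constructed usage: the password is read without echo, never stored in the script.
$pw = Read-Host -Prompt 'BitLocker password' -AsSecureString
Enable-BitLockerWithPassword -MountPoint 'C:' -Password $pw
```

Copy the RecoveryPassword value from the output into the places the best practices list names before rebooting; Manage-bde -status above shows the same progress figures while the initial encryption runs.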

Best practices

  • Backup first: Always back up important files before encrypting.
  • Save your recovery key: Store it in multiple safe locations (USB, password manager, and a printed copy).
  • Performance: Initial encryption can take hours depending on drive size; you can keep working while it runs.
  • Password strength: Use a long passphrase if not using TPM.

Comfort insight: Think of OS drives as the main shrine gate needing special ritual keys, while data drives are side gates that can be locked with simpler keys. Configure each gate according to its role for maximum serenity and security.