For the last several years, my company has used whole drive encryption on all employee take-home computers. Think Bitlocker, but that's not the one we actually use. Encryption is compulsory, and if an employee is found to have disabled or bypassed the pre-installed encryption, only bad things await him or her. The good thing is that as far as I can tell from personal experience and conversations with others, even our older generation i5 processors have not experienced any significant performance problems attributable to encryption.
In another development, new laptops have been distributed for the last couple years now with SSDs only. HDDs are not even available on a new build. The company black-boxes everything, so I'm essentially "just a user" because I can't really see how they work.
At home, I have a personal workstation and a personal laptop. Both use an i7 processor from their respective eras. The workstation was built in late 2012 and the laptop is from summer 2011.
When it comes to these personal machines, I'm gradually replacing HDDs with SSDs over time, and I'm also replacing smaller SSDs with bigger capacity SSDs.
So now for my questions:
1. Is it practical to adopt whole drive encryption for personal devices? Will this change the way I take backups, recover lost drives, or perform weekly maintenance?
2a. Is it secure to adopt whole drive encryption for personal devices? I must admit that the company laptop is all managed by the "mothership", so I am woefully ignorant about how this technology actually works. I also have no idea how these various states compare when it comes to security with whole-drive (or whole-partition) encryption: "locked but running", just "sleeping", "off but plugged in to AC", or "off with battery", or "off without battery". Is there a difference in the state of the data for any given computer power state?
2b. I've also read that people suspect some encryption software of having "back doors" for NSA or other US government entities. If I decide to go to the trouble to do this, I'd like to keep the back door closed, if that's even possible.
3a. Keys. I know that Bitlocker and others use keys/certificates. Where should I go to learn more about how this works and what I need to do so that I can be sure I can always recover the data?
3b. State of my backups. I use Macrium Reflect to back up the laptop and the workstation. How does this change when using encryption on the boot, application, and data drives?
3c. Do defraggers still work on HDDs that have been encrypted? Is there anything I need to know here?
3d. I read that SSD provisioning (or is it TRIM?) doesn't work, or doesn't work fully, on SSDs that have been encrypted. I would like to learn more about this too and whether or not encryption could result in poorer performance and/or a lower life expectancy of the drive. If life expectancy is decreased, I would like to know what that means, realistically speaking (does it degrade unnoticeably? By 50%? By 80%?).
4. I would like to know the alternatives to Bitlocker for Windows 8.1 and Windows 10, as well as virtual OSs (Windows and Linux). I mean VMs made to run as virtual systems under those versions of Windows. TrueCrypt is gone of course, so I'd like to know what my Open Source and non-Open Source options are, and whether there is information available to help me learn more, and a way to look up whether or not back doors have been reported in them.
Okay, that's enough for now. Thanks in advance for anything you can contribute!