Drive Partition Encryption

Wed Jan 15, 2014 8:58 am

A side-topic came up in my other post in this forum, so I thought I'd expand on the topic here.

In a couple weeks I would like to implement drive encryption, but I need some advice.

My system currently has the following:

An SSD for boot and Windows.
Two more SSDs for VST music libraries (huge sample libraries; 99% read-only).
A physical HDD with the following partitions: Apps, VST, iTunes music library, music recording, 3D and animation working folders, and office data, including some personal/financial records.
A second physical hard drive for backups of the above.

At this time, I plan to install a bigger hard drive and/or a new SSD to support the app and VST partitions that are currently on my primary HDD above. Due to the size of some of these partitions and the length of time it takes to complete full backups, antivirus scans, and (for the HDDs) defrags, I do not plan to combine partitions in this project or change my backup and defrag strategy (unless I move something to SSD, in which case I'll stop defragging those partitions, of course).

I need some advice regarding encryption of some or all of these partitions.

Q1: If encrypting one partition in a system, do I need to encrypt all of them? Or is it just advisable to do that?
Q2: Can I encrypt in phases over the course of a couple weeks?
Q3: My system specs will appear in my signature below. Is encryption/decryption going to be noticeable in CPU usage or system response?
Q4: My motherboard has a UEFI bios and my computer case has hot-swap removable drive enclosures. What are the ramifications of having a hard drive partition tied to the hardware? If my computer is stolen, will I still be able to restore my backups to another UEFI system?
Q5: I need to educate myself more. Do you have any recommended reading suggestions?

Re: Drive Partition Encryption

Wed Jan 15, 2014 9:06 am

What are you planning to use to encrypt the drive? BitLocker? TrueCrypt?

Also, I don't know what you are running for specs on your system since it is not in your sig yet, but if you have a processor with AES encryption capabilities, the performance hit is minimal.

Re: Drive Partition Encryption

Wed Jan 15, 2014 2:33 pm

As to the question regarding TrueCrypt or BitLocker, I really haven't decided yet. Any knowledge or experience with either one would be appreciated.

Re: Drive Partition Encryption

Wed Jan 15, 2014 4:35 pm

I can only speak to TrueCrypt and DiskCryptor (a fork of TrueCrypt with some extra features):

You can encrypt partitions in place at any time and in any order. I would recommend encrypting all partitions that have the potential to leak sensitive data (probably your system drive and everything on your physical HDD). Stuff like your sample libraries is your call... if you're sure no sensitive data is 'leaked' onto those drives, there's really no reason; on the other hand, the AES acceleration makes the crypto so fast it can be a question of 'why not'.

In place encryption, even if it's working on the system drive, works in the background and you can use/restart your machine while it runs.

You can also encrypt entire drives, but I would recommend against it; when Windows sees an apparently blank drive it can do flaky things like try to initialize it. It will leave unrecognized partitions alone.

For system encryption, TrueCrypt only supports one method of authentication: a pre-boot password (you get a DOS-like prompt before Windows starts). DiskCryptor additionally supports keyfiles (e.g. a USB drive that has part of or all of your password on it). BitLocker supports both methods (and more) depending on whether you have a TPM. (BitLocker is a *much* more complex system, and whether that makes it more or less secure is debatable. You'll have to read up on it and all the different modes it uses.)

Note: Doing 'in place' encryption on an SSD has some theoretical security leaks. Since the drive's firmware is in charge of where new writes go, it's possible for old, unencrypted data to survive being 'overwritten'. If you want to be absolutely safe, the best practice is to start fresh, so that no unencrypted data is ever written to the drive. But I've never heard of anyone actually recovering data from an SSD in this way...

The TrueCrypt manual is good reading to learn more about this in general:

Re: Drive Partition Encryption

Wed Jan 15, 2014 6:48 pm

Last time I looked into it, full drive encryption and SSDs didn't go well together. Full drive encryption is the antithesis of TRIM and wear leveling. If you encrypt the entire drive, the encryption program writes data to every sector on the drive. The "emptiness" of the encrypted drive is hidden by the encryption. That's the point, right? To the drive, it looks as though every sector has active data on it. Wear leveling works by writing new data to empty locations, then marking the old one unused. Once every empty location has had data written to it, it starts back at the "least used" sector that is free and begins again. That's the simple version, anyway. With no free sectors, it will write back to the same location it originally was in. This will kill the drive in pretty short order. It also has the side effect of making some drives very slow.

The only way I know around this is to encrypt at the partition level and ensure that you do not allocate the entire disk to partitions. Leave some portion of it free, the more the better.

Like I said, I haven't looked into this in a good while, but I also haven't seen anything that makes me think it has changed either.
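
The two SSD points raised above (old plaintext surviving an in-place encryption pass because the firmware redirects writes, and wear leveling needing free physical blocks) can be seen in a toy flash-translation-layer model. This is an added illustration, not code from any of the posters or from TrueCrypt/DiskCryptor/BitLocker; the FTL, the block counts and the XOR "cipher" are constructed simplifications and no real drive behaves exactly like this.

```python
"""Toy flash-translation-layer (FTL) model, constructed for illustration only."""


class ToyFTL:
    """Each logical write goes to a free physical block (wear leveling); the
    previous physical copy is only marked stale until garbage collection erases it."""

    def __init__(self, physical_blocks):
        self.flash = [None] * physical_blocks   # raw contents of every physical block
        self.mapping = {}                       # logical block -> physical block
        self.free = list(range(physical_blocks))
        self.stale = []                         # superseded copies awaiting erase

    def write(self, lba, data):
        if not self.free:
            raise RuntimeError("no free physical block: stale blocks must be erased first")
        pba = self.free.pop(0)
        self.flash[pba] = data
        old = self.mapping.get(lba)
        if old is not None:
            self.stale.append(old)              # old plaintext survives here until erased
        self.mapping[lba] = pba

    def read(self, lba):
        return self.flash[self.mapping[lba]]

    def garbage_collect(self):
        """Erase stale blocks (what TRIM/GC eventually does) and return them to the free pool."""
        for pba in self.stale:
            self.flash[pba] = None
            self.free.append(pba)
        self.stale = []

    def raw_contents(self):
        return [b for b in self.flash if b is not None]


def toy_encrypt(data, key):
    # Stand-in for real disk encryption; XOR is NOT secure, it only makes ciphertext visible.
    return bytes(b ^ key for b in data)


def in_place_encrypt_demo(physical_blocks=6):
    """Returns (logical view correct, plaintext blocks on flash before GC, after GC, free blocks)."""
    ftl = ToyFTL(physical_blocks)
    plaintext = [b"secret-0", b"secret-1", b"secret-2"]
    for lba, data in enumerate(plaintext):
        ftl.write(lba, data)                    # unencrypted data lands on flash first
    for lba, data in enumerate(plaintext):
        ftl.write(lba, toy_encrypt(data, 0x5A)) # "in place" encryption rewrites each block
    logical_ok = all(ftl.read(i) == toy_encrypt(d, 0x5A) for i, d in enumerate(plaintext))
    leaked_before = sum(1 for b in ftl.raw_contents() if b in plaintext)
    ftl.garbage_collect()
    leaked_after = sum(1 for b in ftl.raw_contents() if b in plaintext)
    return logical_ok, leaked_before, leaked_after, len(ftl.free)
```

With six physical blocks the logical view reads back as ciphertext while three plaintext copies still sit on flash until garbage collection; with only five, the second rewrite pass runs out of free blocks, which is the "no free sectors" situation described above.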

Re: Drive Partition Encryption

Thu Jan 16, 2014 8:17 am

Okay, thanks everybody for the info. I will research!

