I have purchased a WD Ultra 2Tb external HDD for backups. This has a single NTFS partitition. WD also gives it's own encryption software which I do not plan to use. I was already doing backups on another 500Gb HDD which was having a 200Gb encrypted TrueCrypt partition (apart from another 300Gb unencrypted partition) but the space was over in both, so I got a new large one. I am using VeraCrypt instead of TrueCrypt which I used earlier My question is : 1) Should I partition the 2Tb HDD and encrypt a say 500Gb partition to store sensitive files? What format to use for the partition, before and after encryption? 2) Should I make a 500Gb container instead of a partition? Is this better than above option? What format to use for container? 3) Should I just go ahead and encrypt the entire 2Tb HDD with VeraCrypt and also store non-sensitive data like backup of my pictures on this encrypted HDD? Is this better than above 2 options? What formats to use? The HDD will not be used by anyone else. I was also thinking maybe I can make a small partition to store VeraCrypt portable in case I want to see the data on some other computer. Does this make sense? What is best, entire HDD encryption or partition encryption or container? Or should I just use the WD encryption instead, not inclined towards it.
I've come to prefer multiple small containers. They're easy to move, and it's easy to keep backups of backups. But then, mostly what I backup are VMs.
I also finally settled on making containers rather than partiton or complete HDD encryption. Easier to handle.
Let me offer up some concerns for that decision. Not saying its wrong, just making sure you grasp the full picture before proceeding. Using the example mentioned above, a 2TB external with a single NTFS partition (which presumably will be cleaned and wiped before deployment): in this instance you would be employing file based multiple containers upon the hosting NTFS file system. I am not here to argue for/against VeraCrypt or any other encryption product because all would be susceptible to the following: First, I don't really know the OP's threat model, against which he is fortifying his data archives. Lets assume that the encryption product you deploy is perfect with no weaknesses. So your file based volumes are solid and cannot be broken into (underlying supposition for this thread). Further lets say the operating system is FDE and that too is rock solid and cannot be broken into. Examining only the external drive at this point: From a forensic vantage point the NTFS filesystem hosting those encrypted volumes is categorically changed anytime one of the volumes is mounted and used. In fact logs/tables are generated/changed inside the NTFS filesystem anytime the external is used in any manner. Is this of critical importance to you? Depends 100% on your threat model. Would revelation of access times, dates, files, etc... cause you harm? If so you may want to reconsider your approach. If your threat model is more wanting super privacy and no "state powers" will be approaching you, then likely you are fine. For corroboration I would recommend reading about how NTFS journals and logs, MFT, etc.... There are many hours of good reading on the subject.
Good points, Palancar I should have added that I only open such TrueCrypt volumes after copying them to a machine with FDE.
The OP described a much different model. In his model as I understood this thread, he was archiving in encrypted volumes upon a hosting NTFS filesystem. I was trying to protect the user just in case awareness of that weakness wasn't there.
Thanks for the replies and suggestions. My main concern is just personal privacy and nothing else. I have now resorted to a mixture of containers and encrypted partition. I think it will suffice for my requirements.
I get that What I'm saying is that it's safest to backup to a local encrypted container, on a machine with FDE. Then unmount the container, and move the file to the backup device. When it's necessary to access the backup, copy the container file to a FDE machine, and then decrypt/mount. That eliminates the risk of leaving plaintext in the clear.
Mirimir, that is fundamentally a solid suggestion. Although you must be working with comparatively small files. This thread describes 2 TB and that is not something I would want to use your procedure on. I am happy the OP is content with the dialogue here. As a final reminder (just because I do care about folk's safety) when an NTFS filesystem is connected to windows the tables in the filesystem are always changed immediately to show the "handshake". Moving on now. LOL!!
Well, I wouldn't do all 2 TB in one shot But yes, if the box is short on local storage, what I've suggested won't work. Yes, don't like Windows much anymore
