#1
Hi
I have decided it's easier and more secure to encrypt my whole system rather than attempt to stop/clean all the possible leaks that a Windows system oozes. To me TrueCrypt FDE was a no-brainer, so that's what I did. I'm running an HP laptop, and when encryption finished I rebooted and nothing... my machine would not boot, I could not enter the BIOS to change boot options, nothing. I remedied this by swapping out the HDD into a spare system and spent 36 hours decrypting 500G.
In the TC full system encryption wizard I opted for full drive encryption including the host area. Thinking this is where I had gone wrong, I repeated the process again, only this time I chose not to encrypt the host area. Another night of encryption later and same thing: it wouldn't boot by any means or media on its own.
After much googling (well, startpaging), the issue seems to be the Insyde BIOS, which wants to access the encrypted drive, which is... er, well, encrypted, hence the hang. I am now weighing up my options. Do I just encrypt the Windows partition? How secure is this? And will this also cause boot failure? What other options are there for TrueCrypt-equivalent FDE? Could they also cause boot failure? I have read that BitLocker will work well on my particular system, but I don't want to have to use a proprietary client if at all possible.
__________________
CIS 6 ExploitShield beta Virtually Virtual

#2
It might not hurt to give BitLocker a shot, given that you're already using Windows; it's closed-source, but it was designed with a cryptographer on board (Niels Ferguson, co-designer of Twofish), so I'm optimistic about the cryptographic aspects of it. That, and because these disk encryption products don't use a MAC due to constraints, they opt for specialized modes of operation geared towards disk encryption, like XTS, a narrow-block mode that TrueCrypt uses. BitLocker employs CBC plus the Elephant diffuser, which works on much wider blocks, and offers better "poor man's" or "pseudo integrity" than narrow-block modes like XTS. In that regard, BitLocker is a bit more robust.
#3
I've had good success with DiskCryptor on several systems.
__________________
Vba32 Jetico FireWall SpyShelter Premium MBAM Pro SuRun Sandboxie DiskCryptor Tiny Watcher Acrylic DNS HostsMan Acronis Win7 x64 Favs: AAI ACLU AHA EFF FFRF Riseup | AHK DOpus foobar2000 LibreOffice | Celtic Frost Pantera Satyricon SFU Slayer Venom

#4
Do you have W7 Ultimate? You have to have Ultimate edition to use Bitlocker.
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | WSA | Appguard | VoodooShield | Shadow Defender 1.1.0.325
#5
TrueCrypt should do a test before it encrypts the system partition. It will install the TC bootloader, but *not* encrypt, and then ask you to reboot to test. Did it do this?
I have an Insyde H2O BIOS on my laptop, and it works fine. I *don't* let Win7 format the disk (thereby putting that 100MB partition on there), I do it myself with Mini-Tool http://www.partitionwizard.com/download.html and either just put 1 big partition or set up 2, for the Hidden OS. Here is an article on how to get rid of the 100MB partition if you want to try that: http://www.terabyteunlimited.com/kb/article.php?id=409 But just starting from scratch seems easier.
PD
#6
Hi
Thanx for the response. Yes, I'm running W Ultimate, and thanx for the info on BitLocker, Justin, even though this is going to be a last resort, as I would feel a lot better using TrueCrypt or at least another open source solution. DiskCryptor looks promising, but to be honest I'm reluctant to try this again until I'm confident it won't involve a day and a half of decrypting and another day of updating Windows. During the TC wizard I did the reboot test and all seemed good. I do have the 100M partition at present. Here are 2 links to TC forums with pretty much the same issue as me:
- http://forums.truecrypt.org/viewtopic.php?p=83235#83235
- http://forums.truecrypt.org/viewtopi...=100662#100662
This seems like an HP issue rather than a TC one, so any advice/solutions will be more than appreciated.
__________________
CIS 6 ExploitShield beta Virtually Virtual

#7
I read those TC threads. What I would do (if you don't want to buy a different laptop...but that may not help, my Acer has an Insyde H2O BIOS, but works fine)...is first see if there is an updated BIOS available. Then, wipe out the disk and put your own small partition on it (20GB for Windows Only). Install Windows, then TC, then run OS encryption and see if it works (pretty quick for only 20GB). If you image your current setup, you can be back to it quickly. Installing Windows from a flash drive should only take about 15 minutes. It should be a fairly quick experiment.
PD

#8
Ok, thanx Pauly, that is a great idea and definitely the way forward. I will let you know how things go.
__________________
CIS 6 ExploitShield beta Virtually Virtual

#9
Make sure you *don't* use the Windows installer to format... it will put that 100MB on there. Use any other partition tool like GParted or that Mini-Tool one I linked to, etc.
Let us know how it goes.
PD

#10
Hi
Well, now typing this from a fully encrypted Windows partition. Thanx PD, your advice was golden, although I got round this issue in a slightly different way. I copied the bootmanager file and boot file from the system reserved partition into my main C: drive and then deleted the system partition, and also updated the Insyde BIOS from F.04 to F.15; by doing this I avoided having to wipe the drive. Also changed the boot order in BIOS, putting disc/CD first, just in case. Am happy to say that the last measure was not needed, as after encryption of the Windows partition my system still boots, wahay.
I still have one question... what are the security implications/differences of whole disc and Windows partition encryption? Thanx again
__________________
CIS 6 ExploitShield beta Virtually Virtual

#11
All you need to know is that FDE is the one and only way to go if you want to have your data safe.
#12
Can you post any links regarding this issue? I've been looking but can't find much detail on the differences.
__________________
CIS 6 ExploitShield beta Virtually Virtual

#13
If you have one physical disk with two partitions (C:\ and D:\) and you only encrypt C:\, then anything on D:\ could be read by anyone that could get access to that partition in various ways. So, if all you store on there are Sponge Bob episodes, you would be fine...but if you store anything sensitive, or anything that leaves tracks (a Program Files folder for instance), then you could be exposed. If going FDE, just encrypt everything, IMO.
PD
#14
This! Couldn't've said it any better. No links required, just take our advice, or leave it, the decision is yours to make. If you want your data to be safe, I trust you'll do the right thing. Take care.