FDE and 100 MB System Reserved Partition

I am on Windows7 Ultimate 64-bit. As you probably know, it has a 100 MB system reserved partition. I understand it was made for BitLocker and contains boot files.

If I want to fully encrypt my system, what should I do? Encrypt just C: and leave the 100MB partition as it is, encrypt both separately (if so, in which order?), merge both partitions somehow and then encrypt them as one partition or...?

If I leave it unencrypted, does the 100MB partition contain any sensitive files which could help an adversary to bypass the encryption?

If I encrypt it, will the system be able to boot?

Those of you who have FDE and W7 Ultimate, what did you do? Please advise if you have your system encrypted with TrueCrypt, DiskCryptor or PGP.

Thank you

 

I have used several WDE software programs. I have settled on TrueCrypt and am a high post long standing member on those forums (different user name). If you read around those forums you will see that the users with "sage" have learned to re-configure our drives and do away with the 100 meg partition that you mentioned. There isn't much sense in beating it to death here. A simple search over there will yield volumes of reading on how and why you might want to consider confining your 7 OS all to one partition.

Now please bear in mind that you/I are referring to the 100 meg that the 7 OS uses on a hard drive that is not formatted/configured.

This is something totally different than those machines that are manufactured to use "extended bios" instead of legacy bios. Not trying to confuse you, but I thought I would mention this point in the slight chance that I misunderstood your post.

 

If you use BitLocker, then only C. The 100MB system reserve partition doesn't contain any sensitive information.

No, not with BitLocker!

With TrueCrypt, you don't need the 100MB system reserve partition. Here is how to get rid of the 100MB system reverse partition, if you desire to do so:

http://www.terabyteunlimited.com/kb/article.php?id=409

Best regards,

KOR!

 

King of Rapture, thank you very much for your reply and the link.

Does it mean I can leave it unencrypted without jeopardizing privacy of encrypted data on other partitions (including the Windows system partition)?

OK, I don't need it, but is it safe to keep it? Can I have TrueCrypt FDE with the 100MB partition unencrypted? If so, can it be used by an adversary as a backdoor to the encrypted system in any way?

Thanks, that's very valuable information. However, if I can avoid messing with the boot partition I'd rather skip that step.

And one more thing, all partitions on that HDD where the system reserved partition and Windows system partition are located are marked as dynamic. Does it change anything? Can I merge partitions on dynamic disks? If not, can I convert it to basic disk?

Plus, that HDD is not Disk 0, it's Disk 4. Any importance?

I have five harddisks in my PC. Data partitions are encrypted (some with DiskCryptor, some with TC). If I want to have TrueCrypt FDE and encrypted OS partition (possibly with hidden OS), what exactly should I do?

What would you do if you were in my shoes?

Thanks in advance

 

Here is what I do with PGP and TrueCrypt:

PGP

Using PGP you can easily just have it encrypt the drive as (at least in my experience) it encrypts the 100MB Partition as well by default. Another plus is PGP can use two-factor (Keyfile) authentication at boot. Now if you don't want to pay the $150 or so it costs than TrueCrypt (TC) is the option.


TrueCryp
TC does have the option the encrypt the 100MB partition and the HPA/DCO partitons (Host-Protected Area). Now I have NEVER been able to use this. Everytime it BSOD's on me. So I recommend (if possible) to reinstall and merge the partition. OR use Gparted or another partitioning tool to do this. Easus Partition Manager Home is free and easy way to do this.


As for leaking data, it IS possible as it is just a partition so windows could write to it and you would have no idea. Best bet is to encrypt EVERYTHING.

 

Actually, I do own PGP Desktop Professional.

But with PGP I can't have a hidden OS which I could if I used TrueCrypt. Not that is a must, but I'd like to try it.

Thanks for telling me this. Any explanations about this problem on TC forums?

I'd like to avoid reinstallation as it would mean a lot of hassle with reinstalling, activating and setting up all those programs I am using. I guess image restore is not applicable in this case?

So with GParted or EaseUS I could easily merge partitions even if they are dynamic and would get a bootable system?

Thank you very much for your help. Would you have any how-to links by any chance?

 

Well good news is hidden OS has a nice feature: TC won't allow you to write to any partition or drive that is NOT a hidden volume when you are on the hidden OS that way data leaks can NOT happen. You can ONLY leak to hidden truecrypt containers which isn't bad as you are the only one with access to them.

www.truecrypt.org/docs/?s=hidden-operating-system

The issue I had with BSODs is not mentioned and when I posted they deleted the post. Their forums are censored all the time, post anything that puts TC in any bad light and it's gone. (Partly why I don't use TC any more).

Before doing anything take an image of your system. Esus worked for me in the past but it may not work for you. Do NOT risk your data with out a back up.

For the back up I would encrypt it or wipe it out after the system is encrypted. This way you don't have an unencrypted back up.

 

So it means that all hidden volumes that are meant to be used from the hidden OS have to be created before the hidden OS?

Yeah, it's sad they censor their forums heavily.

So, I guess the right procedure would be:

1) assign a drive letter to the 100MB system reserved partition

2) image the 100MB partition and store the backup image on an unencrypted partition

3) image the C: partition and store the backup image on an unencrypted partition

4) use EaseUS to merge the 100MB partition with C: partition

5a) if step 4 fails boot using the image software recovery CD, navigate to the unencrypted partition with backup images and restore the images to the 100MB partition and C: partition respectively

5b) if step 4 succeeds make a new image of the new C: partition (which now includes boot files from the former 100MB partition), store it on an unencrypted partition

6) if step 5b works encrypt the new C: partition

7) encrypt that partition that contains the unencrypted C: image


Do I get it correctly? Anything else I should pay attention of?


EDIT: I have already made a backup image of the 100MB partition without having assigned a new drive letter to it. I guess it doesn't matter because I can still restore that image to any location I want, right?

 

Correct. You can do this and it SHOULD work. This is how I did it. Before you go ahead though I would disable the bitlocker services. Just to be on the safe side of things. Also if this doesn't work and you restore from back up I would (at that point) just go ahead with the hidden OS set up. As I said in my last post Hidden OS prevents leaking to unencrypted (unhidden) volumes.

 

Problems. I asked the same question on EaseUS forums and they say it wouldn't work.

I guess I'll have to come up with an alternative scenario. Any ideas?

It's off.

If I remember correctly, after creating the hidden OS, TC automatically wipes the C partition and forces you to install a clean OS. If so, can I restore the old image?

 

Hmm.. Worked for me (if I recall correctly). And yes that is what TC does. You can try restoring the old image but I would be VERY careful if you do.

 

OK, let's say I've decided to use TrueCrypt for the FDE, possibly with hidden OS.

The hard disk where my OS is installed is a dynamic disk. Does it make any difference? Should I convert it to basic disk before FDE? Does it (dynamic/basic) affect the FDE in any way?

Also, should it be GPT or MBR disk?

My system disk is disk 4 in Disk Management. I saw on the TC forums that TC automatically seeks disk 0 and if it fails to find the bootloader there it can't boot. If so, how can I make my system disk be disk 0?

Thank you

 

This is how my computer is set up:

Disk Type - Unallocated Space - Device Type - Partition Style

Disk 0 Basic 9MB IDE MBR

Disk 1 Basic 9MB IDE MBR

Disk 2 Basic 9MB IDE MBR

Disk 3 Basic 2MB IDE MBR

Disk 4 Dynamic 4MB UNKNOWN MBR

Disk 5 Removable 4MB USB MBR

CDROM 0 DVD 0MB IDE MBR

CDROM 1 DVD 0MB SCSI MBR

That's the Disk List from Windows Disk Management.


Below is the Volume List (partitions):

Disk 0 - G: (Active, Primary); H: (Logical); I: (Logical); J: (Logical); *Unallocated

Disk 1 - P: (Logical); O: (Active, Primary); Q: (Primary)

Disk 2 - K: (Active, Primary); L: (Logical); M: (Logical); N: (Logical); * Unallocated

Disk 3 - R: (Primary)

Disk 4 - * (System Reserved 100MB); C: (Boot); D: ; E: ; F:

Disk 5 - V: (Primary)


So, the system disk is Disk 4. It is dynamic disk, it has 100MB System reserved partition and C: partition with Windows 7 OS (plus D, E, F partitions).

Disk 0 is the old system disk (it was the main disk with OS before I upgraded my PC and installed a new OS).

Disk 5 is a removable USB thumb drive.

Also, I have only one optical drive. The other one showed up after installing some software (it must be a virtual drive).

MY HDDs are SATA drives, I am not sure why they are presented as IDE drives in Disk Management. My motherboard has one 6 Gb/s port and the main system disk (disk 4) is connected to it. Maybe that's why it's listed as "unknown" device type in Disk Management. Other disks are connected to 3 Gb/s ports.

The only active OS is the one on C: partition on Disk 4. Old OSes are still on their native partitions (G:, K:, R: ) but are inactive and encrypted.
If I find a way to convert Disk 4 from dynamic to basic, will TC be able to boot the encrypted system from Disk 4?

 

Your setup is way out of my comfort zone, but with encryption, simple is best. I'd pull all drives but the one you want to be your primary OS drive. I'd then partition it with GParted, with about 50Gigs for the first partition, and the rest for the second. Install Win7, TC it using Hidden OS option, and TC will move it to the second partition and wipe the first. Reinstall the Decoy OS on the first and make sure it all works. Then add your other drives back in, one at a time and make sure it all works. Then you can TC (or not) all the rest of them or do whatever. It may seem like more work, but it's almost foolproof and in the end, may be quicker than trying to troubleshoot your current setup.

PD

 

Pauly, thanks for the input. I would do it right now if I knew it would work.

I have already tried that (with unencrypted disks): the system drive is Disk 0 only if there are no other drives connected. When I add one more drive it becomes Disk 0 and my system drive becomes Disk 2. Each new disk connected, it pushes the system drive one step back and it makes it Disk 2, Disk 3 and Disk 4 finally.

The point is that I would probably be able to encrypt the system disk while other drives are disconnected, but as soon as I would connect other drives, the system drive wouldn't be Disk 0 any more and I wouldn't be able to boot the system. I don't know what to do.

Does anyone know if PGP Desktop or DiskCryptor require the boot drive to be Disk 0?

 

In my experience if you encrypt the ENTIRE drive (not just the system partition) requires Disk 0. I haven't deliberately tried it. Also to answer your above question about GPT and MBR. TrueCrypt ONLY supports MBR. PGP can support GPT on Mac at least. DiskCryptor I have no idea.

 

Thanks, x942. I have asked in different forums and in IRL and nobody can help me to sort this out (make disk 4 be disk 0).

Would this work: I take all HDDs out of the PC and put them in enclosures; I leave only the system disk inside and thus make it Disk 0? When I connect the other drives (which are now external disks), everything should work fine, right?

I still haven't found the way the convert the system disk from dynamic to basic; even the specialized software fails to do it. It looks like I'll have to reinstall Windows and hope it will make it basic disk by default.

Another pending issue is the 100MB system reserved partition. While almost everybody on TC forums advise removing it, I read here it's required for FDE.

There is so many confusing information that it starts to drive me crazy.

 

Yes. Removing the other drives should work but that's a lot of hassle. Why not just back up all your data format the drives and go from there?

As far as the 100MB partition goes it's only needed for bitlocker. TC doesn't need nor use it in any way.

 

Just for reference, is it ok to also encrypt and or remove this 100 mb partition if bitlocker isn't used? Will the computer be able to boot?

What's the point of that reserved partition anyway, is it an Achille's heel built in Windows to subvert other methods of FDE?

 

Yes you can remove it and all you will lose is bitlocker.

The only purpose for it is bitlocker. Bitlocker boots from that partition when in use. It does nothing else and subverts FDE in no way shape or form.

 

In the chapter called "Security Precautions Pertaining to Hidden Volumes" , among other things, TrueCrypt User Guide says:

How can I ensure that?

 

Never seen anything with BIOS/EFI level logging before.

That said windows is log heaven. There is no way you can guarantee that all logs are wiped. But since it's all encrypted anyways I don't see any problem here.

They would have to compel you to give the password to see the logs. Giving them the decoy system password would only allow them to see logs from that system.

 

The trick with FDE is that you need to get every piece of hard disk encrypted as much as possible.

Read this article "Method 3: Trick to Remove 100.00 MB System Reserved Partition During Setup".
http://www.mydigitallife.info/hack-to-remove-100-mb-system-reserved-partition-when-installing-windows-7/

I've been using paid FDEs even one with destruction password. Based on personal experience, OS corrupted or losing data are my lowest concern.

Having my data files safe - away from unwanted hands - is my one and only lifeline.

 

and your right , i too merged the 100mb with my os partition before creating a fde with tc

 

Check this out:

http://www.terabyteunlimited.com/kb/article.php?id=409

It removes the 100.00 MB System Reserved Partition after Setup.

Best regards,

KOR!