Truecrypt - encrypt system or entire drive?

Since the Truecrypt boards are not accessible I am going to ask here, please if someone can help me...

I have two HDDs. The first/second are from the same model: Samsung 700 GB.

I am going to install Windows XP SP3 in the first drive, using, let's say, 50-100 GB reserved for sensitive data stored in the same partition used by XP SP3. Let's call that partition C:\.

That means I might have some sensitive data stored by the browser, Windows, and some contents that I do not wish others to see. Unless I insert the correct password while booting, I want all data never being recovered again.

I will create another partition (D:\) in the same first HDD, using the other 600-650 GB to store random data, things that can be accessed by any people.

The second HDD, used as slave (E:\), will only be required to store more data that can also be accessible by any people, therefore, can be unencrypted as the second partition (D:\) in the first HDD.

D:\ and E:\ are not going to have any operational system installed. I am not going to use dual boot, or Vista. When Windows 7 arrives, I am going to remove XP and replace it, doing all that process again.

Assuming that's the case here, which option should I choose while encrypting the first partition? Is there a risk of leaving some tracks in the other unencrypted drives?

Encrypt the windows system partition
Encrypt the whole drive

The reason I am asking this is because Truecrypt cannot encrypt any partition where Windows is not installed and where it boots. I would like to encrypt everything, including Windows and all drives with only data stored, since apparently that's not possible, I will stick with one O.S. and one partition encrypted.

 

Maybe I am missing something, but I will try to answer, based on my uses of TC.

First if the goal it to encrypt C, but not D and E, choose the "Encrypt Windows Partition."

But your statement, "I would like to encrypt everything, including Windows and all drives with only data stored, since apparently that's not possible, I will stick with one O.S. and one partition encrypted." I dont get?

Are you saying you DO want to encrypt an additional partition/drive but cant?

I have an external data drive that I have encrypted the entire partition with no issues, and it has no OS on it. Maybe I am misreading your issue, however.

 

My primary goal was to encrypt every single drive/partition, OS and file stored in any disc. But I can't do that, and I will explain why.

First, if I am using dual boot (XP on drive C:\ and Vista on second drive E:\), and also using the "whole disc encryption" option on XP, Vista will not be encrypted. And while I am using Vista, I can't encrypt the drive. The message says "Windows is not installed on the drive where it boots".

While Vista is running, I can't see XP and drive C:\ since it's encrypted. Everytime I have to mount the drive, inserting the tedious password again. I wasn't capable of auto-mounting this C:\ drive when Vista is starting by itself. I need to do that manually. The XP C:\ drive was acessible after I did that, but this is not good. In the end, you'll have to insert the password twice by this method. One when you are booting, two when you are trying to view the C:\ drive while using E:\ (the second).

Those are some reasons why I am not going to use dual boot in this machine.

Well, assuming that's my current use of this machine:

***************
FIRST HDD - 700 GB
***************
C:\ XP SP3 partition - 50 GB
D:\ second partition - 650 GB - random data - no OS installed
***************

***************
SECOND HDD - 700 GB
***************
E:\ third partition - 700 GB - random data - no OS installed
***************

What should I do to encrypt all partitions on the first drive, and encrypt the second drive as well?

In a way that I don't need to insert the password again to see them, while I am booting C:\.

I imagine that by inserting the boot password, I received clearance to see all other encrypted drives. Or Truecrypt was mounting them by caching their passwords in the encrypted C:\ partition.

Unless I can figure out all of this, I will have to let only the C:\ partition encrypted and the rest with random data, including the slave drives, will be seen by any other people.

 

If you have given up the idea of dual boot, then encypting ALL drives is no issue. Auto mounting them, is however another task.

AFAIK to use WDE and TC, with dual boot the os's need to be on the same drive, but I may be wrong. I do know that TC has the ability to "skip" the TC boot loader and then try loading the os from the first available non tc volume, but this would mean you would have XP encrypted and Vista not.

If you are going to go with:

***************
FIRST HDD - 700 GB
***************
C:\ XP SP3 partition - 50 GB
D:\ second partition - 650 GB - random data - no OS installed
***************

***************
SECOND HDD - 700 GB
***************
E:\ third partition - 700 GB - random data - no OS installed
***************

Then you will need to load XP on C, and C needs to be the FIRST partition on that drive, physically. It cant be a second partition, that is marked as C and marked active. This generally comes into play when you have a recovery partition from the manufacturer that occupies the first part of the partition. So first step is to make sure xp is on C, and C is the first partition.

Then you can boot to XP, and use the Encrypt where windows is installed option, encrypting C. You would then encrypt D and E separately, and mount them individually. (there are some scripts and guides floating around here on auto moutning to do that for you).

AFAIK, TC's boot loader can only decrypt the OS partition/drive. Each partition must be encrypted separately, therefore they are going to have different headers, keys, etc, even if you use the same password.

I would either create one large partition on disk 1, and use WDE, and then encrypt disk 2 and use and auto mount, or encrypt the system partition and use containers where you need them.

Do you really have 1.3TB of data you need encrypted?

To quote Justin, decide what REALLY needs to be encrypted and what doesnt, FIRST, then encrypt what makes the cut.

 

Hold on. Assuming you only wish to encrypt the Windows partition, if you are using "whole disk encryption" you will encrypt the other partitions if they are stored in the same disc?

Unfortunatelly I will need to use at least 5 other Hard Drives, but I believe the "sensitive data" will be stored in the same partition used by Windows XP. That's why I am going to reserve at least 10% of the total disc size for the operational system. The rest will be used to store random data, like videos.

Auto-mounting the other partitions/slave drives is the primary issue... are you sure we can force Truecrypt to mount them once Windows started? I am not going to do that manually forever, I need them mounted once my system has started, after I insert the boot password. I wish to use the same password for D:\ and E:\ in the above scenario.

That means I will have all discs and partitions encrypted, not only the OS partition.

If you say there's no chance of leaving traces in some unencrypted discs/partitions, then there's no reason to encrypt anything other than the OS and all sensitive data stored with it.

 

Still vulnerable even after encryption.

http://www.anti-forensics.com/?p=240

Full Disk Encryption How to with Truecrypt and WinXP

 

Yes there are auto mounting scripts you can find here, no they will NOT auto mount based on JUST entering your boot password. EACH disk/partition enrypted requires you to enter its password, even during an auto mount, unless you code the password in, which would make encrypting it pointless.

To be honest, I have not used WDE with 2 partitions, one being the boot. But if you are using WDE, everything should decrypt with the boot password, I believe. Additional disks have to be mounted one by one.

Download the TC documentation and go through it good before you do this, and backup everything first. It took me 4 days to do a hidden OS setup, plus a container and partition, because I refused to read the manual.

 

The auto-mounting script doesn't work in that scenario:

First, if you log into Vista, you will not see the XP drive, cause it will be encrypted. But if you log into the XP drive, you will see all files placed on the Vista drive.

Second, if you attempt to mount the XP drive while using Vista, you are required to use the option "Mount without pre-boot-authentication". If you don't choose that option, that's it, you will not access the C:\ drive at all.

That said, there's no way (that I am aware of) to use a batch script and make the C:\ mounted while Vista is starting.

That's one reason why I am removing this dual boot thing. I will only keep XP or Windows 7 installed on the first partition, and try to encrypt the rest. And by rest, I mean, no other operational system installed. There can be only one.

That way I believe, I might have some sucess trying to use one of these scripts. I haven't figured out what I am doing wrong, but perhaps auto-mounting a WDE drive is not supposed to work while you are using the *other* non-encrypted dual boot-drive.

Which is sad since you will be forced to insert the same password twice. Once when you boot, twice when you are manually looking into Truecrypt after Vista started. And using the "Mount without pre-boot-authentication" simply turns the copy-paste impossible, you'll also have to type every single digit of the password.

 

They have this Truecrypt built in feature in NDM (Network Drive Manager) good for wireless laptops to manage and keep connecting your mapped drives are access or not instead of letting Windows Mapping take care of it.