Truecrypt question/verification

I've been using this freeware for years and love it. Recently though I received a new laptop which came with two SATA drives built into it. The user has free reign with them, though I have my windows partition with one and house my VMware OS's on the other. Windows mounts the other one on load up for additional space. I am looking for confirmation on my thought process here to encrypt both and not lose my mind, here is what I have in mind:

Perform a full disk encryption on Drive1 housing my windows, then perform another full disk encryption on the other though once I boot into Windows allow truecrypt to run upon start up and auto-mount the second drive? This way both drives can be used and I lose no functionality. Is this the correct solution to this dilemma?

 

Wouldn't your question be better answered over at the TrueCrypt Forums?

http://forums.truecrypt.org/

Ken:

 

It's exactly what I do. You simply use the "System Favorites" function.
http://www.truecrypt.org/docs/?s=system-favorites

 

I'm writing this from a reliability/data recovery/disaster recovery point of view.

Encrypting the entire system disk plus fully-encrypting the entire internal data disk may seem like the simplest solution, but the reality is that in the first case it can make disaster recovery much more difficult, and in the second case it will result in a disk that can be spontaneously overwritten by normal Windows activities. It's almost always better to encrypt each partition separately rather than encrypting entire disks.

I normally recommend first encrypting the system partition and then separately encrypting any other partitions that might contain sensitive user data. You can set them as system favorites if you want them to mount during bootup, otherwise leave them unmounted until they are actually needed. Don't bother encrypting the manufacturer's recovery partitions or the Windows 7 boot partition, as those partitions don't store any user data.

Exceptions to the above: On the system drive, if you have altered your partition layouts AFTER storing sensitive data in them, but BEFORE encrypting them, then it's possible that some data remnants might now exist in unallocated space (e.g. partition gaps etc.). This is uncommon, but possible. In this case you can either encrypt the entire system disk in its current condition, or you can wipe the entire disk, set up new partitions, reinstall Windows and then encrypt the individual partitions.

The same logic applies to disks that are used only to store user data. If you've been altering your partition layouts such that sensitive data remnants might now exist within the unallocated space then it's probably best to first wipe the entire disk, then set up new partitions and encrypt them. You could also merely encrypt the entire device, as this would include all unallocated space, but I recommend against this option when used in conjunction with internal hard disks because Windows has an unpleasant habit of spontaneously 'fixing' the apparently blank and uninitialized (from Windows' point of view) disk. Basically, Windows overwrites your encryption header with boot sector information, although worse outcomes are also possible. These sorts of things are especially likely to happen during a Windows upgrade or reinstallation, but it can also happen at other times such as during an unexpected Windows glitch. Other software, especially partitioning software, can also spontaneously make these sorts of changes to your fully-encrypted device without warning. If the disk is external then you can merely disconnect it during the riskier moments, but an internal disk is always vulnerable to these sorts of occurrences.

Note: To improve your chances of recovering your data if things should go wrong, I recommend burning an extra copy of the TC rescue disk as well as copying the rescue disk iso file. You should also manually back up the headers of all encrypted partitions. Store all header backup files and the iso file externally. And back up your data as well, of course. The added layer of encryption will immensely complicate most data-recovery operations, so keeping separate backups of important data is crucial. The backups can also be encrypted, of course. As long as they're not connected to the system they won't necessarily share its fate.