Using Hardware and Software Encryption on System Drive

I wish to combine hardware SSD encryption with Truecrypt or other software encryption for system drive.

Is there special order must follow so no problems?
For example, must first activate SSD encryption in BIOS, then install OS, then encrypt using Truecrypt?
Or other way: first install OS, then encrypt using Truecrypt, then activate SSD encryption?

And if having SSD encryption active, must first enter password for SSD when boot, then second enter password for Truecrypt?

 

I am afraid getting start use Truecrypt because so many discussions about problems other users having.

I do not want to brick the computer or lose the data by use the wrong order.

 

Just image the drive before any testing.

PD

 

This mean nobody know answer?

 

First off, you might be interested in seeing here. (And be sure to check the links included there.)

Basically on the whole I don't really think hardware encryption is worth it...particularly if you're going to be using software encryption anyway. As you'll find in those links, hardware encryption isn't exactly fullproof (sure, theoretically no encryption is, but you understand my point)...

For one thing, you're assuming there aren't backdoors implemented by the manufacturer. That's a pretty big assumption (especially these days.)

For another, as you can see in that first link, hardware encryption has been cracked (at least by law enforcement), even as recently as this year, and on hardware from a company as reputable as Western Digital. That to me raises a red flag on the actual security offered by hardware encryption.

Okay, so you might say you're not worried about governments and high-level crackers like that, you just want to keep everyday snoops and black hats out of your data. Sure, fine. (Although that would be a bit odd, considering you're interested in doubling up on your encryption.) But even supposing the hardware encryption is good for keeping out the vast majority of would-be attackers...that means it can also keep you out...

As I mentioned here, considering how virtually all hardware encryption works, if some piece of the hardware fails, you're going to have a heck of a time trying to recover what you've stored on it.

(And of course, as with everything (but especially encrypted things), you're going to want a backup.) And you're going to especially especially want a backup if it's hardware encryption. But here's the rub though: if you're backing up encrypted data...that means the backup would most likely need to be encrypted too. Which means you have two options again: software encryption or hardware encryption. Hardware encryption, aside from all the drawbacks I already mentioned, is also probably going to add a greater cost to your backup (particularly if you take into account the options of low-cost/high-capacity cloud storage). So you're either looking at doubling your expenditure and getting multiple pieces of hardware with encryption features, or simply relying on just software encryption in one of the cases.

This of course raises the question "If software encryption alone is good enough for your backup, why isn't it good enough for your primary?"

Sure, you may have some circumstance in which your primary is under much greater threat than your backup, and feel the extra protection is worth it on the main drive. But I have a hard time imagining a common realistic scenario in which this is true.

So all that being said, I suppose you can guess my recommendation: Forget about the hardware encryption. It simply adds too much more risk for not enough payoff. The ROI just isn't there.

However, if you insist, I would honestly read all documentation extremely carefully, as how you implement it may make a difference, or none at all. I wouldn't be surprised if the particular hardware and its particular scheme would actually make a difference...so the only real way to be sure is test it. (Which is why we're all so adamant about backups.)

 

This is what I should have done before I encrypted my drive. A little bit too late, but thanks for the advice.