FDE for SDD - which one???

Discussion in 'encryption problems' started by abi, Feb 24, 2015.

  1. abi

    abi Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    6
    Just got a new Windows 8.1 64-bit laptop and realized that a SDD disk is impossible to wipe. Because of this - and in case of theft - I'm considering to use FDE (full disk encryption), but which one should I use?

    • The 'original' Truecrypt has been discontinued as we all know.
    • The 'original' Truecrypt and any forked versions are AFAIK officially not W8 compliant, but do they work for W8.1 regardless?
    • Bruce Schneier recommends Symantec Endpoint Encryption (which is a development of the old commercial PGP Disk etc), but besides the price it seems impossible to install unless you're a sysadm in a big organization (yes, I have tried)
    • PGPi has not been updated since 2002 and it seems no freeware PGP version exist any longer according to P Zimmermans site
    • Everyone distrusts Bitlocker, but if you can live with a potential NSA backdoor (should stil protect you against theft and similar threats) then it seems easier to use than Symantec, but costs roughly the same (W8 -> W8 Pro upgr). Besides, it requires TPM.
    • Linux based FDE for W8 (LUKS?) seems to be trusted but very complicated to use unless you a Linux expert? I gave up finding the right guidelines for this, if it is an option at all?
    • Finally there is a long list of FDE products claiming there're world class but dont' have the reputation to prove it...
    So, what is the smart thing to use for FDE for a W8.1 with a SDD driveo_O?

    In the past I have used PGP Disk and Truecrypt, not as FDE but for volume encryption.

    Yes, I can accept some uncertainty over potential NSA backdoors but would obviously prefer not to have them.
    Yes, I will gladly pay for a quality product.
    Yes, reliability, security, portability and stability (as in 'the product will exist for a long time') are the most important factors for a FDE product.

    Thank you very much for any guidance!
     
  2. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Diskcryptor is the clear choice. Doesn't your SSD have the built-in self-encrypting feature? Intel/Samsung/Crucial all do. That's even easier to set up.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    What brand/model SSD?

    Most consumer SSDs with FDE use BIOS password. That's useless.

    Enterprise FDE SSDs and some newer consumer FDE SSDs from Crucial, Samsung, etc secure passwords with BitLocker or other Windows frontends. There are no frontends for OSX or Linux, as far as I know.
     
  4. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    For some modern systems with TPM, W8.1 supports recent TGC Opal 2 standards and MS eDrive for drive-based encryption (which SSDs such as the recent business Crucial ones do). This is using Bitlocker though, so it depends on your attitude to that really. There are some benefits to buying into this story since it covers secure boot/some rootkit detection, as well as performance improvements from having encryption on the drive (and the drive presumably knows about how to do its levelling). My understanding is that if you switch on the FDE before putting any real data on, that minimises any exposure.

    It may also take some digging with whatever you choose to ensure that wear levelling can happen properly, I've seem some recommendations to create an unused partition to ensure some spare blocks.
     
  5. abi

    abi Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    6
    OMG, this is getting complicated... :-/

    Thank you very much for all you replies! :)

    The disk is a Samsung MZMTE256HMHP-000L1.
    It is a GPT.

    AFAIK the GPT means that Truecrypt (~Ciphershed) is ruled out.
    GPT also rules out Verycrypt, that in spite the W8.1 compatibility, does 'not support GPT partitions yet'.
    Diskcryptor seems to have no reference to GPT in the documentation, only to MBR. It supports W8.1.

    Can this be a dead-endo_O? :-(
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'm not familiar with GPT, but it should be possible to reformat and partition with MBR.

    I'm not seeing that this model supports TGC Opal 2 and MS eDrive.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Truecrypt does not support GPT - that's one of the theories why the developers chose to quit at that point, it was quite a lot of boring work.

    I'm not clear that you'd necessarily get any benefit from GPT unless you have a load of partitions/a huge SSD (lucky you!!!) So I don't see any particular benefit from that.

    I did do a little evaluation of Discryptor (on a VM), precisely because it could support GPT (although I didn't test that) - this forum post supports that assertion:

    https://diskcryptor.net/forum/index.php?topic=4680.0

    I quite liked Discryptor, seemed solid and fast, but like I say, that was only a little eval, YMMV!

    But in the end, I went to the dark side and ran with Bitlocker/TPM because that's OK for some classes of protection, and requires no user input on boot. Of course, that's not all I use....
     
  8. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I have Windows 8.1 Pro w/bitlocker, I read about the backdoor in bitlocker. I decided to encrypt my individual files with Axcrypt and not enable bitlocker.
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,282
    Could you give more details -- what exactly did you read, and where?
     
  10. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    It was 2 years ago just after I order my new system, I had a big big disagreement with the parts Manager. All I remember is that there was a lot of controversy over a possible backdoor.
     
  11. abi

    abi Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    6
    This link is extremely interesting - thank you very much!!

    1) It confirms that Diskcryptor can NOT work with GPT on the system / OS disk
    2) It shows a 6 step process for converting to MBR and disabling UEFI to use Diskcryptor

    For anyone interested the remaining options seem to be:
    1) Follow the beforementioned 6 step proces and use Diskcryptor for FDE of system drive
    2) Continue using volume encyption only (Truecrypt is working fine!) while awaiting that Diskcryptor / Veracrypt / Ciphershed implements GPT system drive FDE (no ETA). Volume encryption not perfect (risk of data leaking on disk), but way better than nothing and 1000 times easier than the first option.
    3) Look for commercial alternatives like Jetico's Bestcrypt (claiming to support system drive GPT), Bitlocker or maybe Symantec.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    That's been around for ages and will always be an issue for proprietary security products such as Bitlocker. OTOH, its code has been scrutinised by large organisations, so is hopefully OK as far as standard commercial threats are concerned (not nation state).

    The more concerning things regarding Bitlocker recently are:

    a) they have changed/weakened the diffuser in W8 - no reason given although may be performance. Dodgy.
    b) if you provide a Live account for the admin login on W8, when you set up Bitlocker, it will copy the recovery keys to the cloud. Great for easy recovery, terrible for handing over your keys to anyone. But you can avoid this.

    Still don't see what's wrong with ditching GPT unless you need it....
     
  13. abi

    abi Registered Member

    Joined:
    Feb 24, 2015
    Posts:
    6
    And maybe there's a fourth option also:

    4) Nuke my laptop since it had Superfish installed. It's now removed, but I feel like completely cleaning the HD, format it and install a clean Windows 8.1 with the Lenovo crap. If I understood it corectly, then I will be able to choose MBR as part of that process, and then later I can simply use Diskcryptor for FDE...
     
  14. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Oh, the ordure is not limited to Lenovo, they're the ones caught out in the most embarrassing way - more or less all the main manufacturers load with bloat at best.

    Anyway, I routinely rebuild any laptop to my standards and only load the drivers that I think are absolutely necessary. I'd advise the same regardless of manufacturer - doesn't normally take too long apart from the elapsed time of the update cycle.

    Slightly OT, I've noticed that ATI graphics card driver/software updates now come with default gaming nonsense selected for install (with information going to some network or other). You just have to be constantly vigilant with all these defaults.
     
Loading...