FDE for traditional MBR partition

Discussion in 'encryption problems' started by abi, Mar 6, 2015.

  1. abi

    abi Registered Member

    Feb 24, 2015
    Ok, in an earlier post* and with kind help from this forum I realised that it is impossible to have FDE on your system partition when it is GPT / UEFI. At least if you are looking for freeware today.

    So, now I will reformat to MBR** and disable UEFI (or whatever has to be done) in order to use FDE on my W8.1 64-bit laptop. (As a bonus, that should also remove any remaining traces of Superfish and other bad fish!)

    Any thoughts on pros and cons for the following alternatives will be highly appreciated!
(I have obviously studied their websites, but it's hard to find comparisons.)

    1. Truecrypt 7.1a. Pros: Used it for years, still trust it. Cons: Discontinued. Developers say it is not secure any more.
    2. Ciphershed. Pros: Continuation of Truecrypt. Cons: Not released yet.
3. Veracrypt. Pros: Apparently an improvement of Truecrypt. Cons: ? Not a long track record.
4. Diskcryptor. Pros: Recommended by the EFF. Cons: ? Seems to have lived in the shadow of Truecrypt?
    * https://www.wilderssecurity.com/threads/fde-for-sdd-which-one.373708/
    ** Fingers crossed that a future upgrade to Windows 10 will work on MBR(!)
  2. Palancar

    Palancar Registered Member

    Oct 26, 2011
How about some basics first. You need to make certain that your laptop even has legacy BIOS as an option. Some machines no longer boot without UEFI. You need to be positive about that.

Next, (rhetorical question) what is your threat model? There are some great commercial products (example Jetico) that support GPT and full disk encryption. If you are securing for theft, corporate spying, etc., they are more than good enough. Their only weakness is that it's closed source, so the backdoor question comes to mind. Great company with no record of anything going on, I am just saying!

    If you insist on re-working your machine and staying with Windows I would use TC. My opinion. My true opinion and the way I went is to exit Windows world and head to Linux. I would absolutely hate to go back to Windows.
  3. deBoetie

    deBoetie Registered Member

    Aug 7, 2013
I'm still not sure what your problem with BitLocker is, particularly if you have a TPM, and it's completely transparent. That way, you can also benefit from trusted boot features, which defend against rootkits. Clearly dependent on your threat model, but I'd say the risk with Windows generally is way bigger than BitLocker in isolation. In addition, my threat model worries more about remote threats than it does about physical ones, and any FDE is useless for them! Plus with BitLocker, there's nothing to stop you using Truecrypt as well.

    Some additional comments on @Palancar's notes:

Jetico is a good company; when I looked at Bestcrypt a couple of years back, apart from the steep cost per machine, there were doubts about their performance levels on SSDs. That may have changed now, but for sure, Truecrypt's performance is pretty darn good because it enables multithreading etc.

    As has been noted previously, Truecrypt is the only open solution which is cross-platform, and since you'll very likely be wanting to use various incarnations of Linux sometimes, it makes sense at least as a transfer medium if not FDE.

Oh, while I remember it, and I feel like a granny exhorting their kids to wear a vest: by all means back up the keys/headers whichever route you go. You will save yourself a whole world of grief. Remember you will NOT be able to recover anything like the good old days, when you could do a dual boot and get the important files off the disk, without those keys. And then of course you have to keep those keys safe... it goes on....
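Two practical points come up in the posts above: Palancar's "make certain your laptop even has legacy BIOS as an option" (and whether the disk is GPT or MBR), and deBoetie's "back up the keys/headers whichever route you go". The following PowerShell script is an added example, not code from any poster or from Microsoft, that checks the current boot mode, partition style, TPM and BitLocker state of the Windows system volume and writes the BitLocker recovery password(s) to a file so they are backed up. The cmdlets are the standard Windows 8+ Storage, TrustedPlatformModule and BitLocker modules; the backup file path is an assumption and should point at removable media or another location off the encrypted disk.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report firmware / partition / TPM / BitLocker
# state and back up the BitLocker recovery password for the OS volume.
# Assumed output location; change it to removable media or a password-manager export.
$BackupPath = Join-Path $env:USERPROFILE 'Desktop\bitlocker-recovery-backup.txt'
$OsDrive    = $env:SystemDrive   # normally "C:"

# 1. Firmware boot mode: 'UEFI' or 'Legacy' (set by Windows 8 and later at boot).
$firmware = $env:firmware_type
Write-Host "Firmware boot mode : $firmware"

# Secure Boot can only be queried on a UEFI boot; on a legacy BIOS boot the cmdlet throws.
try {
    $secureBoot = Confirm-SecureBootUEFI
    Write-Host "Secure Boot        : $secureBoot"
} catch {
    Write-Host "Secure Boot        : n/a (not a UEFI boot)"
}

# 2. Partition style (GPT vs MBR) of the disk holding the OS volume.
$osPartition = Get-Partition -DriveLetter $OsDrive.TrimEnd(':')
$osDisk      = Get-Disk -Number $osPartition.DiskNumber
Write-Host ("Disk {0} partition style : {1}" -f $osDisk.Number, $osDisk.PartitionStyle)

# 3. TPM presence and readiness (needed for the transparent BitLocker setup discussed).
$tpm = Get-Tpm
Write-Host ("TPM present/ready  : {0}/{1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 4. BitLocker state of the OS volume and the key protectors it has.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
Write-Host ("BitLocker status   : {0} ({1})" -f $vol.ProtectionStatus, $vol.VolumeStatus)
foreach ($kp in $vol.KeyProtector) {
    Write-Host ("  protector        : {0} {1}" -f $kp.KeyProtectorType, $kp.KeyProtectorId)
}

# 5. Back up the numerical recovery password(s); without them a locked volume cannot be recovered.
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ($recovery) {
    $recovery | ForEach-Object {
        "Volume $OsDrive  ProtectorId $($_.KeyProtectorId)  RecoveryPassword $($_.RecoveryPassword)"
    } | Set-Content -Path $BackupPath
    Write-Host "Recovery password(s) written to $BackupPath - move this file off the encrypted disk."
} elseif ($vol.ProtectionStatus -eq 'On') {
    Write-Warning "BitLocker is on but has no RecoveryPassword protector; add one with: manage-bde -protectors -add $OsDrive -RecoveryPassword"
} else {
    Write-Host "BitLocker is not protecting $OsDrive; nothing to back up."
}
```

Run it from an elevated PowerShell prompt before repartitioning: a `Legacy` firmware type with an `MBR` disk is the layout the original poster is aiming for, while `UEFI` plus `GPT` is the layout BitLocker with a TPM works on today. The same information is available non-interactively from `manage-bde -status` and `manage-bde -protectors -get C:` if the BitLocker module is not installed.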
  4. mirimir

    mirimir Registered Member

    Oct 1, 2011
    I just read https://www.happyassassin.net/2014/01/25/uefi-boot-how-does-that-actually-work-then/ and understand UEFI a little better. And I'm reminded of this:
OK, so could one run a Linux box with LUKS FDE, and then boot Windows from a network share?