Truecrypt - OS reinstall on Fully Encrypted Drive

Discussion in 'encryption problems' started by jetjockey8, Aug 31, 2012.

Thread Status:
Not open for further replies.
  1. jetjockey8

    jetjockey8 Registered Member

    Joined:
    Aug 31, 2012
    Posts:
    3
    Location:
    Romania
    Hi everyone.

    I am new to this forum but I have been reading some truecrypt related threads and I noticed there's a lot of people in here with solid knowledge on that subject. On that note, I wanted to ask for your opinion regarding an OS reinstall on my fully encrypted drive. The drive is 2tb in size, split into 4 partitions, 500 gb each. The OS is on C:\, and the rest of my data is on D:\ E:\ and F:\. The disk is encrypted with AES-256 completely (MBR included). Basically everything except the truecrypt boot loader is encrypted. Now the thing is, I want to reinstall my OS (Windows 7), and I am not sure on how to proceed with that.

    From a logical point of view, there are 2 possible scenarios for this action:

    Scenario A - Success:
    After I start my PC, I enter the TC password, the data is decrypted, then I boot from my USB stick, and start the installation process. When prompted to choose which partition to use, I delete the C, re-create the partition, choose that partition as the installation one, and start the install process. On reboot, the installation process will be interrupted by the TC boot manager prompting for the password again. I re-enter the TC password and the installation process should continue, and end successfully.

    Scenario B - Epic fail:
    After I start my PC, I enter the TC password, the data is decrypted, then I boot from my USB stick, and start the installation process. When prompted to choose which partition to use, I delete the C, re-create the partition, this compromises the integrity of the TC volume, the install process starts. On reboot, the installation process will be interrupted and the TC boot manager prompts for the password. I enter the password but nothing happens (since deleting and re-creating a partition compromised the integrity of the TC volume) and my data is lost forever.

    Bonus - Scenario C - I'm really not looking forward to that.
    Decrypt the entire disk (2TB), this will take 3 days (12 hours on each day, in order to avoid night time where the power consumption on the grid is higher and I might get a power failure on the grid). After the drive is decrypted, reinstall the OS, and re-encrypt the drive completely (another 3 days).

    Note: I am aware that data backup is an essential factor in this process, I don't have another 2TB drive to back up my data, I am aware I am taking a big risk here, it is the only way to do it. Some of my super-essential data is already backed up on my memory sticks (some 20 gb), the rest, I could do without if I had to, but I would prefer not to. I am also aware that it is not recommended to keep the OS on a big drive like this, I am planning to buy an SSD for the OS in the future, and keep the 2TB drive just for data. But for now, it is what it is and there's nothing I can do about it.

    Sorry for the long post, and any suggestion from you guys is highly appreciated.
     
    Last edited: Aug 31, 2012
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Create a rescue.iso just in case.

    If you don't care about anything on C:\, just format it. Then reinstall Windows. You *might* have to do a fixmbr to get rid of the TC bootloader...or Windows may just overwrite it...can't remember the sequence from the last time I did it.

    Are D/E/F encrypted? If so, you should still be good (the rescue.iso can get to them, and a new TC install can open them)...but get confirmation.

    As always, make sure you have backups. Image those data drives before messing with this. You can secure delete them when you get it back working, or store them encrypted by the imaging program, or in TC containers, as a back up.

    PD
     
  3. jetjockey8

    jetjockey8 Registered Member

    Joined:
    Aug 31, 2012
    Posts:
    3
    Location:
    Romania
    Hello and thank you for the quick reply.

    Yes, the whole 2TB drive is encrypted (C,D,E,F + MBR). - Whole drive encryption, not individual partitions.

    So as I understand from your post, it is possible to install Windows "normally" (meaning without having to decrypt the whole drive, install win and re-encrypt it after the installation is done).

    I don't have any ways to backup the data right now (meaning I don't have another 2TB to copy it), but I don't have to, since I made sure I have a backup of the absolutely essential information on my drive (~20GB). Like I said, I can do without the rest, but I would prefer not to have to. My biggest problem is I don't have a UPS so I would try to avoid decrypting a 2TB volume and re-encrypting it again, because in case of a power outage I'm screwed.

    PS: what is fixmbr and how is it performed?
    PPS: by rescue.iso you mean the truecrypt rescue disk?
    PPPS: do I have to backup the header of the encrypted hard drive? - if so, I already tried that and it tells me that backing up headers only works for encrypted volumes not for whole encrypted drives.
     
  4. dantz

    dantz Registered Member

    Joined:
    Jan 19, 2007
    Posts:
    993
    Location:
    Hawaii
    Not that it matters, but just so you know, Track 0 is not encrypted. This holds the MBR, the partition table, the TC bootloader and the TC volume header. (The TC header is partially encrypted via separate means.)

    What's on the USB stick? An alternate OS I assume? I'm sorry, but you can't use this to install a fresh copy of your OS onto an encrypted partition. Unless you're very skilled and know more than a few TC tricks, Scenario C is the only method that will work. The other scenarios won't behave at all the way you expect them to.

    My recommendations:
    1) Burn a TC rescue disk if you don't already have one
    2) Back up your data. Really! You'd be amazed at what can go wrong.
    3) Decrypt the entire disk
    4) Reinstall your OS
    5) Encrypt just the OS partition
    6) Encrypt the data partitions separately. If you want them all to mount automatically when you provide the preboot password, make each of them a system favorite and give them all the same password.
    7) Back up the three headers of your newly-encrypted data partitions, just in case.

    Bonus recommendation: Before step 4, shrink partition C down to a size that is just large enough to hold your OS and its installed software, plus some breathing room. The next time you need to do this sort of thing it'll be much easier because you'll have much less data to decrypt. Imaging your OS will also become easier and more useful.

    PaulyDefran's method is very dangerous and could result in the loss of your data. During the installation process Windows will not be able to recognize the contents of your encrypted partitions and it will almost certainly overwrite portions of them in order to 'fix' them and make them function normally. There will be other ill effects as well.
     
  5. jetjockey8

    jetjockey8 Registered Member

    Joined:
    Aug 31, 2012
    Posts:
    3
    Location:
    Romania
    Thank you so much. This is very valuable information. Makes sense and I will do as you said. I am planning to get a 180gb SSD for the OS.
     
    Last edited: Sep 1, 2012
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I strongly second dan's suggestion. I know it sucks "time-wise" but the windows installer will do so many things you can't control.

    BTW ----- if you go that route don't encrypt the whole drive as ONE when you encrypt the system disk after the install. Its much easier to encrypt the system disk using separate master keys, etc.... and then encrypt the other partitions using their own individual credentials. You can use the same password and auto mount them if you want to. In the future you will only have to redo the system disk and the other partitions can remain unchanged. This would mean all partitions have their own encryption credentials (make volume header backups and store them), and you would only have to deal with them individually over time. Its a much better method than doing a one step encryption. I hope you understand what I am saying but if not post back and we can expand on the subject.

    I want to suggest you get and use a backup program to avoid the risk of using the windows installer for future restores of your system disk. Using a backup image you would simply write back a clean saved copy to the system disk and then encrypt the system disk and you are done!! No need to touch the other partitions using this method. You can even use linux based dd restores to avoid the need to encrypt the system disk again if you want to.

    I can virtually promise you the windows installer will be unkind to those encrypted partitions. M$ installers love to fix things that aren't broken, thereby breaking them. Seen it more times than I ever want to. Now I just read about folks that don't follow the warnings others here give out. My .02
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Good advice. Disregard what I said. I have backups of backups and can't really lose data no matter what I do. Better safe than sorry!

    PD
     
Loading...
Thread Status:
Not open for further replies.