
System encryption on SSD. Would "Whole Drive" mess up over-provisioning?

Topics: Technical Issues
Apr 11, 2015 at 9:21 PM
I am moving all my crypto over from DiskCryptor to VeraCrypt since I always liked TrueCrypt, and by all accounts, and from my own experience of having actual email contact with the developer, I believe VeraCrypt is a worthy successor.

If I encrypt my operating system, should I choose Whole Drive? I mean, that would cover the 100 MB boot partition as well as the Windows system partition, but how would that affect over-provisioning? Would there be any problems?

Over-provisioning is essentially unused space at the very end of the disk, with no partitions created, that is used for the internal workings of the drive to improve reliability etc. So, since there is no actual partition there, I am just unsure of how that plays into the "Whole Disk" mode.

Thanks.
Apr 11, 2015 at 9:47 PM
Currently, you cannot encrypt the entire system disk that has the Windows OS boot partition called System Reserved, which has no drive letter and is used as part of the boot-up process. Also avoid the whole disk option if your PC came with other partitions on the system drive for OS installation or recovery tools. Instead, select the encrypt OS option, which will only encrypt the C partition.

Regarding the "unused" portion of your SSD, read the following from the documentation.

https://veracrypt.codeplex.com/wikipage?title=Trim%20Operation

https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling

https://veracrypt.codeplex.com/wikipage?title=Reallocated%20Sectors


The above topics and many others can be found in the link below.

https://veracrypt.codeplex.com/wikipage?title=Security%20Requirements%20and%20Precautions

Regards.
Apr 11, 2015 at 10:01 PM
Enigma2Illusion wrote:
> Currently, you cannot encrypt the entire system disk that has the Windows OS boot partition called System Reserved, which has no drive letter and is used as part of the boot-up process. Also avoid the whole disk option if your PC came with other partitions on the system drive for OS installation or recovery tools. Instead, select the encrypt OS option, which will only encrypt the C partition.
>
> Regarding the "unused" portion of your SSD, read the following from the documentation.
>
> https://veracrypt.codeplex.com/wikipage?title=Trim%20Operation
>
> https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling
>
> https://veracrypt.codeplex.com/wikipage?title=Reallocated%20Sectors
>
> The above topics and many others can be found in the link below.
>
> https://veracrypt.codeplex.com/wikipage?title=Security%20Requirements%20and%20Precautions
>
> Regards.
Are you entirely sure about your statement about it not being possible to whole disk encrypt when the boot and system are on the same drive? I had a warning earlier when my boot was on my old hard drive and Windows was on my new SSD. After I fixed that and reformatted so that both are on my new SSD, I have no complaints from VeraCrypt about my drive/boot configuration... Nor did I have any problems with DiskCryptor either, because the bootloader then enables the OS to boot. I have a feeling you are wrong about that.

Thanks for the links. I am going to check those out.
Apr 11, 2015 at 10:08 PM
I am still unsure about how over-provisioning is affected by whole disk encryption. Those links just explain the mechanics and precautions about privacy leaks. They do not explain if it is OK to use whole disk encryption on an SSD with over-provisioning, which, as I said, is just unused space that "could" be turned into a partition but you just leave it alone so the drive can work with it to keep the drive healthy. I can't help thinking that ignoring the boot partition would open you up to exploit by an attacker with physical access to the system. If the Windows partition is encrypted and the boot partition is not, surely they could do some jiggery-pokery on that partition and cause problems for you?

So I would like some clarification before I go ahead with this system encryption. If I cannot get the clear info I will end up doing just the windows partition for safety reasons (I do not want to format a second time...).
Apr 12, 2015 at 12:34 AM
Only the SSD controller has access to the "extra" drive space to use for bad blocks. Hence, VeraCrypt cannot access this extra space reserved by the SSD manufacturer.

A quick Google search confirms my statement.

http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper05.html

> Are you entirely sure about your statement about it not being possible to whole disk encrypt when the boot and system are on the same drive?
Yes, I am sure if you are talking about Windows System Reserved partition.

http://helpdeskgeek.com/help-desk/hdg-explains-what-is-the-system-reserved-partition/
Apr 12, 2015 at 12:40 AM
With my Samsung SSD the OP is not set in stone, nor hidden. It is user-configurable. It just appears as unused space. I can make it into a partition if I wanted. So it is not hidden for access only to the drive as far as I can tell.

Is there any VeraCrypt page that documents that you cannot perform Whole Disk encryption on a drive that has the system and boot (100 MB) partition on the same drive? I was getting warnings earlier that a drive that doesn't have the boot partition on the same one that Windows is on is not supported, and it gave me the choice to ignore the warning. After I formatted and arranged to have the 100 MB partition created on the same drive, I no longer get that error. Also, when I was using DiskCryptor I had both encrypted and it booted fine, because the actual bootloader (which is not encrypted with either software) is what lets the other partitions boot.
Apr 12, 2015 at 1:30 AM
Can you point me to the Samsung documentation for your model saying that you can use this SSD "reserved" partition as a user data partition instead of SSD reserved partition?

As the link I provided stated, some models allow you to configure the size of the over-provisioning; however, the SSD controller controls the usage of the reserved partition, not the user or the OS.
> OP is a way to set aside a minimum amount of free space, inaccessible to the user or the OS, which the SSD controller can utilize as a kind of "work bench."

The error you were getting, as you stated, was due to the System Reserved partition not being on the same drive as the OS.


https://veracrypt.codeplex.com/wikipage?title=System%20Encryption
> Note: By default, Windows 7 and later boot from a special small partition. The partition contains files that are required to boot the system. Windows allows only applications that have administrator privileges to write to the partition (when the system is running). VeraCrypt encrypts the partition only if you choose to encrypt the whole system drive (as opposed to choosing to encrypt only the partition where Windows is installed).
I know the above is confusing. Trust me when I say, do not encrypt the Windows System Reserved partition with TrueCrypt/VeraCrypt. Here is the last example I will provide regarding this subject. :)

http://www.hacker10.com/encryption-software-2/diskcryptor-vs-truecrypt-comparison/
> Windows 7 system reserved partition contains some necessary boot files, do not attempt to encrypt Windows 7 system reserved partition like I did because the computer will not boot!
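The two questions in this thread (is there a System Reserved partition sharing the disk with Windows, and how much unallocated space sits at the end of the SSD for manual over-provisioning) can both be answered from the disk layout before running the VeraCrypt wizard. The following PowerShell check is an added example; it is not code from this thread, from VeraCrypt or from Samsung. It assumes the Storage module (Windows 8 / Server 2012 or later, so Get-Disk and Get-Partition are available; on Windows 7 the same information comes from diskpart) and an elevated prompt. The function name Get-SystemDiskLayout is invented for the example.

```powershell
# Added example: inventory each disk's partitions, flag the partition that
# holds the boot files (Windows calls it the "system" partition: System
# Reserved on MBR/BIOS, the EFI System Partition on GPT/UEFI) and the one
# holding the running Windows install (the "boot" partition), and measure
# the unallocated space after the last partition, which is where a manually
# configured over-provisioning area appears as plain unused space.
# Requires Windows 8 / Server 2012 or later and an elevated PowerShell.

function Get-SystemDiskLayout {
    foreach ($disk in (Get-Disk | Sort-Object Number)) {
        $parts = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
                 Sort-Object Offset
        if (-not $parts) { continue }

        # Bytes between the end of the last partition and the end of the disk.
        $last     = $parts | Select-Object -Last 1
        $tailFree = $disk.Size - ($last.Offset + $last.Size)

        [PSCustomObject]@{
            Disk          = $disk.Number
            FriendlyName  = $disk.FriendlyName
            Style         = $disk.PartitionStyle
            SizeGB        = [math]::Round($disk.Size / 1GB, 1)
            TailFreeGB    = [math]::Round($tailFree / 1GB, 1)
            HasSystemPart = [bool]($parts | Where-Object IsSystem)   # boot files
            HasBootPart   = [bool]($parts | Where-Object IsBoot)     # Windows itself
            Partitions    = $parts | ForEach-Object {
                $letter = if ($_.DriveLetter) { "$($_.DriveLetter):" } else { '(no letter)' }
                '{0}: {1} {2} {3:N1} GB system={4} boot={5}' -f $_.PartitionNumber,
                    $letter, $_.Type, ($_.Size / 1GB), $_.IsSystem, $_.IsBoot
            }
        }
    }
}

$layout = Get-SystemDiskLayout
$layout | Format-List

# Decision hints for the VeraCrypt system-encryption wizard, following the
# advice given in this thread.
$bootDisk = $layout | Where-Object HasBootPart | Select-Object -First 1
if ($bootDisk.HasSystemPart) {
    "Disk $($bootDisk.Disk) carries both the System Reserved partition and the Windows partition."
    "Per this thread, choose the encrypt-OS (Windows partition only) option rather than Whole Drive,"
    "so the System Reserved partition stays unencrypted and the machine keeps booting."
}
if ($bootDisk.TailFreeGB -gt 0) {
    "$($bootDisk.TailFreeGB) GB is unallocated after the last partition on disk $($bootDisk.Disk);"
    "this is the user-visible over-provisioning space the original question is about."
}
```

A partition that reports system=True with no drive letter and a size around 100 MB is the System Reserved partition the replies warn about; if it shows up on the same disk as the boot=True Windows partition, the wizard's partition-only option is the one the thread recommends. The TailFreeGB figure only covers space you deliberately left unpartitioned; the factory over-provisioning pool that the controller reserves is not addressable by the OS at all and therefore never appears in this listing.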
Apr 12, 2015 at 9:17 AM
I know this may not be the right place, but:
  • I read enough about "... 100 MB boot partition can't be encrypted..." or "... you have to encrypt C only...".
  • Doing a new, clean install of Win7, you can delete the 100 MB "system" partition; there'll be no problems using Win7. There weren't any problems with encryption (TrueCrypt); I haven't had to make a clean new install using VeraCrypt up to now.
  • Works with Vista as well, and no, I don't have or ever had any problems using Vista.