This project has moved. For the latest updates, please go here.

additional option for SSD Encryption not to encrypt blank sectors

Topics: Feature Requests
Dec 15, 2015 at 2:25 PM
Edited Dec 15, 2015 at 2:28 PM
As it is presented by Symantec PGP in this thread

My propostion is to add additional option (like --fast Symantec PGP) in VeraCrypt that will allow user to choose not to encrypt blank sectors on the SSD drive. I know it will sacricife safety but better this than no encryption at all since the efficiency and lifespan of an SSD with full encryption is falling drastically.

from Symantec forum:
"By default FDE encrypts an entire disk, even unused sectors. This improves security, since an attacker can't tell an empty drive from a full drive. However, this writes to every sector of an SSD and makes every future write a re-write - which are significantly slower on SSDs.
To combat this, we introduced a command line option: --fast. If you encrypt using this option, it doesn't encrypt blank sectors. Due to security considerations, this is an advanced option only available on the command line.

If two drives are encrypted with --fast, it's easy to tell which has more data (and therefore which to attack). A fundamental premise of encryption is to obscure the value of the content, so a blank document and a document full of text should be indistinguishable (see Wikipedia's entry on block cipher modes of operation for an interesting example of what happens when this goes awry). ."
Dec 17, 2015 at 8:06 AM
Edited Dec 18, 2015 at 8:22 AM
There is another approach not causing security concerns.

Just do not partition some GB of your SSD! As those sectors stay empty, the SSD Controller can use them for wear-leveling and you can fully encrypt the partition.
Some SSDs even do not provide their entire capacity to the user and do this "behind the scenes".
I think Intel drives are doing that. They provide only 120 of 128 GB to the user and use the remaining 8GB for wear-leveling.