Is it possible to encrypt system partition before installation of Windows?

Topics: Technical Issues
Mar 29, 2016 at 10:30 PM
Considering how SSDs may leak data due to wear level implementation, I would like to do a clean install of Windows on to an SSD, but I want the device to be encrypted fully before the Windows installation itself is started.

I am thinking of starting with a clean SSD (unused), boot Windows installer from USB; run VC from a cmd Window using <Shift-F10> to get to cmd, encrypt the whole drive, then install Windows to the encrypted drive (perhaps even to a VHD file).

Will the installer be able to transparently see the encrypted drive to install to? Could I then manually install VC itself to the Windows installation?
Mar 31, 2016 at 2:09 PM
Edited Mar 31, 2016 at 2:12 PM
It won't work like you think. You can fill the drive with random data prior to installation, but if you encrypt the system right after the clean install, the only data that could leak ("due to wear level implementation") will be some Windows system files, so nothing to worry about ;) And these might leak even if you previously filled the disk with random data, so it's useless. After you fully encrypt the system you are safe though.
Mar 31, 2016 at 2:40 PM
Thanks, I was hoping that I would be able to slipstream the installation or something like that... and I would prefer, but it isn't essential, that it didn't even disclose that Windows was ever on the disk.
Apr 1, 2016 at 8:35 PM
Edited Apr 1, 2016 at 8:43 PM
If you don't want to "even disclose that Windows was ever on the disk", I'd fill your mounted, fully encrypted system with zero or random data (using PrivaZer for example), which should replace those previously leaked system files with random garbage. VeraCrypt always replaces your real data with "random" data prior to writing, so you can safely fill your mounted disk with zeros, but "random" data will be written to the disk anyway.
Apr 1, 2016 at 10:38 PM
With modern disks, particularly SSDs or hybrid SSDs, you can never be sure where you write to a disk physically; you know the logical location, but it is up to the disk to physically map that outside the OS. Spinning disks re-map data blocks as needed and on the fly without reporting that situation to the OS; anything with flash involved does so for other reasons (wear leveling is one). The only way to ensure that an SSD has no data from any previous write is to encrypt every single write to that device from the very first write operation.

It's probably impossible to do, but we need the installer (Windows) to be fully aware of encryption needs and to ensure that nothing is ever written in clear text to the drive. The exception might be a drive that has its own encryption facility that is activated at the BIOS / UEFI level before anything gets written to it; even then, you are at risk of the drive manufacturer having a back door. So, I don't think this is a battle that could be won, at least not with a Windows install and probably not with any other, unless the system drive is only ever able to be accessed as an encrypted volume from day zero.