Decrypt In-Place for Non-System Drives/Partitions?

Topics: Users Discussion
Dec 15, 2014 at 2:22 PM
Edited Dec 15, 2014 at 2:38 PM
For Windows, I noticed that VeraCrypt can in-place encrypt non-system disks and partitions which was lacking in TrueCrypt.

Can VeraCrypt perform in-place decrypting for non-system encrypted disks and partitions?

Which versions of Windows support the in-place encrypt and decrypt?

Is the in-place encrypt and decrypt only for the Windows platform?

Thank you!

Edited to clarify questions.
Coordinator
Dec 15, 2014 at 6:19 PM
Edited Dec 15, 2014 at 6:20 PM
In-place encryption of non-system partitions was present in TrueCrypt since version 6.1 and VeraCrypt inherited it. It is available only for NTFS partitions and disks and it is supported on Windows Vista and onwards.

These limitations are due to the fact that the filesystem needs to be shrunk in order to make space for the volume header and backup header and this is implemented using a Windows system call that shrinks NTFS filesystems.
On other operating systems, in-place encryption is not implemented. There are no plans to implement it. For Ext3 and Ext4 filesystems, shrinking is possible but low level knowledge is needed to implement in-place encryption correctly.

It is not possible to perform an in-place decryption for non-system partitions and disks. This has not been implemented because we need to support pause/resume functionality but we can't distinguish if an encryption is in progress or a decryption. So the choice was made to enable encryption only since usually it is not needed to decrypt a partition/disk that contains sensitive data (you just wipe it).

In another discussion, a user asked why VeraCrypt doesn't implement this while TrueCrypt 7.2 implements the in-place decryption. This was easy for them because they removed encryption capabilities.

There are two ways to implement both in-place encryption and decryption:
  • Ask the user before resuming the operation if it is an in-place encryption or an in-place decryption
  • Write data to the volume that tells if we are encrypting or decrypting.
The safest way is to ask the user. Any thoughts on this?
Dec 15, 2014 at 8:04 PM
Edited Dec 15, 2014 at 8:16 PM
Hello Mounir,

Thank you for your detailed explanation.

To me, removing the human error of having the person click on the correct option would be safer. Another problem I can foresee is a user starts encrypting/decrypting and then changes their mind. Hence, they pause/defer and then select the opposite action thinking it will undo the previous action resulting in loss of data.

Therefore, I would prefer writing data to the volume that denotes in-place encrypting or decrypting.

I do not believe writing to the disk volume the current process of in-place encryption/decryption would cause a security issue since there is data in the clear unless after encrypting, some marker was left behind showing you encrypted the drive removing plausible deniability.

I assume that the system decryption somehow denotes that it is in progress of decrypting the system partition. Would that same process work for non-system volumes?

Best Regards,
Enigma2Illusion

Edit 1 to add reference to issue created requesting in-place decryption feature.

https://veracrypt.codeplex.com/workitem/35

Edit 2 to add issue of user changes their mind.
Coordinator
Dec 15, 2014 at 8:15 PM
I agree that avoiding any potential human error is ideal but I'll have to carefully think how to implement this without introducing any side effects, either on the security side or data format side. There are some fields in the volume header that are currently unused, so I can give them a new meaning to implement this feature.

That being said, I think I'll start by an implementation that requires the user to choose in order to validate the decryption functionality and afterwards implement the persistence of operation type in the volume itself.

Can you please create an entry for this in the issue tracker?
Thanks.
Dec 15, 2014 at 8:24 PM
Your reply occurred between my edits. :)

I have created the issue referencing this thread for details.

https://veracrypt.codeplex.com/workitem/35

Thank you!
Coordinator
Dec 15, 2014 at 9:40 PM
Thanks.

Concerning the way system partition decryption is handled, it actually writes the type of the ongoing operation to an XML file in the profile of the current user so that the next time he resumes the operation, VeraCrypt will know if it is going to resume decryption or encryption. If logging on to the same machine using another account, then VeraCrypt will display a dialog so that the user will choose the type of the operation:
[Image: screenshot of the dialog]

So, the dialog is already there and that's why I want to start doing the same for a non-system partition.

PS: As you can see in the screenshot above, I updated the appearance of VeraCrypt to look more modern.
Dec 16, 2014 at 12:13 AM
Thank you again for the detailed explanation and providing both short term and long term solutions! :)
Coordinator
May 17, 2015 at 1:24 PM
The latest 1.11-BETA version for Windows that is available on the Nightly Builds folder on Sourceforge (https://sourceforge.net/projects/veracrypt/files/VeraCrypt%20Nightly%20Builds/) adds decryption of non-system partition/drive.

The decryption functionality is implemented both as a specific menu under "Volumes" and when resuming an interrupted process.

Thank you in advance for your tests/feedback.
May 17, 2015 at 6:58 PM
Hello Mounir,

Will this decryption in-place for non-system volumes work with hidden volumes?

Is there a safeguard to prevent or ask the user if a hidden volume exists in order to proceed/abort the in-place decryption?

Thank you!
Coordinator
May 17, 2015 at 9:44 PM
Hi,

If a non-system volume contains a hidden volume, the decryption would destroy the hidden volume data. That's why before the decryption starts, VeraCrypt mounts it and checks if the volume could contain a hidden one (it relies on the header flags for this) and if yes, it displays the following warning:

[Image: VeraCryptDecryptWarningHidden]

In this dialog, the user has the possibility to cancel the operation.
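The two design points discussed in this thread, persisting the operation type with the volume so that a resume cannot run the opposite operation (the second of the two options listed by the coordinator, later tied to unused header fields), and refusing to start a decryption that could destroy a hidden volume until the user confirms, modelled as a small added example. This is not VeraCrypt's code: the block size, the per-byte add/subtract "cipher", the `Progress` record and all function names are constructed stand-ins chosen only to make the control flow runnable.

```python
from dataclasses import dataclass

BLOCK = 4   # toy block size, constructed for this example
KEY = 0x5A  # toy key; per-byte add/subtract is NOT encryption, just asymmetric

def enc_block(b: bytes) -> bytes:
    return bytes((x + KEY) & 0xFF for x in b)

def dec_block(b: bytes) -> bytes:
    return bytes((x - KEY) & 0xFF for x in b)

@dataclass
class Progress:
    """State that would be persisted with the volume (the thread's second option)."""
    op: str                         # "encrypt" or "decrypt"
    done: int = 0                   # blocks already processed
    hidden_possible: bool = False   # stands in for the header flag VeraCrypt checks

def start(op: str, hidden_possible: bool, user_confirmed: bool = False) -> Progress:
    """Hidden-volume guard: a decryption that could destroy a hidden volume
    only starts once the user has explicitly confirmed."""
    if op not in ("encrypt", "decrypt"):
        raise ValueError("unknown operation")
    if op == "decrypt" and hidden_possible and not user_confirmed:
        raise RuntimeError("volume may contain a hidden volume; operation cancelled")
    return Progress(op, 0, hidden_possible)

def run(data: bytearray, p: Progress, nblocks: int) -> Progress:
    """Process up to nblocks blocks in place, continuing from p.done."""
    f = enc_block if p.op == "encrypt" else dec_block
    end = min(p.done + nblocks, len(data) // BLOCK)
    for i in range(p.done, end):
        data[i * BLOCK:(i + 1) * BLOCK] = f(data[i * BLOCK:(i + 1) * BLOCK])
    p.done = end
    return p

def resume(data: bytearray, p: Progress, user_says: str) -> Progress:
    """Resume with the persisted op; an answer that disagrees is refused rather
    than silently running the opposite operation over the remaining blocks."""
    if user_says != p.op:
        raise RuntimeError(f"persisted state says {p.op!r}, user chose {user_says!r}")
    return run(data, p, len(data) // BLOCK)

def demo() -> bool:
    plain = bytearray(b"sensitive-data!!")   # 16 bytes = 4 blocks, constructed
    vol, p = bytearray(plain), start("encrypt", hidden_possible=False)
    run(vol, p, 2)               # pause after two blocks
    resume(vol, p, "encrypt")    # correct resume finishes the job
    return all(dec_block(vol[i:i + BLOCK]) == plain[i:i + BLOCK]
               for i in range(0, len(vol), BLOCK))
```

Without the persisted `op`, the second half of the volume in `demo()` would be processed with whatever the user answered on resume, which is exactly the data-loss scenario raised in the thread.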