Mar 24, 2015 at 12:22 PM
As a long-time Truecrypt user I just used it for FDE for my brand new W7 64-bit laptop. (One SSD with two partitions + one hidden W7 partition).

I know Truecrypt was discontinued, but it's simply too confusing figuring out what to use instead, and I guess even an insecure Truecrypt is better than nothing while I decide what to do for the longer term.

Veracrypt certainly seems like the best option and I'm quite impressed by all the work put into it. Ciphershed has not released anything, and Diskcryptor is simply too complicated to set up for me, lacks documentation etc.

I was hoping I could migrate to Veracrypt system FDE at a later point in time, but the documentation (*) says that is not possible, at least not now. Only non-system FDE migration is possible.

Any suggestions or advice on what to do from the more experienced FDE users?

1) Stick with Truecrypt for now and hope it will support system FDE migration to Veracrypt later? (And if that doesn't happen, then potentially have to clean laptop before decrypting to remove Truecrypt before installing Vera).
2) Remove Truecrypt asap and before any personal files are put on laptop to use Vera instead thereby betting on Vera as the long-term best solution?

Thank you very much for sharing your thoughts!!

Mar 24, 2015 at 10:25 PM
Converting TrueCrypt system partitions is on the TODO list but it is not a priority right now as there are other specific features that are badly needed. Nevertheless, it will be eventually implemented.

TrueCrypt is not totally broken. It is just that it doesn't offer the same security level as was the case in 2004, and since the project stopped, there will be no update to correct the vulnerabilities discovered so far.

I personally recommend users to upgrade to VeraCrypt in order to take advantage of all that has been fixed alongside better security, and the only way is to decrypt and then encrypt using VeraCrypt.

The only drawback for FDE is that the boot time is very long compared to TrueCrypt and many users find it unacceptable (for example, it takes 58 seconds to boot using SHA-256 on a Core-i7 2600K and 27 seconds using RIPEMD-160). This long time is due to the 16-bit bootloader inherited from TrueCrypt, and it was decided to stick with security in VeraCrypt while working to rewrite the bootloader in order to get better performance and to add the dynamic mode feature that would allow reducing mount time when using very long passwords.

So, before moving to VeraCrypt for FDE, you should carefully consider if this boot time is acceptable for you. If not, you can stick with TrueCrypt while waiting for the upcoming changes. Meanwhile, you can install VeraCrypt on your machine since there are no conflicts with TrueCrypt and you can use VeraCrypt to secure your non-system partitions and file containers.

Mar 25, 2015 at 10:57 PM
idrassi, thank you very much for taking the time to write an elaborate reply! That was very kind of you and highly appreciated!

I will stick with what I know for the very short run while familiarizing myself with Veracrypt as you suggested before switching over!
Thank you for your work with Veracrypt. I imagine it must be very time-consuming.

Maybe I can ask a final question since people are expecting Windows 10 to be released later this year:
Is it possible to update / upgrade Windows from 7 or 8.1 to, say, 10 on a FDE system partition WITHOUT having to decrypt everything first?
(Skipping decryption before upgrading is not just because it is easier, but on an SSD disk where erasing data does not work, it would be really nice if you would never need to decrypt anything, not even for upgrading your OS.)

Thank you once more!!

Apr 1, 2015 at 12:12 AM
No. Per the FAQ for both TrueCrypt and VeraCrypt, you will need to decrypt the system drive/partition before performing the OS upgrade.