Windows 7 on UEFI laptop, SSD FDE

Topics: Technical Issues
Nov 4, 2015 at 1:40 PM
Edited Nov 4, 2015 at 1:59 PM
Hi,

I'm thinking about encrypting my system SSD with VeraCrypt, so that pre-boot authentication is required every time the laptop is booted up. I found out that there is a partition that is write protected and is not to be encrypted on a UEFI based motherboard, so that Windows will boot up without any hassle. I was wondering, if I use the option of encrypting the SSD partition which has the OS installed, is there any way for unauthorized users to decrypt the drive, as the whole SSD is not encrypted?

So I would go:
  1. System -> Encrypt system partition/drive
  2. Type of system encryption = normal
  3. Area to encrypt = Encrypt the Windows system partition (or the whole drive? I had a warning message "As your system drive contains only a single partition that occupies the whole drive, it is preferable [more secure] to encrypt the entire drive including the free "slack" space that typically surrounds a such partition", so which one to choose?)
  4. Encryption of Host Protected Area = yes or no?
  5. number of OS = single boot as I plan on using only Windows 7 on this drive
My old laptop had no issues on this matter encrypting everything, as it had mobo with BIOS, but this UEFI is much more complicated for me so far, haven't had any info on UEFI until now. :) Any help is appreciated!

Edit: the SSD is MBR
Nov 4, 2015 at 2:56 PM
Hello,

Newer versions of Windows OS have a System Reserved partition which cannot be encrypted by VeraCrypt since this will prevent your PC from booting. The drive will show up in Disk Management as a partition without an assigned drive letter and is less than or equal to 200 MB in size.

For system encryption, you cannot use UEFI/GPT. You will need to set the BIOS to boot using Legacy Mode and the C drive must be using MBR. You can Google search for the information.

Many PC vendors include other partitions on their system drive for recovery, troubleshooting tools and the Windows OS software. If you encrypt those partitions, you lose the ability to troubleshoot, repair and/or install OS when your PC is having problems.

I recommend choosing the option "Encrypt the Windows system partition" which will only encrypt the C drive (partition) which is the OS.

This will allow you to make use of the PC vendor's recovery, troubleshooting tools and install Windows software when the PC is having problems.

Hopefully you have made backups of your system drive including the PC vendor supplied partitions since a disk failure or user error (deletes data or partition) can occur at anytime.

NOTE: Encryption on SSD may not encrypt previous data. Only the SSD controller has access to the "extra" drive space known as over-provisioning for bad blocks. Hence, VeraCrypt cannot access this extra space reserved by the SSD manufacturer.

http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/whitepaper/whitepaper05.html

https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling

https://veracrypt.codeplex.com/wikipage?title=Reallocated%20Sectors

Kind Regards.
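An added example, not code from either poster, that runs the pre-check the reply above describes: it lists each partition with its style and drive letter and flags the small, letterless partition as the probable System Reserved one. The "no drive letter and at most 200 MB" heuristic and the MBR-vs-GPT check follow the reply; it uses WMI so it also runs on Windows 7 / PowerShell 2.0.

```powershell
# Added example (not from the thread): inventory partitions before starting
# VeraCrypt system encryption. Reports partition style (MBR vs GPT, read from
# the Win32_DiskPartition Type string) and flags the letterless partition of
# <= 200 MB that is most likely System Reserved and must stay unencrypted.

$systemDrive = (Get-WmiObject -Class Win32_OperatingSystem).SystemDrive   # e.g. "C:"

$partitions = Get-WmiObject -Class Win32_DiskPartition | Sort-Object DiskIndex, Index
foreach ($p in $partitions) {
    # Drive letters are reached through the Win32_LogicalDiskToPartition association;
    # a partition with no associated logical disk has no letter.
    $query = "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($p.DeviceID)'} " +
             "WHERE AssocClass = Win32_LogicalDiskToPartition"
    $letters = (Get-WmiObject -Query $query | ForEach-Object { $_.DeviceID }) -join ","

    # Type reads like "Installable File System" on MBR disks and
    # "GPT: Basic Data" / "GPT: System" on GPT disks.
    $style  = if ($p.Type -like "GPT:*") { "GPT" } else { "MBR" }
    $sizeMB = [math]::Round($p.Size / 1MB)

    $note = ""
    if ($style -eq "GPT") {
        $note = "GPT disk: VeraCrypt system encryption needs MBR and Legacy boot"
    } elseif ($letters -eq "" -and $sizeMB -le 200) {
        $note = "likely System Reserved: leave unencrypted"
    } elseif ($letters -eq $systemDrive) {
        $note = "OS partition: what 'Encrypt the Windows system partition' targets"
    }

    "{0,-24} {1,-4} {2,8} MB  {3,-4} {4}" -f $p.DeviceID, $style, $sizeMB, $letters, $note
}
```

Run it from an elevated PowerShell prompt; the output is only an inventory, and VeraCrypt's own wizard remains the authority on which partition it will encrypt.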
Nov 4, 2015 at 3:43 PM
The SSD I'm using was clean, and I've wiped it a few times using the Parted Magic Secure Erase command. The only partitions it has are the 100 MB one and the rest of the advertised 240 GB is for system use, C:\ and it is MBR, not GPT. Therefore, if anything goes wrong, I must install Windows from scratch and that is something I'm willing to do.

What I need is that I can use pre-boot authentication on the laptop and the data on the drive is as safe as possible against a possible thief. Can this be achieved with encryption of the Windows system partition? Or would the OS still load in my case, as it's MBR and would use legacy to boot it up, and the whole SSD would be encrypted? Except those parts of the SSD that are inaccessible by Veracrypt. And will those inaccessible files weaken the encryption in any way?
Nov 4, 2015 at 7:17 PM
To be clear, the 100 MB partition is probably the System Reserved partition and with VeraCrypt you cannot encrypt the System Reserved partition or your PC will not boot.

Hence, you want to select the option to encrypt only the OS partition instead of the entire drive option which would encrypt the System Reserved partition.

> Can this be achieved with encryption of the Windows system partition?

Yes.

> Or would the OS still load in my case, as it's MBR and would use legacy to boot it up, and the whole SSD would be encrypted?

The OS will not load.

> And will those inaccessible files weaken the encryption in any way?

No. Merely if you had sensitive data on the PC previously, it is possible the sensitive data is in an area inaccessible to VeraCrypt.