
Question on how system encryption works (isn't in the documentation)

Topics: Users Discussion
Mar 29, 2016 at 2:29 PM
I have used system encryption to encrypt my entire SSD drive, which contains a Windows 7 partition, along with some smaller partition that Windows 7 uses for God knows what.

Now, being an engineer, I kind of get most of the things that are going on, but some things confuse me.

One thing is this: I get that in drive encryption, if you want to decrypt the drive, you have to run the VeraCrypt software and mount it. That way, I'm assuming, VC is always running in the background to decrypt/encrypt the data.

But what happens in system encryption? Is there some process that's scheduled to run at startup to keep decrypting/encrypting data? The moment the password is entered and VC accepts it, some kind of process needs to be running while Windows is starting up, logging in, running apps, accessing data, etc. Is this some kind of small process that's run before Windows itself?

Some insight to this would be really helpful.
Apr 1, 2016 at 9:05 PM
Edited Apr 1, 2016 at 9:06 PM
VC uses its own low-level boot loader (see Wikipedia), which resides in memory and transparently encrypts/decrypts data on the fly as the disk is accessed while Windows is loading. Because the Windows installer in MBR mode creates one extra partition (yeah, God knows what for; Windows 7 eats 100 MB, Windows 10 reserves 500 MB), I prefer to create one big single partition myself using diskpart (Shift+F10 in Windows Setup) and encrypt that. The extra partition is clearly not needed, because if you do not allow Windows to create partitions itself, it will just use your partition and create an extra folder on the C drive. Everything works fine, no space is wasted and you have complete control ;)
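As an added example (not part of the post above and not VeraCrypt's or Microsoft's own material), here is the diskpart sequence that produces the single-partition layout the reply describes. It is typed into the Shift+F10 command prompt in Windows Setup, either line by line inside diskpart or saved to a file and run with diskpart /s. It assumes the target SSD appears as disk 0 and that the machine boots in legacy BIOS/MBR mode, which is what VeraCrypt's MBR boot loader relies on; the clean step erases everything on the selected disk, so the list disk check before it is not optional.

```text
rem Added example: one-partition MBR layout for a Windows install that will be
rem system-encrypted with VeraCrypt. Assumption: the SSD is disk 0. Check the
rem output of "list disk" (size, free space) before running "clean".
list disk
select disk 0
rem "clean" wipes the partition table, and with it every partition, on disk 0.
clean
rem No "convert gpt": the disk stays MBR, so the BIOS hands control to the
rem boot code in the MBR, which VeraCrypt later replaces with its own loader.
create partition primary
rem "active" marks this as the partition the MBR boot code starts; without it
rem the machine will not boot from this disk.
active
format fs=ntfs quick label="Windows"
assign letter=C
rem Sanity check: exactly one partition, spanning the whole disk, should be listed.
list partition
exit
```

When Setup then asks where to install, pick the single partition and do not let it create anything else; bootmgr and the BCD store land in the root of C: as the reply says. Two caveats: with no reserved partition there is also no Windows recovery environment, so the VeraCrypt Rescue Disk the encryption wizard makes you create is your only offline repair path; and this layout is specific to MBR/legacy boot, which is what VeraCrypt supported when this thread was written (UEFI/GPT system encryption arrived in VeraCrypt 1.18, later in 2016, and uses a different boot path).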
Apr 1, 2016 at 10:48 PM
Part of the reason for the extra system partition has to do with integrity. It is easier for malware to write to the Windows system drive than to a hidden, special-use drive. So this is more about security than inconvenience, and it is something that Microsoft deliberately does with good reason in this case. When you avoid this, you actually lessen the security of your installation, at least somewhat.

But heck, using Windows itself is already a huge security risk; we need to work as best we can with what we have, and if we need Windows, then that is part of the price you have to pay, and it is better to consider the use of "built-in" protections rather than trying to overcome them, where it makes sense.
Apr 4, 2016 at 8:26 AM
affinity wrote:
But heck, using Windows itself is already a huge security risk;

I think that malware, after a UAC admin prompt asked at the right time is answered wrongly, can write wherever it wants, including the reserved partition. But it could be harder to detect it, and even harder to get rid of it from there, because it is not visible ;)

I came to the conclusion that the reason for this extra partition is the recovery mode (so you do not need the install DVD). If the NTFS table of the main partition becomes corrupted for some reason, this extra partition allows you to boot to recovery mode and fix the system. For me it's wasted space, when I have the install DVD at hand. Moreover, if Windows is corrupted, I prefer to reinstall rather than repair.