TRIM Passthrough for Encrypted System on SSD?

Topics: Technical Issues
May 5, 2016 at 6:06 AM
Edited May 5, 2016 at 7:06 AM
I have not been able to find any technical information about the implementation of TRIM in VC or TC. The old TC documentation suggests that TRIM will work on system drives that are running FDE, but there are no specifics or instructions on how to verify that this is actually working on a particular installation.

The question arises because an SSD which believes it is full will not be able to properly perform garbage collection. If the OS is able to pass through TRIM commands and identify empty blocks to the drive, then garbage collection will continue to run even with FDE protecting all of the actively stored data. There are negative security aspects to having the exact amount of occupied space readily observable, but for many this is secondary to protecting the drive and having old data properly removed.

This is an issue because many FDE programs write random data to the entire drive, whether or not there is active data in every block. Garbage collection stops clearing old data from the NAND because the SSD sees the encrypted block as being "in-use," even though no data is being saved there by the OS. This severely reduces the life of the drive.

Anyone able to tell me how VC addresses (or doesn't) TRIM/GC? Published data, personal experimentation, or links are welcomed. Thanks for your help.

EDIT: Here is an old blog post about exactly this issue from WinMagic. They say that their SecureDoc program gives users the option of doing a "quick" or "thorough" encryption. Quick works perfectly for an SSD because it only touches blocks that are in use. http://www.winmagic.com/blog/2012/12/06/the-need-for-speed/
May 5, 2016 at 4:04 PM
Found this comment today about TC.

"For SSDs, BitLocker appears to issue TRIM commands when encrypting entire system drives, whereas with TC, I would have to do a manual TRIM after encrypting a system drive to observe zeroed sectors when viewing outside of Windows. For SSD data drives, of course, there is no remedy as TrueCrypt doesn't support TRIM on data drives, or more generally, volumes outside the scope of system encryption."

See original here: http://www.wilderssecurity.com/threads/are-you-using-veracrypt-as-replacement-to-truecrypt.374694/

I will install VC on a system drive, manually run TRIM, and would like to be able to verify that it is working like it did in TC. Can anyone teach me how to easily view the drive outside of windows? I've used some Hex editors to look at raw disk contents, but there are WAY too many sectors to get through and the data is presented in very tiny segments. I'm looking for a high-level program that will quickly show me used vs. unused sectors.
May 10, 2016 at 4:59 AM
Bump. Question still unresolved.
May 10, 2016 at 11:50 AM
Edited May 10, 2016 at 12:17 PM
May 14, 2016 at 10:16 PM
Yes, everything I've found online says that DiskCryptor is SSD optimized. Several other commercial programs are, too. TrueCrypt allegedly was and I'm unclear as to whether or not VeraCrypt is.

Can you suggest a program that will allow me to analyze my disk to determine how VC is treating free space? That will quickly and conclusively resolve this problem for the entire community; I will gladly report back with my findings.
May 20, 2016 at 1:00 PM
Did you get any progress on this?
May 22, 2016 at 3:34 PM
No, unfortunately not. All of the raw disk editing software I've been able to find only lets you view very small sections at a time. I want something that is graphical (think Windows Disk Properties graph) and high-level. All I need to know is what percentage of my disk is being shown as free when the drive is not mounted. That will answer this question for everyone. If you know of any utilities that fit this description, please share.

I'm glad to see that some others in the community are curious about this as well. Fingers crossed that we figure it out or someone on the dev team comes in to answer it for us.
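One way to get the high-level number asked for in this thread (what share of the unmounted disk reads back as deallocated) is to sample sectors across the raw device or an image of it and classify each as zero-filled, high-entropy (ciphertext), or other. This is an added example for this thread, not VeraCrypt or TrueCrypt code; the 4 KiB sector size, the 7.5-bit entropy threshold and the sample image built in `demo()` are assumptions.

```python
"""Estimate zero-filled vs high-entropy sectors on a raw disk or image.

Added example for this thread (not VeraCrypt code). Run it on a device or
image opened from outside the encrypted OS, e.g. a live system, with root.
"""
import io, math, os, sys
from collections import Counter
from random import Random

SECTOR = 4096  # assumption: 4 KiB sectors; adjust to the drive's sector size

def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for ciphertext."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_sector(block: bytes, high: float = 7.5) -> str:
    """'zero' = reads as deallocated/TRIMmed, 'random' = ciphertext-like."""
    if not any(block):
        return "zero"
    return "random" if shannon_entropy(block) >= high else "other"

def sample_device(fh, size: int, sector: int = SECTOR, samples: int = 1000) -> dict:
    """Read `samples` sectors spread evenly over `size` bytes; return fractions."""
    tally = Counter()
    n_sectors = size // sector
    step = max(1, n_sectors // samples)
    for i in range(0, n_sectors, step):
        fh.seek(i * sector)
        block = fh.read(sector)
        if len(block) < sector:
            break
        tally[classify_sector(block, sector and 7.5)] += 1
    total = sum(tally.values())
    return {k: v / total for k, v in tally.items()}

def demo() -> dict:
    """Constructed image: 600 pseudo-random sectors followed by 400 zeroed ones."""
    rng = Random(1)
    image = rng.randbytes(600 * SECTOR) + bytes(400 * SECTOR)
    return sample_device(io.BytesIO(image), len(image))

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /dev/sdb or disk.img
        with open(sys.argv[1], "rb") as fh:
            fh.seek(0, os.SEEK_END)
            print(sample_device(fh, fh.tell()))
    else:
        print(demo())  # -> {'random': 0.6, 'zero': 0.4}
```

A drive that has been fully overwritten with ciphertext shows almost no zero sectors; after a TRIM pass that the encryption layer passes through, the zero share should approach the file system's free-space percentage.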