Need guidance on encrypting a 2nd hard drive

Topics: Technical Issues, Users Discussion
Jan 21 at 8:28 PM
Edited Jan 22 at 12:39 AM
I have a laptop with 2 built-in hard drives.

The 1st hard drive is an SSD where the OS (Windows 8.1) is installed.

The 2nd hard drive is a 1 TB regular hard drive.

Given that the space on the SSD is limited, I was previously using the 2nd hard drive to store both user data (e.g. Documents, Videos, etc) and as the install location for gaming applications, given that the latter often take tens of GB per game.

I've recently replaced the 2nd hard drive, as the original one failed.

I have been thinking of encrypting the entire 2nd hard drive, but a few concerns have cropped up:
  1. would it be a bad idea to install applications/programs on an encrypted 2nd hard drive? I'm concerned that they may freak out when I boot up Windows and log in, given that it takes time to enter the password to mount the volume. From what I understand, I can't get the 2nd hard drive to be automatically mounted without having to enter a password
  2. would it be a better idea to format the 2nd hard drive as a normal (unencrypted) hard drive, then create a container on the 2nd hard drive just for sensitive user files (e.g. Documents)
  3. assuming the answer to #2 is yes, are there any size / performance issues with having a large container file (e.g. 20 GB)?
  4. if the answer to #2 is no and you recommend I go ahead and encrypt the entire 2nd hard drive, how do you defragment it? I played around and Windows doesn't recognize a VeraCrypt volume
Please note that my version of Windows 8.1 doesn't support BitLocker and I can't upgrade it now, so that's not an option. Also, the 2nd hard drive does have built-in encryption (HGST Bulk Data Encryption) but that requires BIOS support for ATA that I don't have. So I'm looking for a VeraCrypt-based solution.

Thanks for any help.
Jan 22 at 12:37 AM
Edited Jan 22 at 12:44 AM
Regarding this:
taugrim wrote:
  1. would it be a bad idea to install applications/programs on an encrypted 2nd hard drive? I'm concerned that they may freak out when I boot up Windows and login, given that it takes time to enter in the password to mount the volume. From what I understand, I can't get the 2nd hard drive to be automatically mounted without having to enter a password
I went ahead and tried installing applications/programs on the encrypted 2nd hard drive.

What happens after login is that some programs detect the volume isn't there (because it hasn't been mounted yet) and they either reset the location of folders to the default configuration (e.g. this happened with GeForce Experience and the location of recording video files) or they prompt me for the location of their files. Note that I did specify to have the encrypted hard drive mounted at login but the problem is that mounting after login takes some time, given that I have to enter the password and wait while the drive is unencrypted.

So it looks like the answer to #1 is that it is a bad idea.

I'm still looking for feedback for questions #2 and #3.

I'm going to try #2 above, i.e. trying to use the 2nd hard drive as a normal hard drive and then create a VeraCrypt container on it.
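One way to avoid the start-up race described in the post above (programs launching before the VeraCrypt volume is mounted), as an added example that is not from this thread or from VeraCrypt itself: a PowerShell logon script that waits until the mounted volume is present and only then starts the applications installed on it. The drive letter V:, the marker file name and the application paths are assumptions.

```powershell
# Added example (not from the thread): start applications that live on a VeraCrypt
# volume only after the volume has actually been mounted.
# Assumptions: the volume mounts as V:, and a small marker file was created once on
# the mounted volume so that an unrelated drive at the same letter is not mistaken
# for it. Run this from Task Scheduler at logon instead of the apps' own autostart.
param(
    [string]$VolumeLetter  = 'V',
    [int]$TimeoutSeconds   = 300,
    [string[]]$Apps        = @('V:\Games\Launcher\launcher.exe')   # assumed paths
)

# Marker lives inside the encrypted volume, so it is only visible once mounted.
$marker   = Join-Path "$($VolumeLetter):\" '.veracrypt-mounted'
$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
$mounted  = $false

while ((Get-Date) -lt $deadline) {
    # Check the marker rather than the bare root: an empty disk or a different
    # volume assigned the same letter would pass a root-only check.
    if (Test-Path -LiteralPath $marker) { $mounted = $true; break }
    Start-Sleep -Seconds 5
}

if (-not $mounted) {
    Write-Warning "Volume $VolumeLetter`: not mounted within $TimeoutSeconds s; not starting apps."
    exit 1
}

foreach ($app in $Apps) {
    if (Test-Path -LiteralPath $app) {
        Start-Process -FilePath $app -WorkingDirectory (Split-Path -Parent $app)
    } else {
        Write-Warning "Not found on mounted volume: $app"
    }
}
```

The timeout keeps the script from waiting forever if the password prompt is dismissed; nothing is launched in that case, so the applications never see a missing drive and reset their folder settings.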
Jan 22 at 10:30 AM
Hi there,
I was in the same situation and decided to go on (system partition encryption + 2nd drive encryption, no container), because (on-the-fly) decryption is still possible so you might cancel it all if required.
Some of my programs are on the second drive, too, for the reasons you mentioned (ssd limited size). A small problem occurred when I wanted to encrypt the 2nd drive: veracrypt couldn't unmount it because it was used by many programs (example: owncloud syncing a directory on my 2nd drive). I just forced it (quite dirty I know). No problem anyway. The encryption process ended after 12 hours (! I didn't anticipate it, and I realized that if some forced windows update reboot occurred during the encryption, it would have been a REAL problem - as in win10, you can't postpone them forever, as you can just specify times when you don't use the computer and windows uses these times to apply your updates).

After the 2nd drive encryption process is finished, veracrypt tells you you can't mount your encrypted data drive to the same drive letter because it's assigned to the real encrypted partition, which is seen as RAW now in "my computer => manage => disks...". I unassigned it to free the D letter and then "auto-mounted" my newly encrypted partition. Then added it to the system favorites. You have to use the same password - be careful of the us layout trick if not using a us keyboard, as both windows and the 2nd drive must be using the same password, so veracrypt can use it to mount both disks at boot time, before any program starts.

Rebooted and tadaaaaa! it worked and the applications using stuff on the 2nd drive are ok.

I only have a major issue now: the veracrypt bootloader isn't starting anymore! The regular windows bootloader is starting, doesn't find any windows, of course, and then asks what to do. I managed to boot on my encrypted windows (+ 2nd drive still working), thanks to the rescue disk zip (EFI folder) on a usb stick, because the windows bootloader allows you to choose one.
I'm about to create a topic here, because I can't manage to make the veracrypt bootloader start first.
I'll let you know (or you might find my topic if I don't resolve it).

Regards
Jan 22 at 3:25 PM
michauko wrote:
I'll let you know (or you might find my topic if I don't resolve it).
I found this thread https://sourceforge.net/p/veracrypt/discussion/technical/thread/5b859040/
explaining why some machines can't reboot on the veracrypt bootloader each time.
I'm trying to fix it. A guy in the thread suggests modifying the EFI partition, an idea I don't like - and another explains how he managed to tell his EFI system to trust veracrypt and thus use secure boot correctly.
I'll try this. But unluckily, before I found these solutions, I had just started to cancel everything, starting with the full decryption of my 1TB drive - takes 5 hours.
Once this process is finished, I'll try to fix the bootloader problem first, based on the secure boot trust setting blah blah blah.
If it works I'll encrypt my 2nd drive again. If not, I'll decrypt my system and will consider upgrading to win10 pro to maybe use bitlocker - I hate this idea.

Maybe "idrissi" the author should consider doing the pre-boot test TWICE: if on the second reboot windows starts directly, then it could suggest that we'll face this UEFI problem and WARN us before.

I'll let you know
Jan 24 at 11:56 PM
taugrim wrote:
I'm going to try #2 above, i.e. trying to use the 2nd hard drive as a normal hard drive and then create a VeraCrypt container on it.
To share what I've learned, I did implement #2 (formatted the 2nd hard drive as a normal (unencrypted) hard drive, then created a container on the 2nd hard drive just for sensitive user files (e.g. Documents)).

It's worked out well.

For others who read this thread looking for the same advice, one thing to note is that you have to be careful about defragmentation.

The VeraCrypt documentation said this:
"VeraCrypt volumes behave like real physical disk devices, so it is possible to use any filesystem checking/repairing/defragmenting tools on the contents of a mounted VeraCrypt volume."
However, I've never been able to get Windows to recognize a VeraCrypt mounted volume in terms of regular disk tools (chkdsk, defragmentation, etc).

Thankfully, I found the following article about defragging a TrueCrypt drive, and it mentions that Piriform's Defraggler can defrag a mounted volume:

https://askleo.com/should-i-defrag-truecrypt