
Thread: Some questions about drive encryption

  1. #1
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,484
    Activity Longevity
    12/20 19/20
    Today Posts
    3/5 ssss39484

    Question Some questions about drive encryption

    Hello everyone,

    I recently spotted some brand-new Kingston 4GB SD cards on the local eBay, at a price that looks like a steal (23AR$, no more than 4 euro). Remembering some things shoulder told me in the past, I was thinking I could get around to encrypting my netbook's hard drive for extra security. I have some questions before proceeding, however.

    1. Would you recommend BitLocker, TrueCrypt or something else? I plan on installing Master Razor's latest release of his lite Win7, but can't remember if it included BitLocker.
    2. The computer has an SD card slot and supports booting from it. I've read that unless you have a special disk with hardware encryption, a small segment containing an unencrypted boot loader must always be present. Is it possible to encrypt the entire hard disk if I place the loader on the card and boot from it? Will that work if I don't assign it a drive letter?
    3. Can I expect a noticeable performance impact from encryption?

    Processor: Intel(R) Atom(TM) CPU N455 @ 1.66GHz
    Memory: Kingston 2048 MByte DDR3 (running at 667 MHz)
    Hard drive: TOSHIBA MK1665GSX, 160GB, running at 5400RPM

    It also has a TPM v1.2.

    Thanks in advance!
    "I just remembered something that happened a long time ago."

  2. #2
    Moderator
    shoulder's Avatar
    Join Date
    12.04.08
    Location
    I*** D* M*****
    Posts
    4,827
    Activity Longevity
    4/20 19/20
    Today Posts
    0/5 sssss4827
    Quote Originally Posted by anon View Post
    1. Would you recommend BitLocker, TrueCrypt or something else? I plan on installing Master Razor's latest release of his lite Win7, but can't remember if it included BitLocker.
    As you're going to use Windows, I'd go for TrueCrypt.
    The reason for this is it's open source, which is an important point when it comes to security.

    Quote Originally Posted by anon View Post
    2. The computer has an SD card slot and supports booting from it. I've read that unless you have a special disk with hardware encryption, a small segment containing an unencrypted boot loader must always be present. Is it possible to encrypt the entire hard disk if I place the loader on the card and boot from it? Will that work if I don't assign it a drive letter?
    Why would you want to do this?

    Quote Originally Posted by anon View Post
    3. Can I expect a noticeable performance impact from encryption?
    If noticeable at all, not much.




  3. Who Said Thanks:

    anon (20.09.12)

  4. #3
    Moderator anon's Avatar
    Quote Originally Posted by shoulder View Post
    Why would you want to do this?
    So that my drive letters don't change. The system boots from the card, Windows is on the C: drive and data in D: just as it is now, if it's doable.

  5. #4
    Moderator
    shoulder's Avatar
    I rather meant why boot from SD at all?
    If possible (on Windows), it would just make things more complicated.




  6. #5
    Moderator anon's Avatar
    So that the actual hard drive can be fully encrypted from top to bottom, instead of having a tiny unencrypted boot partition and then the rest. A bit of a "philosophical" thing, but I'd prefer it that way.

  7. #6
    Quote Originally Posted by anon
    So that my drive letters don't change. The system boots from the card, Windows is on the C: drive and data in D: just as it is now, if it's doable.
    Quote Originally Posted by http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption
    In order for BitLocker to operate, the hard disk requires at least two NTFS-formatted volumes: one for the operating system (usually C:) and another with a minimum size of 100 MB[13] from which the operating system boots. BitLocker requires the boot volume to remain unencrypted—on Windows Vista this volume must be assigned a drive letter, while on Windows 7 that is not required
    Will this answer you?
    Even if yes, you'd still need to encrypt the whole drive, so let's continue...

    xkcd: Security
    opinion based on personal bias: since BitLocker is a MS product, then it's superior, there goes my solution for the problem

    But how to set that up? I don't have previous experience; my best bets for research:
    BitLocker Drive Encryption Step-by-Step Guide for Windows 7
    Moving boot loader on a new drive

    Quote Originally Posted by shoulder
    The reason for this is it's open source, which is an important point when it comes to security.
    Although a lot complain about the lack of docs for compilation (a tedious process) and lack of trust that the compiled exe really reflects the published source. Anyway, if we can't trust anything, then we wouldn't be posting on this forum using Firefox, Windows ... and even the wireless/ethernet drivers' auto-updater sh*t...


    I am cheatos


  8. Who Said Thanks:

    anon (21.09.12)

  9. #7
    Moderator anon's Avatar
    Thanks for the reply. I've done a little testing with TrueCrypt in a VM today, and it turns out the boot loader must be in the same disk you're booting from, so it's a no-go. But it does encrypt the entire drive except that 512-byte loader in the first sector, so it'd be okay with me.

    I will test BitLocker and read your links in detail in the next few days. Would still buy the SD card even if neither system could do what I want, the price is good and having some extra storage space doesn't hurt.

    About that comic, I'm not doing this because the computer contains top-secret documents, I just don't want it to be available should I forget it somewhere (extremely unlikely) or if someone steals it from me (somewhat more likely)

  10. #8
    Moderator
    Instab's Avatar
    Join Date
    17.09.09
    Posts
    6,661
    Activity Longevity
    4/20 17/20
    Today Posts
    0/5 sssss6661
    trücrypt of course. for the reasons shoulder mentioned and because it's not limited to one os. that can come in handy sometimes.
    also i see no sense in the sd card setup. a trücrypt encrypted system disk is fine if the password is good and should make for a proper killjoy for any thief
    Your account has been disabled.

  11. Who Said Thanks:

    anon (21.09.12)

  12. #9
    I've done a little testing with TrueCrypt in a VM today, and it turns out the boot loader must be in the same disk you're booting from, so it's a no-go.
    Which particular boot loader are you referring to? If it is M$ internal loader it should work, provided a new BCD store is made with the right path to winloader.exe and other exec such as memtest.

  13. #10
    Moderator anon's Avatar
    Quote Originally Posted by Master Razor View Post
    Which particular boot loader are you referring to?
    TrueCrypt's.

  14. #11
    Moderator anon's Avatar
    It's done.



    I dedicated the SD card to ReadyBoost.

    Thanks for all the help!

  15. #12
    Moderator anon's Avatar
    Hibernation is much slower, but everything else is fast as usual.

  16. #13
    Moderator
    Instab's Avatar
    Quote Originally Posted by anon View Post
    Hibernation is much slower, but everything else is fast as usual.
    hibernation shouldn't be used as default anyway. a clean start is always better especially with windows.
    anyway good to see you found a solution

  17. #14
    Moderator anon's Avatar
    Quote Originally Posted by Instab View Post
    hibernation shouldn't be used as default anyway. a clean start is always better especially with windows.
    I thought so until I began using it. It prevents me from having to open all my programs and reload the content of browser tabs.

  18. #15
    Moderator anon's Avatar
    Two more questions.

    1. To reinstall the OS on a fully encrypted disk, I am to decrypt it, do the deed, then reinstall TC and re-encrypt once again, right?

    2. If I make a full raw image of an encrypted disk (in order to temporarily use that computer for experiments), will the OS work when I restore it back?

    Google and a little common sense say yes to both, but I want to confirm.
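An added example, not part of any post in this thread: a Python check for a raw disk image like the one asked about in post #15, taking as its assumption the layout reported in post #7 (one unencrypted 512-byte loader sector, everything after it encrypted). It confirms the boot signature in sector 0 and reports chunks whose byte entropy is too low to be ciphertext; the file names, chunk size and threshold are illustrative choices, and the sample image is constructed.

```python
import math
import os
from collections import Counter

SECTOR = 512          # loader sector left unencrypted, per post #7 (assumption)
CHUNK = 64 * 1024     # granularity of the scan (illustrative choice)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for ciphertext, far lower for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_image(path, threshold=7.9):
    """Return (boot_signature_present, offsets of chunks that look unencrypted)."""
    low = []
    with open(path, "rb") as f:
        first = f.read(SECTOR)
        has_sig = len(first) == SECTOR and first[510:512] == b"\x55\xaa"
        offset = SECTOR
        while block := f.read(CHUNK):
            # Short tails give unreliable estimates, so only score >= 4 KiB.
            if len(block) >= 4096 and shannon_entropy(block) < threshold:
                low.append(offset)
            offset += len(block)
    return has_sig, low

def build_sample(path, leak_chunk=None):
    """Write a constructed test image: boot sector plus random 'ciphertext'."""
    chunks = [os.urandom(CHUNK) for _ in range(4)]
    if leak_chunk is not None:  # simulate a region that was never encrypted
        text = b"plain text that was never encrypted\n"
        chunks[leak_chunk] = (text * (CHUNK // len(text) + 1))[:CHUNK]
    with open(path, "wb") as f:
        f.write(b"\x00" * 510 + b"\x55\xaa")
        for c in chunks:
            f.write(c)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_sample(img, leak_chunk=2)
        print(audit_image(img))
```

High entropy alone does not prove a region is encrypted (compressed data scores high too), so the check is useful for catching plaintext that was left behind, not for certifying the image.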
