Encryption question

I have 2 hard drives in my system that I use for storing everything (docs, pics, music, movie rips and whatever else) and my SSD for Windows and some programs.

My question is . . . is it possible to encrypt the 2 storage devices and have them automatically unencrypt/unlock/whatever when I log into Windows?

I have used TrueCrypt in the past but it would mean manually mounting the drives before I access them each time I turn on the PC and since I have "My Documents" on there that would just be a pain!

I thought about maybe making a batch file and putting it in the startup? Anyone done anything like this before?
 
My question is . . . is it possible to encrypt the 2 storage devices and have them automatically unencrypt/unlock/whatever when I log into Windows?
Not quite sure exactly what you're trying to achieve, but setting up an encrypted drive to automount without entering a password would sort of defeat the object of the exercise, would it not? :p

You can set up the data volumes as system favorites using pre-boot authentication, but you'd need to encrypt the system drive as well (probably a good idea in any case if you're serious about security). It's all in the TrueCrypt docs, look under "TrueCrypt Volume" and its subheadings. :)
 
You could use the folder encryption built into Windows but this isn't nearly as good as TrueCrypt. If you do this, make sure you backup the key.
 
Do you have a motherboard with a TPM device fitted, or a socket where you can fit one (Most of my Asus boards do) and run Windows 7? If so, Bitlocker is your friend.
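
The BitLocker route suggested above, combined with the earlier point that the system drive has to be encrypted too, as an added example that is not part of any post in this thread. It assumes Windows 8 or later with the BitLocker PowerShell module, an elevated prompt, and data volumes at D: and E: (hypothetical drive letters).

```powershell
#Requires -RunAsAdministrator
# Added example: auto-unlock BitLocker data volumes at boot, tied to an encrypted OS volume.
# Assumption: the two storage drives are mounted as D: and E:.
$dataDrives = 'D:', 'E:'

# Auto-unlock keys for fixed data drives are stored on the OS volume, so they are
# only protected if that volume is itself encrypted. Stop early if it is not.
$os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem'
if (-not $os -or $os.ProtectionStatus -ne 'On') {
    throw 'OS volume is not BitLocker-protected; encrypt it before enabling auto-unlock.'
}

foreach ($drive in $dataDrives) {
    $vol = Get-BitLockerVolume -MountPoint $drive

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # Start encryption with a recovery password as the fallback protector.
        Enable-BitLocker -MountPoint $drive -EncryptionMethod Aes256 -RecoveryPasswordProtector | Out-Null
    }

    if (-not $vol.AutoUnlockEnabled) {
        # Adds an external-key protector whose key is kept on the encrypted OS volume.
        Enable-BitLockerAutoUnlock -MountPoint $drive | Out-Null
    }

    # Show the recovery password once so it can be written down and stored offline.
    (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object @{ n = 'Drive'; e = { $drive } }, RecoveryPassword
}

# Final state of every volume, for verification.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, AutoUnlockEnabled
```

With this setup the data volumes unlock only after the OS volume has been unlocked, so resetting the Windows account password offline does not expose them.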
 
Not quite sure exactly what you're trying to achieve, but setting up an encrypted drive to automount without entering a password would sort of defeat the object of the exercise, would it not? :p

I am just trying to make sure if for whatever reason someone was to steal my PC they wouldn't be able to access all my documents.

And with it automounting when I log in I don't see the security issue with this as I would have to log into Windows with a password before it would run the script and mount the drives?

I did think about encrypting the system drive but because it's an SSD I don't know what kind of effect encrypting the full drive would have? I know you aren't meant to fill the drive right up, so when it encrypts it, would it not be the same as filling it up?
 
As you said, you shouldn't encrypt the whole SSD. What I've done on my laptop (not my gaming PC due to speed) is have the OS encrypted using TrueCrypt with a 60GB partition, and then have the remaining space on the SSD unencrypted as a D drive to provide wear levelling space for the SSD. Any individual files on the D drive that I want encrypted use MS EFS. Since the private key for these files is stored on the OS drive, they're safe (file names are still visible).

Using MS EFS by itself isn't great because if someone gets your Windows login then they can access your files. Getting your Windows password is a lot easier than a TrueCrypt password, although you could combine it with some sort of smartcard.
 
And with it automounting when I log in I don't see the security issue with this as I would have to log into Windows with a password before it would run the script and mount the drives?
That would be hopelessly insecure - it's child's play to reset a Windows user account password: Offline NT Password & Registry Editor, then your data volumes would be wide open.

To be honest I'm not clear about the full implications of encrypting an SSD, there seems to be a fair amount of conflicting information - that said though, if your data genuinely *needs* the kind of protection that TrueCrypt offers, I think you probably have to just go for it and accept any potential performance/longevity hit, if in fact there is any.

If you don't want pre-boot authentication (including system volume encryption), and you don't want to manually enter a password, I suppose you could do it this way (using a blank password and a keyfile on a USB stick), but it seems a clumsy way of doing it, and of course someone could copy the keyfile unless you always keep the USB drive where you can see it.

Unfortunately, I think security and convenience will by necessity be a tradeoff to a certain extent, you can optimise your system for one or the other, not both.
 