windows 7 - TrueCrypt full disk encryption on the Intel 520 Series SSD

19
2014-01
  • Sean W.

    I am considering purchasing the Origin PC EON 11-S Pro laptop. It will be mounted to my wheelchair, so a solid-state drive (Intel 520 Series) will be used to eliminate any data loss due to low-level physical shock. Although the device will be with me most of the time, I would like the drive to be encrypted for numerous reasons. However, I am concerned that an improper software-based encryption scheme may damage or otherwise degrade the performance of the (rather expensive) SSD to unacceptable levels.

    Is TrueCrypt a reasonable solution with this particular model of SSD? Would BitLocker be a more stable solution? This related question and answer is a bit broader than what I'm asking, but it was still helpful.

    Note: I am aware that this particular SSD automatically implements hardware-based encryption; however, I'm uncertain whether the laptop's BIOS supports setting the ATA password or "drive password". Additionally, concerns have been raised as to whether this method is as secure as a software-based solution.

  • Answers
  • slhck

    I have an Intel solid 520 series 120 GB. I tried to fully encrypt with TrueCrypt and believe me: It's a bad choice. It will mess up your boot and your information.

    TrueCrypt full encryption is not working on this model of SSD. PGP full encryption is not working on this SSD either.

  • minya

    In my experience (about two years of active use, including on the road), SSDs and TrueCrypt are a better match, speed-wise, than regular HDDs and TrueCrypt. Under my workloads (gaming, software development, virtualization) the encrypted SSDs have performed quite well with no stability issues whatsoever.

    In your case, it will cost nothing (except for some time) to test whether TrueCrypt is a good fit: full-disk encryption done with TrueCrypt is reversible, so you can encrypt the drive, test-drive for performance, then decide whether you like the result or not. If not, go back to unencrypted state or try BitLocker. Also, because SSDs outperform average laptop HDDs even on massive block writes, the time penalty for the test would be minimal.

    One other thing to consider is AES-NI, the instruction set many recent Intel processors support. If your laptop's CPU supports AES-NI, this will speed up AES encryption with TrueCrypt about twenty-fold (provided that the disk drive itself isn't a bottleneck).

    The only thing to worry about, again from experience, is the SSD firmware/controller issues which may or may not occur on your system. But that would probably be covered by warranty and does not depend on the type of encryption used.


  • Related Question

    windows 7 - Truecrypt v. PGP v. Bitlocker for whole disk encryption?
  • andrewj

    This is a follow up on a previous thread from last year (What software should I use to encrypt my hard drive?): any more thoughts on whole disk encryption? I'm getting a new laptop and am willing to spend some money for a straightforward, easy to implement disk encryption method.

    I already use Truecrypt, which has the advantage of being open source and free, but am worried that it may be somewhat clunky to implement for whole disk encryption. It seems on face value, that Bitlocker may be the easiest to use solution, enough to warrant upgrading from Windows 7 Professional to the Ultimate version. On the other hand, I've also seen people use PGP as well.

    Also, do any of these programs interfere with the ability of the system to go into hibernation or standby mode or have problems with solid state drives?


  • Related Answers
  • AnonJr

    If you're already using TrueCrypt, there's no compelling reason to switch at this point in time. Most people find BitLocker easier to implement, and if you have the appropriate edition of Windows 7 there's nothing wrong with using it. It's been a long time since I last looked at PGP so I can't really comment there.

    In the end you'll do better to focus on making sure things like master passwords are sufficiently complex and hard to guess, that you're locking the logged in account when you're not there, and watching for other commonly missed vectors of attack. You'd be surprised how many "securely encrypted disks" are compromised by having weak authentication measures or are left logged in...

    Ultimately the best solution is the one you use. ;)

  • NetFossil

    Using PGP right now in our environment. PGP will prompt for authentication coming out of hibernation as well as system boot, but not from sleep. Not sure about BitLocker or TrueCrypt. I'm looking at evaluating BitLocker right now.

  • slhck

    I have tried both PGP and Bitlocker and found that both are easy to implement, but Bitlocker asks for a recovery key every time there is a change in the hardware — it looks like this:

    BitLocker Recovery Key: 402853-586311-176957-360866-697576-425466-365607-689666

    This key needs to be with you all the time in case the system asks for it, which I find very difficult to memorize or keep compared to passwords in PGP.

    I have seen Bitlocker ask for this key more than once during my Bitlocker tests.

    Other advantages of PGP over Bitlocker in my opinion are:

    • You don't care what MS OS you are running, if you had to read your drive from a different machine (all you have to do is to install PGP software and you are ready to go)
    • You can configure more than one user to access the drive (ex. admin and the regular user)

    Disadvantages are maybe in recovering a damaged OS since Windows doesn't have PGP drivers embedded and therefore Windows can not access the drive.

  • lurscher
    • TrueCrypt is more fit for file system encryption. PGP is too generic for this; I haven't used BitLocker.

    • There might be an overlap, but TrueCrypt favours symmetric encryption schemes, while PGP is more oriented for signature, and public key cryptography certificates. If you are really paranoid about quantum computers breaking public key cryptography in the next 10 years, stick with symmetric key encryption schemes (default on TrueCrypt).

    Explain where you see potential clunkiness; TrueCrypt is in fact designed with partition and whole-disk encryption in mind.

  • nick

    What makes you think that bitlocker is not secure? It has been developed by the recognized team and has no known backdoor issues. Any PC may be "hacked" with a sloppy user, it does not matter what WDE software is used.

    As far as what crypto software to use for the whole disk encryption, three mentioned here (PGP, TrueCrypt and Bitlocker) are good and should be safe enough for everyday use. PGP and TrueCrypt are developed for both Win and Mac, while Bitlocker is for Win only. I would add to the list SecureDoc full disk encryption from Winmagic that works well on both Mac and Win machines.

    Also bear in mind that your choice of encryption software on the first machine will influence its use on the consequent computers.

  • anonymous

    You can use TrueCrypt from Linux, but I don't think Microsoft BitLocker is compatible with Linux.

    And... I guess TrueCrypt is TRULY SECURE (FBI, CIA couldn't decrypt some hard disk after 12 months)

    while bitlocker is NOT TRULY SECURE, it can be hacked.