VC = VeraCrypt
PT = Partition Table
BL = Boot loader
TC = TrueCrypt
When you use VC to encrypt Windows, you have two options: to encrypt the whole disk or only the Windows partition.
I have some other questions but will ask these first:
1) What exactly is the difference? I assume all the partitions on the drive will be encrypted and decrypted together.
2) Will any part of the PT be encrypted with either option? I recall reading in the TC user guide years back that OS encryption replaces the Windows code in the PT.
3) (slightly unrelated) Is the VeraCrypt BL located in the PT?
I assume the PT would not be encrypted because it would have to run Windows somehow and that the VC BL is located in the partition table on both MBR PTs and GUID PTs.
Correct me if I am wrong on anything and relevant reading material would be welcome.
I ask because I am concerned how a GPT would affect backing up and restoring Windows, using Linux tools. If there is anything related to that topic here, please post. Though that's not the primary subject and I don't want this thread to go on a tangent.
Last edit: blip 2017-05-13
EFI/GPT and MBR boot are different.
The loader is started from a FAT partition with a special GUID, the EFI system partition (ESP).
The ESP contains the boot loaders (GRUB for Linux, bootmgfw for Windows, DcsBoot for VeraCrypt).
The list of loaders to execute is saved in NVRAM (boot order).
Note: the ESP is the main reason full disk and hidden volume are excluded from setup.
So to understand what you are saying:
The VeraCrypt boot loader is NOT located in the GUID PT (as I believe was the case with the MBR PT). The VC BL is located in the 450MB/500MB EFI partition? Can you confirm this?
What then would be the difference between whole disk encryption and windows-partition encryption?
My bad. I just noticed on a GPT disk that the option to encrypt the whole drive is greyed out - you can only encrypt the one Windows partition.
Can you confirm my interpretation of your post though, please.
Correct.
Directory EFI\VeraCrypt
VC boot loaders:
DcsBoot.efi - OS loader
DcsRe.efi - Rescue loader
Note: EFI shell configuration - DcsCfg.efi
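
For the backup question raised in the thread, the sketch below (an added example, not part of the original posts and not VeraCrypt code) reads a GPT partition table from a raw disk image and picks out the EFI system partition by its type GUID, which is the partition the replies say holds DcsBoot.efi. The sample image, its partition sizes and names, and the 512-byte sector size are constructed assumptions; header and table CRCs are not checked.

```python
import struct
import uuid

SECTOR = 512  # assumed logical sector size
ESP_TYPE = uuid.UUID("C12A7328-F81E-11D2-BA4B-00A0C93EC93B")    # EFI system partition
BASIC_DATA = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")  # Microsoft basic data

def parse_gpt(image: bytes):
    """Return (type GUID, first LBA, last LBA, name) for each used GPT entry."""
    hdr = image[SECTOR:SECTOR * 2]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-partitioned disk?)")
    entries_lba, count, size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        off = entries_lba * SECTOR + i * size
        entry = image[off:off + size]
        ptype = uuid.UUID(bytes_le=entry[:16])  # GUIDs are stored mixed-endian
        if ptype.int == 0:  # unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((ptype, first, last, name))
    return parts

def find_esp(parts):
    """Entries a backup must include so the boot loaders in the ESP survive a restore."""
    return [p for p in parts if p[0] == ESP_TYPE]

def build_sample_image():
    """Constructed image: protective-MBR sector, GPT header, 4-slot entry table."""
    def entry(ptype, first, last, name):
        return (ptype.bytes_le + uuid.UUID(int=first).bytes_le
                + struct.pack("<QQQ", first, last, 0)
                + name.encode("utf-16-le").ljust(72, b"\x00"))
    hdr = bytearray(SECTOR)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 4, 128)  # table at LBA 2, 4 slots of 128 bytes
    table = (entry(ESP_TYPE, 2048, 1026047, "EFI system partition")
             + entry(BASIC_DATA, 1026048, 209715199, "Basic data partition"))
    return bytes(SECTOR) + bytes(hdr) + table.ljust(4 * 128, b"\x00")

if __name__ == "__main__":
    for ptype, first, last, name in parse_gpt(build_sample_image()):
        tag = "ESP (boot loaders)" if ptype == ESP_TYPE else "data"
        print(f"{first:>10}-{last:<10} {name:<22} {tag}")
```

Run against the first few sectors of a real disk image, the same parser shows whether the image includes the ESP at all, which matters when only the Windows partition was imaged.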