Possible Dilemma of Bad Blocks?
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hello everyone. My questions pertain specifically to flash drive and SSD technologies (for example, if you store data on a thumb drive or an internal/external SSD), though other users could potentially find this information very important for hard drives as well.
Here are my scenarios. Say I have just completed a full disk encryption on Windows (the system partition or entire system drive), or I have just completed encrypting a non-system partiton/drive, what happens if any of the blocks on the drive become corrupted during this process?
It seems like in this situation, the drive would attempt to recover the corrupted data from that block, copy it to a new block that works, and then mark the original block as bad. Whether or not it can recover the data from the block, it appears that it would leave the data in that area unencrypted, and then prevent VeraCrypt from being able to encrypt it, rendering it permanently unencrypted and vulnerable. Is this indeed what might happen? What I'm really trying to get at is whether or not VeraCrypt is able to encrypt blocks in the process of being marked bad, or blocks already marked as bad. This is because if any sensitive information is written to the drive before it is encrypted, it might be impossible to ensure all of it gets encrypted if VeraCrypt attempts to move unencrypted data to a bad block.
I am not certain if what I've described is true, but it seems that way to me due to how flash/SSDs work due to overprovisioning/wearleveling/bad block handling. It could be true of HDDs as well, since areas can become corrupted and get marked as bad. Is there any validity in this or am I just paranoid?
I started thinking about this after I noticed that the VeraCrypt rescue disk was created on my SSD (rather than a thumb drive, because I didn't want to create one, but somehow it forced its way onto my desktop), and when this disk is created, it is putting it onto unencrypted SSD space (I think? It really seems that way.) I began to wonder, what if VeraCrypt tried to move the rescue disk data to a bad block during the process of fully encrypting the disk? It could have potentially left the disk in a permanently unencrypted area and then eventually found a working block to store it on. I just don't know what to think at this point, and I'm hooked on this question, because if it's true, it can be a huge vulnerability.
Last edit: Robert J 2020-08-17
Another quick thing I had wanted to say - if VeraCrypt has some way to manage all areas marked as bad, either by trying to encrypt it, or write random data or some sequence of 0's and/or 1's to all the bad blocks, doing so would immediately solve this potential problem. I'm not even sure if this is possible, though, because drives might forbid and even hide areas that are marked as corrupted. Again, I just don't know about this, but it seems like a potential problem that might be serious.
https://www.veracrypt.fr/en/Reallocated%20Sectors.html
https://www.veracrypt.fr/en/Security%20Requirements%20and%20Precautions.html
The VeraCrypt Rescue Disk only applies to system encryption. You need to make a bootable disk from the Rescue Disk and test that you can boot from the rescue disk.
https://www.veracrypt.fr/en/VeraCrypt%20Rescue%20Disk.html