I would leave these hidden partitions unencrypted to allow future Windows upgrades to succeed.
Per the FAQ:
Note: If the system partition/drive is encrypted and you want to reinstall or upgrade Windows, you need to decrypt it first (select System > Permanently Decrypt System Partition/Drive). However, a running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.
Any system that can get infected is susceptible with or without encryption.
When I disabled Fast Startup on my system, my system appeared to boot faster rather than come out of Fast Startup state.
Is FS still a potential vulnerability?
There may be other undiscovered ramifications for security. Not worth the risk in my opinion given the boot time does not seem to be an issue on my system with Fast Startup disabled.
So it is fine to leave them unencrypted and does not endanger the information stored on the OS partition?
Yes, do not encrypt those partitions. Per the links in my previous post, if your system gets physically or software compromised, it will not matter if you are using encryption.
So essentially: No matter how a system stops running, after a few minutes the RAM will not contain any usable data anymore and all is well?
Correct.
In other words: Wear-levelling might leak data from BEFORE the encryption process, but neither the passphrase nor any data written after the encryption is completed.
Correct?
Correct for the passphrase. However for the SSD wear-leveling, the SSD controller will determine where to write the encrypted data which can leave the source unencrypted "before" data on the SSD.
Also be aware that SSD can have over provisioning which the controller can use when memory cells are failing or when the SSD is nearly full to perform wear-leveling.
I guess a donation is in order! ;)
Excellent! I'm sure the developers will appreciate donations to keep the VeraCrypt project viable.
In my opinion, I would avoid removing any partitions to encrypt at the device level because Windows will always prompt you to format the device when you plug into the computer or in the case of always attached HDDs/SSDs when you reboot your computer. If you accidentally click the wrong answer when prompted to format, you lose the data. Of course, you should always have backups.
You need to select Partition 1 since it is defined for the entire storage of the device. Thanks for the screenshot. Very helpful!
You must disable Fast Startup. See threads:
https://veracrypt.codeplex.com/workitem/475
https://sourceforge.net/p/veracrypt/discussion/technical/thread/ab96939d/#e63b
Any system that can get infected is susceptible with or without encryption.
https://veracrypt.codeplex.com/wikipage?title=Security%20Requirements%20and%20Precautions
https://veracrypt.codeplex.com/wikipage?title=Malware
Correct. Existing data.