Dear authors,
First of all big thank you for developing VeraCrypt. I highly appreciate that.
I have spent 2 months reading this forum and trying to understand the solutions for grayed out whole drive encryption option.
My case: Win10, UEFI, Dell XPS (2017), Single drive C with Windows (no other drives), need to protect data on C drive in case of loss of computer or so (no hidden volumes, etc).
Since I have just a single drive, would there be any security loss from choosing to "Encrypt the Windows system partition" versus "Encrypt the whole drive"?
A user guide on howtogeek claims: "You can choose to either “Encrypt the Windows system partition” or “Encrypt the whole drive”. It’s up to you which option you prefer. If the Windows system partition is the only partition on the drive, the options will be basically the same."
Could the authors answer whether in such a case (having a single drive) there is no security difference between system partition & whole drive?
Unfortunately I can't understand the user guide here: https://sourceforge.net/projects/dc5/files/beta/ due to a lack of IT competence.
If there are others looking for answers, here are the excerpts from this forum which helped me understand the cause of the grayed out "whole drive" option:
"EFI boot disk can't be full encrypted. "
Alex - 2016-09-01
https://sourceforge.net/p/veracrypt/discussion/technical/thread/014f2f1d/?limit=25
"Data written on system drive (e.g. C:) is encrypted. If there are other drives (e.g. D: E: etc.) data on these drives have to be encrypted as ordinary VeraCrypt volumes. "
Alex - 2016-09-02
https://sourceforge.net/p/veracrypt/discussion/technical/thread/014f2f1d/?limit=25
"For UEFI, Windows hidden partitions for booting purposes must not be encrypted. Even Microsoft's BitLocker does not encrypt the hidden boot partition. Hence, one of the reasons why the whole disk option is greyed out."
Enigma2Illusion - 2017-12-17
https://sourceforge.net/p/veracrypt/discussion/general/thread/357fcdad/
Related posts:
https://sourceforge.net/projects/dc5/files/beta/
https://sourceforge.net/p/veracrypt/discussion/technical/thread/509432c4/?limit=25
https://sourceforge.net/p/veracrypt/discussion/technical/thread/aaeeb26b/?page=2
https://sourceforge.net/p/veracrypt/discussion/general/thread/de13d5a3/
https://sourceforge.net/p/veracrypt/discussion/technical/thread/f90bcf05/?page=3
https://sourceforge.net/p/veracrypt/discussion/general/thread/ebd7adc1/
https://sourceforge.net/p/veracrypt/discussion/technical/thread/37629f65/
https://sourceforge.net/p/veracrypt/discussion/technical/thread/b1bf19bc/
Thank you for the answer in advance.
If C: is the only drive, C: content is encrypted. Data outside C: is not encrypted (~100MB for ESP and MSR). It is a normal level of security (like BitLocker) and easy to install.
To achieve a better level of security there are several ways:
1. separate keys and data (move header to USB)
2. create hidden OS
3. use TPM and secure boot to protect boot loader from modification
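As an added illustration (not code from this thread or from VeraCrypt), the following Python parses a GPT partition table, classifies each entry by the standard type GUIDs for ESP, MSR, Windows Recovery and basic data, and totals what stays in plaintext when only the Windows system partition is encrypted. The disk layout it builds is constructed to resemble the single-drive UEFI Windows 10 setup discussed above; the partition sizes are assumptions.

```python
import struct
import uuid
SECTOR = 512
ESP = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")         # standard GPT partition type GUIDs
MSR = uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae")
WINRE = uuid.UUID("de94bba4-06d1-4d40-a16a-bfd50179d6ac")
BASIC_DATA = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")
TYPE_NAMES = {ESP: "EFI System Partition", MSR: "Microsoft Reserved",
              WINRE: "Windows Recovery", BASIC_DATA: "Basic data (Windows volume)"}

def parse_gpt(image):
    """Read the GPT header at LBA 1 and return one dict per used partition entry."""
    if image[SECTOR:SECTOR + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", image, SECTOR + 72)  # hdr offset 72
    parts = []
    for i in range(n_entries):
        off = entries_lba * SECTOR + i * entry_size
        entry = image[off:off + entry_size]
        type_guid = uuid.UUID(bytes_le=entry[:16])  # GPT stores GUIDs in mixed-endian form
        if type_guid.int == 0:
            continue  # unused slot
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        parts.append({"type": TYPE_NAMES.get(type_guid, str(type_guid)), "guid": type_guid,
                      "name": entry[56:128].decode("utf-16-le").rstrip("\x00"),
                      "size": (last_lba - first_lba + 1) * SECTOR})
    return parts

def plaintext_footprint(parts):
    """Bytes that stay unencrypted when only the basic-data system partition is encrypted."""
    return sum(p["size"] for p in parts if p["guid"] != BASIC_DATA)

def build_sample_image(layout):
    """Construct a minimal GPT image (LBA 0..33) from (type guid, name, first lba, last lba) tuples."""
    img = bytearray(34 * SECTOR)
    img[SECTOR:SECTOR + 8] = b"EFI PART"
    struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)  # entry array at LBA 2, 128 x 128 bytes
    for i, (tguid, name, first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = tguid.bytes_le
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 128] = name.encode("utf-16-le").ljust(72, b"\x00")
    return bytes(img)

# Constructed layout resembling a default UEFI Windows 10 install on a single ~500 GB disk.
SAMPLE_LAYOUT = [(ESP, "EFI system partition", 2048, 206847),
                 (MSR, "Microsoft reserved partition", 206848, 239615),
                 (BASIC_DATA, "Basic data partition", 239616, 975000000),
                 (WINRE, "Recovery", 975000001, 976773134)]
```

On the constructed layout, `plaintext_footprint(parse_gpt(build_sample_image(SAMPLE_LAYOUT)))` reports about 982 MiB (ESP, MSR and the WinRE partition) outside the encrypted volume; run the same classification against `Get-Partition` output on a real machine to see what the "system partition" option leaves untouched.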
Thank you very much Alex for prompt reply!
I have Googled a lot about ESP and from your answer understood that although I see a single drive, in reality I have several partitions:
EaseUS Partition Master:
(side-note: for clarity I have Win10 Home and BitLocker is not included)
The ESP holds Boot, Recovery, Logs, etc:
If I may re-phrase the question then, if I select "Encrypt the Windows system partition" for disk C:
Is there a possibility for somebody (who theoretically acquires my PC without my knowledge and does not know the VeraCrypt password to access the encrypted data on disk C) to somehow retrieve the data from disk C, because other partitions (e.g. ESP or other) are not encrypted and log/back up the data from the C drive for recovery or any other set-by-default reasons?
If there is no such possibility, then encrypting data on C is totally sufficient to protect the data. If it is somehow replicated/backed up/logged outside the C drive OS partition (factory settings) on those unencrypted partitions, then there is a security pickle. This is why I am wondering about the difference between encrypting the partition vs the whole disk.
Hope it helps others as well.
I would very much appreciate your answer, Alex.
If someone finds your notebook, data on the C: drive is protected well enough.
Notes: there are many possibilities to attack.
e.g.
1. A spy program can save data outside the encrypted region - this is one of the ways. (it depends what you use in the OS) It can be data or the header with keys decrypted.
2. Data is protected by a password - the only authorization factor. (it is complex but the only one) It is possible to capture it, e.g. via a pre-boot spy or external video.
Security is a balance. VeraCrypt can give a good level (comparable to commercial software).
Thank you for the answer Alex!
Man, I'm just not happy with this! Aidukonis' screenshot of his sole drive shows a typical Windows security nightmare - there's stuff EVERYWHERE!!! Stupid little unexplained & cryptically named partitions, all clearly separate from C: and all outside VeraCrypt's remit. Depending on your activities / location / endangerment etc any one of them could get you blackmailed, tortured, persecuted, imprisoned... Seriously, it's not good enough. Yes, I hugely admire the efforts of the VeraCrypt team but that doesn't change the principal fact - that a secured system must be completely secured.