
VeraCrypt designed for SSD?

Anonymous
2014-11-05
2015-02-09
  • Anonymous

    Anonymous - 2014-11-05

    Is it safe to use an SSD with VeraCrypt? I know there's a known vulnerability when encrypting SSD devices - I don't recall the technical term for it.

     
  • Anonymous

    Anonymous - 2014-11-05

    "I know there's a known vulnerability when encrypting SSD devices"

    Please elaborate.

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2014-11-09

    The main issues with SSD drives come from the notions of "TRIM" and "Wear Leveling". There are many resources on the internet about them and how they affect security and privacy.

    Concerning VeraCrypt, the safest way to use an SSD drive is to fully encrypt it when it is brand new and before ever using it. You can combine this with a full wipe using a third-party tool prior to the full encryption.

     
  • Anonymous

    Anonymous - 2014-12-11

    "Concerning VeraCrypt, the safest way to use an SSD drive is to fully encrypt it when it is brand new and before ever using it."

    1.- I currently have a non-encrypted non-SSD. I just bought an SSD. I want to migrate to an FDE SSD.

    I am not sure if Windows will continue to work when doing a System encryption on the new SSD with VC and then, after it has been encrypted (as System), cloning my old HD onto the newly encrypted SSD. Will I have to re-install Windows manually on the SSD, or will a Windows clone (from the old HD) still work?

    2.- Should I use the SSD manufacturer's hardware AES encryption for the FDE and then create VC containers inside? Or do you think it is safest to not use the manufacturer's hardware FDE encryption and instead use VC encryption also for the System?

    3.- Why do you recommend a full wipe of a brand new SSD prior to encryption?

     
  • Mounir IDRASSI

    Mounir IDRASSI - 2014-12-12

    1- I'm not sure I understand the purpose of encrypting your Windows that is already installed on the SSD if you are going to clone your old Windows into it, thus erasing the previous install? Maybe there is a misunderstanding concerning "System encryption". Do you really mean "System encryption" for the SSD? System encryption implies that you install Windows on the SSD and then do the system encryption. I think you mean fully encrypting the SSD disk and then cloning the old Windows into it. From the point of view of VeraCrypt, it should work if the old disk and the new disk have the same size and layout.

    2- How does the manufacturer's FDE encryption work? Is it equivalent to VeraCrypt boot encryption? Does it need extra software? It is difficult to judge without further details. One of the leading non-SSD hard drive manufacturers offers hardware encryption that needs Windows software to unlock the drive. In the case of this manufacturer, they use AES in ECB mode to encrypt the data!! Everyone knows that ECB "doesn't provide serious message confidentiality, and it is not recommended for use in cryptographic protocols at all."

    3- This recommendation is linked to wear-leveling. The documentation explains this in detail (especially the second paragraph): https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling
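    The ECB weakness Mounir refers to above can be seen directly on a disk-shaped input. The following is an added example (not code from this thread, from VeraCrypt, or from the drive vendor mentioned): it builds a constructed 40-block "disk image" (a few distinct header blocks, two of them deliberately identical, followed by the all-zero free space an SSD usually contains), encrypts it with AES-ECB and with AES-CBC, and marks every ciphertext block whose value recurs elsewhere. Under ECB the map of repeated blocks reproduces the layout of the plaintext (where the free space is, which records are copies of each other) without any key; under a chained mode every block is unique. CBC from Go's standard library stands in for the sector-tweaked XTS mode VeraCrypt actually uses, since XTS is not in the standard library; the key and IV are constructed demo values, not anything from the thread.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"strings"
)

const blockSize = aes.BlockSize // 16 bytes

// Constructed demo key and IV for the example only; real volumes derive keys
// from a password via a KDF and never hard-code them.
var demoKey = []byte("constructed-demo-key-not-secret!") // 32 bytes -> AES-256
var demoIV = []byte("fixed-demo-iv-16")                  // 16 bytes

// sampleImage builds a constructed 40-block "disk image": 8 header blocks
// (blocks 3 and 7 deliberately identical, like two copies of one record)
// followed by 32 all-zero blocks standing in for free space.
func sampleImage() []byte {
	img := make([]byte, 0, 40*blockSize)
	for i := 0; i < 8; i++ {
		fill := byte(i + 1)
		if i == 7 {
			fill = 4 // same content as block 3
		}
		img = append(img, bytes.Repeat([]byte{fill}, blockSize)...)
	}
	img = append(img, make([]byte, 32*blockSize)...)
	return img
}

// ecbEncrypt applies the raw block cipher to each block independently:
// identical plaintext blocks always yield identical ciphertext blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += blockSize {
		block.Encrypt(out[i:i+blockSize], plaintext[i:i+blockSize])
	}
	return out, nil
}

// cbcEncrypt chains each block into the next, so equal plaintext blocks at
// different positions encrypt differently (stand-in for XTS here).
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%blockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), blockSize)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out, nil
}

// repetitionMap marks each ciphertext block '#' if the same ciphertext block
// occurs anywhere else in the image and '.' if it is unique. Anyone holding
// only the ciphertext can draw this map; under ECB it mirrors the plaintext.
func repetitionMap(ct []byte) string {
	n := len(ct) / blockSize
	keys := make([][blockSize]byte, n)
	counts := make(map[[blockSize]byte]int, n)
	for i := 0; i < n; i++ {
		copy(keys[i][:], ct[i*blockSize:(i+1)*blockSize])
		counts[keys[i]]++
	}
	var sb strings.Builder
	for i := 0; i < n; i++ {
		if counts[keys[i]] > 1 {
			sb.WriteByte('#')
		} else {
			sb.WriteByte('.')
		}
	}
	return sb.String()
}

// countRepeatedBlocks returns how many ciphertext blocks share their value
// with at least one other block in the image.
func countRepeatedBlocks(ct []byte) int {
	return strings.Count(repetitionMap(ct), "#")
}

func main() {
	img := sampleImage()
	ecb, err := ecbEncrypt(demoKey, img)
	if err != nil {
		panic(err)
	}
	cbc, err := cbcEncrypt(demoKey, demoIV, img)
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %s (%d blocks repeat)\n", repetitionMap(ecb), countRepeatedBlocks(ecb))
	fmt.Printf("CBC: %s (%d blocks repeat)\n", repetitionMap(cbc), countRepeatedBlocks(cbc))
}
```

    Running it prints an ECB map of `...#...#` followed by 32 `#` (the two duplicate header blocks and the whole free-space region are visible) against a CBC map of 40 dots. This is the property a full-disk encryption mode has to avoid, which is why VeraCrypt, like other serious disk encryptors, uses a mode whose output depends on the sector position rather than on the block contents alone.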

     
  • Anonymous

    Anonymous - 2014-12-16

    So basically the best way to securely encrypt my desktop SSD is to copy some old files off the old SSD and destroy that SSD, get a new SSD, install the OS, encrypt that, then copy the old files over? Anything else to disable on the new SSD, or anything?

     
    • Enigma2Illusion

      Enigma2Illusion - 2014-12-16

      Depending on your manufacturer, some provide a secure erase utility that you can run on the SSD. Since your SSD is the OS drive, most likely you will need to remove the current SSD and connect it to another PC as a secondary drive in order to run the secure erase utility from the manufacturer.

      Then you can reuse the SSD on your desktop PC by installing the OS, encrypting and copying the files back to the SSD.

      Your method is definitely the most secure. It depends on your threat model if the alternate solution above is good enough for your needs.

       

      Last edit: Enigma2Illusion 2014-12-16
  • Anonymous

    Anonymous - 2014-12-17

    OK, but still, is VeraCrypt truly going to be good enough? This NAND and wear-leveling stuff won't leak data once I do all that?

     
    • Enigma2Illusion

      Enigma2Illusion - 2014-12-17

      Once the OS partition is encrypted, any new writes to the OS partition will be encrypted. See the link from Mounir's post referencing the second paragraph.

      Meaning, when you save your data on the encrypted OS partition and wear-leveling controlled by the SSD writes it to different cells, the different cells will have encrypted data.

       

      Last edit: Enigma2Illusion 2014-12-18
  • Anonymous

    Anonymous - 2014-12-18

    OK, so either get a new SSD or secure erase it, instantly use VeraCrypt once set up, and no potential data leaks after that? Sounds great, thanks for the help.

     
    • Enigma2Illusion

      Enigma2Illusion - 2014-12-18

      Your statement regarding potential data leaks is an entirely different topic. Please read the section Security Requirements and Precautions in the documentation from the provided link below.

      Security Requirements and Precautions

      There are too many variables to your question which is why I refer you to the documentation. :)

       
  • Anonymous

    Anonymous - 2014-12-18

    What about imaging the current drive until it gets secure wiped, then placing it back? The point is to never let the unencrypted data touch the drive after it is secure wiped. I assume most imaging/cloning software will end up using decrypted data, but I saw where the Linux dd tool can clone it perfectly as-is, but I'm not sure. I may just reinstall Windows from scratch and try to bring everything back, I guess.

     
    • Enigma2Illusion

      Enigma2Illusion - 2014-12-19

      By keeping your current drive, you will perform:

      1. Save any data from the OS drive that you need to another device. You can consider encrypting the other device so the data is encrypted.
      2. Secure Erase the current SSD drive, which, as I explained earlier, will require connecting it to another computer as a secondary drive unless you can find a Secure Erase that runs from DOS mode at bootup. Even then, there may be issues. Google search SSD secure erase with brand and model number.
      3. Install the OS on the SSD. Do not restore from a clone.
      4. Encrypt OS using VC.
      5. Copy back data that you saved in step one by mounting the VC volume from the other device now connected to the PC with the SSD.

      There is no way to secure erase the OS drive and clone back while encrypting the SSD drive. VC would have to be installed on the target OS drive and running which is not the case since there is no OS available.

      You could attempt the following assuming the clone software will allow you to only restore OS, not an entire device restore that includes the empty space (complete clone).

      1. Save any data from the OS drive that you need to another device. You can consider encrypting the other device so the data is encrypted. Do this as a precaution.
      2. Secure Erase the current SSD drive, which, as I explained earlier, will require connecting it to another computer as a secondary drive unless you can find a Secure Erase that runs from DOS mode at bootup. Even then, there may be issues. Google search SSD secure erase with brand and model number.
      3. Install the OS on the SSD. Do not restore from a clone.
      4. Encrypt OS using VC.
      5. If the clone software allows you to enter the TC bootloader password, then it performs the restore of the OS. Then the data would be encrypted during the partition restore.

      I am not aware of clone/backup software that would allow you to first enter the bootloader password before the software begins restoring. Maybe someone else on the forums knows of software that could perform this task.

      I hope that makes sense. :)

       
  • Anonymous

    Anonymous - 2014-12-18

    OK, so yes, the dd tool in Linux copies the drive bit for bit, but I wonder if it also copies the unencrypted bits left over from wear leveling, which is what I'm trying to avoid. Not sure.

     
  • Anonymous

    Anonymous - 2014-12-19

    Yeah, it's fine. I should've saved you the typing and told you I just decided to secure wipe (actually used enhanced secure wipe) and reinstall the OS, and take a few hours to reinstall everything. Appreciate all the help though.

     
  • Enigma2Illusion

    Enigma2Illusion - 2014-12-20

    Glad to help! :)

     
  • Anonymous

    Anonymous - 2015-02-09

    Sorry for my question from a non-techie end-user. On the back of the question above, I am wondering if there would be a way to create some sort of HDD or hardware ID certificate and build it into a keyfile during the encryption process, so that one would need that hardware-linked keyfile for decryption. It would also be helpful, for added security, if one could also build in an optional decryption expiry date, much like the expiry date on your milk box, so that the decryption could be interrupted beyond a certain static date (OK, I know that since this is a passive field, there could be a way around it; still, it would deter more than one attacker who does not know about this additional safeguard measure). Thanks. Luca

     
