Yet another FDE SSD Question

2017-09-11
  • YosemitieSam

    YosemitieSam - 2017-09-11

    I've looked into a bunch of posts about this but I am not sure I am grasping it completely, so I apologize for the redundancy...

    On Fri. I am receiving a new Thinkpad with an SSD. I assume it will come with a Windows disk and I will have to go through the motions of installing a brand new OS.

    So would the proper way to go about this be to install the OS and then the absolute first thing would be to install VC and then encrypt the entire SSD?

    Any comments, assistance, or advice here would be greatly appreciated, and thanks in advance if anyone has any thoughts.

    I am not sure I'm understanding how or if I have to encrypt the drive before installing the OS?

     
  • Gary Marks

    Gary Marks - 2017-09-14

    (I decided to reply here, rather than your duplicate post in the wear-leveling thread)

    I'll start by answering your last question... do you need to encrypt your drive before installing the OS? Absolutely not, and I can't even imagine how it would be possible. The Windows setup program would see the encrypted SSD as unformatted and start by destroying any encryption you've done. Instead, you'll install VeraCrypt into a fully functioning Windows system, just like with any other Windows program. You really don't need to encrypt your drive or system partition until you're ready to start storing personal or otherwise sensitive data on it. However, as a new user, you may want to install VeraCrypt earlier than necessary just to familiarize yourself with the program, check compatibility, and test your backup methods for an encrypted Windows system. The wear-leveling security vulnerability that could arise only becomes an issue if you are encrypting an SSD that already contains sensitive data. As long as you wait until after encrypting to produce or copy sensitive data to the drive, wear-leveling is a non-issue in terms of security.

    It sounds like you're planning on encrypting the entire drive, but there's a perfectly good case to be made for encrypting just the Windows system partition (not to be confused with the small "System Reserved" partition). The system partition (C: drive) is probably where all your sensitive data will be... emails, browser history, financial data, swap file, etc. In addition to my encrypted system partition, I also like to have at least one UNencrypted partition where I can store a few archives and images (including the VeraCrypt rescue image) that can be accessed without mounting the system volume. That's why I forgo whole drive encryption in favor of the partition variety. Just something to consider.

    So tomorrow is the big day for you! Good luck with your new ThinkPad.

     
