SSD Encryption

Kilobyte Kid

I know much has been said on encryption on SSDs, but I'm having a difficult time coming to an informed decision about encryption options for my Crucial MX100 (256GB).


My plan is to partition my MX100, and then encrypt only the second partition, as follows:

- C:/ 140GB (system files)

- D:/ 100GB (personal data) encrypted. My plan was to use Truecrypt, which I have used a lot with my older hard drives.


I was wondering if anyone here is familiar with pros and cons to this. My understanding is there are concerns that TRIM is not handled properly with encryption software like Truecrypt, and this among other things (complex SSD tech-talk that I couldn't understand) could cause excess wear or harm to the SSD.


Any recommendations or tips would be greatly appreciated. Thanks!



8 Replies
Kilobyte Kid

Re: SSD Encryption

The MX100 has hardware encryption and that is the way to go. Assuming you have Windows 8 pro and a full UEFI system, boot the install disc and run diskpart clean on the ssd from the command line, then install. Don't bother with a data partition.

Then, when you enable bitlocker it should not ask you if you want to encrypt all or part of the drive (which would indicate the h/w encryption isn't working properly), it should just instantly lock.

This avoids all the issues with encryption you mention and had zero impact on speed. This is the way to go.
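One way to confirm which mode BitLocker ended up in after the steps in the reply above (an added example, not part of the original thread): it reads the `EncryptionMethod` that the `Get-BitLockerVolume` cmdlet reports for each volume. The helper name `Get-EncryptionVerdict` and the sample objects are assumptions made for illustration.

```powershell
# Added example: classify each BitLocker volume as hardware (drive-side) or
# software encryption. Get-EncryptionVerdict is a hypothetical helper name.
function Get-EncryptionVerdict {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume
    )
    process {
        $method = [string]$Volume.EncryptionMethod
        $status = [string]$Volume.VolumeStatus
        $armed  = ([string]$Volume.ProtectionStatus) -eq 'On'

        $mode = if ($method -eq 'None' -or $status -eq 'FullyDecrypted') {
            'Not encrypted by BitLocker'
        } elseif ($method -eq 'HardwareEncryption') {
            'Hardware: the drive encrypts, BitLocker only manages the key'
        } else {
            "Software: Windows encrypts with $method"
        }

        # Protection "Off" on an encrypted volume means BitLocker is suspended:
        # the data is still ciphertext but nothing stops it being unlocked.
        $note = if (-not $armed -and $status -ne 'FullyDecrypted') {
            'Protection is off (suspended); resume it before relying on it'
        } else { '' }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Status     = $status
            Mode       = $mode
            Note       = $note
        }
    }
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $volumes = Get-BitLockerVolume        # run from an elevated prompt
} else {
    # Constructed sample objects so the logic can be read without BitLocker.
    $volumes = @(
        [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'HardwareEncryption'
                           VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On' },
        [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'Aes128'
                           VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off' },
        [pscustomobject]@{ MountPoint = 'E:'; EncryptionMethod = 'None'
                           VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off' }
    )
}
$volumes | Get-EncryptionVerdict | Format-List
```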
Kilobyte Kid

Re: SSD Encryption

Additional: It is worth realising that all your data is encrypted all the time when saving to your ssd as encryption is built in. You just need a 'gate keeper' and the MX100 uses the Opal 2 standard which means bitlocker is compatible and can do this. Bitlocker won't actually perform the encryption in this case, it just acts as the doorman.

Truecrypt is software only and is no longer supported by the devs. It can cause issues with speed and wear on an ssd and is not ideal.
Kilobyte Kid

Re: SSD Encryption

Unfortunately, I don't have UEFI. I'm on Windows 7 but will be jumping to Windows 10 this week.


I appreciate the tips. Yeah you're right, it looks like bitlocker would be ideal, but I think that option is unavailable without UEFI. [Edit: I will look more into bitlocker, as I've just read it doesn't require UEFI.]


Although Truecrypt is technically unsupported now, I still think it is a frontrunner for encryption. I know there are a few other options, like Veracrypt, etc. So I could look into other similar options. I'm just wondering if there are other ways. If I encrypted the ENTIRE drive with truecrypt or other, would that also still put wear onto the SSD?


I don't have nuclear codes or something EXTREMELY high risk on my computer, but I do feel strongly about protecting personal data, like banking, taxes, etc. I'd like to encrypt 80-100GB of data on the drive. I'm not opposed to encrypting the whole thing though. I'm just trying to gauge how significantly it would affect my SSD in speed and wear. I haven't been able to find a clear solution online. Too bad the UEFI option isn't available to me at this time.

Kilobyte Kid

Re: SSD Encryption

Bitlocker does not need UEFI, but the Opal 2 h/w encryption system does. If you encrypt the whole drive via software it will appear 'full' in effect (encrypted free space is effectively 'full' at a basic level) which will hurt performance severely.

With Bitlocker in software mode you can choose to encrypt only the used space. This avoids the issue.

Note that the Truecrypt devs advise a switch to Bitlocker on their web site now they have dropped support.

You can still get h/w encryption though. You need to use an ATA password instead. Some motherboards allow you to set a password for your drive (as distinct to the bios access password you can set). That effectively locks your encrypted ssd even if removed and transferred to a different system.
Kilobyte Kid

Re: SSD Encryption

Oh, the performance hit in using Bitlocker in software mode (encrypting just the used space) is not massive, you can see tests on the internet. I think they were around 12% slower or something? I forget, but you can find them. Acceptable but h/w encryption is best as there's no speed impact at all.

Re: SSD Encryption

As far as I know Bitlocker is available in the Pro version of Windows, and if you are going to do the free upgrade from Windows 7 Home it will not upgrade to Windows 10 Pro.


The data on your SSD are being stored encrypted all the time. Using AndyCalling's terminology you can choose one of the 'gate keepers' to that hardware encryption, eDrive Bitlocker or ATA password. Personally I use ATA password protection, easier to enable/disable, no interference from OS and its bugs.


However I believe that if you are used to using truecrypt you could try to use it exactly the way you have planned to, that is to encrypt only 100GB data partition.

Let's say I have a 256GB SSD with OS, some apps and 100GB of personal data (pictures, documents, taxes declaration, few movies). My personal data is almost completely static, I do not move it, no erasures and barely any changes to the files (most of them are photos and movies). If I would encrypt my personal data only I would have another set of 100GB static data and I believe the SSD's controller would treat it in a similar way. Since there would still be a part of the OS partition with empty space and TRIM would work on that partition with no problem, I think that is a scenario that could work well.

I am not sure about that but if I would be about to use truecrypt I would try to use it that way :)

Kilobyte Kid

Re: SSD Encryption

Thanks guys, you guys have clarified things far better than hours of research that I'd attempted.


I'll just summarize what you guys said and what my options are for SSD encryption, to see if I'm understanding things.



1. eDrive Bitlocker (requires Windows Pro/Enterprise. Not available on Home editions)

2. TCG Opal (requires UEFI compatibility in BIOS)

3. ATA password (older BIOSes usually have this)

4. Software (Truecrypt, veracrypt, many others).


Since 1. I'm on Windows Home, and 2. my BIOS doesn't support UEFI, I'm limited to options 3 and 4.


Option 3: I'll post a screenshot. I'm assuming my ATA Password option would be "HDD/SDD Password Select" from the picture below. Does this mean BIOS would modify the actual SSD to require a password? If I removed the SSD and used it as an external drive on another computer, for instance, how would it request my password? I can't find much information online (every search result shows people freaking out about how to crack their forgotten password. The good news is it sounds like it's very effective!).




Option 4: Software (eg Truecrypt). A disadvantage is that the software option may or may not have TRIM support for the encrypted portion of the drive (Truecrypt claims to, but using Truecrypt is debatable (due to the circumstance of the project being abandoned)). In addition, the entire encrypted partition would be seen as "used" by the SSD. For instance, if I were to partition my SSD into eg 140GB C:/ and 100GB D:/ and I encrypted only the D:/, then the SSD would see all 100GB as "used". Therefore, to keep the SSD running well, I would want to keep quite a bit of space open on my C:/.


Hope I'm understanding it all correctly. Thanks again for the great info!



Kilobyte Kid

Re: SSD Encryption

That bios screenshot shows just the right setting, the 'HDD/SDD Password' options are the ATA password options we are referring to (firmware tends to name things differently sometimes). That is your best bet considering your hw/sw limitations. That will give you full hardware encryption on your SSD which will have zero impact on speed and longevity. So long as you have a decent complex password (try if you haven't before) that is going to be the best and the fastest encryption option you could choose.


Go for it!