3

I want to encrypt my OS that is on an SSD (Windows 7, x64, MBR partition style).
From what I know, VeraCrypt will encrypt the whole disk, not only the actual data.
Not only that: it will "fill" the empty space (inside the decrypted disk) with random data to allow hidden OS/containers.
This means that the SSD will think that it is full and wear leveling will be limited, thus decreasing the life and speed of the SSD.
Can a solution be to write a very big file that fills the encrypted disk and then delete it, so that trim will run and mark most of the disk as empty again? Will it be one trim operation, or more probably many, many trim operations (one per sector) that might fill the trim buffer and fail?
Does Windows 7 defragmenting also retrim the disk by sending trim operations at slow speed to allow the disk to process them?
Or do I have to do nothing, and VeraCrypt will notice that it's an SSD and encrypt only data and not the whole disk?
Can someone point me to a solution inside the VeraCrypt guide?

I'm not interested in hidden containers (which anyway will not work/be hidden on an SSD).

The solid state drive, though encrypted, reported the appropriate amount of storage space

I'm sure that the OS will report the correct disk size and used/free percentage. My question is: does the SSD know that most of the disk is empty (thanks to trim), or will it think that it is full? If trim doesn't work, speed will degrade and wear leveling too, thus decreasing the SSD's life. So I want to be sure that trim is working, and to know how to retrim the disk after encrypting, which I think is necessary since VeraCrypt also encrypts free space. How can I be sure that trim works after encrypting? Is it necessary to do something after encrypting? If yes, how do I trim the disk? Will the trim function be permanently broken because VeraCrypt also encrypts free space, so the SSD will think that it is 100% full all the time?

Rory Alsop
veracryptuser
  • Are you expecting "hidden containers" to remain hidden after trimming? – AndrolGenhald Jan 11 '19 at 21:00
  • Did you read this as a start? https://www.veracrypt.fr/en/Trim%20Operation.html – Overmind Jun 13 '19 at 05:16
  • Veracrypt's stubborn insistence on "encrypting" free space is the reason why I stopped using it. I understand plausible deniability, but not everyone wants that. Even LUKS doesn't enforce that. – KalEl Feb 26 '22 at 08:36

1 Answer

1

First, I have used VeraCrypt on multiple SSDs and haven't had any issues with performance as a result. This includes devices from Samsung and off-brand devices as well. The solid state drive, though encrypted, reported the appropriate amount of storage space on my machines and worked as expected.

As it applies to SSDs, wear leveling is likely your biggest risk factor with trying to secure your drive. I recommend reading the warning here and then determining if your hardware leverages the wear leveling functionality.

https://www.veracrypt.fr/en/Wear-Leveling.html

That said, the common implementation suggestion for solid state drives is that you:

  1. Start with a clean drive
  2. Encrypt the entire drive before placing data
  3. Write your data to the encrypted drive
  4. Call it a day

As with any system configuration, I highly recommend testing this solution with a non-production machine to ensure that it responds favorably given your hardware, OS, and other variables. You don't want to hose your production machine with an encrypted, failed hard drive.

Connor Peoples
  • This doesn't answer whether or not using TRIM is necessary (it's not, and it would actually destroy the hidden volume and reveal other filesystem metadata). – forest Jan 13 '19 at 09:02
  • This is a misleading answer. You may not and probably will not see an immediate performance issue, but I wouldn't waste a full write cycle on a 1 TB Samsung 980 PRO. – KalEl Mar 24 '22 at 00:19
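
The effect the question asks about, that a drive whose every sector was written by the encryption pass looks full to the SSD controller until trim says otherwise, can be measured on a model. The following is an added example, not code from the question, the answer or VeraCrypt: a toy flash translation layer that compares write amplification with and without trimming the free space. The geometry, the greedy garbage collector and the 25% "in use" share are constructed assumptions; real controllers differ.

```python
import random

class ToyFTL:  # page-mapped flash translation layer, greedy garbage collection
    def __init__(self, blocks=64, pages=32, spare=6):
        # logical = sectors the host can address; the rest is over-provisioning
        self.pages, self.logical = pages, (blocks - spare) * pages
        self.owner = [[None] * pages for _ in range(blocks)]  # lpn in each page
        self.valid = [0] * blocks                     # live pages per block
        self.where = {}                               # lpn -> (block, page)
        self.free = list(range(1, blocks))            # erased blocks
        self.open, self.ptr, self.nand_writes = 0, 0, 0

    def trim(self, lpn):  # host declares the sector unused: unmap it, write nothing
        loc = self.where.pop(lpn, None)
        if loc is not None:
            self.owner[loc[0]][loc[1]] = None
            self.valid[loc[0]] -= 1

    def _program(self, lpn):
        if self.ptr == self.pages:                    # open block full
            self.open, self.ptr = self.free.pop(), 0
        self.owner[self.open][self.ptr] = lpn
        self.where[lpn] = (self.open, self.ptr)
        self.valid[self.open] += 1
        self.ptr += 1
        self.nand_writes += 1

    def write(self, lpn):
        self.trim(lpn)                                # old copy becomes stale
        while len(self.free) < 2:                     # reclaim emptiest closed block
            closed = [b for b in range(len(self.valid))
                      if b != self.open and b not in self.free]
            victim = min(closed, key=lambda b: self.valid[b])
            for live in [l for l in self.owner[victim] if l is not None]:
                self.trim(live)
                self._program(live)                   # relocation = extra flash writes
            self.free.append(victim)
        self._program(lpn)

def write_amplification(trim_free_space, host_writes=20000, seed=1):
    ftl, rng = ToyFTL(), random.Random(seed)
    for lpn in range(ftl.logical):                    # encryption pass writes every sector
        ftl.write(lpn)
    in_use = range(0, ftl.logical, 4)                 # constructed: 25% holds files
    if trim_free_space:
        for lpn in (l for l in range(ftl.logical) if l % 4):
            ftl.trim(lpn)
    start = ftl.nand_writes
    for _ in range(host_writes):
        ftl.write(rng.choice(in_use))
    return (ftl.nand_writes - start) / host_writes
```

`write_amplification(False)` models the drive straight after full-disk encryption and `write_amplification(True)` the same drive after the free space has been trimmed; the returned ratio is flash pages programmed per host page written.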