2

I am using TrueCrypt's 'Full Disk Encryption' and according to TrueCrypt's FAQ I should 'Permanently Decrypt System Partition/Drive' before reinstalling Windows. This does not make any sense to me. Would reinstalling Windows not undo the encryption in the first place?

The reason I would like to know is that 'Permanently Decrypt System Partition/Drive' will take a long time.

Note: If the system partition/drive is encrypted and you want to reinstall or upgrade Windows, you need to decrypt it first (select System > Permanently Decrypt System Partition/Drive). However, a running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.

Xen

5 Answers

4

I wouldn't have a clue why you would first need to do a full decryption. It might be that this is a feature for people who are using an OEM version of Windows that comes with a special recovery partition. I'd just install Windows over your encrypted drive; I don't think that will give you any issues.

The same of course for upgrades for obvious reasons.

Lucas Kauffman
1

Reading the FAQ in question, what the TrueCrypt folks are trying to explain relates to reinstalling Windows on a system with an encrypted data volume that you wish to keep. The idea is that even though you don't reformat that volume, the details needed to access it are lost in the Windows installation and thus the data is no longer recoverable.

zedman9991
0

The most probable reason is the way TrueCrypt, and now VeraCrypt, encrypt a volume. In order to encrypt a system volume you would either need to install it as code that boots with the system or as a part of the OS.

In the former instance it needs to run below the OS and handle all input/output operations. You would probably need to replace the interrupt routines and only have them handle operations on the encrypted disk. This is very complicated, has a lot of function duplication, and also needs to fit into the boot sector and any reserved sectors at its disposal.

Installing it as a part of the OS is the simpler and more reliable option as it doesn't have any function duplication and uses all the default routines. The downside to this is that the OS needs to be running for it to work so you can't install it before installing the OS.

TrueCrypt and VeraCrypt, as I understand it, use a little of both. It first has just enough compacted boot code to decrypt the system partition using all of the default routines. Then it loads the basic OS functions and its own ones, after which it switches over to running on top of the OS and handling requests for the encrypted volume. This means that installing a new OS over it breaks this functionality and makes the volume inaccessible. Even if it used the former mechanism, there's still a chance that installing a new OS could overwrite the boot code, so in either instance it's advisable to only encrypt a system volume after installing the OS on an unencrypted volume.

Andrwe
0

Generally when you install Windows you format the hard drive, so I can't see a need to worry about or decrypt the partition (unless there is data you'd like to get to before installing).

Drew Khoury
-1

If the system partition/drive is encrypted and you want to reinstall or upgrade Windows, you need to decrypt it first (select System > Permanently Decrypt System Partition/Drive). However, a running operating system can be updated (security patches, service packs, etc.) without any problems even when the system partition/drive is encrypted.