I need full disk encryption for business laptop computers running a current version of Windows 10 Pro. The computers have an NVMe SSD drive from Samsung and an Intel Core i5-8000 CPU.
From some web research today, there are currently only two options available: Microsoft BitLocker and VeraCrypt. I am fully aware of the state of open and closed source and the security implications that come with that.
After reading some information about BitLocker, which I had never used before, I have the impression that starting with Windows 10 BitLocker only encrypts newly written data on the disk but not everything that already exists, for performance reasons. (That documentation says I have a choice, but I don't. They didn't ask me what I want after activating it.) I have used TrueCrypt system encryption in the past and know that existing data encryption is a visible task that takes a few hours. I cannot observe such behaviour with BitLocker. No noticeable background CPU or disk activity.
Activating BitLocker is really easy. Click a button, save the recovery key somewhere safe, done. The same process with VeraCrypt made me abandon the idea. I needed to actually create a fully working recovery device, even for testing purposes on a throw-away system.
I've also read that VeraCrypt currently has a design flaw that makes some NVMe SSDs extremely slow with system encryption. I can't verify it because the setup is too complicated. At least after activating BitLocker, I can't see a significant change in disk performance. Also the VeraCrypt team has insufficient resources to fix that "complicated bug". Additionally, Windows 10 upgrades can't operate with VeraCrypt in place, which makes frequent full-disk de- and encryptions necessary. I hope BitLocker works better here.
So I'm almost settled on using BitLocker. But I need to understand what it does. Unfortunately, there is almost no information about it online. Most consists of blog posts that give an overview but no concise in-depth information. So I'm asking here.
After activating BitLocker on a single-drive system, what happens to existing data? What happens to new data? What does it mean to "suspend BitLocker"? (Not the same as permanently deactivating it and thereby decrypting all data on disk.) How can I check the encryption status or force the encryption of all existing data? (I don't mean unused space; I don't care about that, and it's required for SSDs, see TRIM.) Are there more detailed data and actions about BitLocker other than "suspend" and "decrypt"?
And maybe on a side note, how does BitLocker relate to EFS (Encrypting File System)? If only newly written files are encrypted, EFS seems to have a very similar effect. But I know how to operate EFS; it's much more understandable.
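The status questions in the post (has the initial pass over existing data finished, is the volume suspended rather than decrypted, which partitions are covered) can be answered from the BitLocker PowerShell module that ships with Windows 10 Pro. The script below is an added example, not part of the original thread; the function name `Get-BitLockerPosture` and the finding texts are my own, while the cmdlets (`Get-BitLockerVolume`, `Suspend-BitLocker`, `Resume-BitLocker`, `Disable-BitLocker`) and the properties read from each volume object are the module's real ones. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original thread): audit the BitLocker state of
# every volume on the local machine. Function and finding wording are the
# author's own; cmdlets and properties come from the built-in BitLocker module.
function Get-BitLockerPosture {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $findings = @()

        # VolumeStatus says whether the initial conversion of existing data has
        # finished (FullyEncrypted) or is still running (EncryptionInProgress);
        # EncryptionPercentage shows how far that pass has got.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
        }

        # ProtectionStatus Off with data still encrypted is the "suspended" state:
        # the ciphertext stays on disk, but the volume key is stored in the clear
        # so the drive unlocks without the TPM/PIN check until Resume-BitLocker.
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus) (suspended or never enabled)"
        }

        # A volume with no recovery-password protector cannot be recovered if
        # the TPM measurements change (firmware update, board swap).
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            EncryptionMethod = $vol.EncryptionMethod
            VolumeStatus     = $vol.VolumeStatus
            PercentEncrypted = $vol.EncryptionPercentage
            ProtectionStatus = $vol.ProtectionStatus
            KeyProtectors    = ($types -join ',')
            Findings         = ($findings -join '; ')
        }
    }
}

# One row per volume: the OS partition and any data partitions on the same
# disk are listed separately, which is why one can be encrypted and another not.
Get-BitLockerPosture | Format-Table -AutoSize

# Suspend versus decrypt (shown as comments so the audit run stays read-only):
#   Suspend-BitLocker -MountPoint 'C:' -RebootCount 1   # keep ciphertext, clear key for one reboot
#   Resume-BitLocker  -MountPoint 'C:'                  # seal the key again
#   Disable-BitLocker -MountPoint 'C:'                  # start full decryption of the volume
```

`manage-bde -status` reports the same information from a command prompt ("Conversion Status" and "Percentage Encrypted" are the fields that answer the "existing data" question). When enabling from the command line, `manage-bde -on C: -UsedSpaceOnly` (or `Enable-BitLocker -UsedSpaceOnly`) picks the faster used-space-only mode explicitly, and leaving the switch off requests a full-volume pass, so the choice the post could not find in the GUI is available there.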
Nice overview, thanks. Regarding the last sentence: I see many use cases - BitLocker encrypts my hard disk against people outside the company, but my IT group can access all data in my absence, as they have the master key. EFS works well for documents that I don't want my IT department or my manager to be able to access. – Aganju – 2018-09-15T21:28:10.950
@Aganju: The same IT group probably has already deployed a policy that designates an EFS data recovery agent. If you have documents that you don't want your IT department to access, don't store them on a company device at all. – user1686 – 2018-09-15T22:01:37.640
"Bitlocker (...) encrypts all existing data (...) works at whole-disk level" -> you forgot to mention partitions. With an HDD with 2 partitions, I activated Bitlocker to encrypt only 1 of them (the one with the data, not the OS). When booting with a Linux-based OS, only the data from the unencrypted partition can be read. – CPHPython – 2018-09-16T13:33:06.680
@CPHPython: True, and this is where it probably gets inconsistent -- in software mode it's able to encrypt just a partition, but in SSD (OPAL2) mode I'm not sure if that ability exists. I think it locks the entire drive and (as far as I managed to understand OPAL) the 'PBA' will unlock it before any OS runs. – user1686 – 2018-09-23T10:23:11.853