Why should (or shouldn't) I use TrueCrypt's Virtual Encrypted Disk over encrypting my Windows partitions?

2

2

I have a Windows 7 laptop that I want to encrypt with TrueCrypt. I could create a Virtual Encrypted Disk, which appears to be a file that is mounted as a drive, and then I can store the files I want encrypted on that drive. I could also encrypt my entire Windows partition (which is my entire C:\ drive).

Which one should I choose and why? What circumstances make one better/worse than the other?

Thomas Owens

Posted 2010-08-21T12:35:49.960

Reputation: 3 663

Answers

2

There are in fact two questions here: encrypt only a few files or the whole drive, and use the native Windows feature or TrueCrypt. Here are a few differences in terms of security.

  1. Whole disk vs. only sensitive files

    • If you only encrypt your sensitive files, you may leak sensitive information in other places: swap, temporary files, browsing history, system logs, etc.

    • If you encrypt the whole disk and screw up (e.g. forget your password), you have to reinstall everything. If you only lose a few files that you've backed up (unencrypted, on media stored in a physically secure place), it's not a big deal.

    • If you only encrypt sensitive files, it's obvious to an attacker what the sensitive stuff is. Then they might get you to decrypt it by using lead-pipe cryptography or lawyers. (TrueCrypt has a hidden volume feature that gives you plausible deniability, but plausible doesn't always imply believed.)

  2. TrueCrypt vs. Windows native

    • TrueCrypt is available on other operating systems, so you can copy an encrypted disk to another machine and use it there. Even if you don't plan on sharing the disk between machines, this can be useful if your Windows won't boot and you urgently need to access one of the encrypted files.

    • TrueCrypt is open source, so there's a better chance that a vulnerability or backdoor has been found by now. On the other hand, the native Windows feature is made by people who presumably know the Windows internals better.

  3. Encryption for confidentiality isn't the only purpose of cryptography. Integrity is another important property: whether someone can modify your data by accessing your machine without using your password (e.g., to introduce a mistake in your report just before you submit it to your boss, or to install a key logger which will reveal your password). TrueCrypt doesn't provide integrity; I don't know about Windows native encryption.

Gilles 'SO- stop being evil'

Posted 2010-08-21T12:35:49.960

Reputation: 58 319

I don't know where the Windows native came from. I have no intention of using BitLocker, which is the Windows drive encryption tool. My only choices are TrueCrypt for whole drive encryption or TrueCrypt for creating a Virtual Encrypted Drive. – Thomas Owens – 2010-08-21T14:08:44.530

Although I'm not planning on using the Windows BitLocker tool, I think this answer best addresses my questions and concerns. Accepting now. Thanks. – Thomas Owens – 2010-08-22T00:47:59.947
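The integrity point in the answer above (item 3), as an added example that is not part of the original post and not TrueCrypt's own code: a toy confidentiality-only cipher (a SHA-256 keystream XOR, standing in for a real disk-encryption mode such as XTS; the keystream construction, the `seal`/`open_sealed` names, the key names and the sample report text are all constructed for this example) decrypts a modified ciphertext without complaint, whereas the same ciphertext wrapped in an HMAC-SHA256 tag (encrypt-then-MAC) makes the modification detectable. With a real block mode such as XTS, a flipped ciphertext bit scrambles a whole 16-byte block rather than one plaintext bit, but the absence of any error is the same.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || counter), block by block.
    # Constructed for this demo; it is NOT XTS or any real disk-encryption mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Deliberately no integrity."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = toy_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; refuse anything that was modified."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: stored data was modified")
    return toy_decrypt(enc_key, ct)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate an offline change to one bit of the stored ciphertext."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    report = b"Q3 revenue: 1200000 USD"  # constructed sample file on the volume

    # Case 1: confidentiality only. Flipping bit 3 of the byte holding '1'
    # (0x31) turns it into '9' (0x39) and decryption reports no error.
    ct = toy_encrypt(enc_key, report)
    modified = flip_bit(ct, report.index(b"1"), 3)
    unprotected_result = toy_decrypt(enc_key, modified)

    # Case 2: encrypt-then-MAC. The same change is rejected before decryption.
    blob = seal(enc_key, mac_key, report)
    modified_blob = flip_bit(blob, report.index(b"1"), 3)
    try:
        open_sealed(enc_key, mac_key, modified_blob)
        protected_detected = False
    except ValueError:
        protected_detected = True

    return {
        "unprotected_result": unprotected_result,  # silently altered plaintext
        "protected_detected": protected_detected,  # True: tampering caught
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The defender's takeaway is the second case: a volume format that authenticates its data (or a file-level signature or HMAC kept alongside the container) turns an undetectable edit into a hard error, which is the property the answer notes TrueCrypt does not offer.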

0

If you ever plan on installing another operating system along with your current one, you will have to decrypt the hard drive first if you go with full disk encryption. Also, if you want a Linux operating system with your Windows installation, you can't have entire disk encryption.

If you plan on moving files around I would suggest the container method. That is their point. Portability.

Unfundednut

Posted 2010-08-21T12:35:49.960

Reputation: 6 650

Doesn't 'Full Disk Encryption' only encrypt the entire partition instead of the entire disk? If so, I would suppose a dual-boot would still be possible. – Martijn Heemels – 2014-01-22T09:18:02.347