Migrate TrueCrypt system volume to a new drive (Windows, SSD)

5

The only good advice I have seen so far was to decrypt the system drive, then migrate using Acronis or whatnot, then encrypt it back.

This advice works, except that with an SSD you might as well have just left your drive unencrypted. Especially if you have the pagefile on the system drive (and you probably do, since it is the only way to ensure hibernation works), you have portions of system memory on your drive, which contain encryption keys, passwords, and all the other good stuff. And with an SSD, there is no conceivable way to guarantee that it is overwritten.

I am not even talking about the rest of the drive contents, which are probably also lurking out there unsecured.

So, the question is: what do you do? Has anybody here successfully completed a secure migration of an encrypted system drive?

EDIT: This question is about migrating an encrypted operating system from drive A to drive B without producing an unencrypted copy on either physical drive.

galets

Posted 2012-04-15T19:02:48.753

Reputation: 401

I'd seriously follow the advice. It's best practice. I'd also consider disabling hibernation, but that's another discussion altogether. – None – 2012-04-15T19:49:24.147

The pagefile and the hibernation file are two separate things on Windows. – nc4pk – 2012-04-15T19:54:02.523

@Randolph West: so, you understand the reason why I am not doing it, and you still recommend that I do? I am just trying to see the logic here. – galets – 2012-04-15T20:14:44.190

I'm sorry, I don't understand what you mean. If you want to migrate an encrypted Windows partition to a new drive, best practice is to unencrypt it, then clone it, then re-encrypt it again. That is what you asked, and I answered that it was the best way to do it. Whether you encrypt the data on the other side is secondary, and really has no bearing on your question, because it becomes redundant if you think encryption won't actually secure all the contents of the drive. In that case, you still have to unencrypt it. Asked and answered. – None – 2012-04-17T00:35:40.710

Answers

1

I have successfully performed a migration of an encrypted drive, and documented the steps here: http://blog.galets.net/2012/04/migrate-encrypted-os-to-another-ssd.html

In short, I used the following technique:

  • Import system to a virtual machine by cloning it
  • Decrypt virtual drive
  • Extend virtual drive
  • Copy virtual drive to a new physical SSD

galets

Posted 2012-04-15T19:02:48.753

Reputation: 401

0

I know this is a really old post, but still relevant. I was able to successfully hot clone a TrueCrypt 7.1a encrypted Windows 7 system drive to a new Samsung SSD using their included utility. I did let it install the latest version.

Once cloned, the system booted directly into Windows without asking for the TrueCrypt verification (unencrypted).

You can then use TrueCrypt to encrypt the drive, or use an alternate encryption method to re-encrypt the new SSD. If upgrading to Windows 10 Pro as well, BitLocker is included, so it would be a good alternative to TrueCrypt.

Jeff Pelletier

Posted 2012-04-15T19:02:48.753

Reputation: 1

0

The general idea for SSD drives: encrypt before anything else. This is how I'd do it given your constraints:

  1. Install identical operating system to the target drive, encrypt the target drive with TC (encrypt OS or create a hidden OS, depending on your setup.)
  2. Use USMT, built-in Windows tools, or other (backup/restore, migration) solutions to transfer user profiles, settings, etc. Crucial: for transfers, use encrypted media such as TC containers to move data between the systems. Alternatively use direct copying (you can mount TC-encrypted partitions of the target drive from under your current running OS).
  3. Profit?

You are correct that decrypting the current OS running off an SSD drive is not a terribly good idea; however, if the reason for transfer is the current SSD failing, you can also decrypt and image the system, then trash the SSD using hammer and fire or whatever destruction method you find appealing.

minya

Posted 2012-04-15T19:02:48.753

Reputation: 378

0

This depends on the nature of the source and destination drives. If they are identical SSDs, for example, you can do a dumb block-level copy of drive A to drive B. You have the problem that this will, in fact, produce an exact clone, with the same encryption keys and the same Windows SIDs and so forth, but it satisfies your stated goals.

I haven't tried specific tools for Windows, but you could check out EaseUS Disk Copy or just use dd, though there's much greater chance of user error with dd.

Old Pro

Posted 2012-04-15T19:02:48.753

Reputation: 1 751
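
The block-level copy described in the last answer, as an added example that is not part of the original thread: a `dd` wrapper that guards against the user errors the answer warns about (copying a drive onto itself, copying onto a smaller target) and then verifies that the ciphertext arrived unchanged. It assumes a Linux live environment with GNU coreutils; the function names `size_of` and `clone_verified` are hypothetical, and the source and target paths are whatever the caller passes in.

```shell
#!/usr/bin/env bash
# Added example: guarded block-level clone of an encrypted drive.
# The copy moves ciphertext as-is, so no plaintext is written to either drive.
# Usage (paths are the caller's choice): clone_verified /path/to/source /path/to/target

# size_of PATH -> size in bytes of a block device or regular file
size_of() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# clone_verified SRC DST
# Returns: 0 verified copy, 2 bad arguments or same target,
#          3 target too small, 4 copy failed, 5 verification mismatch
clone_verified() {
    src=$1; dst=$2
    [ -n "$src" ] && [ -n "$dst" ] || return 2
    [ -e "$src" ] && [ -e "$dst" ] || return 2

    # Refuse to copy a drive onto itself (same device node or file).
    if [ "$src" -ef "$dst" ]; then return 2; fi

    src_size=$(size_of "$src") || return 2
    dst_size=$(size_of "$dst") || return 2

    # A smaller target would cut off the end of the encrypted volume.
    [ "$dst_size" -ge "$src_size" ] || return 3

    # notrunc: leave a larger target's length alone; fsync: flush before returning.
    dd if="$src" of="$dst" bs=1M conv=notrunc,fsync status=none || return 4

    # Compare only the bytes that belong to the source.
    cmp -s -n "$src_size" "$src" "$dst" || return 5
    return 0
}
```

As the answer notes, the result is an exact clone with the same encryption keys, so the old drive still has to be treated as holding a live copy of the volume.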